| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 1 | // k0.hswaw.net kubernetes cluster |
| 2 | // This defines the cluster as a single object. |
| 3 | // Use the sibling k0*.jsonnet 'view' files to actually apply the configuration. |
| 4 | |
| 5 | local kube = import "../../kube/kube.libsonnet"; |
| 6 | local policies = import "../../kube/policies.libsonnet"; |
| 7 | |
| 8 | local cluster = import "cluster.libsonnet"; |
| 9 | |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 10 | local admitomatic = import "lib/admitomatic.libsonnet"; |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 11 | local cockroachdb = import "lib/cockroachdb.libsonnet"; |
| 12 | local registry = import "lib/registry.libsonnet"; |
| 13 | local rook = import "lib/rook.libsonnet"; |
| 14 | |
| 15 | { |
| 16 | k0: { |
| 17 | local k0 = self, |
| 18 | cluster: cluster.Cluster("k0", "hswaw.net") { |
| 19 | cfg+: { |
| Serge Bazanski | 3d29484 | 2020-08-04 01:34:07 +0200 | [diff] [blame] | 20 | storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 21 | }, |
| 22 | metallb+: { |
| 23 | cfg+: { |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 24 | // Peer with calico running on same node. |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 25 | peers: [ |
| 26 | { |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 27 | "peer-address": "127.0.0.1", |
| 28 | "peer-asn": 65003, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 29 | "my-asn": 65002, |
| 30 | }, |
| 31 | ], |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 32 | // Public IP address pools. Keep in sync with k0.calico.yaml. |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 33 | addressPools: [ |
| 34 | { |
| 35 | name: "public-v4-1", |
| 36 | protocol: "bgp", |
| 37 | addresses: [ |
| 38 | "185.236.240.48/28", |
| 39 | ], |
| 40 | }, |
| 41 | { |
| 42 | name: "public-v4-2", |
| 43 | protocol: "bgp", |
| 44 | addresses: [ |
| 45 | "185.236.240.112/28" |
| 46 | ], |
| 47 | }, |
| 48 | ], |
| 49 | }, |
| 50 | }, |
| 51 | }, |
| 52 | |
| 53 | // Docker registry |
| 54 | registry: registry.Environment { |
| 55 | cfg+: { |
| 56 | domain: "registry.%s" % [k0.cluster.fqdn], |
| 57 | storageClassName: k0.cluster.cfg.storageClassNameParanoid, |
| Serge Bazanski | 3d29484 | 2020-08-04 01:34:07 +0200 | [diff] [blame] | 58 | objectStorageName: "waw-hdd-redundant-3-object", |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 59 | }, |
| 60 | }, |
| 61 | |
| 62 | // CockroachDB, running on bc01n{01,02,03}. |
| 63 | cockroach: { |
| 64 | waw2: cockroachdb.Cluster("crdb-waw1") { |
| 65 | cfg+: { |
| 66 | topology: [ |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 67 | { name: "bc01n02", node: "bc01n02.hswaw.net" }, |
| Patryk Jakuszew | edf14cc | 2021-01-23 23:00:29 +0100 | [diff] [blame] | 68 | { name: "dcr01s22", node: "dcr01s22.hswaw.net" }, |
| Serge Bazanski | bdd403c | 2021-10-28 23:37:38 +0000 | [diff] [blame] | 69 | { name: "dcr01s24", node: "dcr01s24.hswaw.net" }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 70 | ], |
| 71 | // Host path on SSD. |
| 72 | hostPath: "/var/db/crdb-waw1", |
| Serge Bazanski | 509ab6e | 2020-07-30 22:43:20 +0200 | [diff] [blame] | 73 | extraDNS: [ |
| 74 | "crdb-waw1.hswaw.net", |
| 75 | ], |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 76 | }, |
| Serge Bazanski | bdd403c | 2021-10-28 23:37:38 +0000 | [diff] [blame] | 77 | initJob:: null, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 78 | }, |
| 79 | clients: { |
| 80 | cccampix: k0.cockroach.waw2.Client("cccampix"), |
| 81 | cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"), |
| 82 | buglessDev: k0.cockroach.waw2.Client("bugless-dev"), |
| 83 | sso: k0.cockroach.waw2.Client("sso"), |
| Serge Bazanski | 509ab6e | 2020-07-30 22:43:20 +0200 | [diff] [blame] | 84 | herpDev: k0.cockroach.waw2.Client("herp-dev"), |
| Patryk Jakuszew | f315388 | 2021-01-23 15:38:50 +0100 | [diff] [blame] | 85 | gitea: k0.cockroach.waw2.Client("gitea"), |
| Piotr Dobrowolski | f4a6a56 | 2021-02-01 21:32:25 +0100 | [diff] [blame] | 86 | issues: k0.cockroach.waw2.Client("issues"), |
| Serge Bazanski | bf266c6 | 2021-03-17 21:48:58 +0000 | [diff] [blame] | 87 | dns: k0.cockroach.waw2.Client("dns"), |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 88 | }, |
| 89 | }, |
| 90 | |
| 91 | ceph: { |
| 92 | // waw1 cluster - dead as of 2019/08/06, data corruption |
| Serge Bazanski | 61f978a | 2021-01-22 16:26:07 +0100 | [diff] [blame] | 93 | // waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible) |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 94 | |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 95 | // waw3: 6TB SAS 3.5" HDDs, internal Rook cluster. |
| 96 | // |
| 97 | // Suffers from rook going apeshit and nuking all mons if enough of |
| 98 | // a control plane is up for rook to run but if nodes are |
| 99 | // unavailable to the point of it deciding that no mon exists and |
| 100 | // it should create some new ones, fully nuking the monmap and |
| 101 | // making recovery a pain. |
| 102 | // |
| 103 | // Supposedly new versions of Rook slowly fix these issues, but q3k |
| 104 | // doesn't personally trust this codebase anymore. He'd rather |
| 105 | // manage the actual Ceph cluster myself, we don't need all of this |
| 106 | // magic. |
| 107 | // |
| 108 | // See: b.hswaw.net/6 |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 109 | waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") { |
| 110 | spec: { |
| 111 | mon: { |
| Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 112 | count: 3, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 113 | allowMultiplePerNode: false, |
| 114 | }, |
| Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 115 | resources: { |
| 116 | osd: { |
| 117 | requests: { |
| Serge Bazanski | 64de7af | 2021-03-17 21:47:29 +0000 | [diff] [blame] | 118 | cpu: "2", |
| 119 | memory: "6G", |
| Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 120 | }, |
| 121 | limits: { |
| Serge Bazanski | 64de7af | 2021-03-17 21:47:29 +0000 | [diff] [blame] | 122 | cpu: "2", |
| 123 | memory: "8G", |
| Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 124 | }, |
| 125 | }, |
| 126 | |
| 127 | }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 128 | storage: { |
| 129 | useAllNodes: false, |
| 130 | useAllDevices: false, |
| 131 | config: { |
| 132 | databaseSizeMB: "1024", |
| 133 | journalSizeMB: "1024", |
| 134 | }, |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 135 | |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 136 | nodes: [ |
| 137 | { |
| 138 | name: "dcr01s22.hswaw.net", |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 139 | devices: [ |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 140 | { name: "/dev/disk/by-id/wwn-0x" + id } |
| 141 | for id in [ |
| Serge Bazanski | 712a5dc | 2023-02-28 01:15:40 +0000 | [diff] [blame^] | 142 | "5000c5008508c433", # ST6000NM0034 Z4D40QZR0000R629ME1B |
| 143 | "5000c500850989cf", # ST6000NM0034 Z4D40JRL0000R63008A2 |
| 144 | "5000c5008508baf7", # ST6000NM0034 Z4D40M380000R630V00M |
| 145 | "5000c5008508f843", # ST6000NM0034 Z4D40LGP0000R630UVTD |
| 146 | "5000c500850312cb", # ST6000NM0034 Z4D3ZAAX0000R629NW31 |
| 147 | "5000c500850293e3", # ST6000NM0034 Z4D3Z5TD0000R629MF7P |
| 148 | "5000c5008508e3ef", # ST6000NM0034 Z4D40LM50000R630V0W3 |
| 149 | "5000c5008508e23f", # ST6000NM0034 Z4D40QMX0000R629MD3C |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 150 | ] |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 151 | ], |
| 152 | }, |
| 153 | { |
| 154 | name: "dcr01s24.hswaw.net", |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 155 | devices: [ |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 156 | { name: "/dev/disk/by-id/wwn-0x" + id } |
| 157 | for id in [ |
| Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 158 | "5000c5008508c9ef", |
| 159 | "5000c5008508df33", |
| 160 | "5000c5008508dd3b", |
| 161 | ] |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 162 | ], |
| 163 | }, |
| 164 | ], |
| 165 | }, |
| 166 | benji:: { |
| 167 | metadataStorageClass: "waw-hdd-redundant-3", |
| 168 | encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0], |
| 169 | pools: [ |
| 170 | "waw-hdd-redundant-3", |
| 171 | "waw-hdd-redundant-3-metadata", |
| 172 | "waw-hdd-yolo-3", |
| 173 | ], |
| 174 | s3Configuration: { |
| 175 | awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3", |
| 176 | awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0], |
| 177 | bucketName: "benji-k0-backups-waw3", |
| 178 | endpointUrl: "https://s3.eu-central-1.wasabisys.com/", |
| 179 | }, |
| 180 | } |
| 181 | }, |
| 182 | }, |
| 183 | waw3Pools: { |
| 184 | // redundant block storage |
| 185 | blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") { |
| 186 | metadataReplicas: 2, |
| 187 | spec: { |
| 188 | failureDomain: "host", |
| 189 | replicated: { |
| 190 | size: 2, |
| 191 | }, |
| 192 | }, |
| 193 | }, |
| Serge Bazanski | 242ec58 | 2020-09-20 15:36:11 +0000 | [diff] [blame] | 194 | // q3k's personal pool, used externally from k8s. |
| 195 | q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") { |
| 196 | metadataReplicas: 2, |
| 197 | spec: { |
| 198 | failureDomain: "host", |
| 199 | replicated: { |
| 200 | size: 2, |
| 201 | }, |
| 202 | }, |
| 203 | }, |
| Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 204 | |
| 205 | object: { |
| 206 | local poolSpec = { |
| 207 | failureDomain: "host", |
| 208 | replicated: { size: 2 }, |
| 209 | }, |
| 210 | |
| 211 | realm: rook.S3ObjectRealm(k0.ceph.waw3, "hscloud"), |
| 212 | zonegroup: rook.S3ObjectZoneGroup(self.realm, "eu"), |
| 213 | // This is serving at object.ceph-waw3.hswaw.net, but |
| 214 | // internally to Ceph it is known as |
| 215 | // waw-hdd-redundant-3-object (name of radosgw zone). |
| 216 | store: rook.S3ObjectStore(self.zonegroup, "waw-hdd-redundant-3-object") { |
| 217 | cfg+: { |
| 218 | // Override so that this radosgw serves on |
| 219 | // object.ceph-{waw3,eu}.hswaw.net instead of |
| 220 | // ceph-{waw-hdd-redundant-3-object,eu}. |
| 221 | domainParts: [ |
| 222 | "waw3", "eu", |
| 223 | ], |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 224 | }, |
| Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 225 | spec: { |
| 226 | metadataPool: poolSpec, |
| 227 | dataPool: poolSpec, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 228 | }, |
| 229 | }, |
| 230 | }, |
| 231 | }, |
| 232 | |
| 233 | // Clients for S3/radosgw storage. |
| 234 | clients: { |
| 235 | # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl. |
| 236 | nextcloudWaw3: kube.CephObjectStoreUser("nextcloud") { |
| 237 | metadata+: { |
| 238 | namespace: "ceph-waw3", |
| 239 | }, |
| 240 | spec: { |
| 241 | store: "waw-hdd-redundant-3-object", |
| 242 | displayName: "nextcloud", |
| 243 | }, |
| 244 | }, |
| Piotr Dobrowolski | 3b8a43f | 2021-02-01 21:19:48 +0100 | [diff] [blame] | 245 | # issues.hackerspace.pl (redmine) attachments bucket |
| 246 | issuesWaw3: kube.CephObjectStoreUser("issues") { |
| 247 | metadata+: { |
| 248 | namespace: "ceph-waw3", |
| 249 | }, |
| 250 | spec: { |
| 251 | store: "waw-hdd-redundant-3-object", |
| 252 | displayName: "issues", |
| 253 | }, |
| 254 | }, |
| Piotr Dobrowolski | e839f95 | 2021-09-14 22:21:22 +0200 | [diff] [blame] | 255 | # matrix.hackerspace.pl media storage bucket |
| 256 | matrixWaw3: kube.CephObjectStoreUser("matrix") { |
| 257 | metadata+: { |
| 258 | namespace: "ceph-waw3", |
| 259 | }, |
| 260 | spec: { |
| 261 | store: "waw-hdd-redundant-3-object", |
| 262 | displayName: "matrix", |
| 263 | }, |
| 264 | }, |
| Bartosz Stebel | 54a34b2 | 2022-03-05 23:20:56 +0100 | [diff] [blame] | 265 | # tape staging temporary storage |
| 266 | tapeStaging: kube.CephObjectStoreUser("tape-staging") { |
| 267 | metadata+: { |
| 268 | namespace: "ceph-waw3", |
| 269 | }, |
| 270 | spec: { |
| 271 | store: "waw-hdd-redundant-3-object", |
| 272 | displayName: "tape-staging", |
| 273 | }, |
| 274 | }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 275 | |
| 276 | # nuke@hackerspace.pl's personal storage. |
| 277 | nukePersonalWaw3: kube.CephObjectStoreUser("nuke-personal") { |
| 278 | metadata+: { |
| 279 | namespace: "ceph-waw3", |
| 280 | }, |
| 281 | spec: { |
| 282 | store: "waw-hdd-redundant-3-object", |
| 283 | displayName: "nuke-personal", |
| 284 | }, |
| 285 | }, |
| 286 | |
| 287 | # patryk@hackerspace.pl's ArmA3 mod bucket. |
| 288 | cz2ArmaModsWaw3: kube.CephObjectStoreUser("cz2-arma3mods") { |
| 289 | metadata+: { |
| 290 | namespace: "ceph-waw3", |
| 291 | }, |
| 292 | spec: { |
| 293 | store: "waw-hdd-redundant-3-object", |
| 294 | displayName: "cz2-arma3mods", |
| 295 | }, |
| 296 | }, |
| Bartosz Stebel | 0156ab2 | 2023-02-20 21:33:33 +0100 | [diff] [blame] | 297 | # implr's personal user |
| 298 | implrSparkWaw3: kube.CephObjectStoreUser("implr") { |
| Bartosz Stebel | d9df587 | 2020-06-13 21:19:40 +0200 | [diff] [blame] | 299 | metadata+: { |
| 300 | namespace: "ceph-waw3", |
| 301 | }, |
| 302 | spec: { |
| 303 | store: "waw-hdd-redundant-3-object", |
| Bartosz Stebel | 0156ab2 | 2023-02-20 21:33:33 +0100 | [diff] [blame] | 304 | displayName: "implr", |
| Bartosz Stebel | d9df587 | 2020-06-13 21:19:40 +0200 | [diff] [blame] | 305 | }, |
| 306 | }, |
| Sergiusz Bazanski | b1aadd8 | 2020-06-24 19:06:17 +0200 | [diff] [blame] | 307 | # q3k's personal user |
| 308 | q3kWaw3: kube.CephObjectStoreUser("q3k") { |
| 309 | metadata+: { |
| 310 | namespace: "ceph-waw3", |
| 311 | }, |
| 312 | spec: { |
| 313 | store: "waw-hdd-redundant-3-object", |
| 314 | displayName: "q3k", |
| 315 | }, |
| 316 | }, |
| Serge Bazanski | bfe9bb0 | 2020-10-27 20:50:50 +0100 | [diff] [blame] | 317 | # woju's personal user |
| 318 | wojuWaw3: kube.CephObjectStoreUser("woju") { |
| 319 | metadata+: { |
| 320 | namespace: "ceph-waw3", |
| 321 | }, |
| 322 | spec: { |
| 323 | store: "waw-hdd-redundant-3-object", |
| 324 | displayName: "woju", |
| 325 | }, |
| Patryk Jakuszew | cae7cf7 | 2020-11-28 14:36:48 +0100 | [diff] [blame] | 326 | }, |
| Patryk Jakuszew | 34668a5 | 2020-11-28 13:45:25 +0100 | [diff] [blame] | 327 | # cz3's (patryk@hackerspace.pl) personal user |
| 328 | cz3Waw3: kube.CephObjectStoreUser("cz3") { |
| 329 | metadata+: { |
| 330 | namespace: "ceph-waw3", |
| 331 | }, |
| 332 | spec: { |
| 333 | store: "waw-hdd-redundant-3-object", |
| 334 | displayName: "cz3", |
| 335 | }, |
| Serge Bazanski | bfe9bb0 | 2020-10-27 20:50:50 +0100 | [diff] [blame] | 336 | }, |
| Piotr Dobrowolski | e839f95 | 2021-09-14 22:21:22 +0200 | [diff] [blame] | 337 | # informatic's personal user |
| 338 | informaticWaw3: kube.CephObjectStoreUser("informatic") { |
| 339 | metadata+: { |
| 340 | namespace: "ceph-waw3", |
| 341 | }, |
| 342 | spec: { |
| 343 | store: "waw-hdd-redundant-3-object", |
| 344 | displayName: "informatic", |
| 345 | }, |
| 346 | }, |
| Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 347 | # mastodon qa and prod |
| 348 | mastodonWaw3: { |
| 349 | qa: kube.CephObjectStoreUser("mastodon-qa") { |
| 350 | metadata+: { |
| 351 | namespace: "ceph-waw3", |
| 352 | }, |
| 353 | spec: { |
| 354 | store: "waw-hdd-redundant-3-object", |
| 355 | displayName: "mastodon-qa", |
| 356 | }, |
| 357 | }, |
| 358 | prod: kube.CephObjectStoreUser("mastodon-prod") { |
| 359 | metadata+: { |
| 360 | namespace: "ceph-waw3", |
| 361 | }, |
| 362 | spec: { |
| 363 | store: "waw-hdd-redundant-3-object", |
| 364 | displayName: "mastodon-prod", |
| 365 | }, |
| 366 | }, |
| 367 | }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 368 | }, |
| 369 | }, |
| 370 | |
| 371 | |
| 372 | # These are policies allowing for Insecure pods in some namespaces. |
| 373 | # A lot of them are spurious and come from the fact that we deployed |
| 374 | # these namespaces before we deployed the draconian PodSecurityPolicy |
| 375 | # we have now. This should be fixed by setting up some more granular |
| 376 | # policies, or fixing the workloads to not need some of the permission |
| 377 | # bits they use, whatever those might be. |
| 378 | # TODO(q3k): fix this? |
| 379 | unnecessarilyInsecureNamespaces: [ |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 380 | policies.AllowNamespaceInsecure("ceph-waw3"), |
| 381 | policies.AllowNamespaceInsecure("matrix"), |
| 382 | policies.AllowNamespaceInsecure("registry"), |
| 383 | policies.AllowNamespaceInsecure("internet"), |
| 384 | # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root |
| 385 | policies.AllowNamespaceInsecure("implr-vpn"), |
| 386 | ], |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 387 | |
| 388 | # Admission controller that permits non-privileged users to manage |
| 389 | # their namespaces without danger of hijacking important URLs. |
| 390 | admitomatic: admitomatic.Environment { |
| 391 | cfg+: { |
| 392 | proto: { |
| 393 | // Domains allowed in given namespaces. If a domain exists |
| 394 | // anywhere, ingresses will only be permitted to be created |
| 395 | // within namespaces in which it appears here. This works |
| 396 | // the same way for wildcards, if a wildcard exists in this |
| 397 | // list it blocks all unauthorized uses of that domain |
| 398 | // elsewhere. |
| 399 | // |
| 400 | // See //cluster/admitomatic for more information. |
| 401 | // |
| 402 | // Or, tl;dr: |
| 403 | // |
| 404 | // If you do a wildcard CNAME onto the k0 ingress, you |
| 405 | // should explicitly state *.your.name.com here. |
| 406 | // |
| 407 | // If you just want to protect your host from being |
| 408 | // hijacked by other cluster users, you should also state |
| 409 | // it here (either as a wildcard, or unary domains). |
| 410 | allow_domain: [ |
| 411 | { namespace: "covid-formity", dns: "covid19.hackerspace.pl" }, |
| 412 | { namespace: "covid-formity", dns: "covid.hackerspace.pl" }, |
| 413 | { namespace: "covid-formity", dns: "www.covid.hackerspace.pl" }, |
| 414 | { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" }, |
| 415 | { namespace: "devtools-prod", dns: "cs.hackerspace.pl" }, |
| 416 | { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" }, |
| 417 | { namespace: "gerrit", dns: "gerrit.hackerspace.pl" }, |
| 418 | { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" }, |
| 419 | { namespace: "hswaw-prod", dns: "*.hackerspace.pl" }, |
| Serge Bazanski | 99b91b1 | 2021-03-28 17:34:32 +0000 | [diff] [blame] | 420 | { namespace: "hswaw-prod", dns: "*.hswaw.net" }, |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 421 | { namespace: "internet", dns: "internet.hackerspace.pl" }, |
| 422 | { namespace: "matrix", dns: "matrix.hackerspace.pl" }, |
| 423 | { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" }, |
| Piotr Dobrowolski | 3b2a2a2 | 2023-01-05 08:26:02 +0100 | [diff] [blame] | 424 | { namespace: "paperless", dns: "paperless.hackerspace.pl" }, |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 425 | { namespace: "redmine", dns: "issues.hackerspace.pl" }, |
| Serge Bazanski | 877cf0a | 2021-02-08 00:34:34 +0100 | [diff] [blame] | 426 | { namespace: "redmine", dns: "b.hackerspace.pl" }, |
| 427 | { namespace: "redmine", dns: "b.hswaw.net" }, |
| 428 | { namespace: "redmine", dns: "xn--137h.hackerspace.pl" }, |
| 429 | { namespace: "redmine", dns: "xn--137h.hswaw.net" }, |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 430 | { namespace: "speedtest", dns: "speedtest.hackerspace.pl" }, |
| 431 | { namespace: "sso", dns: "sso.hackerspace.pl" }, |
| Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 432 | { namespace: "mastodon-hackerspace-qa", dns: "social-qa-2.hackerspace.pl" }, |
| 433 | { namespace: "mastodon-hackerspace-prod", dns: "social.hackerspace.pl" }, |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 434 | |
| 435 | { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" }, |
| 436 | { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" }, |
| Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 437 | { namespace: "ceph-waw3", dns: "object.ceph-eu.hswaw.net" }, |
| Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 438 | { namespace: "monitoring-global-k0", dns: "*.hswaw.net" }, |
| 439 | { namespace: "registry", dns: "*.hswaw.net" }, |
| 440 | |
| 441 | // q3k's legacy namespace (pre-prodvider) |
| 442 | { namespace: "q3k", dns: "*.q3k.org" }, |
| 443 | { namespace: "personal-q3k", dns: "*.q3k.org" }, |
| 444 | ], |
| 445 | }, |
| 446 | }, |
| 447 | }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 448 | }, |
| 449 | } |