# Mirko, an abstraction layer for hscloud kubernetes services.
2
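local kube = import "kube.libsonnet";

{
    // Environment groups a set of Components under one namespace and fronts
    // their public HTTP ports with a single TLS-terminated Ingress.
    //
    // Note: Component() reads env.image, which Environment() does not define;
    // it is expected to be set on the environment object by the user (or
    // overridden per component via cfg.image).
    Environment(name): {
        local env = self,
        local cfg = env.cfg,
        cfg:: {
            name: name,
            // The namespace defaults to the environment name.
            namespace: cfg.name,
        },

        namespace: kube.Namespace(cfg.namespace),

        components: {}, // type: mirko.Component

        // Currently hardcoded!
        // This might end up being something passed as part of kubecfg evaluation,
        // when we get to supporting multiple/federated clusters.
        // For now, this is good enough.
        pkiRealm:: "hswaw.net",
        pkiClusterFQDN:: "k0.hswaw.net",

        // Every (component, publicHTTP port) pair across all components,
        // flattened into one list of { service, port, dns }. This drives the
        // ingress below: without any entries no ingress is generated.
        publicHTTPPorts:: std.flattenArrays([
            [
                {
                    local component = env.components[c],

                    service: component.svc,
                    port: component.cfg.ports.publicHTTP[p].port,
                    dns: component.cfg.ports.publicHTTP[p].dns,
                }
                for p in std.objectFields(env.components[c].cfg.ports.publicHTTP)
            ]
            for c in std.objectFields(env.components)
        ]),

        // One shared ingress for all public HTTP ports of the environment.
        // All public hostnames are bundled into a single ACME-issued
        // certificate (secret "mirko-public-tls"); each hostname is routed
        // at "/" to its component's Service. Falls back to an empty object
        // when there are no public ports.
        ingress: if std.length(env.publicHTTPPorts) > 0 then kube.Ingress("mirko-public") {
            metadata+: {
                namespace: env.cfg.namespace,
                labels: {
                    "app.kubernetes.io/name": cfg.name,
                    "app.kubernetes.io/managed-by": "kubecfg-mirko",
                    "app.kubernetes.io/component": cfg.name,
                    "mirko.hscloud.hackerspace.pl/environment": env.cfg.name,
                    "mirko.hscloud.hackerspace.pl/component": "mirko-public-ingress",
                },
                annotations+: {
                    "kubernetes.io/tls-acme": "true",
                    "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                },
            },
            spec+: {
                tls: [
                    {
                        hosts: [p.dns for p in env.publicHTTPPorts],
                        secretName: "mirko-public-tls",
                    },
                ],
                rules: [
                    {
                        host: p.dns,
                        http: {
                            paths: [
                                { path: "/", backend: { serviceName: p.service.metadata.name, servicePort: p.port }},
                            ],
                        },
                    }
                    for p in env.publicHTTPPorts
                ],
            },
        } else {}
    },

    // Component is a single service living inside an Environment: a
    // Deployment, a Service, a ServiceAccount and a cert-manager Certificate
    // (the component's in-cluster PKI identity). Every emitted object carries
    // the labels from `metadata` so it can be selected per environment and
    // per component.
    Component(env, name): {
        local component = self,
        local cfg = component.cfg,

        // makeName builds an object name from the configured prefix, the
        // component name and a suffix (prefix "" + "foo" + "-main" -> "foo-main").
        makeName(suffix):: "%s%s%s" % [cfg.prefix, cfg.name, suffix],
        // makeNameGlobal additionally prepends the environment namespace, for
        // names that must not collide across namespaces.
        makeNameGlobal(suffix):: "%s-%s" % [env.cfg.namespace, component.makeName(suffix)],

        // Common metadata stamped onto every object emitted by this component.
        metadata:: {
            namespace: env.cfg.namespace,
            labels: {
                "app.kubernetes.io/name": env.cfg.name,
                "app.kubernetes.io/managed-by": "kubecfg-mirko",
                "app.kubernetes.io/component": cfg.name,
                "mirko.hscloud.hackerspace.pl/environment": env.cfg.name,
                "mirko.hscloud.hackerspace.pl/component": cfg.name,
            },
        },


        // Tunables for users.
        cfg:: {
            name: name,

            // Optional prefix for all object names produced by makeName.
            prefix:: "",
            // Container image; defaults to the environment-wide env.image,
            // which Environment() itself does not define (see note above).
            image:: env.image,
            // Extra pod volumes (name -> volume), merged with the pki volume.
            volumes:: {},
            // Pod containers (name -> container). By default a single "main"
            // container taken from cfg.container.
            containers:: {
                main: cfg.container,
            },
            nodeSelector: null,
            // Pod-level securityContext, passed through verbatim. Empty by
            // default, so no runAsNonRoot/runAsUser/fsGroup constraints apply
            // unless the user sets them here.
            securityContext: {},
            container:: error "container(s) must be set",
            ports:: {
                publicHTTP: {}, // name -> { port: no, dns: fqdn }
                grpc: { main: 4200 }, // name -> port no
            },

        },

        // Port the main gRPC listener of GoContainer binds to. Follows
        // cfg.ports.grpc.main when present, so the listen address stays in
        // sync with the port exposed via allPorts/svc when a user overrides
        // it; otherwise falls back to the historical default of 4200.
        grpcListenPort:: if std.objectHas(cfg.ports.grpc, "main") then cfg.ports.grpc.main else 4200,

        // All container/service ports, keyed "grpc-<name>" and
        // "pubhttp-<name>" (name -> port number).
        allPorts:: {
            ['grpc-' + p]: cfg.ports.grpc[p]
            for p in std.objectFields(cfg.ports.grpc)
        } + {
            ['pubhttp-' + p] : cfg.ports.publicHTTP[p].port
            for p in std.objectFields(cfg.ports.publicHTTP)
        },

        // Container is a kube.Container with the component image, all ports
        // from allPorts exposed, the component certificate mounted at /mnt/pki
        // (where GoContainer expects ca.crt/tls.crt/tls.key) and default
        // resource requests/limits.
        Container(name):: kube.Container(component.makeName(name)) {
            image: cfg.image,
            volumeMounts_: {
                pki: { mountPath: "/mnt/pki" },
            },
            ports_: {
                [p]: { containerPort: component.allPorts[p] }
                for p in std.objectFields(component.allPorts)
            },
            resources: {
                requests: {
                    cpu: "25m",
                    memory: "64Mi",
                },
                limits: {
                    cpu: "500m",
                    memory: "128Mi",
                },
            },
        },

        // GoContainer is a Container running a hscloud Go binary with hspki
        // flags pointing at the mounted component certificate, logging to
        // stderr and listening for gRPC on all interfaces.
        GoContainer(name, binary):: component.Container(name) {
            command: [
                binary,
                "-hspki_realm", env.pkiRealm,
                "-hspki_cluster", env.pkiClusterFQDN,
                "-hspki_tls_ca_path", "/mnt/pki/ca.crt",
                "-hspki_tls_certificate_path", "/mnt/pki/tls.crt",
                "-hspki_tls_key_path", "/mnt/pki/tls.key",
                "-logtostderr",
                // Must match the "grpc-main" port exposed by allPorts, otherwise
                // the Service would target a port nothing listens on.
                "-listen_address", "0.0.0.0:%d" % [component.grpcListenPort],
            ],
        },

        // The component's Deployment. The pki volume carries the cert-manager
        // issued secret of `pki.cert`; user volumes are merged on top of it.
        deployment: kube.Deployment(component.makeName("-main")) {
            metadata+: component.metadata,
            spec+: {
                template+: {
                    spec+: {
                        volumes_: {
                            pki: {
                                secret: { secretName: component.pki.cert.spec.secretName },
                            },
                        } + cfg.volumes,
                        containers_: cfg.containers,
                        nodeSelector: cfg.nodeSelector,

                        serviceAccountName: component.sa.metadata.name,
                        securityContext: cfg.securityContext,
                    },
                },
            },
        },

        // The component's Service, exposing every port from allPorts under
        // the same name and number as on the container.
        svc: kube.Service(component.makeName("")) { // No suffix, name part of DNS entry.
            metadata+: component.metadata,
            // Presumably used by kube.libsonnet to derive the pod selector.
            target_pod:: component.deployment.spec.template,
            spec+: {
                ports: [
                    {
                        name: p,
                        port: component.allPorts[p],
                        targetPort: component.allPorts[p],
                    }
                    for p in std.objectFields(component.allPorts)
                ],
            },
        },

        // Dedicated ServiceAccount for the component's pods.
        sa: kube.ServiceAccount(component.makeName("-main")) {
            metadata+: component.metadata,
        },

        // In-cluster PKI identity of the component: a certificate issued by
        // the cluster "pki-ca" issuer, valid for the Service's in-cluster DNS
        // names (short, namespaced, .svc, .svc.cluster.local and the
        // cluster-FQDN form used as commonName).
        pki: {
            cert: kube.Certificate(component.makeName("-cert")) {
                metadata+: component.metadata,

                spec: {
                    secretName: component.makeName("-cert"),
                    duration: "35040h0m0s", // 4 years
                    issuerRef: {
                        // Contract with cluster/lib/pki.libsonnet.
                        name: "pki-ca",
                        kind: "ClusterIssuer",
                    },
                    commonName: "%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ],
                    dnsNames: [
                        "%s" % [component.svc.metadata.name ],
                        "%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace ],
                        "%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace ],
                        "%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace ],
                        "%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ],
                    ],
                },
            },
        },
    },
}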