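// kubecfg/jsonnet manifests for the cccampix "IX" deployment: an OctoRPKI
// cache with persistent storage, three single-container backends (irr,
// peeringdb, verifier), a web frontend, a periodic ripe-sync CronJob and the
// public Ingress. Everything is parameterised through `IX.cfg`.
local kube = import "../../../kube/kube.libsonnet";

{
    IX: {
        local ix = self,
        local cfg = ix.cfg,

        // Deployment parameters. Instantiate as `IX { cfg+: { namespace: "...", ... } }`;
        // `namespace` is the only field without a default.
        cfg:: {
            image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565566961-49bf87f8e1ff80e35acd8eb9fc699c4ae0bf250e",

            // Public host name served by the Ingress; its certificate is
            // requested through cert-manager (see the Ingress annotations).
            domain: "ix-status.bgp.wtf",

            octorpki: {
                // Pinned independently of `image`.
                image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565469898-95928eecd7e35e8582fa011d1457643ca398c310",
                storageClassName: "waw-hdd-redundant-2",
                resources: {
                    requests: { cpu: "200m", memory: "1Gi" },
                    limits: { cpu: "1", memory: "2Gi" },
                },
            },

            verifier: {
                image: cfg.image,
                // Database connection. `tlsSecret` names an existing Secret that
                // holds the client certificate, key and CA (provisioned out of
                // band); it is mounted at /tls by the verifier component.
                db: {
                    host: "public.crdb-waw1.svc.cluster.local",
                    port: 26257,
                    username: "cccampix",
                    name: "cccampix",
                    tlsSecret: "client-cccampix-certificate",
                },
            },

            irr: { image: cfg.image },
            peeringdb: { image: cfg.image },
            frontend: {
                image: cfg.image,
                // secretKeyRef (name/key) of the Secret holding the Flask session
                // signing secret. The Secret is provisioned out of band, exactly
                // like the ripe-sync password. The defaults below are placeholders
                // chosen here -- override them to match the Secret actually created.
                flaskSecret: { name: ix.name("frontend"), key: "flask_secret" },
            },

            appName: "ix",
            namespace: error "namespace must be defined",
            // Prepended to every resource name so several instances can share a
            // namespace. Must stay a valid DNS label prefix.
            prefix: "",
        },

        namespace: kube.Namespace(cfg.namespace),

        // Resource name of a component, honouring cfg.prefix.
        name(component):: cfg.prefix + component,

        // Metadata shared by every object: target namespace plus the
        // recommended app.kubernetes.io labels.
        metadata(component):: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": cfg.appName,
                "app.kubernetes.io/managed-by": "kubecfg",
                "app.kubernetes.io/component": component,
            },
        },

        // OctoRPKI cache. Built by hand rather than via component() because it
        // needs a PersistentVolumeClaim, a declared container port and its own
        // image/resources settings.
        octorpki: {
            local port = 8080,
            local objName = ix.name("octorpki"),

            // In-cluster address the verifier dials. Uses the prefixed Service
            // name so it still resolves when cfg.prefix is non-empty.
            address:: "%s.%s.svc.cluster.local:%d" % [
                objName,
                ix.cfg.namespace,
                port,
            ],
            cache: kube.PersistentVolumeClaim(objName) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    storageClassName: cfg.octorpki.storageClassName,
                    accessModes: [ "ReadWriteOnce" ],
                    resources: {
                        requests: {
                            storage: "2Gi",
                        },
                    },
                },
            },
            deployment: kube.Deployment(objName) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: {
                                cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
                            },
                            containers_: {
                                octorpki: kube.Container(objName) {
                                    image: cfg.octorpki.image,
                                    args: [
                                        "/octorpki/entrypoint.sh",
                                    ],
                                    ports_: {
                                        client: { containerPort: port },
                                    },
                                    volumeMounts_: {
                                        cache: { mountPath: "/cache" },
                                    },
                                    resources: cfg.octorpki.resources,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(objName) {
                metadata+: ix.metadata("octorpki"),
                target_pod:: ix.octorpki.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: port, targetPort: port, protocol: "TCP" },
                    ],
                },
            },
        },

        // Template for the single-container backends (irr, peeringdb, verifier,
        // frontend): one Deployment plus one ClusterIP Service. Callers must set
        // `args`; `port`, `volumes`, `volumeMounts` and `env` are optional. All
        // of these are hidden fields, so they never render into the manifests.
        component(name):: {
            local component = self,
            args:: error "args must be set",
            name:: name,
            port:: 4200,
            volumes:: {},
            volumeMounts:: {},
            // Extra container env in kube.libsonnet's `env_` map form (the same
            // shape ripe-sync uses for its secretKeyRef entry).
            env:: {},

            deployment: kube.Deployment(ix.name(name)) {
                metadata+: ix.metadata(name),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: component.volumes,
                            containers_: {
                                [name]: kube.Container(ix.name(name)) {
                                    image: cfg[name].image,
                                    args: component.args,
                                    env_: component.env,
                                    volumeMounts_: component.volumeMounts,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(ix.name(name)) {
                metadata+: ix.metadata(name),
                target_pod:: component.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
                    ],
                },
            },

            // In-cluster address other components dial. Derived from the
            // prefixed Service name (not the bare component name) so it stays
            // valid when cfg.prefix is set.
            address:: "%s.%s.svc.cluster.local:%d" % [
                ix.name(component.name),
                ix.cfg.namespace,
                component.port,
            ],
        },

        // NOTE(review): the backends below start with -hspki_disable; what that
        // switches off is not visible here -- confirm it is intended for
        // in-cluster listeners.
        irr: ix.component("irr") {
            args: [
                "/ix/irr",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
            ],
        },

        peeringdb: ix.component("peeringdb") {
            args: [
                "/ix/peeringdb",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
            ],
        },

        verifier: ix.component("verifier") {
            // Database client certificate material, mounted at /tls and readable
            // by the file owner only (0400).
            volumes: {
                tls: {
                    secret: {
                        secretName: cfg.verifier.db.tlsSecret,
                        defaultMode: kube.parseOctal("0400"),
                    },
                },
            },
            volumeMounts: {
                tls: {
                    mountPath: "/tls",
                },
            },
            args: [
                "/ix/verifier",
                "-hspki_disable",
                // NOTE(review): a CA is supplied but sslmode=require does not, in
                // every driver, verify the server identity against it;
                // sslmode=verify-full would. Confirm the database certificate
                // carries `cfg.verifier.db.host` before tightening.
                "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
                    cfg.verifier.db.username,
                    cfg.verifier.db.host,
                    cfg.verifier.db.port,
                    cfg.verifier.db.name,
                    "/tls/ca.crt",
                    "/tls/tls.crt",
                    "/tls/tls.key",
                ],
                "-peeringdb=" + ix.peeringdb.address,
                "-irr=" + ix.irr.address,
                "-listen_address=0.0.0.0:4200",
                "-octorpki=" + ix.octorpki.address,
            ],
        },

        frontend: ix.component("frontend") {
            port: 8080,
            // The Flask session signing secret is injected from a Secret
            // instead of being written into the manifest; a value checked in
            // here would let anyone with repository access forge sessions.
            env: {
                FLASK_SECRET: {
                    secretKeyRef: cfg.frontend.flaskSecret,
                },
            },
            args: [
                "/ix/frontend.par",
                // $(VAR) is expanded by the kubelet from the container env. The
                // value is still visible in the container's process list; the
                // binary's visible interface only offers a flag for it.
                "--flask_secret=$(FLASK_SECRET)",
                "--listen=0.0.0.0:8080",
                "--verifier=" + ix.verifier.address,
            ],
        },

        // Every five minutes, push data to RIPE via the verifier. The password
        // comes from the Secret `ix.name("ripe-sync")` (key `password`), which
        // must exist in the namespace before the job can run.
        ripeSync: kube.CronJob(ix.name("ripe-sync")) {
            metadata+: ix.metadata("ripe-sync"),
            spec+: {
                schedule: "*/5 * * * *",
                jobTemplate+: {
                    spec+: {
                        selector:: null,
                        template+: {
                            spec+: {
                                containers_: {
                                    "ripe-sync": kube.Container(ix.name("ripe-sync")) {
                                        image: cfg.image,
                                        // The password travels on argv and is therefore
                                        // visible in the pod's process list; the tool's
                                        // interface is not visible here to offer an
                                        // alternative.
                                        args: [
                                            "/ix/ripe-sync.par",
                                            "$(PASSWORD)",
                                            ix.verifier.address,
                                        ],
                                        env_: {
                                            PASSWORD: {
                                                secretKeyRef: {
                                                    name: ix.name("ripe-sync"),
                                                    key: "password",
                                                },
                                            },
                                        },
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },

        // Public entry point: TLS from cert-manager, everything routed to the
        // frontend Service.
        ingress: kube.Ingress(ix.name("ingress")) {
            metadata+: ix.metadata("public") {
                annotations+: {
                    "kubernetes.io/tls-acme": "true",
                    "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                    // "0" removes the ingress controller's request body size cap.
                    "nginx.ingress.kubernetes.io/proxy-body-size": "0",
                },
            },
            spec+: {
                tls: [
                    { hosts: [cfg.domain], secretName: "public-tls" },
                ],
                rules: [
                    {
                        host: cfg.domain,
                        http: {
                            paths: [
                                { path: "/", backend: ix.frontend.svc.name_port },
                            ],
                        },
                    },
                ],
            },
        },
    },
}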