Radek Pietruszewskif5844312023-10-27 22:41:18 +02001local kube = import "../../../kube/hscloud.libsonnet";
Serge Bazanskibeefe442019-07-30 13:03:03 +02002
3{
4 IX: {
5 local ix = self,
6 local cfg = ix.cfg,
// Default configuration for the IX stack. Hidden (`::`), so it is never
// manifested itself; callers override it with `cfg+: { ... }`.
cfg:: {
    // CockroachDB client settings shared by verifier and pgpencryptor; each
    // consumer below only adds its own database name.
    local crdbClient = {
        host: "public.crdb-waw1.svc.cluster.local",
        port: 26257,
        username: "cccampix",
        tlsSecret: "client-cccampix-certificate",
    },

    // Required: evaluation aborts unless the caller provides a namespace.
    namespace: error "namespace must be defined",
    appName: "ix",
    // Prepended to every resource name by name().
    prefix: "",

    // Image used by every component except alice.
    // NOTE(review): this image and the alice one are referenced by tag only,
    // with no @sha256 digest, so the registry decides which bytes actually run.
    image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566584484-a2960f526c36de0dbcd911f05ee9db587e63eb9b",

    octorpki: {
        image: cfg.image,
        storageClassName: "waw-hdd-redundant-2",
        resources: {
            limits: { cpu: "1", memory: "2Gi" },
            requests: { cpu: "200m", memory: "1Gi" },
        },
    },

    verifier: {
        image: cfg.image,
        // Host served by grpcIngress.
        domain: "ix-grpc.bgp.wtf",
        db: crdbClient { name: "cccampix" },
    },

    pgpencryptor: {
        image: cfg.image,
        db: crdbClient { name: "cccampix-pgpencryptor" },
    },

    irr: { image: cfg.image },

    peeringdb: { image: cfg.image },

    frontend: {
        image: cfg.image,
        // Host served by the `ingress` object.
        domain: "ix-status.bgp.wtf",
    },

    alice: {
        image: "registry.k0.hswaw.net/q3k/alice-lg:20190823-1557",
        // Host served by aliceIngress.
        domain: "ix-lg.bgp.wtf",
    },
},
65
// Namespace object for cfg.namespace.
namespace: kube.Namespace(cfg.namespace),

// Resource name for a component: the configured prefix followed by the
// component name.
name(component):: cfg.prefix + component,

// Metadata mixed into each resource with `metadata+:`: the target namespace
// plus the app.kubernetes.io/* labels for the given component.
metadata(component):: {
    local appLabels = {
        "app.kubernetes.io/component": component,
        "app.kubernetes.io/managed-by": "kubecfg",
        "app.kubernetes.io/name": cfg.appName,
    },
    labels: appLabels,
    namespace: cfg.namespace,
},
76
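// OctoRPKI: a PVC-backed cache, a single-container Deployment and a Service.
octorpki: {
    // Cluster-internal host:port handed to the verifier.
    // The host is derived from ix.name() so that it still matches the Service
    // below when cfg.prefix is non-empty; the previous literal "octorpki" was
    // only correct for the default empty prefix.
    address:: "%s.%s.svc.cluster.local:%d" % [
        ix.name("octorpki"),
        ix.cfg.namespace,
        8080,
    ],
    // Persistent cache volume, mounted at /cache in the container.
    cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        storage: "2Gi",
        storageClass: cfg.octorpki.storageClassName,
    },
    deployment: kube.Deployment(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        spec+: {
            template+: {
                spec+: {
                    volumes_: {
                        cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
                    },
                    containers_: {
                        // NOTE(review): no securityContext is set on this
                        // container in this file; confirm whether the kube
                        // library or cluster policy supplies one.
                        octorpki: kube.Container(ix.name("octorpki")) {
                            image: cfg.octorpki.image,
                            args: [
                                "/octorpki/entrypoint.sh",
                            ],
                            ports_: {
                                client: { containerPort: 8080 },
                            },
                            volumeMounts_: {
                                cache: { mountPath: "/cache" },
                            },
                            resources: cfg.octorpki.resources,
                        },
                    },
                },
            },
        },
    },
    // Service in front of the deployment; 8080 must stay in sync with
    // `address` and the containerPort above.
    svc: kube.Service(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        target:: ix.octorpki.deployment,
        spec+: {
            ports: [
                { name: "client", port: 8080, targetPort: 8080, protocol: "TCP" },
            ],
        },
    },
},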
Sergiusz Bazanski1fad2e52019-08-01 20:16:27 +0200125
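// Template for one component: a single-container Deployment, a Service on
// `port`, and the cluster-internal `address` other components dial.
// Users extend it and must set `args`; `port`, `volumes` and `volumeMounts`
// are optional overrides.
component(name):: {
    local component = self,
    // Container command line; evaluation fails if a user does not set it.
    args:: error "args must be set",
    name:: name,
    port:: 4200,
    volumes:: {},
    volumeMounts:: {},

    deployment: kube.Deployment(ix.name(name)) {
        metadata+: ix.metadata(name),
        spec+: {
            template+: {
                spec+: {
                    volumes_: component.volumes,
                    containers_: {
                        // Image comes from the cfg entry of the same name.
                        // NOTE(review): neither resources nor a
                        // securityContext are set here; confirm whether the
                        // kube library or cluster policy supplies them.
                        [name]: kube.Container(ix.name(name)) {
                            image: cfg[name].image,
                            args: component.args,
                            volumeMounts_: component.volumeMounts,
                        },
                    },
                },
            },
        },
    },
    svc: kube.Service(ix.name(name)) {
        metadata+: ix.metadata(name),
        target:: component.deployment,
        spec+: {
            ports: [
                { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
            ],
        },
    },

    // The host goes through ix.name() so that it matches the Service created
    // above when cfg.prefix is non-empty; the bare component name was only
    // correct for the default empty prefix.
    address:: "%s.%s.svc.cluster.local:%d" % [
        ix.name(component.name),
        ix.cfg.namespace,
        component.port,
    ],
},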
167
// IRR component, reached by the verifier through its -irr flag.
// NOTE(review): -hspki_disable presumably switches off the HSPKI TLS/auth
// layer on this listener, which binds all interfaces on port 4200; confirm
// that only in-cluster peers can reach it.
irr: ix.component("irr") {
    args: [
        "/ix/irr",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
    ],
},
175
// PeeringDB component, reached by the verifier through its -peeringdb flag.
// NOTE(review): -hspki_disable presumably switches off the HSPKI TLS/auth
// layer on this listener, which binds all interfaces on port 4200; confirm
// that only in-cluster peers can reach it.
peeringdb: ix.component("peeringdb") {
    args: [
        "/ix/peeringdb",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
    ],
},
183
// Shared CockroachDB client plumbing for components that talk to the
// database: the TLS secret volume, its mount, and the "-dsn" flag builder.
crdb:: {
    // Returns the two-element ["-dsn", <url>] flag list for one db config
    // (reads dbconf.username, .host, .port and .name). The certificate paths
    // point into the /tls mount defined below.
    // NOTE(review): under sslmode=require, whether the server certificate and
    // hostname are actually verified depends on the client driver; verify-full
    // would make that explicit. Confirm the server certificate names first.
    args(dbconf): [
        "-dsn",
        std.format(
            "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s",
            [
                dbconf.username,
                dbconf.host,
                dbconf.port,
                dbconf.name,
                "/tls/ca.crt",
                "/tls/tls.crt",
                "/tls/tls.key",
            ]
        ),
    ],
    volumeMounts: {
        tls: { mountPath: "/tls" },
    },
    volumes: {
        tls: {
            secret: {
                // Files are owner-read-only so the client key is not readable
                // by other users in the container.
                defaultMode: kube.parseOctal("0400"),
                // NOTE(review): always the verifier's secret, including when
                // pgpencryptor uses this volume; cfg.pgpencryptor.db.tlsSecret
                // is not read here.
                secretName: cfg.verifier.db.tlsSecret,
            },
        },
    },
},
210
// Verifier: talks to peeringdb, irr, octorpki and pgpencryptor, and to
// CockroachDB through the shared crdb TLS volume and DSN.
// NOTE(review): this service is also published through grpcIngress while
// running with -hspki_disable, which presumably turns off the HSPKI TLS/auth
// layer; confirm what authenticates external gRPC callers.
verifier: ix.component("verifier") {
    // Addresses of the backing services, in the original flag order.
    local backendFlags = [
        "-peeringdb=" + ix.peeringdb.address,
        "-irr=" + ix.irr.address,
        "-octorpki=" + ix.octorpki.address,
        "-pgpencryptor=" + ix.pgpencryptor.address,
    ],
    local baseFlags = [
        "/ix/verifier",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
    ],

    volumeMounts: ix.crdb.volumeMounts,
    volumes: ix.crdb.volumes,
    args: baseFlags + backendFlags + ix.crdb.args(cfg.verifier.db),
},
224
// PGP encryptor: uses the shared crdb TLS volume and a DSN built from
// cfg.pgpencryptor.db.
// NOTE(review): -hspki_disable presumably switches off the HSPKI TLS/auth
// layer on this listener (all interfaces, port 4200); confirm that only
// in-cluster peers can reach it.
pgpencryptor: ix.component("pgpencryptor") {
    volumes: ix.crdb.volumes,
    volumeMounts: ix.crdb.volumeMounts,
    args: [
        "/ix/pgpencryptor",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
    ] + ix.crdb.args(cfg.pgpencryptor.db),
},
234
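// Status frontend: listens on 8080 and calls the verifier.
frontend: ix.component("frontend") {
    port: 8080,
    args: [
        "/ix/frontend.par",
        // The secret (presumably Flask's session-signing key) used to be a
        // literal committed in this file, readable by anyone with repository
        // access. It now comes from a Secret and is substituted by Kubernetes
        // through $(FLASK_SECRET).
        // NOTE(review): the value still ends up in the process arguments;
        // reading it from the environment inside the program would avoid that.
        "--flask_secret=$(FLASK_SECRET)",
        "--listen=0.0.0.0:8080",
        "--verifier=" + ix.verifier.address,
    ],
    deployment+: {
        spec+: {
            template+: {
                spec+: {
                    containers_+: {
                        frontend+: {
                            env_: {
                                FLASK_SECRET: {
                                    // Secret name and key are introduced by
                                    // this change. Create the Secret with a
                                    // freshly generated random value before
                                    // rollout; the old committed value must
                                    // be treated as disclosed.
                                    secretKeyRef: {
                                        name: ix.name("frontend"),
                                        key: "flask_secret",
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },
    },
},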
244
// alice-lg looking glass: the component template plus two ConfigMaps, mounted
// at /etc/alice (configuration) and /etc/alice-theme (theme).
// NOTE(review): every birdwatcher `api` URL in the config below is plain
// http://, so route data is fetched without transport authentication or
// integrity protection; confirm that this path is on a trusted network.
// NOTE(review): leading whitespace inside the two ||| text blocks is
// reconstructed; compare with the repository copy before applying.
alice: ix.component("alice") {
    port: 7340,
    volumes: {
        config: kube.ConfigMapVolume(ix.alice.configMap),
        theme: kube.ConfigMapVolume(ix.alice.themeMap),
    },
    volumeMounts: {
        config: {
            mountPath: "/etc/alice",
        },
        theme: {
            mountPath: "/etc/alice-theme",
        },
    },
    args: [
        "/usr/bin/alice-lg",
        "-config", "/etc/alice/alice",
    ],

    // Theme override: sets the page title and tagline texts.
    themeMap: kube.ConfigMap(ix.name("alice-theme")) {
        metadata+: ix.metadata("alice-theme"),
        data: {
            "content.js": |||
                Alice.updateContent({
                    header: {
                        title: "CCCampIX Looking Glass",
                        tagline: "powered by alice-lg"
                    },
                    welcome: {
                        title: "CCCampIX Looking Glass",
                        tagline: "BGP to the tent."
                    }
                });
            |||,
        },
    },
    // alice-lg configuration. listen_http must match `port` above; the four
    // [source.*] sections point at birdwatcher endpoints on ports 3000-3003.
    configMap: kube.ConfigMap(ix.name("alice")) {
        metadata+: ix.metadata("alice"),
        data: {
            config: |||
                [server]
                listen_http = 0.0.0.0:7340
                enable_neighbors_status_refresh = false
                asn = 208521

                [housekeeping]
                interval = 5
                force_release_memory = true

                [theme]
                path = /etc/alice-theme

                [pagination]
                routes_filtered_page_size = 250
                routes_accepted_page_size = 250
                routes_not_exported_page_size = 250

                [rejection_reasons]
                208521:65666:1 = An IP Bogon was detected
                208521:65666:2 = Prefix is longer than 64
                208521:65666:3 = Prefix is longer than 24
                208521:65666:4 = AS path contains a bogon AS
                208521:65666:5 = AS path length is longer than 64
                208521:65666:6 = BGP Path invalid (must be only peer)
                208521:65666:9 = Prefix not found in RPKI for Origin AS

                [neighbours_columns]
                Description = Description
                address = Neighbour
                asn = ASN
                state = State
                Uptime = Uptime
                routes_received = Routes Received
                routes_filtered = Filtered

                [routes_columns]
                network = Network
                gateway = Gateway
                interface = Interface
                metric = Metric
                bgp.as_path = AS Path

                [lookup_columns]
                network = Network
                gateway = Gateway
                neighbour.asn = ASN
                neighbour.description = Description
                bgp.as_path = AS Path
                routeserver.name = RS

                [source.rs1-camp-v4]
                name = rs1.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs1-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3000/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs1-camp-v6]
                name = rs1.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs1-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3001/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v4]
                name = rs2.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs2-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3002/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v6]
                name = rs2.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs2-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3003/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05
            |||,
        },
    },
},
386
// CronJob that runs /ix/ripe-sync.par every five minutes against the
// verifier.
ripeSync: kube.CronJob(ix.name("ripe-sync")) {
    local syncName = ix.name("ripe-sync"),

    // The password is read from the Secret named like this job (key
    // "password") and substituted into the argument list by Kubernetes via
    // $(PASSWORD), so it is not stored in this file.
    // NOTE(review): it still ends up in the process arguments, where anything
    // able to list processes in the pod or on the node can read it; having the
    // tool read PASSWORD from its environment would avoid that.
    local syncContainer = kube.Container(syncName) {
        image: cfg.image,
        env_: {
            PASSWORD: {
                secretKeyRef: { name: syncName, key: "password" },
            },
        },
        args: [
            "/ix/ripe-sync.par",
            "$(PASSWORD)",
            ix.verifier.address,
        ],
    },

    metadata+: ix.metadata("ripe-sync"),
    spec+: {
        schedule: "*/5 * * * *",
        jobTemplate+: {
            spec+: {
                // Overrides the inherited selector with a hidden null.
                selector:: null,
                template+: {
                    spec+: {
                        containers_: { "ripe-sync": syncContainer },
                    },
                },
            },
        },
    },
},
420
// Ingress for cfg.frontend.domain, routed to the frontend Service.
// NOTE(review): TLS handling is not visible here; it is whatever
// kube.SimpleIngress sets up. Confirm against the library.
ingress: kube.SimpleIngress("ingress") {
    hosts:: [cfg.frontend.domain],
    target_service:: ix.frontend.svc,
    metadata+: ix.metadata("public"),
},
Serge Bazanskiec71cb52019-08-22 18:13:13 +0200426
// Ingress for cfg.alice.domain, routed to the alice-lg Service.
// NOTE(review): no authentication is configured on this object, so the
// looking glass is reachable by anyone who can reach the ingress; confirm
// that this is intended.
aliceIngress: kube.SimpleIngress("alice") {
    hosts:: [cfg.alice.domain],
    target_service:: ix.alice.svc,
    metadata+: ix.metadata("alice"),
},
432
// Ingress for cfg.verifier.domain, proxied by nginx to the verifier Service
// as gRPC, with plain HTTP redirected to HTTPS.
// NOTE(review): the verifier is started with -hspki_disable, so whatever
// authenticates callers arriving through this ingress is not visible in this
// file; confirm that the exposed gRPC methods are meant to be public.
grpcIngress: kube.SimpleIngress("grpc") {
    hosts:: [cfg.verifier.domain],
    target_service:: ix.verifier.svc,
    // NOTE(review): labels this ingress with component "alice" although it
    // targets the verifier; looks like a copy-paste, confirm the intended
    // component name.
    metadata+: ix.metadata("alice") {
        annotations+: {
            "kubernetes.io/ingress.class": "nginx",
            "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            "nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
        },
    },
},
Serge Bazanskibeefe442019-07-30 13:03:03 +0200444 },
445}