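// kubecfg/jsonnet manifests for the bgpwtf "ix" stack: an OctoRPKI validator with
// a persistent cache, a set of internal services built from one image (irr,
// peeringdb, verifier, pgpencryptor), a Flask frontend published through an nginx
// Ingress, and a CronJob that pushes data from RIPE into the verifier.
//
// Secrets referenced here (ripe-sync password, frontend Flask secret, CockroachDB
// client certificate) are NOT created by this file; they must exist in
// cfg.namespace before the Deployments can start.
local kube = import "../../../kube/kube.libsonnet";

{
    IX: {
        local ix = self,
        local cfg = ix.cfg,

        // Per-environment configuration. Override in the environment file;
        // `namespace` deliberately has no default.
        cfg:: {
            // Image shared by every /ix/* service, pinned by build timestamp and commit.
            image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565803250-3a1811e363502c697ea337c15d653698bd662dae",

            // Public hostname served by the Ingress; also the name on the ACME certificate.
            domain: "ix-status.bgp.wtf",
            octorpki: {
                image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565469898-95928eecd7e35e8582fa011d1457643ca398c310",
                storageClassName: "waw-hdd-redundant-2",
                resources: {
                    requests: { cpu: "200m", memory: "1Gi" },
                    limits: { cpu: "1", memory: "2Gi" },
                },
            },

            verifier: {
                image: cfg.image,
                db: {
                    host: "public.crdb-waw1.svc.cluster.local",
                    port: 26257,
                    username: "cccampix",
                    name: "cccampix",
                    // Secret with ca.crt / tls.crt / tls.key used for client-certificate
                    // authentication to CockroachDB (see crdb below).
                    tlsSecret: "client-cccampix-certificate",
                },
            },

            pgpencryptor: {
                image: cfg.image,
                db: {
                    host: "public.crdb-waw1.svc.cluster.local",
                    port: 26257,
                    username: "cccampix",
                    name: "cccampix-pgpencryptor",
                    tlsSecret: "client-cccampix-certificate",
                },
            },

            irr: { image: cfg.image },
            peeringdb: { image: cfg.image },
            frontend: { image: cfg.image },

            appName: "ix",
            namespace: error "namespace must be defined",
            // Prepended to every resource name by name(); empty by default.
            prefix: "",
        },

        namespace: kube.Namespace(cfg.namespace),
        // Kubernetes resource name for a component, with cfg.prefix applied.
        name(component):: cfg.prefix + component,
        // Common metadata (namespace plus recommended app.kubernetes.io labels).
        metadata(component):: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": cfg.appName,
                "app.kubernetes.io/managed-by": "kubecfg",
                "app.kubernetes.io/component": component,
            },
        },

        // OctoRPKI validator with a persistent cache; only consumed in-cluster by the
        // verifier over port 8080.
        octorpki: {
            local port = 8080,
            // Cluster-internal address of the Service. The Service is created with the
            // prefixed name, so the prefixed name is what DNS resolves.
            address:: "%s.%s.svc.cluster.local:%d" % [
                ix.name("octorpki"),
                ix.cfg.namespace,
                port,
            ],
            cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    storageClassName: cfg.octorpki.storageClassName,
                    accessModes: ["ReadWriteOnce"],
                    resources: {
                        requests: {
                            storage: "2Gi",
                        },
                    },
                },
            },
            deployment: kube.Deployment(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: {
                                cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
                            },
                            containers_: {
                                octorpki: kube.Container(ix.name("octorpki")) {
                                    image: cfg.octorpki.image,
                                    args: [
                                        "/octorpki/entrypoint.sh",
                                    ],
                                    ports_: {
                                        client: { containerPort: port },
                                    },
                                    volumeMounts_: {
                                        cache: { mountPath: "/cache" },
                                    },
                                    // The only component with explicit limits; the
                                    // others inherit whatever kube.Container defaults to.
                                    resources: cfg.octorpki.resources,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                target_pod:: ix.octorpki.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: port, targetPort: port, protocol: "TCP" },
                    ],
                },
            },
        },

        // Template for one /ix/* service: a Deployment running cfg[name].image with
        // `args`, plus a ClusterIP Service on `port`. Derived objects must set `args`
        // and may override `port`, `volumes`, `volumeMounts` and `env`.
        component(name):: {
            local component = self,
            args:: error "args must be set",
            name:: name,
            port:: 4200,
            volumes:: {},
            volumeMounts:: {},
            // Extra env_ entries for the container, e.g. secretKeyRef values that
            // `args` can reference as $(VAR) instead of embedding the value.
            env:: {},

            deployment: kube.Deployment(ix.name(name)) {
                metadata+: ix.metadata(name),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: component.volumes,
                            containers_: {
                                [name]: kube.Container(ix.name(name)) {
                                    image: cfg[name].image,
                                    args: component.args,
                                    env_: component.env,
                                    volumeMounts_: component.volumeMounts,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(ix.name(name)) {
                metadata+: ix.metadata(name),
                target_pod:: component.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
                    ],
                },
            },

            // Cluster-internal address of this component's Service, using the
            // prefixed Service name (the unprefixed name only resolves when cfg.prefix
            // is empty).
            address:: "%s.%s.svc.cluster.local:%d" % [
                ix.name(component.name),
                ix.cfg.namespace,
                component.port,
            ],
        },

        // NOTE(review): every internal service below runs with `-hspki_disable`,
        // presumably turning off the cluster-PKI based client/server authentication
        // these binaries otherwise enforce. With it off, anything that can reach the
        // Service on port 4200 can call the API; confirm a NetworkPolicy fences the
        // namespace or drop the flag once certificates are provisioned.
        irr: ix.component("irr") {
            args: [
                "/ix/irr",
                "-hspki_disable",
                // Bind to the same port the Service targets.
                "-listen_address=0.0.0.0:%d" % self.port,
            ],
        },

        peeringdb: ix.component("peeringdb") {
            args: [
                "/ix/peeringdb",
                "-hspki_disable",
                "-listen_address=0.0.0.0:%d" % self.port,
            ],
        },

        // Shared CockroachDB client wiring: mounts the client certificate Secret at
        // /tls and builds the -dsn flag pointing at it.
        crdb:: {
            // Volume for the client certificate named by dbconf.tlsSecret (ca.crt,
            // tls.crt, tls.key). 0400 keeps the private key readable only by the
            // container user.
            volumesFor(dbconf):: {
                tls: {
                    secret: {
                        secretName: dbconf.tlsSecret,
                        defaultMode: kube.parseOctal("0400"),
                    },
                },
            },
            // Compatibility alias: volumes for the verifier's db config. Prefer
            // volumesFor(cfg.<component>.db) so each component honours its own tlsSecret.
            volumes: self.volumesFor(cfg.verifier.db),
            volumeMounts: {
                tls: {
                    mountPath: "/tls",
                },
            },
            // -dsn flag for dbconf. sslmode=verify-full makes the driver validate the
            // server certificate against sslrootcert AND match dbconf.host against it;
            // plain `require` only guarantees encryption (libpq-style drivers upgrade it
            // to verify-ca when a root cert is present, but never check the hostname).
            // The CockroachDB node certificate therefore needs dbconf.host in its SANs.
            args(dbconf): [
                "-dsn", "postgres://%s@%s:%d/%s?sslmode=verify-full&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
                    dbconf.username,
                    dbconf.host,
                    dbconf.port,
                    dbconf.name,
                    "/tls/ca.crt",
                    "/tls/tls.crt",
                    "/tls/tls.key",
                ],
            ],
        },

        verifier: ix.component("verifier") {
            volumes: ix.crdb.volumesFor(cfg.verifier.db),
            volumeMounts: ix.crdb.volumeMounts,
            args: [
                "/ix/verifier",
                "-hspki_disable",
                "-listen_address=0.0.0.0:%d" % self.port,
                "-peeringdb=" + ix.peeringdb.address,
                "-irr=" + ix.irr.address,
                "-octorpki=" + ix.octorpki.address,
            ] + ix.crdb.args(cfg.verifier.db),
        },

        pgpencryptor: ix.component("pgpencryptor") {
            // Uses its own db config (and its own tlsSecret, if ever changed) rather
            // than the verifier's.
            volumes: ix.crdb.volumesFor(cfg.pgpencryptor.db),
            volumeMounts: ix.crdb.volumeMounts,
            args: [
                "/ix/pgpencryptor",
                "-hspki_disable",
                "-listen_address=0.0.0.0:%d" % self.port,
            ] + ix.crdb.args(cfg.pgpencryptor.db),
        },

        // Flask frontend, the only component exposed by the Ingress.
        frontend: ix.component("frontend") {
            port: 8080,
            // Flask's secret key signs session cookies: anyone who knows it can forge a
            // session, so it must not be a literal in this (version-controlled) file.
            // It is read from the `frontend` Secret, key `flask_secret`, which is
            // created out of band exactly like the ripe-sync password below.
            env: {
                FLASK_SECRET: {
                    secretKeyRef: {
                        name: ix.name("frontend"),
                        key: "flask_secret",
                    },
                },
            },
            args: [
                "/ix/frontend.par",
                "--flask_secret=$(FLASK_SECRET)",
                "--listen=0.0.0.0:%d" % self.port,
                "--verifier=" + ix.verifier.address,
            ],
        },

        // Every 5 minutes, push RIPE data into the verifier using a password from the
        // `ripe-sync` Secret.
        ripeSync: kube.CronJob(ix.name("ripe-sync")) {
            metadata+: ix.metadata("ripe-sync"),
            spec+: {
                schedule: "*/5 * * * *",
                // Do not stack runs if one is still going after 5 minutes.
                concurrencyPolicy: "Forbid",
                jobTemplate+: {
                    spec+: {
                        selector:: null,
                        template+: {
                            spec+: {
                                containers_: {
                                    "ripe-sync": kube.Container(ix.name("ripe-sync")) {
                                        image: cfg.image,
                                        // NOTE(review): the password is expanded into argv,
                                        // so it is visible to anyone who can read the pod
                                        // spec or the node's process list. ripe-sync.par
                                        // takes it positionally; if the tool learns to read
                                        // an env var, pass only the name here.
                                        args: [
                                            "/ix/ripe-sync.par",
                                            "$(PASSWORD)",
                                            ix.verifier.address,
                                        ],
                                        env_: {
                                            PASSWORD: {
                                                secretKeyRef: {
                                                    name: ix.name("ripe-sync"),
                                                    key: "password",
                                                },
                                            },
                                        },
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },

        // Public entrypoint: TLS via cert-manager (letsencrypt-prod), routed to the
        // frontend. The resource name and the `public-tls` Secret intentionally stay
        // unprefixed: renaming them would recreate the Ingress and re-issue the cert.
        ingress: kube.Ingress("ingress") {
            metadata+: ix.metadata("public") {
                annotations+: {
                    "kubernetes.io/tls-acme": "true",
                    "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                    // "0" removes nginx's request-body size limit for this host; the
                    // frontend is then the only thing bounding upload size.
                    "nginx.ingress.kubernetes.io/proxy-body-size": "0",
                },
            },
            spec+: {
                tls: [
                    { hosts: [cfg.domain], secretName: "public-tls" },
                ],
                rules: [
                    {
                        host: cfg.domain,
                        http: {
                            paths: [
                                { path: "/", backend: ix.frontend.svc.name_port },
                            ],
                        },
                    },
                ],
            },
        },
    },
}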