Radek Pietruszewski | f584431 | 2023-10-27 22:41:18 +0200 | [diff] [blame] | 1 | local kube = import "../../../kube/hscloud.libsonnet"; |
Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 2 | |
| 3 | { |
| 4 | local app = self, |
| 5 | local cfg = app.cfg, |
| 6 | |
| 7 | cfg:: { |
| 8 | namespace: error "cfg.namespace must be set", |
| 9 | webDomain: error "cfg.webDomain must be set", |
| 10 | images: { |
| 11 | web: "registry.k0.hswaw.net/implr/mailman-web:0.6", |
| 12 | # https://github.com/octeep/wireproxy |
| 13 | wireproxy: "registry.k0.hswaw.net/implr/wireproxy:1.0.5" |
| 14 | }, |
| 15 | passwords: { |
| 16 | postgres: error "cfg.secrets.postgres must be set", |
| 17 | mailmanRest: error "cfg.secrets.mailmanRest must be set", |
| 18 | mailmanArchiver: error "cfg.secrets.mailmanArchiver must be set", |
| 19 | }, |
| 20 | smtp: { |
| 21 | user: "postorius", |
| 22 | # from mail server |
| 23 | password: error "cfg.smtp.password must be set", |
| 24 | }, |
| 25 | secrets: { |
| 26 | djangoSecretKey: error "cfg.secrets.djangoSecretKey must be set", |
| 27 | }, |
| 28 | wg: { |
| 29 | peerPubkey: error "cfg.wg.peerPubkey must be set", |
| 30 | privkey: error "cfg.wg.privkey must be set", |
| 31 | endpoint: error "cfg.wg.endpoint must be set", |
| 32 | }, |
| 33 | }, |
| 34 | |
| 35 | env:: { |
| 36 | WEB_DOMAIN: cfg.webDomain, |
| 37 | BIND_ADDR: "0.0.0.0:8080", |
| 38 | |
| 39 | //DB_HOST: app.postgres.svc.host, |
| 40 | DB_HOST: "boston-packets.hackerspace.pl", |
| 41 | DB_USER: "mailman", |
| 42 | DB_NAME: "mailman-web", |
| 43 | DB_PASS: kube.SecretKeyRef(app.config, "postgres-pass"), |
| 44 | DB_PORT: "5432", |
| 45 | |
| 46 | |
| 47 | SMTP_HOST: "mail.hackerspace.pl", |
| 48 | SMTP_PORT: "587", |
| 49 | SMTP_USER: "postorius", |
| 50 | SMTP_PASSWORD: kube.SecretKeyRef(app.config, "smtp-password"), |
| 51 | |
| 52 | SECRET_KEY: kube.SecretKeyRef(app.config, "django-secret-key"), |
| 53 | MAILMAN_REST_API_PASS: kube.SecretKeyRef(app.config, 'mailman-api-password'), |
| 54 | MAILMAN_ARCHIVER_KEY: kube.SecretKeyRef(app.config, 'mailman-archiver-key'), |
| 55 | |
| 56 | }, |
| 57 | |
radex | 99ed6a7 | 2023-11-24 11:42:55 +0100 | [diff] [blame^] | 58 | local ns = kube.Namespace(cfg.namespace), |
Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 59 | |
| 60 | web: ns.Contain(kube.Deployment("web")) { |
| 61 | spec+: { |
| 62 | minReadySeconds: 10, |
| 63 | replicas: 1, |
| 64 | template+: { |
| 65 | spec+: { |
| 66 | initContainers_: { |
| 67 | migrate: kube.Container("migrate") { |
| 68 | image: cfg.images.web, |
| 69 | env_: app.env, |
| 70 | args: [ |
| 71 | "manage", "migrate", |
| 72 | ], |
| 73 | }, |
| 74 | }, |
| 75 | volumes_: { |
| 76 | config: kube.SecretVolume(app.wireproxyConfig), |
| 77 | }, |
| 78 | containers_: { |
| 79 | default: kube.Container("default") { |
| 80 | image: cfg.images.web, |
| 81 | env_: app.env, |
| 82 | args: ["serve"], |
| 83 | ports_: { |
| 84 | web: { containerPort: 8080 }, |
| 85 | }, |
| 86 | # readinessProbe: { |
| 87 | # httpGet: { |
| 88 | # path: "/", |
| 89 | # port: "web", |
| 90 | # }, |
| 91 | # failureThreshold: 10, |
| 92 | # periodSeconds: 5, |
| 93 | # }, |
| 94 | resources: { |
| 95 | requests: { |
| 96 | cpu: "250m", |
| 97 | memory: "1024M", |
| 98 | }, |
| 99 | limits: { |
| 100 | cpu: "1", |
| 101 | memory: "1024M", |
| 102 | }, |
| 103 | }, |
| 104 | }, |
| 105 | wireproxy: kube.Container("wireproxy") { |
| 106 | image: cfg.images.wireproxy, |
| 107 | resources: { |
| 108 | requests: { |
| 109 | cpu: "100m", |
| 110 | memory: "64M", |
| 111 | }, |
| 112 | limits: { |
| 113 | cpu: "200m", |
| 114 | memory: "128M", |
| 115 | }, |
| 116 | }, |
| 117 | volumeMounts_: { |
| 118 | config: { mountPath: "/etc/wireproxy/config", subPath: "config" } |
| 119 | }, |
| 120 | }, |
| 121 | }, |
| 122 | }, |
| 123 | }, |
| 124 | }, |
| 125 | }, |
| 126 | |
| 127 | local manifestIniMultisection(sname, values) = std.join('\n', |
| 128 | [std.manifestIni({ |
| 129 | sections: { |
| 130 | [sname]: i, |
| 131 | }}) for i in values]), |
| 132 | wireproxyConfig: ns.Contain(kube.Secret("wireproxy-config")) { |
| 133 | data: { |
| 134 | config: std.base64(std.manifestIni({ |
| 135 | sections: { |
| 136 | Interface: { |
| 137 | Address: cfg.wg.address, |
| 138 | PrivateKey: cfg.wg.privkey, |
| 139 | }, |
| 140 | Peer: { |
| 141 | PublicKey: cfg.wg.peerPubkey, |
| 142 | Endpoint: cfg.wg.endpoint, |
| 143 | }, |
| 144 | |
| 145 | }, |
| 146 | }) + manifestIniMultisection("TCPClientTunnel", [ |
| 147 | # { |
| 148 | # # postgres |
| 149 | # ListenPort: 5432, |
| 150 | # Target: "localhost:5432", |
| 151 | # }, |
| 152 | { |
| 153 | # mailman core api |
| 154 | BindAddress: "127.0.0.1:8001", |
| 155 | Target: "172.17.1.1:8001", |
| 156 | }, |
| 157 | ])), |
| 158 | }, |
| 159 | }, |
| 160 | |
| 161 | |
| 162 | svcWeb: ns.Contain(kube.Service("web")) { |
radex | 8b8f387 | 2023-11-24 11:09:46 +0100 | [diff] [blame] | 163 | target:: app.web, |
Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 164 | spec+: { |
| 165 | # hax |
| 166 | type: "LoadBalancer", |
| 167 | externalTrafficPolicy: "Local", |
| 168 | }, |
| 169 | }, |
| 170 | |
| 171 | |
Radek Pietruszewski | f584431 | 2023-10-27 22:41:18 +0200 | [diff] [blame] | 172 | #ingress: ns.Contain(kube.SimpleIngress("mailman")) { |
| 173 | # hosts:: [cfg.webDomain], |
| 174 | # target_service:: app.svcWeb, |
Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 175 | #}, |
| 176 | |
| 177 | config: ns.Contain(kube.Secret("config")) { |
| 178 | data_: { |
| 179 | "postgres-pass": cfg.passwords.postgres, |
| 180 | "django-secret-key": cfg.secrets.djangoSecretKey, |
| 181 | |
| 182 | "smtp-password": cfg.smtp.password, |
| 183 | |
| 184 | "mailman-api-password": cfg.mailmanCore.mailmanApiPass, |
| 185 | "mailman-archiver-key": cfg.mailmanCore.mailmanArchiverKey, |
| 186 | |
| 187 | }, |
| 188 | }, |
| 189 | } |