Radek Pietruszewskif5844312023-10-27 22:41:18 +02001local kube = import "../../../kube/hscloud.libsonnet";
Serge Bazanskibeefe442019-07-30 13:03:03 +02002
3{
4 IX: {
5 local ix = self,
6 local cfg = ix.cfg,
// Tunables for the whole IX deployment; callers override fields through cfg+.
cfg:: {
    // Deployment identity. namespace has no default and must be supplied.
    namespace: error "namespace must be defined",
    appName: "ix",
    prefix: "",

    // Default image for the first-party components below.
    // NOTE(review): this is a tag reference, and tags can be repointed in a
    // registry; consider pinning by digest (image@sha256:<digest>) so the
    // deployed content cannot change without a change to this file.
    image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566584484-a2960f526c36de0dbcd911f05ee9db587e63eb9b",

    // CockroachDB client settings common to verifier and pgpencryptor; only
    // the database name differs. Both use the same user and the same client
    // certificate Secret.
    local crdbClient = {
        host: "public.crdb-waw1.svc.cluster.local",
        port: 26257,
        username: "cccampix",
        tlsSecret: "client-cccampix-certificate",
    },

    octorpki: {
        image: cfg.image,
        storageClassName: "waw-hdd-redundant-2",
        resources: {
            limits: { cpu: "1", memory: "2Gi" },
            requests: { cpu: "200m", memory: "1Gi" },
        },
    },

    verifier: {
        image: cfg.image,
        domain: "ix-grpc.bgp.wtf",
        db: crdbClient { name: "cccampix" },
    },

    pgpencryptor: {
        image: cfg.image,
        db: crdbClient { name: "cccampix-pgpencryptor" },
    },

    irr: { image: cfg.image },

    peeringdb: { image: cfg.image },

    frontend: {
        image: cfg.image,
        domain: "ix-status.bgp.wtf",
    },

    // alice-lg runs from its own image rather than cfg.image.
    alice: {
        image: "registry.k0.hswaw.net/q3k/alice-lg:20190823-1557",
        domain: "ix-lg.bgp.wtf",
    },
},
65
radex99ed6a72023-11-24 11:42:55 +010066 local ns = kube.Namespace(cfg.namespace),
67
// Object name for a component: cfg.prefix followed by the component name.
name(component):: cfg.prefix + component,

// Metadata mixed into every object: the target namespace plus the
// app.kubernetes.io name / managed-by / component labels.
metadata(component):: {
    local appLabels = {
        "app.kubernetes.io/component": component,
        "app.kubernetes.io/managed-by": "kubecfg",
        "app.kubernetes.io/name": cfg.appName,
    },
    labels: appLabels,
    namespace: cfg.namespace,
},
77
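// octorpki: a persistent cache volume, the Deployment and the Service in front of it.
octorpki: {
    // Single source for the port used by the container, the Service and the address.
    local clientPort = 8080,

    // In-cluster host:port handed to other components. Built from
    // ix.name("octorpki"), the same name the Service below is created with, so
    // the address still matches the Service when cfg.prefix is non-empty
    // (with the default empty prefix the value is unchanged).
    address:: "%s.%s.svc.cluster.local:%d" % [
        ix.name("octorpki"),
        ix.cfg.namespace,
        clientPort,
    ],
    // Claim backing /cache in the container.
    cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        storage:: "2Gi",
        storageClass:: cfg.octorpki.storageClassName,
    },
    deployment: kube.Deployment(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        spec+: {
            template+: {
                spec+: {
                    volumes_: {
                        cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
                    },
                    containers_: {
                        // NOTE(review): no securityContext is set here; whether
                        // kube.Container supplies one is not visible in this file.
                        octorpki: kube.Container(ix.name("octorpki")) {
                            image: cfg.octorpki.image,
                            args: [
                                "/octorpki/entrypoint.sh",
                            ],
                            ports_: {
                                client: { containerPort: clientPort },
                            },
                            volumeMounts_: {
                                cache: { mountPath: "/cache" },
                            },
                            // CPU/memory requests and limits come from cfg.octorpki.resources.
                            resources: cfg.octorpki.resources,
                        },
                    },
                },
            },
        },
    },
    svc: kube.Service(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        target:: ix.octorpki.deployment,
        spec+: {
            ports: [
                { name: "client", port: clientPort, targetPort: clientPort, protocol: "TCP" },
            ],
        },
    },
},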
Sergiusz Bazanski1fad2e52019-08-01 20:16:27 +0200126
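// Template for a single-container service: a Deployment, a Service on
// `port`, and the in-cluster address of that Service.
// `name` must be a key of cfg, because the image is read from cfg[name].image.
// Users set `args` (required) and may override port, volumes and volumeMounts.
component(name):: {
    local component = self,
    args:: error "args must be set",
    name:: name,
    port:: 4200,
    volumes:: {},
    volumeMounts:: {},

    deployment: kube.Deployment(ix.name(name)) {
        metadata+: ix.metadata(name),
        spec+: {
            template+: {
                spec+: {
                    volumes_: component.volumes,
                    containers_: {
                        // NOTE(review): no resources or securityContext are set for
                        // these containers (octorpki above does set resources).
                        [name]: kube.Container(ix.name(name)) {
                            image: cfg[name].image,
                            args: component.args,
                            volumeMounts_: component.volumeMounts,
                        },
                    },
                },
            },
        },
    },
    svc: kube.Service(ix.name(name)) {
        metadata+: ix.metadata(name),
        target:: component.deployment,
        spec+: {
            ports: [
                { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
            ],
        },
    },

    // host:port of the Service above. The host goes through ix.name() so it
    // carries cfg.prefix like the Service itself does; previously the bare
    // component name was used, which only matched while the prefix was empty.
    address:: "%s.%s.svc.cluster.local:%d" % [
        ix.name(component.name),
        ix.cfg.namespace,
        component.port,
    ],
},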
168
// The irr component, built from the shared component template.
// NOTE(review): -hspki_disable presumably switches off hscloud PKI on this
// listener (confirm); together with the 0.0.0.0 bind that would leave access
// control to whatever network policy applies in the namespace.
irr: ix.component("irr") {
    local binary = "/ix/irr",
    args: [binary, "-hspki_disable", "-listen_address=0.0.0.0:4200"],
},
176
// The peeringdb component, built from the shared component template.
// NOTE(review): -hspki_disable presumably switches off hscloud PKI on this
// listener (confirm); together with the 0.0.0.0 bind that would leave access
// control to whatever network policy applies in the namespace.
peeringdb: ix.component("peeringdb") {
    local binary = "/ix/peeringdb",
    args: [binary, "-hspki_disable", "-listen_address=0.0.0.0:4200"],
},
184
// Shared CockroachDB client plumbing: the TLS Secret volume, its mount point,
// and a helper that builds the -dsn argument from a db config object.
crdb:: {
    volumes: {
        tls: {
            secret: {
                // NOTE(review): always the verifier's tlsSecret, including when
                // pgpencryptor uses this helper; cfg.pgpencryptor.db.tlsSecret is
                // not read anywhere in the visible file. The two defaults are equal.
                secretName: cfg.verifier.db.tlsSecret,
                // Files are owner-read-only, which keeps the private key from
                // being group- or world-readable inside the container.
                defaultMode: kube.parseOctal("0400"),
            },
        },
    },
    volumeMounts: {
        tls: {
            mountPath: "/tls",
        },
    },
    // Returns ["-dsn", <postgres URL>] for dbconf (reads username, host, port, name).
    // The URL carries no password; the client presents /tls/tls.crt and /tls/tls.key.
    // NOTE(review): sslmode=require guarantees encryption only; how far the server
    // certificate is checked against /tls/ca.crt depends on the client driver.
    // If the server certificate covers dbconf.host, sslmode=verify-full would also
    // pin the hostname — confirm before changing.
    args(dbconf): [
        "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
            dbconf.username,
            dbconf.host,
            dbconf.port,
            dbconf.name,
            "/tls/ca.crt",
            "/tls/tls.crt",
            "/tls/tls.key",
        ],
    ]
},
211
// The verifier component: receives the in-cluster addresses of peeringdb, irr,
// octorpki and pgpencryptor, plus a CockroachDB DSN, on its command line.
// NOTE(review): this service is also published by grpcIngress while running
// with -hspki_disable. If that flag turns off hscloud PKI authentication
// (confirm), the public endpoint has no client authentication at this layer.
verifier: ix.component("verifier") {
    // Mount the CockroachDB client certificate at /tls.
    volumes: ix.crdb.volumes,
    volumeMounts: ix.crdb.volumeMounts,
    args: [
        "/ix/verifier",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
        "-peeringdb=" + ix.peeringdb.address,
        "-irr=" + ix.irr.address,
        "-octorpki=" + ix.octorpki.address,
        "-pgpencryptor=" + ix.pgpencryptor.address,
    ] + ix.crdb.args(cfg.verifier.db),
},
225
// The pgpencryptor component: same CockroachDB client setup as the verifier,
// but pointed at its own database (cfg.pgpencryptor.db).
// NOTE(review): -hspki_disable presumably switches off hscloud PKI on this
// listener — confirm that other controls restrict who can reach port 4200.
pgpencryptor: ix.component("pgpencryptor") {
    // Mount the CockroachDB client certificate at /tls.
    volumes: ix.crdb.volumes,
    volumeMounts: ix.crdb.volumeMounts,
    args: [
        "/ix/pgpencryptor",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
    ] + ix.crdb.args(cfg.pgpencryptor.db),
},
235
// The frontend component: listens on 8080 (published by `ingress`) and is
// given the verifier's in-cluster address.
frontend: ix.component("frontend") {
    port: 8080,
    args: [
        "/ix/frontend.par",
        // NOTE(review): hard-coded, guessable secret committed to the repository.
        // If this feeds Flask's SECRET_KEY (the flag name suggests so — confirm),
        // session cookies signed with it cannot be trusted. Generate a random
        // value, store it in a Kubernetes Secret and inject it the way ripeSync
        // injects PASSWORD (env_ with secretKeyRef), then rotate the current value.
        "--flask_secret=dupa",
        "--listen=0.0.0.0:8080",
        "--verifier=" + ix.verifier.address,
    ],
},
245
// The alice component (alice-lg looking glass): listens on 7340, with its
// configuration and theme supplied from the two ConfigMaps defined below.
alice: ix.component("alice") {
    port: 7340,
    volumes: {
        config: kube.ConfigMapVolume(ix.alice.configMap),
        theme: kube.ConfigMapVolume(ix.alice.themeMap),
    },
    volumeMounts: {
        config: {
            mountPath: "/etc/alice",
        },
        theme: {
            mountPath: "/etc/alice-theme",
        },
    },
    // NOTE(review): the ConfigMap key below is `config`, which a plain ConfigMap
    // volume would expose as /etc/alice/config, while -config names
    // /etc/alice/alice — confirm which path the binary actually reads.
    args: [
        "/usr/bin/alice-lg",
        "-config", "/etc/alice/alice",
    ],

    // Theme override: page titles and taglines.
    themeMap: kube.ConfigMap(ix.name("alice-theme")) {
        metadata+: ix.metadata("alice-theme"),
        data: {
            "content.js": |||
                Alice.updateContent({
                header: {
                title: "CCCampIX Looking Glass",
                tagline: "powered by alice-lg"
                },
                welcome: {
                title: "CCCampIX Looking Glass",
                tagline: "BGP to the tent."
                }
                });
            |||,
        },
    },
    // alice-lg configuration. The [rejection_reasons] section maps community
    // values to the text shown for filtered routes.
    // NOTE(review): every birdwatcher `api` URL below is plain http://, so the
    // route data shown by the looking glass is fetched without transport
    // integrity or confidentiality; confirm that path is a trusted network, or
    // put TLS in front of birdwatcher.
    configMap: kube.ConfigMap(ix.name("alice")) {
        metadata+: ix.metadata("alice"),
        data: {
            config: |||
                [server]
                listen_http = 0.0.0.0:7340
                enable_neighbors_status_refresh = false
                asn = 208521

                [housekeeping]
                interval = 5
                force_release_memory = true

                [theme]
                path = /etc/alice-theme

                [pagination]
                routes_filtered_page_size = 250
                routes_accepted_page_size = 250
                routes_not_exported_page_size = 250

                [rejection_reasons]
                208521:65666:1 = An IP Bogon was detected
                208521:65666:2 = Prefix is longer than 64
                208521:65666:3 = Prefix is longer than 24
                208521:65666:4 = AS path contains a bogon AS
                208521:65666:5 = AS path length is longer than 64
                208521:65666:6 = BGP Path invalid (must be only peer)
                208521:65666:9 = Prefix not found in RPKI for Origin AS

                [neighbours_columns]
                Description = Description
                address = Neighbour
                asn = ASN
                state = State
                Uptime = Uptime
                routes_received = Routes Received
                routes_filtered = Filtered

                [routes_columns]
                network = Network
                gateway = Gateway
                interface = Interface
                metric = Metric
                bgp.as_path = AS Path

                [lookup_columns]
                network = Network
                gateway = Gateway
                neighbour.asn = ASN
                neighbour.description = Description
                bgp.as_path = AS Path
                routeserver.name = RS

                [source.rs1-camp-v4]
                name = rs1.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs1-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3000/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs1-camp-v6]
                name = rs1.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs1-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3001/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v4]
                name = rs2.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs2-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3002/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v6]
                name = rs2.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs2-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3003/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05
            |||,
        },
    },
},
387
// CronJob that runs /ix/ripe-sync.par every five minutes with a password and
// the verifier's in-cluster address as positional arguments.
ripeSync: kube.CronJob(ix.name("ripe-sync")) {
    metadata+: ix.metadata("ripe-sync"),
    spec+: {
        schedule: "*/5 * * * *",
        jobTemplate+: {
            spec+: {
                // Hide the selector field so it is not emitted for the Job template.
                selector:: null,
                template+: {
                    spec+: {
                        containers_: {
                            "ripe-sync": kube.Container(ix.name("ripe-sync")) {
                                image: cfg.image,
                                args: [
                                    "/ix/ripe-sync.par",
                                    // Kubernetes expands $(PASSWORD) from the container
                                    // environment, so the secret value ends up on the
                                    // process command line. NOTE(review): prefer having
                                    // the program read the environment variable or a
                                    // mounted file, so the value stays out of argv.
                                    "$(PASSWORD)",
                                    ix.verifier.address,
                                ],
                                env_: {
                                    // Taken from key "password" of the Secret named
                                    // ix.name("ripe-sync"); that Secret is not defined
                                    // in the visible file.
                                    PASSWORD: {
                                        secretKeyRef: {
                                            name: ix.name("ripe-sync"),
                                            key: "password",
                                        },
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },
    },
},
421
// Public ingress: serves cfg.frontend.domain from the frontend Service.
// The object is labelled with component "public".
ingress: kube.SimpleIngress("ingress") {
    metadata+: ix.metadata("public"),
    target_service:: ix.frontend.svc,
    hosts:: [cfg.frontend.domain],
},
Serge Bazanskiec71cb52019-08-22 18:13:13 +0200427
// Public ingress: serves cfg.alice.domain from the alice (looking glass) Service.
aliceIngress: kube.SimpleIngress("alice") {
    metadata+: ix.metadata("alice"),
    target_service:: ix.alice.svc,
    hosts:: [cfg.alice.domain],
},
433
// Public ingress for the verifier Service on cfg.verifier.domain, proxied as gRPC.
// NOTE(review): the verifier runs with -hspki_disable; if that removes its own
// client authentication (confirm), this ingress exposes the API to any caller.
grpcIngress: kube.SimpleIngress("grpc") {
    hosts:: [cfg.verifier.domain],
    target_service:: ix.verifier.svc,
    // NOTE(review): labelled as component "alice" although it fronts the
    // verifier — looks copied from aliceIngress; confirm the intended label.
    metadata+: ix.metadata("alice") {
        annotations+: {
            "kubernetes.io/ingress.class": "nginx",
            // Plain-HTTP requests are redirected to HTTPS at the ingress.
            "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            // "GRPC" (not "GRPCS"): nginx talks unencrypted gRPC to the backend
            // pod, so TLS ends at the ingress controller.
            "nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
        },
    },
},
Serge Bazanskibeefe442019-07-30 13:03:03 +0200445 },
446}