Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 1 | # Mirko, an abstraction layer for hscloud kubernetes services. |
| 2 | |
| 3 | local kube = import "kube.libsonnet"; |
| 4 | |
| 5 | { |
| 6 | Environment(name): { |
| 7 | local env = self, |
| 8 | local cfg = env.cfg, |
| 9 | cfg:: { |
| 10 | name: name, |
| 11 | namespace: cfg.name, |
| 12 | }, |
| 13 | |
| 14 | namespace: kube.Namespace(cfg.namespace), |
| 15 | |
| 16 | components: {}, // type: mirko.Component |
| 17 | |
| 18 | // Currently hardcoded! |
| 19 | // This might end up being something passed part of kubecfg evaluation, |
| 20 | // when we get to supporting multiple/federated clusters. |
| 21 | // For now, this is goog enough. |
| 22 | pkiRealm:: "hswaw.net", |
| 23 | pkiClusterFQDN:: "k0.hswaw.net", |
| 24 | |
| 25 | // Generate an ingress if we have any public ports. |
| 26 | publicHTTPPorts:: std.flattenArrays([ |
| 27 | [ |
| 28 | { |
| 29 | local component = env.components[c], |
| 30 | |
| 31 | service: component.svc, |
| 32 | port: component.cfg.ports.publicHTTP[p].port, |
| 33 | dns: component.cfg.ports.publicHTTP[p].dns, |
Sergiusz Bazanski | 91e1a8c | 2020-06-25 12:16:29 +0200 | [diff] [blame] | 34 | // Extra headers to set. |
| 35 | // BUG(q3k): these headers are applied to all components in the environment! |
| 36 | // We should be splitting up ingresses where necessary to combat this. |
| 37 | setHeaders: [], |
| 38 | // Extra paths to add to ingress. These are bare HTTPIngressPaths. |
| 39 | extraPaths: component.cfg.extraPaths, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 40 | } |
| 41 | for p in std.objectFields(env.components[c].cfg.ports.publicHTTP) |
| 42 | ] |
| 43 | for c in std.objectFields(env.components) |
| 44 | ]), |
| 45 | |
| 46 | ingress: if std.length(env.publicHTTPPorts) > 0 then kube.Ingress("mirko-public") { |
| 47 | metadata+: { |
| 48 | namespace: env.cfg.namespace, |
| 49 | labels: { |
| 50 | "app.kubernetes.io/name": cfg.name, |
| 51 | "app.kubernetes.io/managed-by": "kubecfg-mirko", |
| 52 | "app.kubernetes.io/component": cfg.name, |
| 53 | "mirko.hscloud.hackerspace.pl/environment": env.cfg.name, |
| 54 | "mirko.hscloud.hackerspace.pl/component": "mirko-public-ingress", |
| 55 | }, |
| 56 | annotations+: { |
| 57 | "kubernetes.io/tls-acme": "true", |
Piotr Dobrowolski | 7e84106 | 2023-04-23 11:36:15 +0200 | [diff] [blame] | 58 | "cert-manager.io/cluster-issuer": "letsencrypt-prod", |
Serge Bazanski | 15db04c | 2020-08-10 18:55:22 +0200 | [diff] [blame] | 59 | [if env.ingressServerSnippet != null then "nginx.ingress.kubernetes.io/server-snippet"]: env.ingressServerSnippet, |
Sergiusz Bazanski | 91e1a8c | 2020-06-25 12:16:29 +0200 | [diff] [blame] | 60 | [if std.length(env.extraHeaders) > 0 then "nginx.ingress.kubernetes.io/configuration-snippet"]: |
| 61 | std.join("\n", ["proxy_set_header %s;" % [h] for h in env.extraHeaders]), |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 62 | }, |
| 63 | }, |
| 64 | spec+: { |
| 65 | tls: [ |
| 66 | { |
| 67 | hosts: [p.dns for p in env.publicHTTPPorts], |
| 68 | secretName: "mirko-public-tls", |
| 69 | }, |
| 70 | ], |
| 71 | rules: [ |
| 72 | { |
| 73 | host: p.dns, |
| 74 | http: { |
| 75 | paths: [ |
| 76 | { path: "/", backend: { serviceName: p.service.metadata.name, servicePort: p.port }}, |
Sergiusz Bazanski | 91e1a8c | 2020-06-25 12:16:29 +0200 | [diff] [blame] | 77 | ] + p.extraPaths, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 78 | }, |
| 79 | } |
| 80 | for p in env.publicHTTPPorts |
| 81 | ], |
| 82 | }, |
Sergiusz Bazanski | 91e1a8c | 2020-06-25 12:16:29 +0200 | [diff] [blame] | 83 | } else {}, |
| 84 | |
| 85 | // Nginx Ingress Controller server configuration snippet to add. |
| 86 | ingressServerSnippet:: null, |
| 87 | |
| 88 | // Extra request headers to add to ingress |
| 89 | extraHeaders:: std.flattenArrays([ |
| 90 | std.flattenArrays([ |
| 91 | |
| 92 | local portc = env.components[c].cfg.ports.publicHTTP[p]; |
| 93 | if std.objectHas(portc, "setHeaders") then portc.setHeaders else [] |
| 94 | for p in std.objectFields(env.components[c].cfg.ports.publicHTTP) |
| 95 | ]) |
| 96 | for c in std.objectFields(env.components) |
| 97 | ]), |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 98 | }, |
| 99 | |
| 100 | Component(env, name): { |
| 101 | local component = self, |
| 102 | local cfg = component.cfg, |
| 103 | |
| 104 | makeName(suffix):: "%s%s%s" % [cfg.prefix, cfg.name, suffix], |
Sergiusz Bazanski | 74818e1 | 2020-02-18 22:56:21 +0100 | [diff] [blame] | 105 | makeNameGlobal(suffix):: "%s-%s" % [env.cfg.namespace, component.makeName(suffix)], |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 106 | |
| 107 | metadata:: { |
| 108 | namespace: env.cfg.namespace, |
| 109 | labels: { |
| 110 | "app.kubernetes.io/name": env.cfg.name, |
| 111 | "app.kubernetes.io/managed-by": "kubecfg-mirko", |
| 112 | "app.kubernetes.io/component": cfg.name, |
| 113 | "mirko.hscloud.hackerspace.pl/environment": env.cfg.name, |
| 114 | "mirko.hscloud.hackerspace.pl/component": cfg.name, |
| 115 | }, |
| 116 | }, |
| 117 | |
| 118 | |
| 119 | # Tunables for users. |
| 120 | cfg:: { |
| 121 | name: name, |
| 122 | |
| 123 | prefix:: "", |
| 124 | image:: env.image, |
| 125 | volumes:: {}, |
| 126 | containers:: { |
| 127 | main: cfg.container, |
radex | 8b8f387 | 2023-11-24 11:09:46 +0100 | [diff] [blame] | 128 | }, |
Sergiusz Bazanski | 92b48d6 | 2020-01-08 13:59:04 +0100 | [diff] [blame] | 129 | nodeSelector: null, |
Sergiusz Bazanski | aa8c2b0 | 2020-02-15 12:38:39 +0100 | [diff] [blame] | 130 | securityContext: {}, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 131 | container:: error "container(s) must be set", |
Serge Bazanski | b7898a8 | 2020-08-23 11:05:27 +0000 | [diff] [blame] | 132 | initContainer:: null, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 133 | ports:: { |
| 134 | publicHTTP: {}, // name -> { port: no, dns: fqdn } |
| 135 | grpc: { main: 4200 }, // name -> port no |
| 136 | }, |
Sergiusz Bazanski | 91e1a8c | 2020-06-25 12:16:29 +0200 | [diff] [blame] | 137 | extraPaths:: [], |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 138 | }, |
| 139 | |
| 140 | allPorts:: { |
| 141 | ['grpc-' + p]: cfg.ports.grpc[p] |
| 142 | for p in std.objectFields(cfg.ports.grpc) |
| 143 | } + { |
| 144 | ['pubhttp-' + p] : cfg.ports.publicHTTP[p].port |
| 145 | for p in std.objectFields(cfg.ports.publicHTTP) |
| 146 | }, |
| 147 | |
| 148 | Container(name):: kube.Container(component.makeName(name)) { |
| 149 | image: cfg.image, |
| 150 | volumeMounts_: { |
| 151 | pki: { mountPath: "/mnt/pki" }, |
| 152 | }, |
| 153 | ports_: { |
| 154 | [p]: { containerPort: component.allPorts[p] } |
| 155 | for p in std.objectFields(component.allPorts) |
| 156 | }, |
| 157 | resources: { |
| 158 | requests: { |
| 159 | cpu: "25m", |
| 160 | memory: "64Mi", |
| 161 | }, |
| 162 | limits: { |
| 163 | cpu: "500m", |
| 164 | memory: "128Mi", |
| 165 | }, |
| 166 | }, |
| 167 | }, |
| 168 | |
| 169 | GoContainer(name, binary):: component.Container(name) { |
| 170 | command: [ |
| 171 | binary, |
| 172 | "-hspki_realm", env.pkiRealm, |
| 173 | "-hspki_cluster", env.pkiClusterFQDN, |
| 174 | "-hspki_tls_ca_path", "/mnt/pki/ca.crt", |
| 175 | "-hspki_tls_certificate_path", "/mnt/pki/tls.crt", |
| 176 | "-hspki_tls_key_path", "/mnt/pki/tls.key", |
| 177 | "-logtostderr", |
| 178 | "-listen_address", "0.0.0.0:4200", |
| 179 | ], |
| 180 | }, |
| 181 | |
| 182 | deployment: kube.Deployment(component.makeName("-main")) { |
| 183 | metadata+: component.metadata, |
| 184 | spec+: { |
| 185 | template+: { |
| 186 | spec+: { |
| 187 | volumes_: { |
| 188 | pki: { |
| 189 | secret: { secretName: component.pki.cert.spec.secretName }, |
| 190 | }, |
| 191 | } + cfg.volumes, |
| 192 | containers_: cfg.containers, |
Serge Bazanski | b7898a8 | 2020-08-23 11:05:27 +0000 | [diff] [blame] | 193 | [if cfg.initContainer != null then "initContainers"]: [cfg.initContainer], |
Sergiusz Bazanski | 92b48d6 | 2020-01-08 13:59:04 +0100 | [diff] [blame] | 194 | nodeSelector: cfg.nodeSelector, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 195 | |
| 196 | serviceAccountName: component.sa.metadata.name, |
Sergiusz Bazanski | aa8c2b0 | 2020-02-15 12:38:39 +0100 | [diff] [blame] | 197 | securityContext: cfg.securityContext, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 198 | }, |
| 199 | }, |
| 200 | }, |
| 201 | }, |
| 202 | |
| 203 | svc: kube.Service(component.makeName("")) { // No suffix, name part of DNS entry. |
| 204 | metadata+: component.metadata, |
radex | 8b8f387 | 2023-11-24 11:09:46 +0100 | [diff] [blame] | 205 | target:: component.deployment, |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 206 | spec+: { |
| 207 | ports: [ |
| 208 | { |
| 209 | name: p, |
| 210 | port: component.allPorts[p], |
| 211 | targetPort: component.allPorts[p], |
| 212 | } |
| 213 | for p in std.objectFields(component.allPorts) |
| 214 | ], |
| 215 | }, |
| 216 | }, |
| 217 | |
| 218 | sa: kube.ServiceAccount(component.makeName("-main")) { |
| 219 | metadata+: component.metadata, |
| 220 | }, |
| 221 | |
| 222 | pki: { |
| 223 | cert: kube.Certificate(component.makeName("-cert")) { |
| 224 | metadata+: component.metadata, |
radex | 8b8f387 | 2023-11-24 11:09:46 +0100 | [diff] [blame] | 225 | |
Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 226 | spec: { |
| 227 | secretName: component.makeName("-cert"), |
| 228 | duration: "35040h0m0s", // 4 years |
| 229 | issuerRef: { |
| 230 | // Contract with cluster/lib/pki.libsonnet. |
| 231 | name: "pki-ca", |
| 232 | kind: "ClusterIssuer", |
| 233 | }, |
| 234 | commonName: "%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ], |
| 235 | dnsNames: [ |
| 236 | "%s" % [component.svc.metadata.name ], |
| 237 | "%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| 238 | "%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| 239 | "%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| 240 | "%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ], |
| 241 | ], |
| 242 | }, |
| 243 | }, |
| 244 | }, |
| 245 | }, |
| 246 | } |