Blame - cluster/kube/cluster.jsonnet - hscloud

blob: e9e8932c3934b60cb2213eea2347cfda133b4a49 [file] [log] [blame]

Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	1	# Top level cluster configuration.
				2
				3	local kube = import "../../kube/kube.libsonnet";
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	4	local policies = import "../../kube/policies.libsonnet";
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	5
Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	6	local calico = import "lib/calico.libsonnet";
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	7	local certmanager = import "lib/cert-manager.libsonnet";
				8	local cockroachdb = import "lib/cockroachdb.libsonnet";
				9	local coredns = import "lib/coredns.libsonnet";
Sergiusz Bazanski	1e565dc	2019-01-18 09:40:59 +0100	[diff] [blame]	10	local metallb = import "lib/metallb.libsonnet";
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	11	local metrics = import "lib/metrics.libsonnet";
Sergiusz Bazanski	a9c7e86	2019-04-01 17:56:28 +0200	[diff] [blame]	12	local nginx = import "lib/nginx.libsonnet";
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	13	local prodvider = import "lib/prodvider.libsonnet";
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	14	local registry = import "lib/registry.libsonnet";
Sergiusz Bazanski	b7fcc67	2019-04-01 18:40:50 +0200	[diff] [blame]	15	local rook = import "lib/rook.libsonnet";
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	16
				17	local Cluster(fqdn) = {
				18	local cluster = self,
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	19	local cfg = cluster.cfg,
				20
				21	cfg:: {
				22	// Storage class used for internal services (like registry). This must
				23	// be set to a valid storage class. This can either be a cloud provider class
				24	// (when running on GKE &co) or a storage class created using rook.
				25	storageClassNameRedundant: error "storageClassNameRedundant must be set",
				26	},
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	27
				28	// These are required to let the API Server contact kubelets.
				29	crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
				30	metadata+: {
				31	annotations+: {
				32	"rbac.authorization.kubernetes.io/autoupdate": "true",
				33	},
				34	labels+: {
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	35	"kubernetes.io/bootstrapping": "rbac-defaults",
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	36	},
				37	},
				38	rules: [
				39	{
				40	apiGroups: [""],
				41	resources: ["nodes/%s" % r for r in [ "proxy", "stats", "log", "spec", "metrics" ]],
				42	verbs: ["*"],
				43	},
				44	],
				45	},
Sergiusz Bazanski	5bebbeb	2019-01-13 22:08:05 +0100	[diff] [blame]	46	crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") {
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	47	roleRef: {
				48	apiGroup: "rbac.authorization.k8s.io",
				49	kind: "ClusterRole",
				50	name: cluster.crAPIServerToKubelet.metadata.name,
				51	},
				52	subjects: [
				53	{
				54	apiGroup: "rbac.authorization.k8s.io",
				55	kind: "User",
				56	# A cluster API Server authenticates with a certificate whose CN is == to the FQDN of the cluster.
				57	name: fqdn,
				58	},
				59	],
Sergiusz Bazanski	49b9a13	2019-01-14 00:02:59 +0100	[diff] [blame]	60	},
				61
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	62	// This ClusteRole is bound to all humans that log in via prodaccess/prodvider/SSO.
				63	// It should allow viewing of non-sensitive data for debugability and openness.
				64	crViewer: kube.ClusterRole("system:viewer") {
				65	rules: [
				66	{
				67	apiGroups: [""],
				68	resources: [
				69	"nodes",
				70	"namespaces",
				71	"pods",
				72	"configmaps",
				73	"services",
				74	],
				75	verbs: ["list"],
				76	},
				77	{
				78	apiGroups: ["metrics.k8s.io"],
				79	resources: [
				80	"nodes",
				81	"pods",
				82	],
				83	verbs: ["list"],
				84	},
				85	{
				86	apiGroups: ["apps"],
				87	resources: [
				88	"statefulsets",
				89	],
				90	verbs: ["list"],
				91	},
				92	{
				93	apiGroups: ["extensions"],
				94	resources: [
				95	"deployments",
				96	"ingresses",
				97	],
				98	verbs: ["list"],
				99	}
				100	],
				101	},
				102	// This ClusterRole is applied (scoped to personal namespace) to all humans.
				103	crFullInNamespace: kube.ClusterRole("system:admin-namespace") {
				104	rules: [
				105	{
				106	apiGroups: ["*"],
				107	resources: ["*"],
				108	verbs: ["*"],
				109	},
				110	],
				111	},
				112	// This ClusterRoleBindings allows root access to cluster admins.
				113	crbAdmins: kube.ClusterRoleBinding("system:admins") {
				114	roleRef: {
				115	apiGroup: "rbac.authorization.k8s.io",
				116	kind: "ClusterRole",
				117	name: "cluster-admin",
				118	},
				119	subjects: [
				120	{
				121	apiGroup: "rbac.authorization.k8s.io",
				122	kind: "User",
				123	name: user + "@hackerspace.pl",
				124	} for user in [
				125	"q3k",
				126	"implr",
				127	"informatic",
				128	]
				129	],
				130	},
				131
				132	podSecurityPolicies: policies.Cluster {},
				133
				134	allowInsecureNamespaces: [
				135	policies.AllowNamespaceInsecure("kube-system"),
				136	# TODO(q3k): fix this?
				137	policies.AllowNamespaceInsecure("ceph-waw2"),
Sergiusz Bazanski	5f3a5e0	2019-09-25 02:51:51 +0200	[diff] [blame]	138	policies.AllowNamespaceInsecure("matrix"),
				139	policies.AllowNamespaceInsecure("registry"),
				140	policies.AllowNamespaceInsecure("internet"),
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	141	],
				142
				143	// Allow all service accounts (thus all controllers) to create secure pods.
				144	crbAllowServiceAccountsSecure: kube.ClusterRoleBinding("policy:allow-all-secure") {
				145	roleRef_: cluster.podSecurityPolicies.secureRole,
				146	subjects: [
				147	{
				148	kind: "Group",
				149	apiGroup: "rbac.authorization.k8s.io",
				150	name: "system:serviceaccounts",
				151	}
				152	],
				153	},
				154
Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	155	// Calico network fabric
				156	calico: calico.Environment {},
Sergiusz Bazanski	49b9a13	2019-01-14 00:02:59 +0100	[diff] [blame]	157	// CoreDNS for this cluster.
Sergiusz Bazanski	54490d3	2019-10-02 20:47:18 +0200	[diff] [blame]	158	dns: coredns.Environment {
				159	cfg+: {
				160	cluster_domains: [
				161	"cluster.local",
				162	fqdn,
				163	],
				164	},
				165	},
Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	166	// Metrics Server
				167	metrics: metrics.Environment {},
Sergiusz Bazanski	1e565dc	2019-01-18 09:40:59 +0100	[diff] [blame]	168	// Metal Load Balancer
Sergiusz Bazanski	14cbacb	2019-04-01 18:00:44 +0200	[diff] [blame]	169	metallb: metallb.Environment {
				170	cfg+: {
				171	addressPools: [
				172	{ name: "public-v4-1", protocol: "layer2", addresses: ["185.236.240.50-185.236.240.63"] },
				173	],
				174	},
				175	},
Sergiusz Bazanski	a9c7e86	2019-04-01 17:56:28 +0200	[diff] [blame]	176	// Main nginx Ingress Controller
				177	nginx: nginx.Environment {},
Piotr Dobrowolski	79ddbc5	2019-04-02 13:20:15 +0200	[diff] [blame]	178	certmanager: certmanager.Environment {},
Sergiusz Bazanski	e31d64f	2019-10-02 20:59:26 +0200	[diff] [blame^]	179	issuer: kube.ClusterIssuer("letsencrypt-prod") {
Piotr Dobrowolski	3187c59	2019-04-02 14:44:04 +0200	[diff] [blame]	180	spec: {
				181	acme: {
				182	server: "https://acme-v02.api.letsencrypt.org/directory",
				183	email: "bofh@hackerspace.pl",
				184	privateKeySecretRef: {
				185	name: "letsencrypt-prod"
				186	},
				187	http01: {},
				188	},
				189	},
				190	},
Sergiusz Bazanski	c6da127	2019-04-02 00:06:13 +0200	[diff] [blame]	191
Sergiusz Bazanski	b7fcc67	2019-04-01 18:40:50 +0200	[diff] [blame]	192	// Rook Ceph storage
Sergiusz Bazanski	c3b0f76	2019-06-20 16:42:19 +0200	[diff] [blame]	193	rook: rook.Operator {
				194	operator+: {
				195	spec+: {
				196	// TODO(q3k): Bring up the operator again when stability gets fixed
				197	// See: https://github.com/rook/rook/issues/3059#issuecomment-492378873
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	198	replicas: 1,
Sergiusz Bazanski	c3b0f76	2019-06-20 16:42:19 +0200	[diff] [blame]	199	},
				200	},
				201	},
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	202
				203	// Docker registry
				204	registry: registry.Environment {
				205	cfg+: {
				206	domain: "registry.%s" % [fqdn],
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	207	storageClassName: cfg.storageClassNameParanoid,
				208	objectStorageName: "waw-hdd-redundant-2-object",
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	209	},
				210	},
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	211
				212	// Prodvider
				213	prodvider: prodvider.Environment {},
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	214	};
				215
Sergiusz Bazanski	49b9a13	2019-01-14 00:02:59 +0100	[diff] [blame]	216
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	217	{
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	218	k0: {
				219	local k0 = self,
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	220	cluster: Cluster("k0.hswaw.net") {
				221	cfg+: {
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	222	storageClassNameParanoid: k0.ceph.blockParanoid.name,
Sergiusz Bazanski	4d61d20	2019-07-21 16:56:41 +0200	[diff] [blame]	223	},
				224	},
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	225	cockroach: {
Sergiusz Bazanski	d533892	2019-08-09 14:13:50 +0200	[diff] [blame]	226	waw2: cockroachdb.Cluster("crdb-waw1") {
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	227	cfg+: {
				228	topology: [
Sergiusz Bazanski	184678b	2019-06-22 02:07:41 +0200	[diff] [blame]	229	{ name: "bc01n01", node: "bc01n01.hswaw.net" },
				230	{ name: "bc01n02", node: "bc01n02.hswaw.net" },
				231	{ name: "bc01n03", node: "bc01n03.hswaw.net" },
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	232	],
Sergiusz Bazanski	d533892	2019-08-09 14:13:50 +0200	[diff] [blame]	233	hostPath: "/var/db/crdb-waw1",
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	234	},
				235	},
Sergiusz Bazanski	1fad2e5	2019-08-01 20:16:27 +0200	[diff] [blame]	236	clients: {
				237	cccampix: k0.cockroach.waw2.Client("cccampix"),
				238	cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),
				239	},
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	240	},
				241	ceph: {
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	242	// waw1 cluster - dead as of 2019/08/06, data corruption
				243	// waw2 cluster
				244	waw2: rook.Cluster(k0.cluster.rook, "ceph-waw2") {
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	245	spec: {
				246	mon: {
				247	count: 3,
				248	allowMultiplePerNode: false,
				249	},
				250	storage: {
				251	useAllNodes: false,
				252	useAllDevices: false,
				253	config: {
				254	databaseSizeMB: "1024",
				255	journalSizeMB: "1024",
				256	},
				257	nodes: [
				258	{
				259	name: "bc01n01.hswaw.net",
				260	location: "rack=dcr01 chassis=bc01 host=bc01n01",
				261	devices: [ { name: "sda" } ],
				262	},
				263	{
				264	name: "bc01n02.hswaw.net",
				265	location: "rack=dcr01 chassis=bc01 host=bc01n02",
				266	devices: [ { name: "sda" } ],
				267	},
				268	{
				269	name: "bc01n03.hswaw.net",
				270	location: "rack=dcr01 chassis=bc01 host=bc01n03",
				271	devices: [ { name: "sda" } ],
				272	},
				273	],
				274	},
Sergiusz Bazanski	13bb1bf	2019-08-31 16:33:29 +0200	[diff] [blame]	275	benji:: {
				276	metadataStorageClass: "waw-hdd-paranoid-2",
				277	encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
				278	pools: [
				279	"waw-hdd-redundant-2",
				280	"waw-hdd-redundant-2-metadata",
				281	"waw-hdd-paranoid-2",
				282	"waw-hdd-yolo-2",
				283	],
				284	s3Configuration: {
				285	awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
				286	awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
				287	bucketName: "benji-k0-backups",
				288	endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
				289	},
				290	}
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	291	},
				292	},
				293	// redundant block storage
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	294	blockRedundant: rook.ECBlockPool(k0.ceph.waw2, "waw-hdd-redundant-2") {
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	295	spec: {
				296	failureDomain: "host",
				297	erasureCoded: {
				298	dataChunks: 2,
				299	codingChunks: 1,
				300	},
				301	},
				302	},
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	303	// paranoid block storage (3 replicas)
				304	blockParanoid: rook.ReplicatedBlockPool(k0.ceph.waw2, "waw-hdd-paranoid-2") {
				305	spec: {
				306	failureDomain: "host",
				307	replicated: {
				308	size: 3,
				309	},
				310	},
				311	},
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	312	// yolo block storage (no replicas!)
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	313	blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw2, "waw-hdd-yolo-2") {
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	314	spec: {
				315	failureDomain: "host",
				316	replicated: {
				317	size: 1,
				318	},
				319	},
				320	},
Sergiusz Bazanski	d07861b	2019-08-08 17:48:25 +0200	[diff] [blame]	321	objectRedundant: rook.S3ObjectStore(k0.ceph.waw2, "waw-hdd-redundant-2-object") {
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	322	spec: {
				323	metadataPool: {
				324	failureDomain: "host",
				325	replicated: { size: 3 },
				326	},
				327	dataPool: {
				328	failureDomain: "host",
				329	erasureCoded: {
				330	dataChunks: 2,
				331	codingChunks: 1,
				332	},
				333	},
				334	},
				335	},
				336	},
Sergiusz Bazanski	9496d99	2019-09-02 16:32:40 +0200	[diff] [blame]	337
				338	# Used for owncloud.hackerspace.pl, which for now lices on boston-packets.hackerspace.pl.
				339	nextcloud: kube._Object("ceph.rook.io/v1", "CephObjectStoreUser", "nextcloud") {
				340	metadata+: {
				341	namespace: "ceph-waw2",
				342	},
				343	spec: {
				344	store: "waw-hdd-redundant-2-object",
				345	displayName: "nextcloud",
				346	},
				347	},
Sergiusz Bazanski	c7258f4	2019-06-21 00:24:09 +0200	[diff] [blame]	348	},
Sergiusz Bazanski	4d9e72c	2019-01-13 22:06:33 +0100	[diff] [blame]	349	}