local kube = import "../../../kube/kube.libsonnet";
| 2 | |
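{
  // Kubernetes manifests for the cccampix IX status stack: octorpki, irr,
  // peeringdb, verifier, pgpencryptor, frontend, a ripe-sync CronJob and two
  // Ingresses. Everything is parameterised through the hidden `cfg` object;
  // a caller must at least override `cfg.namespace`.
  IX: {
    local ix = self,
    local cfg = ix.cfg,

    // Hidden (`::`) so it is never manifested as a resource.
    cfg:: {
      // One image for every component, pinned to a build timestamp + git sha.
      image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566475793-53f188c8fe83781ac057a3442830c6aa3dce5269",

      // Public HTTP host (frontend) and gRPC host (verifier) served by the Ingresses below.
      domain: "ix-status.bgp.wtf",
      grpcDomain: "ix-grpc.bgp.wtf",

      octorpki: {
        image: cfg.image,
        storageClassName: "waw-hdd-redundant-2",
        resources: {
          requests: { cpu: "200m", memory: "1Gi" },
          limits: { cpu: "1", memory: "2Gi" },
        },
      },

      verifier: {
        image: cfg.image,
        db: {
          host: "public.crdb-waw1.svc.cluster.local",
          port: 26257,
          username: "cccampix",
          name: "cccampix",
          // Secret holding the CockroachDB client certificate; mounted read-only by `crdb` below.
          tlsSecret: "client-cccampix-certificate",
        },
      },

      pgpencryptor: {
        image: cfg.image,
        db: {
          host: "public.crdb-waw1.svc.cluster.local",
          port: 26257,
          username: "cccampix",
          name: "cccampix-pgpencryptor",
          tlsSecret: "client-cccampix-certificate",
        },
      },

      irr: {
        image: cfg.image,
      },

      peeringdb: {
        image: cfg.image,
      },

      frontend: {
        image: cfg.image,
      },

      appName: "ix",
      // Deliberately fails evaluation unless overridden by the caller.
      namespace: error "namespace must be defined",
      // Optional prefix prepended to every resource name (see `name`).
      prefix: "",
    },

    namespace: kube.Namespace(cfg.namespace),

    // Resource name for a component, honouring cfg.prefix.
    name(component):: cfg.prefix + component,

    // Shared metadata: namespace plus the recommended app.kubernetes.io labels.
    metadata(component):: {
      namespace: cfg.namespace,
      labels: {
        "app.kubernetes.io/name": cfg.appName,
        "app.kubernetes.io/managed-by": "kubecfg",
        "app.kubernetes.io/component": component,
      },
    },

    // OctoRPKI: RPKI validator with a persistent cache volume. It is laid out
    // by hand rather than via `component` because it needs a PVC and
    // resource limits.
    octorpki: {
      // In-cluster address other components use to reach it.
      address:: "%s.%s.svc.cluster.local:%d" % [
        "octorpki",
        ix.cfg.namespace,
        8080,
      ],
      cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        spec+: {
          storageClassName: cfg.octorpki.storageClassName,
          accessModes: [ "ReadWriteOnce" ],
          resources: {
            requests: {
              storage: "2Gi",
            },
          },
        },
      },
      deployment: kube.Deployment(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        spec+: {
          template+: {
            spec+: {
              volumes_: {
                cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
              },
              containers_: {
                octorpki: kube.Container(ix.name("octorpki")) {
                  image: cfg.octorpki.image,
                  args: [
                    "/octorpki/entrypoint.sh",
                  ],
                  ports_: {
                    client: { containerPort: 8080 },
                  },
                  volumeMounts_: {
                    cache: { mountPath: "/cache" },
                  },
                  resources: cfg.octorpki.resources,
                },
              },
            },
          },
        },
      },
      svc: kube.Service(ix.name("octorpki")) {
        metadata+: ix.metadata("octorpki"),
        target_pod:: ix.octorpki.deployment.spec.template,
        spec+: {
          ports: [
            { name: "client", port: 8080, targetPort: 8080, protocol: "TCP" },
          ],
        },
      },
    },

    // Template for the simple single-container services (irr, peeringdb,
    // verifier, pgpencryptor, frontend): one Deployment and one Service.
    // Users override the hidden fields `args` (required), `port`, `volumes`,
    // `volumeMounts` and `env`.
    component(name):: {
      local component = self,
      args:: error "args must be set",
      name:: name,
      port:: 4200,
      volumes:: {},
      volumeMounts:: {},
      // Container environment in kube.libsonnet's keyed `env_` form; lets a
      // component pull secrets from Secret objects instead of hard-coding them.
      env:: {},

      deployment: kube.Deployment(ix.name(name)) {
        metadata+: ix.metadata(name),
        spec+: {
          template+: {
            spec+: {
              volumes_: component.volumes,
              containers_: {
                [name]: kube.Container(ix.name(name)) {
                  // Image is looked up per component name in cfg.
                  image: cfg[name].image,
                  args: component.args,
                  env_: component.env,
                  volumeMounts_: component.volumeMounts,
                },
              },
            },
          },
        },
      },
      svc: kube.Service(ix.name(name)) {
        metadata+: ix.metadata(name),
        target_pod:: component.deployment.spec.template,
        spec+: {
          ports: [
            { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
          ],
        },
      },

      // In-cluster address of this component's Service.
      address:: "%s.%s.svc.cluster.local:%d" % [
        component.name,
        ix.cfg.namespace,
        component.port,
      ],
    },

    // NOTE(review): `-hspki_disable` turns off the services' own PKI-based
    // peer authentication, so these gRPC endpoints trust anything that can
    // reach them on the cluster network — confirm that network policy or
    // namespace isolation is what is relied on instead.
    irr: ix.component("irr") {
      args: [
        "/ix/irr",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
      ],
    },

    peeringdb: ix.component("peeringdb") {
      args: [
        "/ix/peeringdb",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
      ],
    },

    // Shared CockroachDB client wiring: mounts the client certificate Secret
    // at /tls (owner-read-only) and builds the `-dsn` flag from a `db` config.
    crdb:: {
      volumes: {
        tls: {
          secret: {
            secretName: cfg.verifier.db.tlsSecret,
            defaultMode: kube.parseOctal("0400"),
          },
        },
      },
      volumeMounts: {
        tls: {
          mountPath: "/tls",
        },
      },
      // NOTE(review): sslmode=require guarantees TLS but whether the server
      // certificate is checked against sslrootcert depends on the client
      // library; verify-full is the unambiguous choice if the server
      // certificate's name matches `dbconf.host` — confirm before changing.
      args(dbconf): [
        "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
          dbconf.username,
          dbconf.host,
          dbconf.port,
          dbconf.name,
          "/tls/ca.crt",
          "/tls/tls.crt",
          "/tls/tls.key",
        ],
      ]
    },

    verifier: ix.component("verifier") {
      volumes: ix.crdb.volumes,
      volumeMounts: ix.crdb.volumeMounts,
      args: [
        "/ix/verifier",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
        "-peeringdb=" + ix.peeringdb.address,
        "-irr=" + ix.irr.address,
        "-octorpki=" + ix.octorpki.address,
        "-pgpencryptor=" + ix.pgpencryptor.address,
      ] + ix.crdb.args(cfg.verifier.db),
    },

    pgpencryptor: ix.component("pgpencryptor") {
      volumes: ix.crdb.volumes,
      volumeMounts: ix.crdb.volumeMounts,
      args: [
        "/ix/pgpencryptor",
        "-hspki_disable",
        "-listen_address=0.0.0.0:4200",
      ] + ix.crdb.args(cfg.pgpencryptor.db),
    },

    frontend: ix.component("frontend") {
      port: 8080,
      // The Flask session-signing secret used to be the literal "dupa" in
      // this file; anyone with the repository could forge sessions. It is now
      // read from a Secret (same mechanism as ripe-sync's PASSWORD), and
      // kubelet expands $(FLASK_SECRET) in args. Secret name/key are
      // constructed here — provision a Secret named ix.name("frontend") with
      // key "flask-secret" out of band. The value still ends up in the
      // process argv, which is all the binary's --flask_secret flag allows.
      env: {
        FLASK_SECRET: {
          secretKeyRef: {
            name: ix.name("frontend"),
            key: "flask-secret",
          },
        },
      },
      args: [
        "/ix/frontend.par",
        "--flask_secret=$(FLASK_SECRET)",
        "--listen=0.0.0.0:8080",
        "--verifier=" + ix.verifier.address,
      ],
    },

    // Every five minutes push data to the verifier; the RIPE password comes
    // from a Secret via env and is expanded into argv by kubelet (so it is
    // visible in the container's process list, not only in the Secret).
    ripeSync: kube.CronJob(ix.name("ripe-sync")) {
      metadata+: ix.metadata("ripe-sync"),
      spec+: {
        schedule: "*/5 * * * *",
        jobTemplate+: {
          spec+: {
            selector:: null,
            template+: {
              spec+: {
                containers_: {
                  "ripe-sync": kube.Container(ix.name("ripe-sync")) {
                    image: cfg.image,
                    args: [
                      "/ix/ripe-sync.par",
                      "$(PASSWORD)",
                      ix.verifier.address,
                    ],
                    env_: {
                      PASSWORD: {
                        secretKeyRef: {
                          name: ix.name("ripe-sync"),
                          key: "password",
                        },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },

    // Public HTTPS entry point for the frontend, with an ACME (Let's Encrypt)
    // certificate. proxy-body-size "0" removes nginx's request body limit,
    // so upload size is bounded only by the frontend itself.
    ingress: kube.Ingress("ingress") {
      metadata+: ix.metadata("public") {
        annotations+: {
          "kubernetes.io/tls-acme": "true",
          "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
          "nginx.ingress.kubernetes.io/proxy-body-size": "0",
        },
      },
      spec+: {
        tls: [
          { hosts: [cfg.domain], secretName: "public-tls" }
        ],
        rules: [
          {
            host: cfg.domain,
            http: {
              paths: [
                { path: "/", backend: ix.frontend.svc.name_port },
              ],
            },
          },
        ],
      },
    },

    // External gRPC entry point for the verifier (TLS terminated at nginx,
    // plaintext gRPC to the pod). Because the verifier runs with
    // -hspki_disable, the whitelist-source-range annotation is the only
    // access control on this path: keep it to the intended peer address.
    grpcIngress: kube.Ingress("grpc") {
      metadata+: ix.metadata("grpc") {
        annotations+: {
          "kubernetes.io/tls-acme": "true",
          "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
          "kubernetes.io/ingress.class": "nginx",
          "nginx.ingress.kubernetes.io/ssl-redirect": "true",
          "nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
          "nginx.ingress.kubernetes.io/whitelist-source-range": "185.236.240.34/32",
        },
      },
      spec+: {
        tls: [
          { hosts: [cfg.grpcDomain], secretName: "grpc-tls" }
        ],
        rules: [
          {
            host: cfg.grpcDomain,
            http: {
              paths: [
                { path: "/", backend: ix.verifier.svc.name_port },
              ],
            },
          },
        ],
      },
    },
  },
}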