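// Kubernetes manifests for the cccampix IX services: octorpki (RPKI cache),
// irr, peeringdb, verifier, pgpencryptor, the web frontend, the ripe-sync
// CronJob, and the two ingresses exposing the frontend (HTTP) and the
// verifier (gRPC). Everything hangs off `IX`; callers override `cfg` and
// must at least set `cfg.namespace`.
local kube = import "../../../kube/kube.libsonnet";

{
    IX: {
        local ix = self,
        local cfg = ix.cfg,

        // Deployment-time configuration. Every component runs the same image
        // (each per-component `image` defaults to `cfg.image`).
        cfg:: {
            image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566475793-53f188c8fe83781ac057a3442830c6aa3dce5269",

            domain: "ix-status.bgp.wtf",
            grpcDomain: "ix-grpc.bgp.wtf",
            octorpki: {
                image: cfg.image,
                storageClassName: "waw-hdd-redundant-2",
                resources: {
                    requests: { cpu: "200m", memory: "1Gi" },
                    limits: { cpu: "1", memory: "2Gi" },
                },
            },

            // CockroachDB connection parameters; the client certificate used
            // for TLS comes from the Secret named in `tlsSecret` (see `crdb`).
            verifier: {
                image: cfg.image,
                db: {
                    host: "public.crdb-waw1.svc.cluster.local",
                    port: 26257,
                    username: "cccampix",
                    name: "cccampix",
                    tlsSecret: "client-cccampix-certificate",
                },
            },

            // Same cluster and client certificate as the verifier, separate database.
            pgpencryptor: {
                image: cfg.image,
                db: {
                    host: "public.crdb-waw1.svc.cluster.local",
                    port: 26257,
                    username: "cccampix",
                    name: "cccampix-pgpencryptor",
                    tlsSecret: "client-cccampix-certificate",
                },
            },

            irr: {
                image: cfg.image,
            },

            peeringdb: {
                image: cfg.image,
            },

            frontend: {
                image: cfg.image,
            },

            appName: "ix",
            namespace: error "namespace must be defined",
            // Prepended to every object name by `name()`.
            prefix: "",
        },

        namespace: kube.Namespace(cfg.namespace),
        name(component):: cfg.prefix + component,
        // Common metadata: namespace plus the app/component labels used for selection.
        metadata(component):: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": cfg.appName,
                "app.kubernetes.io/managed-by": "kubecfg",
                "app.kubernetes.io/component": component,
            },
        },

        // octorpki is not built with `component()` because it needs a
        // persistent cache volume and listens on 8080 instead of 4200.
        octorpki: {
            address:: "%s.%s.svc.cluster.local:%d" % [
                "octorpki",
                ix.cfg.namespace,
                8080,
            ],
            cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    storageClassName: cfg.octorpki.storageClassName,
                    accessModes: [ "ReadWriteOnce" ],
                    resources: {
                        requests: {
                            storage: "2Gi",
                        },
                    },
                },
            },
            deployment: kube.Deployment(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: {
                                cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
                            },
                            containers_: {
                                octorpki: kube.Container(ix.name("octorpki")){
                                    image: cfg.octorpki.image,
                                    args: [
                                        "/octorpki/entrypoint.sh",
                                    ],
                                    ports_: {
                                        client: { containerPort: 8080 },
                                    },
                                    volumeMounts_: {
                                        cache: { mountPath: "/cache" },
                                    },
                                    resources: cfg.octorpki.resources,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(ix.name("octorpki")) {
                metadata+: ix.metadata("octorpki"),
                target_pod:: ix.octorpki.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: 8080, targetPort: 8080, protocol: "TCP" },
                    ],
                },
            },
        },

        // Template for the single-container gRPC services (irr, peeringdb,
        // verifier, pgpencryptor, frontend): one Deployment and one Service.
        // `name` selects the `cfg[name]` entry for the image. Overrides set
        // `args` (required), and optionally `port`, `volumes`, `volumeMounts`
        // and `env`.
        component(name):: {
            local component = self,
            args:: error "args must be set",
            name:: name,
            port:: 4200,
            volumes:: {},
            volumeMounts:: {},
            // Extra container environment in kube.Container `env_` form (a
            // string value or a {secretKeyRef: ...} object). This is the
            // hook for pulling secrets from a Kubernetes Secret -- the same
            // mechanism ripeSync uses -- instead of writing them into `args`.
            env:: {},

            deployment: kube.Deployment(ix.name(name)) {
                metadata+: ix.metadata(name),
                spec+: {
                    template+: {
                        spec+: {
                            volumes_: component.volumes,
                            containers_: {
                                [name]: kube.Container(ix.name(name)) {
                                    image: cfg[name].image,
                                    args: component.args,
                                    env_: component.env,
                                    volumeMounts_: component.volumeMounts,
                                },
                            },
                        },
                    },
                },
            },
            svc: kube.Service(ix.name(name)) {
                metadata+: ix.metadata(name),
                target_pod:: component.deployment.spec.template,
                spec+: {
                    ports: [
                        { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
                    ],
                },
            },

            // In-cluster address other components use to reach this one.
            address:: "%s.%s.svc.cluster.local:%d" % [
                component.name,
                ix.cfg.namespace,
                component.port,
            ],
        },

        // NOTE(review): every service below is started with -hspki_disable,
        // which by its name turns off hspki for the in-cluster gRPC links
        // between these components. The services are only reachable through
        // ClusterIP Services (and the verifier via the allowlisted gRPC
        // ingress), so this is presumably an accepted in-cluster trust
        // assumption -- confirm against the hspki configuration before
        // exposing any of these Services more widely.
        irr: ix.component("irr") {
            args: [
                "/ix/irr",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
            ],
        },

        peeringdb: ix.component("peeringdb") {
            args: [
                "/ix/peeringdb",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
            ],
        },

        // Shared CockroachDB client wiring: mounts the client certificate
        // Secret at /tls (read-only for the owner only) and builds the -dsn
        // argument for a given `cfg.<component>.db` block.
        crdb:: {
            volumes: {
                tls: {
                    secret: {
                        secretName: cfg.verifier.db.tlsSecret,
                        defaultMode: kube.parseOctal("0400"),
                    },
                },
            },
            volumeMounts: {
                tls: {
                    mountPath: "/tls",
                },
            },
            // NOTE(review): with sslmode=require plus sslrootcert, drivers that
            // follow libpq semantics validate the server certificate against the
            // CA but do not check the hostname; sslmode=verify-full would add the
            // hostname check. Whether that matters depends on how `host` resolves
            // in-cluster -- confirm with the verifier/pgpencryptor DB driver.
            args(dbconf): [
                "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
                    dbconf.username,
                    dbconf.host,
                    dbconf.port,
                    dbconf.name,
                    "/tls/ca.crt",
                    "/tls/tls.crt",
                    "/tls/tls.key",
                ],
            ]
        },

        verifier: ix.component("verifier") {
            volumes: ix.crdb.volumes,
            volumeMounts: ix.crdb.volumeMounts,
            args: [
                "/ix/verifier",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
                "-peeringdb=" + ix.peeringdb.address,
                "-irr=" + ix.irr.address,
                "-octorpki=" + ix.octorpki.address,
                "-pgpencryptor=" + ix.pgpencryptor.address,
            ] + ix.crdb.args(cfg.verifier.db),
        },

        pgpencryptor: ix.component("pgpencryptor") {
            volumes: ix.crdb.volumes,
            volumeMounts: ix.crdb.volumeMounts,
            args: [
                "/ix/pgpencryptor",
                "-hspki_disable",
                "-listen_address=0.0.0.0:4200",
            ] + ix.crdb.args(cfg.pgpencryptor.db),
        },

        frontend: ix.component("frontend") {
            port: 8080,
            // The Flask secret signs the frontend's session cookies. It used
            // to be the literal "dupa" in this file, which lets anyone with
            // read access to the repository forge sessions; it is now read
            // from a Kubernetes Secret and substituted into args through the
            // $(VAR) expansion kubelet performs, exactly as ripeSync does for
            // its password. The Secret name and key here are constructed
            // defaults -- create the Secret out of band (or rename to match
            // the deployment's convention) before rolling this out. The value
            // still ends up in the container's argv; having the frontend read
            // it from the environment directly would be a further improvement
            // but needs a change in frontend.par.
            env+:: {
                FLASK_SECRET: {
                    secretKeyRef: {
                        name: ix.name("frontend"),
                        key: "flask_secret",
                    },
                },
            },
            args: [
                "/ix/frontend.par",
                "--flask_secret=$(FLASK_SECRET)",
                "--listen=0.0.0.0:8080",
                "--verifier=" + ix.verifier.address,
            ],
        },

        // Periodic RIPE sync against the verifier. The password comes from a
        // Secret via env and is expanded into args by kubelet; note it is
        // therefore visible in the container's argv.
        ripeSync: kube.CronJob(ix.name("ripe-sync")) {
            metadata+: ix.metadata("ripe-sync"),
            spec+: {
                schedule: "*/5 * * * *",
                jobTemplate+: {
                    spec+: {
                        // kube.CronJob's default pod selector is dropped; Jobs get
                        // their own controller-generated selector.
                        selector:: null,
                        template+: {
                            spec+: {
                                containers_: {
                                    "ripe-sync": kube.Container(ix.name("ripe-sync")) {
                                        image: cfg.image,
                                        args: [
                                            "/ix/ripe-sync.par",
                                            "$(PASSWORD)",
                                            ix.verifier.address,
                                        ],
                                        env_: {
                                            PASSWORD: {
                                                secretKeyRef: {
                                                    name: ix.name("ripe-sync"),
                                                    key: "password",
                                                },
                                            },
                                        },
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },

        // Public HTTPS ingress for the status frontend (cert via cert-manager).
        // proxy-body-size "0" removes the nginx request-body size limit for
        // this host; keep it in mind when reviewing what the frontend accepts.
        ingress: kube.Ingress("ingress") {
            metadata+: ix.metadata("public") {
                annotations+: {
                    "kubernetes.io/tls-acme": "true",
                    "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                    "nginx.ingress.kubernetes.io/proxy-body-size": "0",
                },
            },
            spec+: {
                tls: [
                    { hosts: [cfg.domain], secretName: "public-tls"}
                ],
                rules: [
                    {
                        host: cfg.domain,
                        http: {
                            paths: [
                                { path: "/", backend: ix.frontend.svc.name_port },
                            ],
                        },
                    },
                ],
            },
        },

        // gRPC ingress straight to the verifier (which runs with hspki
        // disabled). Access is limited to a single source address by the
        // whitelist-source-range annotation; that control is only as good as
        // the client address the ingress controller sees, so it presumably
        // relies on the controller receiving direct connections (or trusting
        // the right proxy headers) -- confirm for this cluster.
        grpcIngress: kube.Ingress("grpc") {
            metadata+: ix.metadata("grpc") {
                annotations+: {
                    "kubernetes.io/tls-acme": "true",
                    "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                    "kubernetes.io/ingress.class": "nginx",
                    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
                    "nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
                    "nginx.ingress.kubernetes.io/whitelist-source-range": "185.236.240.34/32",
                },
            },
            spec+: {
                tls: [
                    { hosts: [cfg.grpcDomain], secretName: "grpc-tls"}
                ],
                rules: [
                    {
                        host: cfg.grpcDomain,
                        http: {
                            paths: [
                                { path: "/", backend: ix.verifier.svc.name_port },
                            ],
                        },
                    },
                ],
            },
        },
    },
}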