Serge Bazanskibeefe442019-07-30 13:03:03 +02001local kube = import "../../../kube/kube.libsonnet";
2
3{
4 IX: {
5 local ix = self,
6 local cfg = ix.cfg,
// Tunables for one IX instance. `namespace` has no default and must be
// supplied by whoever instantiates `IX`; everything else can be overridden
// the usual jsonnet way (`cfg+:: { ... }`).
cfg:: {
    // A single image, pinned by build timestamp + git commit, is shared by
    // every in-house component; only alice-lg comes from a separate image.
    image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566584484-a2960f526c36de0dbcd911f05ee9db587e63eb9b",

    // CockroachDB connection details shared by every DB-backed component.
    // Authentication is by client certificate (see `crdb`), so no password
    // appears anywhere in this config.
    local crdbDefaults = {
        host: "public.crdb-waw1.svc.cluster.local",
        port: 26257,
        username: "cccampix",
        tlsSecret: "client-cccampix-certificate",
    },

    octorpki: {
        image: cfg.image,
        storageClassName: "waw-hdd-redundant-2",
        resources: {
            requests: { cpu: "200m", memory: "1Gi" },
            limits: { cpu: "1", memory: "2Gi" },
        },
    },

    verifier: {
        image: cfg.image,
        // Public gRPC endpoint, served through grpcIngress.
        domain: "ix-grpc.bgp.wtf",
        db: crdbDefaults { name: "cccampix" },
    },

    pgpencryptor: {
        image: cfg.image,
        // Separate database, same cluster and same client certificate.
        db: crdbDefaults { name: "cccampix-pgpencryptor" },
    },

    irr: { image: cfg.image },
    peeringdb: { image: cfg.image },

    frontend: {
        // Public status page, served through `ingress`.
        domain: "ix-status.bgp.wtf",
        image: cfg.image,
    },

    alice: {
        // Public looking glass, served through aliceIngress.
        domain: "ix-lg.bgp.wtf",
        image: "registry.k0.hswaw.net/q3k/alice-lg:20190823-1557",
    },

    appName: "ix",
    namespace: error "namespace must be defined",
    // Prepended to every resource name by ix.name(); empty by default.
    prefix: "",
},
65
// The Namespace every other resource of this instance lives in.
namespace: kube.Namespace(ix.cfg.namespace),
// Resource name for `component`, prefixed with cfg.prefix so that several
// instances can coexist.
name(component):: "%s%s" % [cfg.prefix, component],
// Common metadata (namespace + the app.kubernetes.io/* labels) for a
// resource that belongs to `component`.
metadata(component):: {
    local labelPrefix = "app.kubernetes.io/",
    namespace: cfg.namespace,
    labels: {
        [labelPrefix + "name"]: cfg.appName,
        [labelPrefix + "managed-by"]: "kubecfg",
        [labelPrefix + "component"]: component,
    },
},
76
// OctoRPKI, the RPKI validator the verifier consults. Its cache lives on a
// PVC so a restart does not start from scratch. The HTTP API on 8080 is only
// reachable inside the cluster; nothing in this file authenticates it.
octorpki: {
    local n = "octorpki",
    local clientPort = 8080,

    // In-cluster address used by the verifier's -octorpki flag.
    address:: std.format("%s.%s.svc.cluster.local:%d", [n, ix.cfg.namespace, clientPort]),

    cache: kube.PersistentVolumeClaim(ix.name(n)) {
        metadata+: ix.metadata(n),
        spec+: {
            storageClassName: cfg.octorpki.storageClassName,
            accessModes: ["ReadWriteOnce"],
            // Size is fixed; only the storage class is tunable through cfg.
            resources: { requests: { storage: "2Gi" } },
        },
    },

    deployment: kube.Deployment(ix.name(n)) {
        metadata+: ix.metadata(n),
        spec+: { template+: { spec+: {
            volumes_: {
                cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
            },
            containers_: {
                [n]: kube.Container(ix.name(n)) {
                    image: cfg.octorpki.image,
                    args: ["/octorpki/entrypoint.sh"],
                    ports_: { client: { containerPort: clientPort } },
                    volumeMounts_: { cache: { mountPath: "/cache" } },
                    resources: cfg.octorpki.resources,
                },
            },
        } } },
    },

    svc: kube.Service(ix.name(n)) {
        metadata+: ix.metadata(n),
        target_pod:: ix.octorpki.deployment.spec.template,
        spec+: {
            ports: [
                { name: "client", port: clientPort, targetPort: clientPort, protocol: "TCP" },
            ],
        },
    },
},
Sergiusz Bazanski1fad2e52019-08-01 20:16:27 +0200132
// Template for the single-container services (irr, peeringdb, verifier,
// pgpencryptor, frontend, alice): one Deployment plus a ClusterIP Service.
// Overridable hidden fields: `args` (mandatory), `port` (default 4200),
// `volumes` / `volumeMounts` (keyed maps, default empty). The image is
// taken from cfg[name].image.
component(name):: {
    local this = self,
    name:: name,
    args:: error "args must be set",
    port:: 4200,
    volumes:: {},
    volumeMounts:: {},

    // NOTE(review): there is no hook for container env vars; a component
    // that needs one (e.g. to pull a value from a Secret) has to extend
    // deployment.spec.template.spec.containers_ itself.
    deployment: kube.Deployment(ix.name(name)) {
        metadata+: ix.metadata(name),
        spec+: { template+: { spec+: {
            volumes_: this.volumes,
            containers_: {
                [name]: kube.Container(ix.name(name)) {
                    image: cfg[name].image,
                    args: this.args,
                    volumeMounts_: this.volumeMounts,
                },
            },
        } } },
    },

    svc: kube.Service(ix.name(name)) {
        metadata+: ix.metadata(name),
        target_pod:: this.deployment.spec.template,
        spec+: {
            ports: [{
                name: "client",
                port: this.port,
                targetPort: this.port,
                protocol: "TCP",
            }],
        },
    },

    // In-cluster DNS address of the Service, used to wire components together.
    address:: std.format("%s.%s.svc.cluster.local:%d", [this.name, ix.cfg.namespace, this.port]),
},
174
// IRR lookup service; in this file only the verifier talks to it.
irr: ix.component("irr") {
    args: [
        "/ix/irr",
        // hspki (presumably the in-cluster service PKI) is switched off, so
        // the gRPC port is plain and unauthenticated inside the cluster.
        "-hspki_disable",
        "-listen_address=0.0.0.0:%d" % self.port,
    ],
},
182
// PeeringDB lookup service; in this file only the verifier talks to it.
peeringdb: ix.component("peeringdb") {
    args: [
        "/ix/peeringdb",
        // Same as irr: no hspki, plain gRPC inside the cluster.
        "-hspki_disable",
        "-listen_address=0.0.0.0:%d" % self.port,
    ],
},
190
// Pieces shared by every component that talks to CockroachDB: the client
// certificate volume/mount and the `-dsn` flag built from a per-component
// db config (cfg.<component>.db).
crdb:: {
    local tlsDir = "/tls",

    // NOTE(review): the mounted Secret is always cfg.verifier.db.tlsSecret,
    // even when args() is given cfg.pgpencryptor.db. Both name the same
    // Secret today, but the two config entries can drift apart silently.
    volumes: {
        tls: {
            secret: {
                secretName: cfg.verifier.db.tlsSecret,
                // 0400: the key file is readable by its owner only.
                defaultMode: kube.parseOctal("0400"),
            },
        },
    },
    volumeMounts: {
        tls: { mountPath: tlsDir },
    },

    // Certificate authentication only: no password in the DSN.
    // NOTE(review): sslmode=require does not verify the server's hostname,
    // and whether it validates against sslrootcert at all depends on the
    // client library. verify-full would pin the server identity; confirm the
    // CRDB node certificates carry the service DNS name before switching.
    args(dbconf): [
        "-dsn",
        std.format(
            "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s",
            [
                dbconf.username,
                dbconf.host,
                dbconf.port,
                dbconf.name,
                tlsDir + "/ca.crt",
                tlsDir + "/tls.crt",
                tlsDir + "/tls.key",
            ]
        ),
    ],
},
217
// The verifier is wired to every other backend (peeringdb, irr, octorpki,
// pgpencryptor) over in-cluster gRPC and persists to CockroachDB. Its gRPC
// port is also published externally through grpcIngress.
verifier: ix.component("verifier") {
    local db = cfg.verifier.db,
    local upstream(flag, addr) = "-%s=%s" % [flag, addr],

    volumes: ix.crdb.volumes,
    volumeMounts: ix.crdb.volumeMounts,
    args: [
        "/ix/verifier",
        // No hspki: callers of this port are not authenticated at transport
        // level; any access control has to live inside the verifier.
        "-hspki_disable",
        "-listen_address=0.0.0.0:%d" % self.port,
        upstream("peeringdb", ix.peeringdb.address),
        upstream("irr", ix.irr.address),
        upstream("octorpki", ix.octorpki.address),
        upstream("pgpencryptor", ix.pgpencryptor.address),
    ] + ix.crdb.args(db),
},
231
// PGP encryption service used by the verifier; has its own CockroachDB
// database but shares the client certificate volume with the verifier.
pgpencryptor: ix.component("pgpencryptor") {
    local db = cfg.pgpencryptor.db,

    volumes: ix.crdb.volumes,
    volumeMounts: ix.crdb.volumeMounts,
    args: [
        "/ix/pgpencryptor",
        // No hspki: plain gRPC inside the cluster, like the other services.
        "-hspki_disable",
        "-listen_address=0.0.0.0:%d" % self.port,
    ] + ix.crdb.args(db),
},
241
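// Status frontend (Flask) in front of the verifier; published through
// `ingress`.
frontend: ix.component("frontend") {
    port: 8080,
    args: [
        "/ix/frontend.par",
        // The Flask session-signing secret is expanded by kubelet from the
        // FLASK_SECRET env var defined below. It used to be a literal in this
        // file, so anyone with read access to the repo could forge sessions.
        "--flask_secret=$(FLASK_SECRET)",
        "--listen=0.0.0.0:8080",
        "--verifier=" + ix.verifier.address,
    ],
    // component() has no env hook, so the variable is added on the container
    // directly. The Secret is created out of band (same approach as the
    // ripe-sync password): name ix.name("frontend"), key "flask_secret" —
    // the key name is chosen here, create the Secret to match.
    deployment+: { spec+: { template+: { spec+: { containers_+: {
        frontend+: {
            env_: {
                FLASK_SECRET: {
                    secretKeyRef: {
                        name: ix.name("frontend"),
                        key: "flask_secret",
                    },
                },
            },
        },
    } } } } },
},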
251
// alice-lg looking glass: separate image and port, with the alice-lg
// configuration and the UI theme supplied as ConfigMaps mounted under /etc.
alice: ix.component("alice") {
    port: 7340,
    volumes: {
        config: kube.ConfigMapVolume(ix.alice.configMap),
        theme: kube.ConfigMapVolume(ix.alice.themeMap),
    },
    volumeMounts: {
        config: {
            mountPath: "/etc/alice",
        },
        // Must agree with `path` in the [theme] section of the config below.
        theme: {
            mountPath: "/etc/alice-theme",
        },
    },
    args: [
        "/usr/bin/alice-lg",
        // NOTE(review): the ConfigMap key below is "config", so unless
        // ConfigMapVolume remaps items the file would be /etc/alice/config
        // rather than /etc/alice/alice — confirm against kube.libsonnet.
        "-config", "/etc/alice/alice",
    ],

    // UI strings only; alice-lg serves this as static JS.
    themeMap: kube.ConfigMap(ix.name("alice-theme")) {
        metadata+: ix.metadata("alice-theme"),
        data: {
            "content.js": |||
                Alice.updateContent({
                  header: {
                    title: "CCCampIX Looking Glass",
                    tagline: "powered by alice-lg"
                  },
                  welcome: {
                    title: "CCCampIX Looking Glass",
                    tagline: "BGP to the tent."
                  }
                });
            |||,
        },
    },
    // alice-lg configuration. listen_http must agree with `port` above.
    // The four route-server sources are reached over plain-HTTP birdwatcher
    // APIs; nothing here authenticates or encrypts that path, so it relies
    // on the network it runs in. The [rejection_reasons] keys look like BGP
    // large communities set by the route servers — verify against the RS
    // config before editing them.
    configMap: kube.ConfigMap(ix.name("alice")) {
        metadata+: ix.metadata("alice"),
        data: {
            config: |||
                [server]
                listen_http = 0.0.0.0:7340
                enable_neighbors_status_refresh = false
                asn = 208521

                [housekeeping]
                interval = 5
                force_release_memory = true

                [theme]
                path = /etc/alice-theme

                [pagination]
                routes_filtered_page_size = 250
                routes_accepted_page_size = 250
                routes_not_exported_page_size = 250

                [rejection_reasons]
                208521:65666:1 = An IP Bogon was detected
                208521:65666:2 = Prefix is longer than 64
                208521:65666:3 = Prefix is longer than 24
                208521:65666:4 = AS path contains a bogon AS
                208521:65666:5 = AS path length is longer than 64
                208521:65666:6 = BGP Path invalid (must be only peer)
                208521:65666:9 = Prefix not found in RPKI for Origin AS

                [neighbours_columns]
                Description = Description
                address = Neighbour
                asn = ASN
                state = State
                Uptime = Uptime
                routes_received = Routes Received
                routes_filtered = Filtered

                [routes_columns]
                network = Network
                gateway = Gateway
                interface = Interface
                metric = Metric
                bgp.as_path = AS Path

                [lookup_columns]
                network = Network
                gateway = Gateway
                neighbour.asn = ASN
                neighbour.description = Description
                bgp.as_path = AS Path
                routeserver.name = RS

                [source.rs1-camp-v4]
                name = rs1.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs1-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3000/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs1-camp-v6]
                name = rs1.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs1-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3001/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v4]
                name = rs2.camp.bgp.wtf (IPv4)
                group = Camp
                [source.rs2-camp-v4.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3002/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05

                [source.rs2-camp-v6]
                name = rs2.camp.bgp.wtf (IPv6)
                group = Camp
                [source.rs2-camp-v6.birdwatcher]
                timezone = UTC
                api = http://isw01.camp.bgp.wtf:3003/
                type = single_table
                neighbors_refresh_timeout = 2
                servertime = 2006-01-02T15:04:05Z
                servertime_short = 2006-01-02 15:04:05
                servertime_ext = 2006-01-02 15:04:05
            |||,
        },
    },
},
393
// Every five minutes, push RIPE data into the verifier. The RIPE password
// comes from a Secret (created out of band) through the PASSWORD env var.
ripeSync: kube.CronJob(ix.name("ripe-sync")) {
    local n = "ripe-sync",

    metadata+: ix.metadata(n),
    spec+: {
        schedule: "*/5 * * * *",
        // NOTE(review): no concurrencyPolicy is set, so a slow run can
        // overlap the next one — confirm that is acceptable for ripe-sync.
        jobTemplate+: {
            spec+: {
                // Presumably drops a selector the library would otherwise
                // generate; a Job template must not carry one.
                selector:: null,
                template+: { spec+: {
                    containers_: {
                        [n]: kube.Container(ix.name(n)) {
                            image: cfg.image,
                            // NOTE(review): kubelet expands $(PASSWORD) into
                            // argv, so the secret is visible to anything that
                            // can list processes on the node. If ripe-sync can
                            // read the env var itself, prefer that.
                            args: [
                                "/ix/ripe-sync.par",
                                "$(PASSWORD)",
                                ix.verifier.address,
                            ],
                            env_: {
                                PASSWORD: {
                                    secretKeyRef: {
                                        name: ix.name(n),
                                        key: "password",
                                    },
                                },
                            },
                        },
                    },
                } },
            },
        },
    },
},
427
// Public HTTPS ingress for the status frontend; the certificate is issued by
// cert-manager (letsencrypt-prod) into `public-tls`.
// NOTE(review): unlike every other resource here, the Ingress name is not
// passed through ix.name(), so cfg.prefix does not apply to it (same for
// aliceIngress and grpcIngress).
ingress: kube.Ingress("ingress") {
    local domain = cfg.frontend.domain,

    metadata+: ix.metadata("public") {
        annotations+: {
            "kubernetes.io/tls-acme": "true",
            "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
            // "0" removes nginx's request body size cap for this host.
            "nginx.ingress.kubernetes.io/proxy-body-size": "0",
        },
    },
    spec+: {
        tls: [
            { hosts: [domain], secretName: "public-tls" },
        ],
        rules: [{
            host: domain,
            http: {
                paths: [
                    { path: "/", backend: ix.frontend.svc.name_port },
                ],
            },
        }],
    },
},
Serge Bazanskiec71cb52019-08-22 18:13:13 +0200452
// Public HTTPS ingress for the alice-lg looking glass; same annotation set
// as `ingress` (a shared helper would keep the three ingresses in step).
aliceIngress: kube.Ingress("alice") {
    local domain = cfg.alice.domain,

    metadata+: ix.metadata("alice") {
        annotations+: {
            "kubernetes.io/tls-acme": "true",
            "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
            // "0" removes nginx's request body size cap for this host.
            "nginx.ingress.kubernetes.io/proxy-body-size": "0",
        },
    },
    spec+: {
        tls: [
            { hosts: [domain], secretName: "alice-tls" },
        ],
        rules: [{
            host: domain,
            http: {
                paths: [
                    { path: "/", backend: ix.alice.svc.name_port },
                ],
            },
        }],
    },
},
477
// Public gRPC ingress for the verifier. nginx terminates TLS and forwards
// gRPC to the verifier's plain port (-hspki_disable), so any authentication
// of external callers has to happen inside the verifier — not visible here.
grpcIngress: kube.Ingress("grpc") {
    local domain = cfg.verifier.domain,

    metadata+: ix.metadata("grpc") {
        annotations+: {
            "kubernetes.io/tls-acme": "true",
            "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
            "kubernetes.io/ingress.class": "nginx",
            // Never serve the gRPC endpoint over plain HTTP.
            "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            "nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
        },
    },
    spec+: {
        tls: [
            { hosts: [domain], secretName: "grpc-tls" },
        ],
        rules: [{
            host: domain,
            http: {
                paths: [
                    { path: "/", backend: ix.verifier.svc.name_port },
                ],
            },
        }],
    },
},
Serge Bazanskibeefe442019-07-30 13:03:03 +0200504 },
505}