| Radek Pietruszewski | f584431 | 2023-10-27 22:41:18 +0200 | [diff] [blame^] | 1 | local kube = import "../../../kube/hscloud.libsonnet"; |
| Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 2 | |
| 3 | { |
| 4 | local app = self, |
| 5 | local cfg = app.cfg, |
| 6 | |
| 7 | cfg:: { |
| 8 | namespace: error "cfg.namespace must be set", |
| 9 | webDomain: error "cfg.webDomain must be set", |
| 10 | images: { |
| 11 | web: "registry.k0.hswaw.net/implr/mailman-web:0.6", |
| 12 | # https://github.com/octeep/wireproxy |
| 13 | wireproxy: "registry.k0.hswaw.net/implr/wireproxy:1.0.5" |
| 14 | }, |
| 15 | passwords: { |
| 16 | postgres: error "cfg.secrets.postgres must be set", |
| 17 | mailmanRest: error "cfg.secrets.mailmanRest must be set", |
| 18 | mailmanArchiver: error "cfg.secrets.mailmanArchiver must be set", |
| 19 | }, |
| 20 | smtp: { |
| 21 | user: "postorius", |
| 22 | # from mail server |
| 23 | password: error "cfg.smtp.password must be set", |
| 24 | }, |
| 25 | secrets: { |
| 26 | djangoSecretKey: error "cfg.secrets.djangoSecretKey must be set", |
| 27 | }, |
| 28 | wg: { |
| 29 | peerPubkey: error "cfg.wg.peerPubkey must be set", |
| 30 | privkey: error "cfg.wg.privkey must be set", |
| 31 | endpoint: error "cfg.wg.endpoint must be set", |
| 32 | }, |
| 33 | }, |
| 34 | |
| 35 | env:: { |
| 36 | WEB_DOMAIN: cfg.webDomain, |
| 37 | BIND_ADDR: "0.0.0.0:8080", |
| 38 | |
| 39 | //DB_HOST: app.postgres.svc.host, |
| 40 | DB_HOST: "boston-packets.hackerspace.pl", |
| 41 | DB_USER: "mailman", |
| 42 | DB_NAME: "mailman-web", |
| 43 | DB_PASS: kube.SecretKeyRef(app.config, "postgres-pass"), |
| 44 | DB_PORT: "5432", |
| 45 | |
| 46 | |
| 47 | SMTP_HOST: "mail.hackerspace.pl", |
| 48 | SMTP_PORT: "587", |
| 49 | SMTP_USER: "postorius", |
| 50 | SMTP_PASSWORD: kube.SecretKeyRef(app.config, "smtp-password"), |
| 51 | |
| 52 | SECRET_KEY: kube.SecretKeyRef(app.config, "django-secret-key"), |
| 53 | MAILMAN_REST_API_PASS: kube.SecretKeyRef(app.config, 'mailman-api-password'), |
| 54 | MAILMAN_ARCHIVER_KEY: kube.SecretKeyRef(app.config, 'mailman-archiver-key'), |
| 55 | |
| 56 | }, |
| 57 | |
| 58 | namespace: kube.Namespace(cfg.namespace), |
| 59 | local ns = self.namespace, |
| 60 | |
| 61 | |
| 62 | web: ns.Contain(kube.Deployment("web")) { |
| 63 | spec+: { |
| 64 | minReadySeconds: 10, |
| 65 | replicas: 1, |
| 66 | template+: { |
| 67 | spec+: { |
| 68 | initContainers_: { |
| 69 | migrate: kube.Container("migrate") { |
| 70 | image: cfg.images.web, |
| 71 | env_: app.env, |
| 72 | args: [ |
| 73 | "manage", "migrate", |
| 74 | ], |
| 75 | }, |
| 76 | }, |
| 77 | volumes_: { |
| 78 | config: kube.SecretVolume(app.wireproxyConfig), |
| 79 | }, |
| 80 | containers_: { |
| 81 | default: kube.Container("default") { |
| 82 | image: cfg.images.web, |
| 83 | env_: app.env, |
| 84 | args: ["serve"], |
| 85 | ports_: { |
| 86 | web: { containerPort: 8080 }, |
| 87 | }, |
| 88 | # readinessProbe: { |
| 89 | # httpGet: { |
| 90 | # path: "/", |
| 91 | # port: "web", |
| 92 | # }, |
| 93 | # failureThreshold: 10, |
| 94 | # periodSeconds: 5, |
| 95 | # }, |
| 96 | resources: { |
| 97 | requests: { |
| 98 | cpu: "250m", |
| 99 | memory: "1024M", |
| 100 | }, |
| 101 | limits: { |
| 102 | cpu: "1", |
| 103 | memory: "1024M", |
| 104 | }, |
| 105 | }, |
| 106 | }, |
| 107 | wireproxy: kube.Container("wireproxy") { |
| 108 | image: cfg.images.wireproxy, |
| 109 | resources: { |
| 110 | requests: { |
| 111 | cpu: "100m", |
| 112 | memory: "64M", |
| 113 | }, |
| 114 | limits: { |
| 115 | cpu: "200m", |
| 116 | memory: "128M", |
| 117 | }, |
| 118 | }, |
| 119 | volumeMounts_: { |
| 120 | config: { mountPath: "/etc/wireproxy/config", subPath: "config" } |
| 121 | }, |
| 122 | }, |
| 123 | }, |
| 124 | }, |
| 125 | }, |
| 126 | }, |
| 127 | }, |
| 128 | |
| 129 | local manifestIniMultisection(sname, values) = std.join('\n', |
| 130 | [std.manifestIni({ |
| 131 | sections: { |
| 132 | [sname]: i, |
| 133 | }}) for i in values]), |
| 134 | wireproxyConfig: ns.Contain(kube.Secret("wireproxy-config")) { |
| 135 | data: { |
| 136 | config: std.base64(std.manifestIni({ |
| 137 | sections: { |
| 138 | Interface: { |
| 139 | Address: cfg.wg.address, |
| 140 | PrivateKey: cfg.wg.privkey, |
| 141 | }, |
| 142 | Peer: { |
| 143 | PublicKey: cfg.wg.peerPubkey, |
| 144 | Endpoint: cfg.wg.endpoint, |
| 145 | }, |
| 146 | |
| 147 | }, |
| 148 | }) + manifestIniMultisection("TCPClientTunnel", [ |
| 149 | # { |
| 150 | # # postgres |
| 151 | # ListenPort: 5432, |
| 152 | # Target: "localhost:5432", |
| 153 | # }, |
| 154 | { |
| 155 | # mailman core api |
| 156 | BindAddress: "127.0.0.1:8001", |
| 157 | Target: "172.17.1.1:8001", |
| 158 | }, |
| 159 | ])), |
| 160 | }, |
| 161 | }, |
| 162 | |
| 163 | |
| 164 | svcWeb: ns.Contain(kube.Service("web")) { |
| 165 | target_pod: app.web.spec.template, |
| 166 | spec+: { |
| 167 | # hax |
| 168 | type: "LoadBalancer", |
| 169 | externalTrafficPolicy: "Local", |
| 170 | }, |
| 171 | }, |
| 172 | |
| 173 | |
| Radek Pietruszewski | f584431 | 2023-10-27 22:41:18 +0200 | [diff] [blame^] | 174 | #ingress: ns.Contain(kube.SimpleIngress("mailman")) { |
| 175 | # hosts:: [cfg.webDomain], |
| 176 | # target_service:: app.svcWeb, |
| Bartosz Stebel | f5b1a21 | 2023-02-04 23:47:44 +0100 | [diff] [blame] | 177 | #}, |
| 178 | |
| 179 | config: ns.Contain(kube.Secret("config")) { |
| 180 | data_: { |
| 181 | "postgres-pass": cfg.passwords.postgres, |
| 182 | "django-secret-key": cfg.secrets.djangoSecretKey, |
| 183 | |
| 184 | "smtp-password": cfg.smtp.password, |
| 185 | |
| 186 | "mailman-api-password": cfg.mailmanCore.mailmanApiPass, |
| 187 | "mailman-archiver-key": cfg.mailmanCore.mailmanArchiverKey, |
| 188 | |
| 189 | }, |
| 190 | }, |
| 191 | } |