hscloud/personal/vuko/shells/prod.jsonnet

164 lines
6.4 KiB
Text
Raw Normal View History

# this is libjsonnet library for kubernetes related things
local kube = import '../../../kube/kube.libsonnet';
{
local shells = self,
local cfg = shells.cfg,
# namespace defining parameters used by other functions
# double colon "::" prevents it from appearing in output file
cfg:: {
namespace: "personal-vuko",
appName: "three-shell-system",
domain: "shells.vuko.pl",
nginx_tag: "latest",
nginx_image: "nginxinc/nginx-unprivileged:stable-alpine",
storageClassName: "waw-hdd-redundant-2",
resources: {
requests: {
cpu: "25m",
memory: "50Mi",
},
limits: {
cpu: "100m",
memory: "200Mi",
},
},
},
# kubernete namespace personal-${name} for personal usage
namespace: kube.Namespace(cfg.namespace),
# function used for configuring components metatada
metadata(component):: {
namespace: cfg.namespace,
labels: {
"app.kubernetes.io/name": cfg.appName,
"app.kubernetes.io/managed-by": "kubecfg",
"app.kubernetes.io/component": component,
},
},
# component - persistant (non volatile) memory
# https://kubernetes.io/docs/concepts/storage/persistent-volumes/
dataVolume: kube.PersistentVolumeClaim("html-data") {
# override default PersistentVolumeClaim metatada with values defined
# in medadata function prevoiusly created
# "+" sign before means override
metadata+: shells.metadata("html-data"),
spec+: {
storageClassName: cfg.storageClassName,
# can be connected to multiple containers
accessModes: [ "ReadWriteMany" ],
resources: {
requests: {
# amount of storage space: 500Mb
storage: "500Mi",
},
},
},
},
# deployment declares pods
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
deployment: kube.Deployment("shells") {
metadata+: shells.metadata("shells"),
spec+: {
replicas: 1,
template+: {
spec+: {
# names ending with _ have special meaning in this context
# this is specified in ../../../kube/kube.upstream.jsonnet
# volumes_ { key: { ... } } is converted to volumes [{ name: key, ... }]
volumes_: {
# sftp container host keys secrets saved to kubernetes semi-manually using create-secrets.py
# https://kubernetes.io/docs/concepts/configuration/secret/
host_keys: { secret: { secretName: "shells-ssh-host-key-bd65mg4gbt" } },
# sftp container authorized_keys saved to kubernetes using command:
# kubectl -n personal-vuko create secret generic shells-ssh-authorized-keys --from-file="authorized_keys=${HOME}/.ssh/id_ed25519.pub"
authorized_keys: { secret: { secretName: "shells-ssh-authorized-keys", defaultMode: 256 } },
# to use created volume in deployment we need to claim it
html: kube.PersistentVolumeClaimVolume(shells.dataVolume),
},
# here are containers defined
# when they are defined in one deployment
containers_: {
shells: kube.Container("nginx") {
image: cfg.nginx_image,
ports_: {
http: { containerPort: 80 },
},
resources: cfg.resources,
volumeMounts_: {
html: { mountPath: "/usr/share/nginx/html" },
},
},
sftp: kube.Container("sftp") {
image: "registry.k0.hswaw.net/vuko/hs-shells-sftp:latest",
ports_: {
sftp: { containerPort: 2222 },
},
command: [ "/bin/start" ],
resources: cfg.resources,
securityContext: {
# specify uid of user running command
runAsUser: 1,
},
volumeMounts_: {
# here volumes defined in volumes_ can be mounted
host_keys: { mountPath: "/etc/ssh/host" },
authorized_keys: { mountPath: "/etc/ssh/auth" },
html: { mountPath: "/data" },
},
},
},
},
},
},
},
# defining a service of type LoadBancer gives you acces from internet
# run: kubectl -n personal-${user} get services to see ip address
svc: kube.Service("shells") {
metadata+: shells.metadata("shells"),
target_pod:: shells.deployment.spec.template,
spec+: {
ports: [
{ name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
{ name: "sftp", port: 22, targetPort: 2222, protocol: "TCP" },
],
type: "LoadBalancer",
externalTrafficPolicy: "Local",
},
},
# ingress creates VirtualHost on ingress.k0.hswaw.net forwaring http(s)
# requests to your domain to specified Pod/container
ingress: kube.Ingress("frontend") {
metadata+: shells.metadata("frontend") {
annotations+: {
"kubernetes.io/tls-acme": "true",
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
},
},
spec+: {
tls: [
{ hosts: [cfg.domain], secretName: "shells-frontend-tls"}
],
rules: [
{
host: cfg.domain,
http: {
paths: [
{ path: "/", backend: shells.svc.name_port },
],
},
},
],
},
},
}