From 3ca8454555378740f1e2c5ad0109c492b216ad40 Mon Sep 17 00:00:00 2001 From: radex Date: Sun, 8 Oct 2023 23:52:08 +0200 Subject: [PATCH] hswaw/capacifier: migrate deployment away from mirko Change-Id: Ic15945ae0489cfc3026f4cb11123b8e6b575d471 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1688 Reviewed-by: q3k --- cluster/kube/k0.libsonnet | 1 + hswaw/capacifier/README.md | 2 +- hswaw/capacifier/prod.jsonnet | 76 +++++++++++++++++++++++++++++++++ hswaw/kube/capacifier.libsonnet | 41 ------------------ hswaw/kube/hswaw.jsonnet | 6 --- 5 files changed, 78 insertions(+), 48 deletions(-) create mode 100644 hswaw/capacifier/prod.jsonnet delete mode 100644 hswaw/kube/capacifier.libsonnet diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet index 8c91fa4a..6b134e0b 100644 --- a/cluster/kube/k0.libsonnet +++ b/cluster/kube/k0.libsonnet @@ -330,6 +330,7 @@ local rook = import "lib/rook.libsonnet"; { namespace: "covid-formity", dns: "covid.hackerspace.pl" }, { namespace: "covid-formity", dns: "www.covid.hackerspace.pl" }, { namespace: "inventory", dns: "inventory.hackerspace.pl" }, + { namespace: "capacifier", dns: "capacifier.hackerspace.pl" }, { namespace: "ldapweb", dns: "profile.hackerspace.pl" }, { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" }, { namespace: "devtools-prod", dns: "cs.hackerspace.pl" }, diff --git a/hswaw/capacifier/README.md b/hswaw/capacifier/README.md index f2b77418..03ba8294 100644 --- a/hswaw/capacifier/README.md +++ b/hswaw/capacifier/README.md @@ -1,7 +1,7 @@ capacifier === -rewrite-in-go of code.haclerspace.pl/tomek/capacifier. +rewrite-in-go of code.hackerspace.pl/tomek/capacifier. This is one of the oldest API services at the Warsaw hackerspace, and exists solely to provide a generic 'is X a member of Y' functionality. It's generally diff --git a/hswaw/capacifier/prod.jsonnet b/hswaw/capacifier/prod.jsonnet new file mode 100644 index 00000000..7984602c --- /dev/null +++ b/hswaw/capacifier/prod.jsonnet 
@@ -0,0 +1,76 @@
+local kube = import "../../kube/kube.libsonnet";
+
+{
+ local top = self,
+ local cfg = self.cfg,
+
+ cfg:: {
+ name: 'capacifier',
+ namespace: 'capacifier',
+ domain: 'capacifier.hackerspace.pl',
+ image: 'registry.k0.hswaw.net/q3k/capacifier:1680390588',
+ },
+
+ ns: kube.Namespace(cfg.namespace),
+
+ deployment: top.ns.Contain(kube.Deployment(cfg.name)) {
+ spec+: {
+ replicas: 3,
+ template+: {
+ spec+: {
+ containers_: {
+ default: kube.Container("default") {
+ image: cfg.image,
+ env_: {
+ LDAP_DN: "cn=capacifier,ou=Services,dc=hackerspace,dc=pl",
+ LDAP_PW: { secretKeyRef: { name: cfg.name, key: 'ldap_pw' } },
+ },
+ command: [
+ "/hswaw/capacifier/capacifier",
+ "-hspki_disable",
+ "-logtostderr",
+ "-api_listen", "0.0.0.0:8080",
+ "-ldap_bind_dn", "$(LDAP_DN)",
+ "-ldap_bind_pw", "$(LDAP_PW)",
+ ],
+ resources: {
+ requests: { cpu: "25m", memory: "64Mi" },
+ limits: { cpu: "500m", memory: "128Mi" },
+ },
+ ports_: {
+ http: { containerPort: 8080 },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+
+ service: top.ns.Contain(kube.Service(cfg.name)) {
+ target_pod:: top.deployment.spec.template,
+ },
+
+ ingress: top.ns.Contain(kube.Ingress(cfg.name)) {
+ metadata+: {
+ annotations+: {
+ "kubernetes.io/tls-acme": "true",
+ "cert-manager.io/cluster-issuer": "letsencrypt-prod",
+ "nginx.ingress.kubernetes.io/proxy-body-size": "0",
+ },
+ },
+ spec+: {
+ tls: [ { hosts: [ cfg.domain ], secretName: cfg.name + "-tls" } ],
+ rules: [
+ {
+ host: cfg.domain,
+ http: {
+ paths: [
+ { path: "/", backend: top.service.name_port },
+ ],
+ },
+ },
+ ],
+ },
+ },
+}
diff --git a/hswaw/kube/capacifier.libsonnet b/hswaw/kube/capacifier.libsonnet
deleted file mode 100644
index d1eeec1e..00000000
--- a/hswaw/kube/capacifier.libsonnet
+++ /dev/null
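Review bot: The `"-ldap_bind_pw", "$(LDAP_PW)"` entry in `command` of hswaw/capacifier/prod.jsonnet has Kubernetes expand the secret into the container's argv, so the LDAP bind password is readable from the process command line by anything that can list processes in the pod or on the node, even though it is sourced through a `secretKeyRef`. Whether capacifier can take the password from the environment or from a mounted file is not visible in this diff; if it can, drop the flag from `command`, and if it cannot, a comment such as `// NOTE: bind password ends up in argv; the flag is the only input capacifier accepts` would record the trade-off. Separately, `"nginx.ingress.kubernetes.io/proxy-body-size": "0"` turns off the ingress request-size limit for a publicly routed lookup API whose container is capped at 128Mi; a small explicit value such as `"1m"` looks sufficient unless large request bodies are expected. The deployment also depends on a Secret named `capacifier` with key `ldap_pw` that this commit does not define, so the README should say how that Secret is provisioned.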
@@ -1,41 +0,0 @@ -local mirko = import "../../kube/mirko.libsonnet"; -local kube = import "../../kube/kube.libsonnet"; - -{ - cfg:: { - ldapBindPassword: error "ldapBindPassword must be set!", - image: "registry.k0.hswaw.net/q3k/capacifier:1680390588", - fqdn: "capacifier.hackerspace.pl", - }, - - component(cfg, env):: mirko.Component(env, "capacifier") { - local capacifier = self, - cfg+: { - image: cfg.image, - container: capacifier.GoContainer("main", "/hswaw/capacifier/capacifier") { - env_: { - BIND_PW: kube.SecretKeyRef(capacifier.secret, "bindPW"), - }, - command+: [ - "-api_listen", "0.0.0.0:5000", - "-ldap_bind_pw", "$(BIND_PW)", - ], - }, - ports+: { - publicHTTP: { - api: { - port: 5000, - dns: cfg.fqdn, - } - }, - }, - }, - - secret: kube.Secret("capacifier") { - metadata+: capacifier.metadata, - data_: { - bindPW: cfg.ldapBindPassword, - }, - }, - }, -} diff --git a/hswaw/kube/hswaw.jsonnet b/hswaw/kube/hswaw.jsonnet index 76d318e6..f7206ade 100644 --- a/hswaw/kube/hswaw.jsonnet +++ b/hswaw/kube/hswaw.jsonnet @@ -6,7 +6,6 @@ local teleimg = import "teleimg.libsonnet"; local frab = import "frab.libsonnet"; local pretalx = import "pretalx.libsonnet"; local cebulacamp = import "cebulacamp.libsonnet"; -local capacifier = import "capacifier.libsonnet"; { hswaw(name):: mirko.Environment(name) { @@ -19,7 +18,6 @@ local capacifier = import "capacifier.libsonnet"; frab: frab.cfg, pretalx: pretalx.cfg, cebulacamp: cebulacamp.cfg, - capacifier: capacifier.cfg, }, components: { @@ -31,7 +29,6 @@ local capacifier = import "capacifier.libsonnet"; cronjob: null, }, cebulacamp: cebulacamp.component(cfg.cebulacamp, env), - capacifier: capacifier.component(cfg.capacifier, env), }, }, @@ -68,9 +65,6 @@ local capacifier = import "capacifier.libsonnet"; cebulacamp+: { webFQDN: "cebula.camp", }, - capacifier+: { - ldapBindPassword: std.split(importstr "secrets/plain/prod-capacifier-password", "\n")[0], - }, }, },