Fork 0
Commit Graph

48 Commits (master)

Author SHA1 Message Date
radex f5844311eb */kube: Add kube.SimpleIngress
Change-Id: Iddcac629b9938f228dd93b32e58bb14606d5c6e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1745
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-28 17:55:48 +00:00
informatic ea8e3f9112 kube/postgres: pgupgrade automation
Change-Id: Ibcbddf57b8cdcac75ce366a95db63817bec42a22
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1698
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-16 12:02:07 +00:00
informatic 7e841065b0 *: post-certmanager manifests update
Change-Id: I745c850268c31777c5722a9833c8152a55615aed
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1512
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 21:20:44 +00:00
implr 65b30af78e kube/postgres: add versioned library
also use in mastodon-qa

Change-Id: I628293fcfe9081c350087572ecda9e51ee18238f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1422
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-11-18 14:52:05 +00:00
informatic 529e181497 app/matrix: appservice workers
This change extracts appservice workers (deployed and tested) and prepares for
federation sender workers extraction (still partially broken)

Change-Id: I2d63fe44538ea2a7c5fd492f6ce119bc35a9eb03
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1101
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 21c8cd6833 app/matrix/matrix.hackerspace.pl: finish matrix-media-repo rollout
Change-Id: I7acc34c82c8ffe1334bb9201b993a410eb517b63
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1144
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-09-16 18:57:08 +00:00
q3k 9cfc2a0e43 kube.libsonnet: refactor OpenAPI lib, support extra types
This was to be used by a Ceph CRD bump, but we ended up using upstream
yaml instead. But it's a useful change regardless.

I really should document this and write some tests.

Change-Id: I27ce94c6ebe50a4a93baa83418e8d40004755231
2021-09-11 20:49:51 +00:00
implr 3a15b832cd update kube.libsonnet
Change-Id: I130bb2c9d799036daba8be4837f6070e65f31243
2021-06-16 19:14:50 +02:00
informatic 1f717993e5 Merge "kube/postgres: add extra options configuration option" 2021-02-09 08:34:48 +00:00
informatic 3b8f6675b1 kube/postgres: add extra options configuration option
Change-Id: I674740872d9540329711cad2b05007215f90bd9b
2021-02-08 22:44:56 +01:00
q3k 41bbf1436a cluster/kube: deploy admitomatic webhook
This has been (succesfully) tested on prod and then rolled back.

Change-Id: I22657f66b4aeaa8a0ae452035ba18a79f4549b14
2021-02-07 19:19:23 +00:00
q3k 5d67d0c8fc kube/prototext.libsonnet: implement manifestProtoText
This hairy little ball of recursive object manifestation allows emitting
prototext directly from jsonnet.

Change-Id: I8237c629862cfcdf32ca250fba9eda9926c4f9b4
2021-02-07 19:18:29 +00:00
informatic 2759eb7a54 kube/redis: fix /data partition permissions
This has been encountered when introducing redis in our production
matrix deployment. /data partition is owned by root:root by default

Change-Id: Ic148ff25837c6e8da394a5124556481343ea2873
2021-01-31 20:07:29 +01:00
informatic 1816f58448 kube/postgres: expose cfg.initdbArgs
This option allows easy customization of certain initial database
properties, like encoding or collation. See:

Adding this option in already existing deployments will only cause
postgres pod restart, but no data loss or schema changes!

Intended to be used in further matrix deployment cleanups.

Change-Id: I49a017c21a228f983bea6bafa7dac962a75d05c9
2021-01-30 13:14:37 +01:00
informatic 7e3447f3ff Merge "kube/redis: implement optional cfg.password option" 2020-10-10 18:40:37 +00:00
q3k d9e32f19f6 Merge "kube/upstream: bump to 1.14.4" 2020-10-10 18:24:48 +00:00
informatic 89a1ee90cd kube/redis: implement optional cfg.password option
If set, this enables internal redis authentication scheme. Supports
secretRefs, as well as values passed directly.

Change-Id: Ie902b8d79fdc4aa83ad8ad123e79f0bc80c1251f
2020-10-10 19:44:14 +02:00
q3k c0c037aad9 app/matrix: migrate postgres and data to waw3
The way this was migrated is not to be spoken of.

(hint: it involved downtime, and mounting two volumes at once)

appservice-irc has some storage, we should migrate that to waw3, too. But
it's not as critical.

The new storage (waw3) is _much_ faster.

Change-Id: I4b4bd32e4fedc514753d25bac35d001e8a9c5f00
2020-08-24 19:12:08 +00:00
q3k 35d437883b kube/policies: implement mostlysecure
This now allows to run apt and should allow to run most upstream docker
images. In return, we prohibit some mildly sketchy stuff. But this is
safe enough for project namespaces with limited administrative access.

We should still get gvisor sooner than later...

Change-Id: Ida5ccfae440bacb6f3fd55dcc34ca0addfddd5ae
2020-08-23 11:32:44 +00:00
q3k b7898a8038 devtools: fix sourcegraph
Permissions get mangled on container restart. This adds an init
container to fix them.

Change-Id: I37c44e23a75b8ec41e6aba2ed38eee223496b8b9
2020-08-23 11:05:57 +00:00
q3k 0b6d5d526f kube/kube.libsonnet: add OpenAPI.Require
This allows for the following:

    local oa = kube.OpenAPI,

    vaidation: oa.Validation(oa.Dict {
        foo: oa.Required(oa.String),
        bar: oa.Required(oa.Array(oa.Dict {
            baz: oa.Boolean,

No more `oa.String { required:: true }`!

Change-Id: I4ecc5002e83a8a1cfcdf083d425d7decd4cf8871
2020-08-22 19:01:01 +00:00
q3k 5a89d225e7 kube/kube.libsonnet: add Contain to Namespace
This allow for the following:

    ns: kube.Namespace("foo"),

    service: self.ns.Contain(kube.Service("bar")) {
        spec+: {
            // ...

No more `metadata+: { namespace: ... }` !

Change-Id: Iff21654e18919afbe60c574e560356c6bd6d9b89
2020-08-22 18:57:30 +00:00
q3k 394dd83219 kube/kube.libsonnet: add CertificateVolume
CertificateVolume is like SecretVolume, but for secrets generated from

Change-Id: I312be8e84c856221173583df478ec5317aa948c0
2020-08-22 18:56:53 +00:00
q3k 15db04c705 hackdoc: deploy
There's an issue with the registry that forbids me from pushing into
anything but my personal namespace - might have been introduced by
0697e01144 . For now, I move the hackdoc
image to my personal namespace, as at some point in the future I want to
revamp the registry system, anyway.

We also drive-by fix a mirko.libsonnet typo that, for some reason,
hasn't manifested itself yet.

Change-Id: I8544e4a52610fb84c5c9d8b0de449f785248f60f
2020-08-10 18:57:26 +02:00
q3k 91e1a8c9c5 devtools: add sourcegraph
Change-Id: Ic3c40768c761e598e0f42b17a4b9f0d4ebcb2bb2
2020-06-25 12:27:34 +02:00
Rafał Hirsz ccda33361c kube/upstream: bump to 1.14.4
Change-Id: I2aef3a36d523df46a5b6b3464eb25d9aef6fb72d
2020-05-16 21:06:35 +02:00
q3k e3432ee775 kube/policies: implement mostlysecure
Change-Id: I0f5dc29f9fc3ad534ddda766a79bb18e64757a6c
2020-05-11 20:17:11 +02:00
q3k d436de2010 cluster/rook: bump to 1.1.9
This bumps Rook/Ceph. The new resources (mostly RBAC) come from
following https://rook.io/docs/rook/v1.1/ceph-upgrade.html .

It's already deployed on production. The new CSI driver has not been
tested, but the old flexvolume-based provisioners still work. We'll
migrate when Rook offers a nice solution for this.

We've hit a kubecfg bug that does not allow controlling the CephCluster
CRD directly anymore (I had to apply it via kubecfg show / kubectl apply
-f instead). This might be due to our bazel/prod k8s version mismatch,
or it might be related to https://github.com/bitnami/kubecfg/issues/259.

Change-Id: Icd69974b294b823e60b8619a656d4834bd6520fd
2020-05-02 23:30:52 +02:00
q3k 006c1bf8f3 *: add more OWNERS
Change-Id: If2740a0aaee845160b38b8ea0b23fea7bab3bded
2020-04-13 01:46:15 +02:00
q3k 74818e155c hswaw/kube: add pretalx
Change-Id: Ia7512aa988022c3c7fd89f81927fbad03f933cf1
2020-02-18 22:56:21 +01:00
q3k 114edc2398 kube/mirko: add kube.CephObjectStoreUser
Change-Id: I2a67076eeaf41ada41f5ae3ee588025e4c16b9e1
2020-02-18 22:55:13 +01:00
q3k f8b4cd7b06 kube/redis: run as unprivileged user
Change-Id: If117384748cb6d06097742329095ae8936ed001c
2020-02-15 12:39:35 +01:00
q3k c622a19d36 kube/postgres: run bouncer
Change-Id: Id85cf1f32f8d41bf909dae380c4a5b3351cac29b
2020-02-15 12:39:14 +01:00
q3k aa8c2b0cca kube/mirko: allow specifying securityContext
Change-Id: Iebafd6b1480ed1e1c1f3cf83361376987720766e
2020-02-15 12:38:39 +01:00
q3k a2ee865a0c postgres: run unprivilged
Change-Id: I8d7e92093c0df91b6cd601a4d8e2484fca97ee88
2020-01-22 21:48:48 +01:00
q3k 92b48d6216 {matrix,lelegram}: pin to bc01n0{1,2}.hswaw.net
Only these nodes (and bc01n03( are #blesed by freenode.

In the future we should fix this by having custom node labels for
blessed nodes. But this will do for now.

Change-Id: Ia5d7cfcb9329da0de8d596ed40b20b0e0f286f43
2020-01-08 13:59:04 +01:00
q3k c33ebcc79f cluster: add ceph-waw3, move metallb to bgp
Change-Id: Iebf369f9a02e44be163ef4afc2e0f23c4b009898
2019-11-01 18:43:45 +01:00
q3k 6f773e0004 smsgw: productionize, implement kube/mirko
This productionizes smsgw.

We also add some jsonnet machinery to provide a unified service for Go

This machinery provides all the nice stuff:
 - a deployment
 - a service for all your types of pots
 - TLS certificates for HSPKI

We also update and test hspki for a new name scheme.

Change-Id: I292d00f858144903cbc8fe0c1c26eb1180d636bc
2019-10-04 13:52:34 +02:00
q3k e31d64f265 kube: move cert-manager resources to kube.local.libsonnet
This way kubernetes consumers don't have to import anything from
cluster/, hopefully.

We also create a small abstraction for local additions for
kube.libsonnet without having to modify upstream.

Change-Id: I209095781f91c8867250a647fe944370cddd67d0
2019-10-02 21:03:13 +02:00
q3k b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00
q3k d07861b7df ceph-waw1 -> ceph-waw2
Change-Id: I03d6244b9697a9efc06492114ef90cdb01e17601
2019-08-08 17:49:31 +02:00
q3k 3c117fa841 make cockroachdb into a cluster service 2019-06-20 16:43:01 +02:00
Patryk Jakuszew fae3a9d514 add grace period for client pod, rename volume mounts 2019-06-20 16:43:01 +02:00
Patryk Jakuszew 5dfd4cc799 initial commit of cockroachdb.libsonnet 2019-06-20 16:43:01 +02:00
q3k c3b0f7627c cluster/kube: set operator replicas to 0 2019-06-20 16:42:19 +02:00
q3k 6916f7e244 app/toot: start implementing redis 2019-04-04 16:54:00 +02:00
q3k 5f2dc8530d toot: wip 2019-04-02 02:36:22 +02:00
q3k 4d9e72cb8c cluster/kube: init 2019-01-13 22:06:33 +01:00