mirror of https://gerrit.hackerspace.pl/hscloud
bgpwtf/internet: clean up, use unprivileged nginx
Change-Id: I6f1291c2facf35f4871283c28a4e6f771a3b5102 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1813 Reviewed-by: q3k <q3k@hackerspace.pl>changes/13/1813/5
parent
f5b311794e
commit
304515b58b
|
@ -1,3 +1,3 @@
|
|||
FROM nginx:1.17.1-alpine
|
||||
FROM nginxinc/nginx-unprivileged:stable-alpine
|
||||
|
||||
COPY static /usr/share/nginx/html
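Review bot: The new base image is referenced by the floating tag `stable-alpine`, while the other `FROM` line shown pins `nginx:1.17.1-alpine`, so a rebuild can pull a different nginx without any change in this repository. Pinning to a release tag, or better a digest (`FROM nginxinc/nginx-unprivileged:<version>-alpine@sha256:<digest>`, placeholders to be filled in), keeps builds reproducible and makes base-image updates visible in review. `COPY static /usr/share/nginx/html` without `--chown` leaves the files root-owned, which suits read-only serving by the unprivileged user as long as they stay world-readable.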
|
||||
|
|
|
@ -4,47 +4,30 @@ local kube = import '../../../kube/hscloud.libsonnet';
|
|||
local top = self,
|
||||
local cfg = top.cfg,
|
||||
cfg:: {
|
||||
name: "internet-landing",
|
||||
namespace: "internet",
|
||||
appName: "internet-landing",
|
||||
domain: "internet.hackerspace.pl",
|
||||
|
||||
tag: "202108261700",
|
||||
image: "registry.k0.hswaw.net/q3k/internet:" + cfg.tag,
|
||||
image: "registry.k0.hswaw.net/radex/internet:20231124144325",
|
||||
|
||||
resources: {
|
||||
requests: {
|
||||
cpu: "25m",
|
||||
memory: "50Mi",
|
||||
},
|
||||
limits: {
|
||||
cpu: "100m",
|
||||
memory: "200Mi",
|
||||
},
|
||||
requests: { cpu: "25m", memory: "50Mi" },
|
||||
limits: { cpu: "100m", memory: "200Mi" },
|
||||
},
|
||||
},
|
||||
|
||||
local ns = kube.Namespace(cfg.namespace),
|
||||
|
||||
metadata(component):: {
|
||||
namespace: cfg.namespace,
|
||||
labels: {
|
||||
"app.kubernetes.io/name": cfg.appName,
|
||||
"app.kubernetes.io/managed-by": "kubecfg",
|
||||
"app.kubernetes.io/component": component,
|
||||
},
|
||||
},
|
||||
|
||||
deployment: kube.Deployment("nginx") {
|
||||
metadata+: top.metadata("nginx"),
|
||||
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
||||
spec+: {
|
||||
replicas: 1,
|
||||
template+: {
|
||||
spec+: {
|
||||
containers_: {
|
||||
nginx: kube.Container("nginx") {
|
||||
default: kube.Container("default") {
|
||||
image: cfg.image,
|
||||
ports_: {
|
||||
http: { containerPort: 80 },
|
||||
http: { containerPort: 8080 },
|
||||
},
|
||||
resources: cfg.resources,
|
||||
},
|
||||
|
@ -54,14 +37,12 @@ local kube = import '../../../kube/hscloud.libsonnet';
|
|||
},
|
||||
},
|
||||
|
||||
svc: kube.Service("frontend") {
|
||||
metadata+: top.metadata("frontend"),
|
||||
service: ns.Contain(kube.Service(cfg.name)) {
|
||||
target:: top.deployment,
|
||||
},
|
||||
|
||||
ingress: kube.SimpleIngress("frontend") {
|
||||
ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
|
||||
hosts:: [cfg.domain],
|
||||
target:: top.svc,
|
||||
metadata+: top.metadata("frontend"),
|
||||
target:: top.service,
|
||||
},
|
||||
}
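Review bot: The `default` container in the first hunk relies on the image's default user to stay non-root, because nothing visible there sets a `securityContext`. A few lines of the pod spec fall between the two hunks and are not shown, so this may already be covered. Adding `securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false },` next to `resources: cfg.resources,` would make the kubelet refuse to start the container as UID 0 if the image is ever swapped for a root one, rather than depending on the image alone. Separately, the `image:` value is now a literal tag under a personal registry path instead of being built from `cfg.tag`; referencing it by digest would make the deployed content immutable.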
|
||||
|
|
|
@ -313,7 +313,6 @@ local admins = import "lib/admins.libsonnet";
|
|||
policies.AllowNamespaceInsecure("ceph-waw3"),
|
||||
policies.AllowNamespaceInsecure("matrix"),
|
||||
policies.AllowNamespaceInsecure("registry"),
|
||||
policies.AllowNamespaceInsecure("internet"),
|
||||
# TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
|
||||
policies.AllowNamespaceInsecure("implr-vpn"),
|
||||
// For SourceGraph's tini container mess.
|
||||
|
|