bgpwtf/internet: clean up, use unprivileged nginx

Change-Id: I6f1291c2facf35f4871283c28a4e6f771a3b5102 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1813 Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-24 14:50:48 +01:00 · 2023-11-24 14:50:48 +01:00 · 304515b58b
parent f5b311794e
commit 304515b58b
3 changed files with 11 additions and 31 deletions
--- a/bgpwtf/internet/Dockerfile
+++ b/bgpwtf/internet/Dockerfile
@ -1,3 +1,3 @@
-FROM nginx:1.17.1-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine

 COPY static /usr/share/nginx/html
--- a/bgpwtf/internet/kube/prod.jsonnet
+++ b/bgpwtf/internet/kube/prod.jsonnet
@ -4,47 +4,30 @@ local kube = import '../../../kube/hscloud.libsonnet';
    local top = self,
    local cfg = top.cfg,
    cfg:: {
+        name: "internet-landing",
        namespace: "internet",
-        appName: "internet-landing",
        domain: "internet.hackerspace.pl",

-        tag: "202108261700",
-        image: "registry.k0.hswaw.net/q3k/internet:" + cfg.tag,
+        image: "registry.k0.hswaw.net/radex/internet:20231124144325",

        resources: {
-            requests: {
-                cpu: "25m",
-                memory: "50Mi",
-            },
-            limits: {
-                cpu: "100m",
-                memory: "200Mi",
-            },
+            requests: { cpu: "25m", memory: "50Mi" },
+            limits: { cpu: "100m", memory: "200Mi" },
        },
    },

    local ns = kube.Namespace(cfg.namespace),

-    metadata(component):: {
-        namespace: cfg.namespace,
-        labels: {
-            "app.kubernetes.io/name": cfg.appName,
-            "app.kubernetes.io/managed-by": "kubecfg",
-            "app.kubernetes.io/component": component,
-        },
-    },
-
-    deployment: kube.Deployment("nginx") {
-        metadata+: top.metadata("nginx"),
+    deployment: ns.Contain(kube.Deployment(cfg.name)) {
        spec+: {
            replicas: 1,
            template+: {
                 spec+: {
                     containers_: {
-                         nginx: kube.Container("nginx") {
+                         default: kube.Container("default") {
                             image: cfg.image,
                             ports_: {
-                                 http: { containerPort: 80 },
+                                 http: { containerPort: 8080 },
                             },
                             resources: cfg.resources,
                         },
@ -54,14 +37,12 @@ local kube = import '../../../kube/hscloud.libsonnet';
        },
    },

-    svc: kube.Service("frontend") {
-        metadata+: top.metadata("frontend"),
+    service: ns.Contain(kube.Service(cfg.name)) {
        target:: top.deployment,
    },

-    ingress: kube.SimpleIngress("frontend") {
+    ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
        hosts:: [cfg.domain],
-        target:: top.svc,
-        metadata+: top.metadata("frontend"),
+        target:: top.service,
    },
 }
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
@ -313,7 +313,6 @@ local admins = import "lib/admins.libsonnet";
            policies.AllowNamespaceInsecure("ceph-waw3"),
            policies.AllowNamespaceInsecure("matrix"),
            policies.AllowNamespaceInsecure("registry"),
-            policies.AllowNamespaceInsecure("internet"),
            # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
            policies.AllowNamespaceInsecure("implr-vpn"),
            // For SourceGraph's tini container mess.