From 304515b58b72443e98d4733fa04391f7f3092527 Mon Sep 17 00:00:00 2001
From: radex
Date: Fri, 24 Nov 2023 14:50:48 +0100
Subject: [PATCH] bgpwtf/internet: clean up, use unprivileged nginx

Change-Id: I6f1291c2facf35f4871283c28a4e6f771a3b5102
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1813
Reviewed-by: q3k
---
 bgpwtf/internet/Dockerfile | 2 +-
 bgpwtf/internet/kube/prod.jsonnet | 39 ++++++++-----------------------
 cluster/kube/k0.libsonnet | 1 -
 3 files changed, 11 insertions(+), 31 deletions(-)

diff --git a/bgpwtf/internet/Dockerfile b/bgpwtf/internet/Dockerfile
index 0fbe1ab3..f10c75ed 100644
--- a/bgpwtf/internet/Dockerfile
+++ b/bgpwtf/internet/Dockerfile
@@ -1,3 +1,3 @@
-FROM nginx:1.17.1-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine
 COPY static /usr/share/nginx/html
diff --git a/bgpwtf/internet/kube/prod.jsonnet b/bgpwtf/internet/kube/prod.jsonnet
index 695b4a12..1f3927ba 100644
--- a/bgpwtf/internet/kube/prod.jsonnet
+++ b/bgpwtf/internet/kube/prod.jsonnet
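Review bot: The new `+FROM` line pins the base image only to the floating `stable-alpine` tag, whereas the line it replaces pinned an exact nginx release; the tag resolves to a different image on every rebuild, so the artifact is not reproducible and a tag moved on the registry side would go unnoticed. Pin the digest alongside the tag, `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<digest-of-the-tested-image>`, and note the nginx version it corresponds to in a comment above it so the upgrade path stays visible. The hunk header announces three lines per side but only one context line survived in this rendering, so a blank line was probably lost when the patch was flattened.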
@@ -4,47 +4,30 @@ local kube = import '../../../kube/hscloud.libsonnet';
     local top = self,
     local cfg = top.cfg,
     cfg:: {
+        name: "internet-landing",
         namespace: "internet",
-        appName: "internet-landing",
         domain: "internet.hackerspace.pl",
-        tag: "202108261700",
-        image: "registry.k0.hswaw.net/q3k/internet:" + cfg.tag,
+        image: "registry.k0.hswaw.net/radex/internet:20231124144325",
         resources: {
-            requests: {
-                cpu: "25m",
-                memory: "50Mi",
-            },
-            limits: {
-                cpu: "100m",
-                memory: "200Mi",
-            },
+            requests: { cpu: "25m", memory: "50Mi" },
+            limits: { cpu: "100m", memory: "200Mi" },
         },
     },
     local ns = kube.Namespace(cfg.namespace),
-    metadata(component):: {
-        namespace: cfg.namespace,
-        labels: {
-            "app.kubernetes.io/name": cfg.appName,
-            "app.kubernetes.io/managed-by": "kubecfg",
-            "app.kubernetes.io/component": component,
-        },
-    },
-
-    deployment: kube.Deployment("nginx") {
-        metadata+: top.metadata("nginx"),
+    deployment: ns.Contain(kube.Deployment(cfg.name)) {
         spec+: {
             replicas: 1,
             template+: {
                 spec+: {
                     containers_: {
-                        nginx: kube.Container("nginx") {
+                        default: kube.Container("default") {
                             image: cfg.image,
                             ports_: {
-                                http: { containerPort: 80 },
+                                http: { containerPort: 8080 },
                             },
                             resources: cfg.resources,
                         },
@@ -54,14 +37,12 @@ local kube = import '../../../kube/hscloud.libsonnet';
         },
     },
-    svc: kube.Service("frontend") {
-        metadata+: top.metadata("frontend"),
+    service: ns.Contain(kube.Service(cfg.name)) {
         target:: top.deployment,
     },
-    ingress: kube.SimpleIngress("frontend") {
+    ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
         hosts:: [cfg.domain],
-        target:: top.svc,
-        metadata+: top.metadata("frontend"),
+        target:: top.service,
     },
 }
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
index ed245650..73856a5a 100644
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
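Review bot: The `default` container introduced in the first hunk relies entirely on the base image's built-in non-root user; nothing in the pod spec states that requirement, so a later image swap or an upstream image that reverts to root would run privileged again without anything in this file failing. Because the same patch drops `policies.AllowNamespaceInsecure("internet")` in cluster/kube/k0.libsonnet, the pod now has to satisfy whatever default policy applies to the namespace, and spelling the constraint out in the spec surfaces a mismatch at apply time instead of after rollout. Add, next to `resources: cfg.resources,`, the line `securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: { drop: ["ALL"] } },` (this assumes kube.Container passes standard container fields through the way `ports_` and `resources` are). The deployment object this container sits in closes in the second hunk, not this one. It is also worth confirming that kube.Service and kube.SimpleIngress derive their port from the container's `containerPort`, since that value moves from 80 to 8080 here and the helpers are not visible in this patch.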
@@ -313,7 +313,6 @@ local admins = import "lib/admins.libsonnet";
         policies.AllowNamespaceInsecure("ceph-waw3"),
         policies.AllowNamespaceInsecure("matrix"),
         policies.AllowNamespaceInsecure("registry"),
-        policies.AllowNamespaceInsecure("internet"),
         # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
         policies.AllowNamespaceInsecure("implr-vpn"),
         // For SourceGraph's tini container mess.