bgpwtf/internet: clean up, use unprivileged nginx
Change-Id: I6f1291c2facf35f4871283c28a4e6f771a3b5102
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1813
Reviewed-by: q3k <q3k@hackerspace.pl>
parent
f5b311794e
commit
304515b58b
3 changed files with 11 additions and 31 deletions
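--- a/<path-not-shown:Dockerfile>
+++ b/<path-not-shown:Dockerfile>
@@ -1,3 +1,3 @@
-FROM nginx:1.17.1-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine
 
 COPY static /usr/share/nginx/html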
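Review bot: The new base image on the FROM line is referenced by the floating tag `stable-alpine`, so rebuilds are not reproducible and the image contents can change between builds with no change in this file, whereas the removed line at least named a specific release (1.17.1). Pin to a specific release and, preferably, a digest, e.g. `FROM nginxinc/nginx-unprivileged:<version>-alpine@sha256:<digest>` (placeholder values), and bump it deliberately. The unprivileged image serves on port 8080 rather than 80, which the accompanying jsonnet change (containerPort: 8080) accounts for.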
@ -4,47 +4,30 @@ local kube = import '../../../kube/hscloud.libsonnet';
|
||||||
local top = self,
|
local top = self,
|
||||||
local cfg = top.cfg,
|
local cfg = top.cfg,
|
||||||
cfg:: {
|
cfg:: {
|
||||||
|
name: "internet-landing",
|
||||||
namespace: "internet",
|
namespace: "internet",
|
||||||
appName: "internet-landing",
|
|
||||||
domain: "internet.hackerspace.pl",
|
domain: "internet.hackerspace.pl",
|
||||||
|
|
||||||
tag: "202108261700",
|
image: "registry.k0.hswaw.net/radex/internet:20231124144325",
|
||||||
image: "registry.k0.hswaw.net/q3k/internet:" + cfg.tag,
|
|
||||||
|
|
||||||
resources: {
|
resources: {
|
||||||
requests: {
|
requests: { cpu: "25m", memory: "50Mi" },
|
||||||
cpu: "25m",
|
limits: { cpu: "100m", memory: "200Mi" },
|
||||||
memory: "50Mi",
|
|
||||||
},
|
|
||||||
limits: {
|
|
||||||
cpu: "100m",
|
|
||||||
memory: "200Mi",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
local ns = kube.Namespace(cfg.namespace),
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
metadata(component):: {
|
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
||||||
namespace: cfg.namespace,
|
|
||||||
labels: {
|
|
||||||
"app.kubernetes.io/name": cfg.appName,
|
|
||||||
"app.kubernetes.io/managed-by": "kubecfg",
|
|
||||||
"app.kubernetes.io/component": component,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
deployment: kube.Deployment("nginx") {
|
|
||||||
metadata+: top.metadata("nginx"),
|
|
||||||
spec+: {
|
spec+: {
|
||||||
replicas: 1,
|
replicas: 1,
|
||||||
template+: {
|
template+: {
|
||||||
spec+: {
|
spec+: {
|
||||||
containers_: {
|
containers_: {
|
||||||
nginx: kube.Container("nginx") {
|
default: kube.Container("default") {
|
||||||
image: cfg.image,
|
image: cfg.image,
|
||||||
ports_: {
|
ports_: {
|
||||||
http: { containerPort: 80 },
|
http: { containerPort: 8080 },
|
||||||
},
|
},
|
||||||
resources: cfg.resources,
|
resources: cfg.resources,
|
||||||
},
|
},
|
||||||
|
@ -54,14 +37,12 @@ local kube = import '../../../kube/hscloud.libsonnet';
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
svc: kube.Service("frontend") {
|
service: ns.Contain(kube.Service(cfg.name)) {
|
||||||
metadata+: top.metadata("frontend"),
|
|
||||||
target:: top.deployment,
|
target:: top.deployment,
|
||||||
},
|
},
|
||||||
|
|
||||||
ingress: kube.SimpleIngress("frontend") {
|
ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
|
||||||
hosts:: [cfg.domain],
|
hosts:: [cfg.domain],
|
||||||
target:: top.svc,
|
target:: top.service,
|
||||||
metadata+: top.metadata("frontend"),
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
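Review bot: Renaming the Deployment from `nginx` to `cfg.name` in the first hunk (and the Service and Ingress from `frontend` to `cfg.name` in the second) creates new Kubernetes objects rather than updating the existing ones, so unless the deploy tooling prunes unreferenced resources, the old `nginx` Deployment keeps running the previous image in the `internet` namespace, and dropping `AllowNamespaceInsecure("internet")` in the policy file does not evict pods that already exist. Confirm that the old Deployment, Service and Ingress are deleted as part of this rollout, or record the one-off cleanup next to `cfg`, e.g. `// Objects were renamed from nginx/frontend to cfg.name; delete the old ones after this is deployed.` Separately, `image:` is now a hard-coded timestamp tag and the `tag` field is gone, so any caller that overrode `cfg.tag` is now silently ignored; this is inferred, since callers are outside the hunk. The enclosing object starts before the first hunk and its `cfg` block is cut at the hunk's top.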
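--- a/<path-not-shown:k0-policies.jsonnet>
+++ b/<path-not-shown:k0-policies.jsonnet>
@@ -313,7 +313,6 @@ local admins = import "lib/admins.libsonnet";
 policies.AllowNamespaceInsecure("ceph-waw3"),
 policies.AllowNamespaceInsecure("matrix"),
 policies.AllowNamespaceInsecure("registry"),
-policies.AllowNamespaceInsecure("internet"),
 # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
 policies.AllowNamespaceInsecure("implr-vpn"),
 // For SourceGraph's tini container mess.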