mirror of https://gerrit.hackerspace.pl/hscloud
kube: migrate devtools/hackdoc from mirko.libsonnet to new hspki.libsonnet
Change-Id: I28bd444d729c2f18fe2b7e44ef120c867f541351 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1751 Reviewed-by: q3k <q3k@hackerspace.pl>changes/51/1751/12
parent
ec11a8173e
commit
56b2e04106
|
@ -0,0 +1,60 @@
|
||||||
|
local kube = import "../../kube/hscloud.libsonnet";
|
||||||
|
local hspki = import "../../kube/hspki.libsonnet";
|
||||||
|
|
||||||
|
{
|
||||||
|
local top = self,
|
||||||
|
local cfg = self.cfg,
|
||||||
|
|
||||||
|
cfg:: {
|
||||||
|
name: 'hackdoc',
|
||||||
|
namespace: 'hackdoc',
|
||||||
|
domain: 'hackdoc.hackerspace.pl',
|
||||||
|
depotviewUrl: 'depotview.devtools-prod.svc.cluster.local:4200',
|
||||||
|
image: 'registry.k0.hswaw.net/q3k/hackdoc:315532800-f4d02581f60b18a8635d026079ed67039cdc45e6',
|
||||||
|
},
|
||||||
|
|
||||||
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
|
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
||||||
|
spec+: {
|
||||||
|
replicas: 1,
|
||||||
|
template+: {
|
||||||
|
spec+: top.pki.PodSpec {
|
||||||
|
containers_: {
|
||||||
|
default: top.pki.GoContainer("default") {
|
||||||
|
image: cfg.image,
|
||||||
|
executable_: "/devtools/hackdoc",
|
||||||
|
command+: [
|
||||||
|
"-depotview=%s" % [cfg.depotviewUrl],
|
||||||
|
"-hackdoc_url=https://%s" % [cfg.domain],
|
||||||
|
"-pub_listen=0.0.0.0:8080",
|
||||||
|
],
|
||||||
|
resources: {
|
||||||
|
requests: { cpu: "25m", memory: "64Mi" },
|
||||||
|
limits: { cpu: "500m", memory: "128Mi" },
|
||||||
|
},
|
||||||
|
ports_: {
|
||||||
|
http: { containerPort: 8080 },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
service: ns.Contain(kube.Service(cfg.name)) {
|
||||||
|
target:: top.deployment,
|
||||||
|
},
|
||||||
|
|
||||||
|
ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
|
||||||
|
hosts:: [cfg.domain],
|
||||||
|
target:: top.service,
|
||||||
|
},
|
||||||
|
|
||||||
|
pki: ns.Contain(hspki) {
|
||||||
|
cfg+: {
|
||||||
|
name: cfg.name,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
}
|
|
@ -1,31 +0,0 @@
|
||||||
local mirko = import "../../kube/mirko.libsonnet";
|
|
||||||
local kube = import "../../kube/kube.libsonnet";
|
|
||||||
|
|
||||||
{
|
|
||||||
cfg:: {
|
|
||||||
image: "registry.k0.hswaw.net/q3k/hackdoc:315532800-f4d02581f60b18a8635d026079ed67039cdc45e6",
|
|
||||||
publicFQDN: error "public FQDN must be set",
|
|
||||||
},
|
|
||||||
|
|
||||||
component(cfg ,env):: mirko.Component(env, "hackdoc") {
|
|
||||||
local hackdoc = self,
|
|
||||||
cfg+: {
|
|
||||||
image: cfg.image,
|
|
||||||
container: hackdoc.GoContainer("main", "/devtools/hackdoc") {
|
|
||||||
command+: [
|
|
||||||
"-depotview=depotview.devtools-prod.svc.cluster.local:4200",
|
|
||||||
"-hackdoc_url=https://%s" % [cfg.publicFQDN],
|
|
||||||
"-pub_listen=0.0.0.0:8080",
|
|
||||||
],
|
|
||||||
},
|
|
||||||
ports+: {
|
|
||||||
publicHTTP: {
|
|
||||||
public: {
|
|
||||||
port: 8080,
|
|
||||||
dns: cfg.publicFQDN,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -2,7 +2,6 @@ local mirko = import "../../kube/mirko.libsonnet";
|
||||||
local policies = import "../../kube/policies.libsonnet";
|
local policies = import "../../kube/policies.libsonnet";
|
||||||
|
|
||||||
local depotview = import "depotview.libsonnet";
|
local depotview = import "depotview.libsonnet";
|
||||||
local hackdoc = import "hackdoc.libsonnet";
|
|
||||||
local sourcegraph = import "sourcegraph.libsonnet";
|
local sourcegraph = import "sourcegraph.libsonnet";
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -12,9 +11,6 @@ local sourcegraph = import "sourcegraph.libsonnet";
|
||||||
|
|
||||||
cfg+: {
|
cfg+: {
|
||||||
depotview: depotview.cfg,
|
depotview: depotview.cfg,
|
||||||
hackdoc: hackdoc.cfg {
|
|
||||||
publicFQDN: "hackdoc.hackerspace.pl",
|
|
||||||
},
|
|
||||||
sourcegraph: sourcegraph.cfg {
|
sourcegraph: sourcegraph.cfg {
|
||||||
publicFQDN: "cs.hackerspace.pl",
|
publicFQDN: "cs.hackerspace.pl",
|
||||||
},
|
},
|
||||||
|
@ -22,7 +18,6 @@ local sourcegraph = import "sourcegraph.libsonnet";
|
||||||
|
|
||||||
components: {
|
components: {
|
||||||
depotview: depotview.component(cfg.depotview, env),
|
depotview: depotview.component(cfg.depotview, env),
|
||||||
hackdoc: hackdoc.component(cfg.hackdoc, env),
|
|
||||||
// This is configurated manually through the web interface, q3k has an account
|
// This is configurated manually through the web interface, q3k has an account
|
||||||
// and can create more administrative ones if needed.
|
// and can create more administrative ones if needed.
|
||||||
sourcegraph: sourcegraph.component(cfg.sourcegraph, env),
|
sourcegraph: sourcegraph.component(cfg.sourcegraph, env),
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
local kube = import "kube.libsonnet";
|
||||||
|
|
||||||
|
// HSPKI support
|
||||||
|
// (This is meant to be a simpler abstraction than mirko.libsonnet)
|
||||||
|
// To connect certificate to a HSPKI/Mirko service, use PodSpec and Container() or GoContainer()
|
||||||
|
{
|
||||||
|
local top = self,
|
||||||
|
local cfg = top.cfg,
|
||||||
|
|
||||||
|
metadata:: {
|
||||||
|
namespace: error "namespace must be set",
|
||||||
|
},
|
||||||
|
|
||||||
|
cfg:: {
|
||||||
|
// name is used to generate certificate and secret names
|
||||||
|
// and should match name of the Service
|
||||||
|
name: error "name must be set",
|
||||||
|
namespace: top.metadata.namespace,
|
||||||
|
|
||||||
|
certName: cfg.name + '-cert',
|
||||||
|
secretName: cfg.name + '-cert',
|
||||||
|
|
||||||
|
realm: "hswaw.net",
|
||||||
|
clusterFQDN: "k0.hswaw.net",
|
||||||
|
},
|
||||||
|
|
||||||
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
|
cert: ns.Contain(kube.Certificate(cfg.certName)) {
|
||||||
|
spec: {
|
||||||
|
secretName: cfg.secretName,
|
||||||
|
duration: "35040h0m0s", // 4 years
|
||||||
|
issuerRef: {
|
||||||
|
// Contract with cluster/lib/pki.libsonnet.
|
||||||
|
name: "pki-ca",
|
||||||
|
kind: "ClusterIssuer",
|
||||||
|
},
|
||||||
|
local name = cfg.name,
|
||||||
|
local namespace = cfg.namespace,
|
||||||
|
commonName: "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN],
|
||||||
|
dnsNames: [
|
||||||
|
"%s" % [name],
|
||||||
|
"%s.%s" % [name, namespace],
|
||||||
|
"%s.%s.svc" % [name, namespace],
|
||||||
|
"%s.%s.svc.cluster.local" % [name, namespace],
|
||||||
|
"%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN],
|
||||||
|
],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
PodSpec:: kube.PodSpec {
|
||||||
|
volumes_+: {
|
||||||
|
hspki: { secret: { secretName: cfg.secretName } },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
Container(name):: kube.Container(name) {
|
||||||
|
volumeMounts_+: {
|
||||||
|
hspki: { mountPath: "/mnt/pki" },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
GoContainer(name):: top.Container(name) {
|
||||||
|
executable_:: error "executable_ must be set",
|
||||||
|
command: [
|
||||||
|
self.executable_,
|
||||||
|
"-hspki_realm", cfg.realm,
|
||||||
|
"-hspki_cluster", cfg.clusterFQDN,
|
||||||
|
"-hspki_tls_ca_path", "/mnt/pki/ca.crt",
|
||||||
|
"-hspki_tls_certificate_path", "/mnt/pki/tls.crt",
|
||||||
|
"-hspki_tls_key_path", "/mnt/pki/tls.key",
|
||||||
|
// TODO: Remove this after go/hspki services are updated not to require it
|
||||||
|
"-logtostderr",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue