cluster/registry: clean up jsonnet
Refactoring registry to use newer syntax/jsonnet helpers/conventions, in line with the rest of the codebase. Change-Id: I20508c8f6ef9a2d0e8faa7de3d3b9efcf2c91af3 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2013 Reviewed-by: q3k <q3k@hackerspace.pl>
parent
a742bb8495
commit
93b5080a4d
2 changed files with 43 additions and 88 deletions
|
@ -57,6 +57,15 @@ local admins = import "lib/admins.libsonnet";
|
|||
domain: "registry.%s" % [k0.cluster.fqdn],
|
||||
storageClassName: k0.cluster.cfg.storageClassNameParanoid,
|
||||
objectStorageName: "waw-hdd-redundant-3-object",
|
||||
pushers: [
|
||||
{ who: ["q3k", "informatic"], what: "vms/*" },
|
||||
{ who: ["q3k", "informatic"], what: "app/*" },
|
||||
{ who: ["q3k", "informatic"], what: "go/svc/*" },
|
||||
{ who: ["q3k"], what: "bgpwtf/*" },
|
||||
{ who: ["q3k"], what: "devtools/*" },
|
||||
{ who: ["q3k"], what: "games/factorio/*" },
|
||||
{ who: ["q3k", "informatic"], what: "cluster/*" },
|
||||
],
|
||||
},
|
||||
},
|
||||
|
||||
|
|
|
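Review bot: The `pushers` list moved into the cluster config carries no comment on what it grants, while its effect is only visible in registry.libsonnet, where each entry is turned into an ACL rule with `actions: ["*"]` on the `what` pattern (`comment: "%s can push to %s"`). A reader editing k0 would reasonably read "pusher" as push-only, so the scope is worth stating here, e.g. `// Accounts granted all registry actions (not just push) on image names matching 'what'; see the acl generation in registry.libsonnet.`. Whether `what` is matched as a glob or as a docker_auth match expression is not shown on this page — confirm before fixing the wording.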
@ -4,7 +4,7 @@
|
|||
# kubectl -n registry create secret generic auth --from-literal=oauth2_secret=...
|
||||
# kubectl get secrets rook-ceph-object-user-<ceph-pool>-object-registry -n <ceph-namespace> -o yaml --export | kubectl replace -f - -n registry
|
||||
|
||||
local kube = import "../../../kube/kube.libsonnet";
|
||||
local kube = import "../../../kube/hscloud.libsonnet";
|
||||
|
||||
{
|
||||
Environment: {
|
||||
|
@ -14,28 +14,18 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
namespace: "registry",
|
||||
domain: error "domain must be set",
|
||||
storageClassName: error "storageClassName must be set",
|
||||
objectStoreName: error "objectStoreName must be set",
|
||||
objectStorageName: error "objectStorageName must be set",
|
||||
pushers: [],
|
||||
},
|
||||
|
||||
metadata(component):: {
|
||||
namespace: cfg.namespace,
|
||||
labels: {
|
||||
"app.kubernetes.io/name": "registry",
|
||||
"app.kubernetes.io/managed-by": "kubecfg",
|
||||
"app.kubernetes.io/component": component,
|
||||
},
|
||||
},
|
||||
local ns = kube.Namespace(cfg.namespace),
|
||||
|
||||
namespace: kube.Namespace(cfg.namespace),
|
||||
|
||||
registryIssuer: kube.Issuer("registry-issuer") {
|
||||
metadata+: env.metadata("registry-issuer"),
|
||||
registryIssuer: ns.Contain(kube.Issuer("registry-issuer")) {
|
||||
spec: {
|
||||
selfSigned: {},
|
||||
},
|
||||
},
|
||||
authCertificate: kube.Certificate("auth") {
|
||||
metadata+: env.metadata("auth"),
|
||||
authCertificate: ns.Contain(kube.Certificate("auth")) {
|
||||
spec: {
|
||||
secretName: "auth-internal",
|
||||
duration: "43800h0m0s", // 5 years
|
||||
|
@ -45,8 +35,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
commonName: "auth.registry",
|
||||
},
|
||||
},
|
||||
registryCertificate: kube.Certificate("registry") {
|
||||
metadata+: env.metadata("registry"),
|
||||
registryCertificate: ns.Contain(kube.Certificate("registry")) {
|
||||
spec: {
|
||||
secretName: "registry-internal",
|
||||
duration: "43800h0m0s", // 5 years
|
||||
|
@ -57,8 +46,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
|
||||
registryConfig: kube.ConfigMap("registry-config") {
|
||||
metadata+: env.metadata("registry-config"),
|
||||
registryConfig: ns.Contain(kube.ConfigMap("registry-config")) {
|
||||
data: {
|
||||
"config.yml": std.manifestYamlDoc({
|
||||
version: "0.1",
|
||||
|
@ -110,14 +98,12 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
|
||||
authVolumeClaim: kube.PersistentVolumeClaim("auth-token-storage-3") {
|
||||
metadata+: env.metadata("auth-token-storage-3"),
|
||||
authVolumeClaim: ns.Contain(kube.PersistentVolumeClaim("auth-token-storage-3")) {
|
||||
storage:: "1Gi",
|
||||
storageClass:: cfg.storageClassName,
|
||||
},
|
||||
|
||||
authConfig: kube.ConfigMap("auth-config") {
|
||||
metadata+: env.metadata("auth-config"),
|
||||
authConfig: ns.Contain(kube.ConfigMap("auth-config")) {
|
||||
data: {
|
||||
"auth_config.yml": std.manifestYamlDoc({
|
||||
server: {
|
||||
|
@ -143,16 +129,6 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
users: {
|
||||
[""]: {}, // '' user are anonymous users.
|
||||
},
|
||||
local data = self,
|
||||
pushers:: [
|
||||
{ who: ["q3k", "informatic"], what: "vms/*" },
|
||||
{ who: ["q3k", "informatic"], what: "app/*" },
|
||||
{ who: ["q3k", "informatic"], what: "go/svc/*" },
|
||||
{ who: ["q3k"], what: "bgpwtf/*" },
|
||||
{ who: ["q3k"], what: "devtools/*" },
|
||||
{ who: ["q3k"], what: "games/factorio/*" },
|
||||
{ who: ["q3k", "informatic"], what: "cluster/*" },
|
||||
],
|
||||
acl: [
|
||||
{
|
||||
match: {
|
||||
|
@ -162,7 +138,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
actions: ["*"],
|
||||
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
|
||||
}
|
||||
for p in data.pushers
|
||||
for p in cfg.pushers
|
||||
] + [
|
||||
{
|
||||
match: {account: "/.+/", name: "${account}/*"},
|
||||
|
@ -184,8 +160,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
}
|
||||
},
|
||||
|
||||
authDeployment: kube.Deployment("auth") {
|
||||
metadata+: env.metadata("auth"),
|
||||
authDeployment: ns.Contain(kube.Deployment("registry-auth")) {
|
||||
spec+: {
|
||||
replicas: 1,
|
||||
template+: {
|
||||
|
@ -202,7 +177,13 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
containers_: {
|
||||
auth: kube.Container("auth") {
|
||||
// NOTE: Source - https://github.com/Informatic/docker_auth
|
||||
// We should be able to migrate back to upstream, see:
|
||||
// https://github.com/cesanta/docker_auth/blob/main/examples/reference.yml#L176
|
||||
image: "informatic/docker_auth:2019040307",
|
||||
ports_: {
|
||||
auth: { containerPort: 5001 },
|
||||
},
|
||||
volumeMounts_: {
|
||||
config: { mountPath: "/config" },
|
||||
certs: { mountPath: "/certs" },
|
||||
|
@ -215,18 +196,10 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
},
|
||||
authService: kube.Service("auth") {
|
||||
metadata+: env.metadata("auth"),
|
||||
authService: ns.Contain(kube.Service("registry-auth")) {
|
||||
target:: env.authDeployment,
|
||||
spec+: {
|
||||
type: "ClusterIP",
|
||||
ports: [
|
||||
{ name: "auth", port: 5001, targetPort: 5001, protocol: "TCP" },
|
||||
],
|
||||
}
|
||||
},
|
||||
registryDeployment: kube.Deployment("docker-registry") {
|
||||
metadata+: env.metadata("docker-registry"),
|
||||
registryDeployment: ns.Contain(kube.Deployment("registry")) {
|
||||
spec+: {
|
||||
replicas: 1,
|
||||
template+: {
|
||||
|
@ -244,20 +217,18 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
registry: kube.Container("docker-registry") {
|
||||
image: "registry:2.7.1",
|
||||
args: ["/config/config.yml"],
|
||||
ports_: {
|
||||
registry: { containerPort: 5000 },
|
||||
},
|
||||
volumeMounts_: {
|
||||
config: { mountPath: "/config" },
|
||||
certs: { mountPath: "/certs" },
|
||||
authcerts: { mountPath: "/authcerts" },
|
||||
},
|
||||
env_: {
|
||||
REGISTRY_STORAGE_S3_ACCESSKEY: { secretKeyRef: {
|
||||
name: "rook-ceph-object-user-%(objectStorageName)s-registry" % {objectStorageName: cfg.objectStorageName},
|
||||
key: "AccessKey"
|
||||
}},
|
||||
REGISTRY_STORAGE_S3_SECRETKEY: { secretKeyRef: {
|
||||
name: "rook-ceph-object-user-%(objectStorageName)s-registry" % {objectStorageName: cfg.objectStorageName},
|
||||
key: "SecretKey",
|
||||
}},
|
||||
local cephSecretName = "rook-ceph-object-user-%s-registry" % [cfg.objectStorageName],
|
||||
REGISTRY_STORAGE_S3_ACCESSKEY: { secretKeyRef: { name: cephSecretName, key: "AccessKey" } },
|
||||
REGISTRY_STORAGE_S3_SECRETKEY: { secretKeyRef: { name: cephSecretName, key: "SecretKey" } },
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -265,45 +236,20 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
},
|
||||
registryService: kube.Service("docker-registry") {
|
||||
metadata+: env.metadata("docker-registry"),
|
||||
registryService: ns.Contain(kube.Service("registry")) {
|
||||
target:: env.registryDeployment,
|
||||
spec+: {
|
||||
type: "ClusterIP",
|
||||
ports: [
|
||||
{ name: "registry", port: 5000, targetPort: 5000, protocol: "TCP" },
|
||||
],
|
||||
}
|
||||
},
|
||||
registryIngress: kube.Ingress("registry") {
|
||||
metadata+: env.metadata("registry") {
|
||||
registryIngress: ns.Contain(kube.SimpleIngress("registry")) {
|
||||
metadata+: {
|
||||
annotations+: {
|
||||
"kubernetes.io/tls-acme": "true",
|
||||
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
|
||||
"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
|
||||
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
|
||||
},
|
||||
},
|
||||
spec+: {
|
||||
tls: [
|
||||
{
|
||||
hosts: [cfg.domain],
|
||||
secretName: "registry-tls",
|
||||
},
|
||||
],
|
||||
rules: [
|
||||
{
|
||||
host: cfg.domain,
|
||||
http: {
|
||||
paths: [
|
||||
{ path: "/auth", backend: env.authService.name_port },
|
||||
{ path: "/", backend: env.authService.name_port },
|
||||
{ path: "/v2/", backend: env.registryService.name_port },
|
||||
]
|
||||
},
|
||||
}
|
||||
],
|
||||
},
|
||||
hosts:: [cfg.domain],
|
||||
target:: env.authService,
|
||||
extraPaths:: [
|
||||
{ path: "/v2/", backend: env.registryService.name_port },
|
||||
],
|
||||
},
|
||||
|
||||
registryStorageUser: kube.CephObjectStoreUser("registry") {
|
||||
|
|
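Review bot: The Services are renamed from `auth` and `docker-registry` to `registry-auth` and `registry` (-215 and -265 hunks), which changes their in-cluster DNS names, but the generated `config.yml` and `auth_config.yml` (hunks -57 and -110, bodies mostly outside this view) are not touched; any token realm, issuer or backend URL in them that names the old `auth` service would now point at a host that no longer resolves, so please confirm they contain none. The rename also leaves the previously deployed `auth`/`docker-registry` Deployments and Services in the namespace unless kubecfg prunes them, so a second auth instance with the old configuration could keep serving until cleaned up — worth a sentence in the commit message or a one-off deletion. The removed `metadata(component)` helper (-14 hunk) was the only visible source of the `app.kubernetes.io/name`/`component` labels; unless `ns.Contain` adds equivalents, anything selecting on those labels (network policies, monitoring) loses its targets. Separately, the -14 hunk renames the config key `objectStoreName` to `objectStorageName`; `registryStorageUser` in the last hunk has its body outside the view and should be checked for a remaining `cfg.objectStoreName` reference, which would now fail at evaluation time.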