
cluster/registry: clean up jsonnet

Refactor the registry to use the newer syntax, jsonnet helpers and conventions already used in the rest of the codebase.

Change-Id: I20508c8f6ef9a2d0e8faa7de3d3b9efcf2c91af3
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2013
Reviewed-by: q3k <q3k@hackerspace.pl>
radex 2024-10-31 23:33:49 +01:00
parent a742bb8495
commit 93b5080a4d
2 changed files with 43 additions and 88 deletions


@ -57,6 +57,15 @@ local admins = import "lib/admins.libsonnet";
domain: "registry.%s" % [k0.cluster.fqdn],
storageClassName: k0.cluster.cfg.storageClassNameParanoid,
objectStorageName: "waw-hdd-redundant-3-object",
pushers: [
{ who: ["q3k", "informatic"], what: "vms/*" },
{ who: ["q3k", "informatic"], what: "app/*" },
{ who: ["q3k", "informatic"], what: "go/svc/*" },
{ who: ["q3k"], what: "bgpwtf/*" },
{ who: ["q3k"], what: "devtools/*" },
{ who: ["q3k"], what: "games/factorio/*" },
{ who: ["q3k", "informatic"], what: "cluster/*" },
],
},
},
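Review bot: The `pushers` list added here is now the authorization source for the registry's docker_auth ACL — the registry library in the second file of this commit expands each entry into an acl rule with `actions: ["*"]`, and its default is an empty list — but nothing at this site says so, so a later edit to this cluster config could grant or revoke push access without the reader noticing. A comment above the list would make that visible: `// Registry push ACLs: each entry grants the accounts in who all actions (not only push) on repositories matching what; consumed by the registry library.` The `who` values look like docker_auth account names rather than entries from the lib/admins.libsonnet import shown in this hunk's header line; that seems worth confirming and noting so the two lists are not confused. The enclosing registry config object starts before this hunk.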


@ -4,7 +4,7 @@
# kubectl -n registry create secret generic auth --from-literal=oauth2_secret=...
# kubectl get secrets rook-ceph-object-user-<ceph-pool>-object-registry -n <ceph-namespace> -o yaml --export | kubectl replace -f - -n registry
local kube = import "../../../kube/kube.libsonnet";
local kube = import "../../../kube/hscloud.libsonnet";
{
Environment: {
@ -14,28 +14,18 @@ local kube = import "../../../kube/kube.libsonnet";
namespace: "registry",
domain: error "domain must be set",
storageClassName: error "storageClassName must be set",
objectStoreName: error "objectStoreName must be set",
objectStorageName: error "objectStorageName must be set",
pushers: [],
},
metadata(component):: {
namespace: cfg.namespace,
labels: {
"app.kubernetes.io/name": "registry",
"app.kubernetes.io/managed-by": "kubecfg",
"app.kubernetes.io/component": component,
},
},
local ns = kube.Namespace(cfg.namespace),
namespace: kube.Namespace(cfg.namespace),
registryIssuer: kube.Issuer("registry-issuer") {
metadata+: env.metadata("registry-issuer"),
registryIssuer: ns.Contain(kube.Issuer("registry-issuer")) {
spec: {
selfSigned: {},
},
},
authCertificate: kube.Certificate("auth") {
metadata+: env.metadata("auth"),
authCertificate: ns.Contain(kube.Certificate("auth")) {
spec: {
secretName: "auth-internal",
duration: "43800h0m0s", // 5 years
@ -45,8 +35,7 @@ local kube = import "../../../kube/kube.libsonnet";
commonName: "auth.registry",
},
},
registryCertificate: kube.Certificate("registry") {
metadata+: env.metadata("registry"),
registryCertificate: ns.Contain(kube.Certificate("registry")) {
spec: {
secretName: "registry-internal",
duration: "43800h0m0s", // 5 years
@ -57,8 +46,7 @@ local kube = import "../../../kube/kube.libsonnet";
},
},
registryConfig: kube.ConfigMap("registry-config") {
metadata+: env.metadata("registry-config"),
registryConfig: ns.Contain(kube.ConfigMap("registry-config")) {
data: {
"config.yml": std.manifestYamlDoc({
version: "0.1",
@ -110,14 +98,12 @@ local kube = import "../../../kube/kube.libsonnet";
},
},
authVolumeClaim: kube.PersistentVolumeClaim("auth-token-storage-3") {
metadata+: env.metadata("auth-token-storage-3"),
authVolumeClaim: ns.Contain(kube.PersistentVolumeClaim("auth-token-storage-3")) {
storage:: "1Gi",
storageClass:: cfg.storageClassName,
},
authConfig: kube.ConfigMap("auth-config") {
metadata+: env.metadata("auth-config"),
authConfig: ns.Contain(kube.ConfigMap("auth-config")) {
data: {
"auth_config.yml": std.manifestYamlDoc({
server: {
@ -143,16 +129,6 @@ local kube = import "../../../kube/kube.libsonnet";
users: {
[""]: {}, // '' user are anonymous users.
},
local data = self,
pushers:: [
{ who: ["q3k", "informatic"], what: "vms/*" },
{ who: ["q3k", "informatic"], what: "app/*" },
{ who: ["q3k", "informatic"], what: "go/svc/*" },
{ who: ["q3k"], what: "bgpwtf/*" },
{ who: ["q3k"], what: "devtools/*" },
{ who: ["q3k"], what: "games/factorio/*" },
{ who: ["q3k", "informatic"], what: "cluster/*" },
],
acl: [
{
match: {
@ -162,7 +138,7 @@ local kube = import "../../../kube/kube.libsonnet";
actions: ["*"],
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
}
for p in data.pushers
for p in cfg.pushers
] + [
{
match: {account: "/.+/", name: "${account}/*"},
@ -184,8 +160,7 @@ local kube = import "../../../kube/kube.libsonnet";
}
},
authDeployment: kube.Deployment("auth") {
metadata+: env.metadata("auth"),
authDeployment: ns.Contain(kube.Deployment("registry-auth")) {
spec+: {
replicas: 1,
template+: {
@ -202,7 +177,13 @@ local kube = import "../../../kube/kube.libsonnet";
},
containers_: {
auth: kube.Container("auth") {
// NOTE: Source - https://github.com/Informatic/docker_auth
// We should be able to migrate back to upstream, see:
// https://github.com/cesanta/docker_auth/blob/main/examples/reference.yml#L176
image: "informatic/docker_auth:2019040307",
ports_: {
auth: { containerPort: 5001 },
},
volumeMounts_: {
config: { mountPath: "/config" },
certs: { mountPath: "/certs" },
@ -215,18 +196,10 @@ local kube = import "../../../kube/kube.libsonnet";
},
},
},
authService: kube.Service("auth") {
metadata+: env.metadata("auth"),
authService: ns.Contain(kube.Service("registry-auth")) {
target:: env.authDeployment,
spec+: {
type: "ClusterIP",
ports: [
{ name: "auth", port: 5001, targetPort: 5001, protocol: "TCP" },
],
}
},
registryDeployment: kube.Deployment("docker-registry") {
metadata+: env.metadata("docker-registry"),
registryDeployment: ns.Contain(kube.Deployment("registry")) {
spec+: {
replicas: 1,
template+: {
@ -244,20 +217,18 @@ local kube = import "../../../kube/kube.libsonnet";
registry: kube.Container("docker-registry") {
image: "registry:2.7.1",
args: ["/config/config.yml"],
ports_: {
registry: { containerPort: 5000 },
},
volumeMounts_: {
config: { mountPath: "/config" },
certs: { mountPath: "/certs" },
authcerts: { mountPath: "/authcerts" },
},
env_: {
REGISTRY_STORAGE_S3_ACCESSKEY: { secretKeyRef: {
name: "rook-ceph-object-user-%(objectStorageName)s-registry" % {objectStorageName: cfg.objectStorageName},
key: "AccessKey"
}},
REGISTRY_STORAGE_S3_SECRETKEY: { secretKeyRef: {
name: "rook-ceph-object-user-%(objectStorageName)s-registry" % {objectStorageName: cfg.objectStorageName},
key: "SecretKey",
}},
local cephSecretName = "rook-ceph-object-user-%s-registry" % [cfg.objectStorageName],
REGISTRY_STORAGE_S3_ACCESSKEY: { secretKeyRef: { name: cephSecretName, key: "AccessKey" } },
REGISTRY_STORAGE_S3_SECRETKEY: { secretKeyRef: { name: cephSecretName, key: "SecretKey" } },
},
},
},
@ -265,45 +236,20 @@ local kube = import "../../../kube/kube.libsonnet";
},
},
},
registryService: kube.Service("docker-registry") {
metadata+: env.metadata("docker-registry"),
registryService: ns.Contain(kube.Service("registry")) {
target:: env.registryDeployment,
spec+: {
type: "ClusterIP",
ports: [
{ name: "registry", port: 5000, targetPort: 5000, protocol: "TCP" },
],
}
},
registryIngress: kube.Ingress("registry") {
metadata+: env.metadata("registry") {
registryIngress: ns.Contain(kube.SimpleIngress("registry")) {
metadata+: {
annotations+: {
"kubernetes.io/tls-acme": "true",
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
},
},
spec+: {
tls: [
{
hosts: [cfg.domain],
secretName: "registry-tls",
},
],
rules: [
{
host: cfg.domain,
http: {
paths: [
{ path: "/auth", backend: env.authService.name_port },
{ path: "/", backend: env.authService.name_port },
{ path: "/v2/", backend: env.registryService.name_port },
]
},
}
],
},
hosts:: [cfg.domain],
target:: env.authService,
extraPaths:: [
{ path: "/v2/", backend: env.registryService.name_port },
],
},
registryStorageUser: kube.CephObjectStoreUser("registry") {