4
0
Fork 2
mirror of https://gerrit.hackerspace.pl/hscloud synced 2024-10-07 21:17:45 +00:00

devtools/sourcegraph: migrate away from mirko.libsonnet

Change-Id: I842db50b49a5fbcc11e13d250e88c0d6bfc068be
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1769
Reviewed-by: q3k <q3k@hackerspace.pl>
This commit is contained in:
radex 2023-11-03 17:24:07 +01:00 committed by radex
parent bf4ba488e5
commit a4411e57e2
3 changed files with 110 additions and 128 deletions

View file

@ -1,29 +0,0 @@
local mirko = import "../../kube/mirko.libsonnet";
local policies = import "../../kube/policies.libsonnet";
local sourcegraph = import "sourcegraph.libsonnet";
{
devtools(name):: mirko.Environment(name) {
local env = self,
local cfg = self.cfg,
cfg+: {
sourcegraph: sourcegraph.cfg {
publicFQDN: "cs.hackerspace.pl",
},
},
components: {
// This is configurated manually through the web interface, q3k has an account
// and can create more administrative ones if needed.
sourcegraph: sourcegraph.component(cfg.sourcegraph, env),
},
},
prod: self.devtools("devtools-prod") {
local env = self,
// For SourceGraph's tini container mess.
policy: policies.AllowNamespaceMostlySecure(env.cfg.namespace),
},
}

View file

@ -1,99 +0,0 @@
local mirko = import "../../kube/mirko.libsonnet";
local kube = import "../../kube/kube.libsonnet";
// Deploy SourceGraph, a code serach tool. Its configuration is fully managed
// within sourcegraph itself, including user accounts.
{
cfg:: {
image: "sourcegraph/server:3.17.1",
publicFQDN: error "public FQDN must be set",
storageClassName: "waw-hdd-redundant-3",
},
component(cfg, env):: mirko.Component(env, "sourcegraph") {
local sourcegraph = self,
cfg+: {
image: cfg.image,
volumes+: {
data: sourcegraph.pvc.data.volume,
etc: sourcegraph.pvc.etc.volume,
},
securityContext: {
runAsUser: 0,
fsGroup: 0,
},
// This container fixes some permissions that Kubernetes volume mounts break.
initContainer: sourcegraph.Container("fixperms") {
image: "alpine:3",
volumeMounts_+: {
data: { mountPath: "/var/opt/sourcegraph" },
},
ports_: {},
command: [
"sh", "-c",
"chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
],
},
container: sourcegraph.Container("main") {
volumeMounts_+: {
data: { mountPath: "/var/opt/sourcegraph" },
etc: { mountPath: "/etc/sourcegraph" },
},
resources: {
requests: {
cpu: "100m",
memory: "1Gi",
},
limits: {
cpu: "1",
memory: "2Gi",
},
},
},
ports+: {
publicHTTP: {
public: {
port: 7080,
dns: cfg.publicFQDN,
// Authenticate as 'Anonymous' user by default. This is done in tandem
// with Sourcegraphs authenticate-by-http-header feature, and is a
// workaround for the lack of a public view in the self-hosted free
// version of Sourcegraph.
// https://twitter.com/sqs/status/1272659451292422144
setHeaders: ["X-Forwarded-User Anonymous"],
},
},
},
extraPaths: [
{
// Redirect anonymous user settings to a service that doesn't
// have any endpoints/backends.
path: "/users/Anonymous/settings",
backend: { serviceName: sourcegraph.blocksvc.metadata.name, servicePort: 8080 },
},
],
},
blocksvc: kube.Service(sourcegraph.makeName("blocksvc")) {
metadata+: sourcegraph.metadata,
spec+: {
selector: null,
ports: [{ port: 2137, targetPort: 2137 }],
},
},
pvc: {
data: kube.PersistentVolumeClaim(sourcegraph.makeName("data")) {
metadata+: sourcegraph.metadata,
storage:: "40Gi",
storageClass:: cfg.storageClassName,
},
etc: kube.PersistentVolumeClaim(sourcegraph.makeName("etc")) {
metadata+: sourcegraph.metadata,
storage:: "4Gi",
storageClass:: cfg.storageClassName,
},
},
}
}

View file

@ -0,0 +1,110 @@
local kube = import '../../kube/hscloud.libsonnet';
// Deploy SourceGraph, a code serach tool.
// Its configuration is fully managed within sourcegraph itself, including user accounts.
{
local top = self,
local cfg = top.cfg,
cfg:: {
name: 'sourcegraph',
namespace: 'sourcegraph',
domain: 'cs.hackerspace.pl',
image: "sourcegraph/server:3.17.1",
storageClassName: "waw-hdd-redundant-3",
},
local ns = kube.Namespace(cfg.namespace),
deployment: ns.Contain(kube.Deployment(cfg.name)) {
spec+: {
replicas: 1,
template+: {
spec+: {
volumes_: {
data: top.data.volume,
etc: top.etc.volume,
},
// This container fixes some permissions that Kubernetes volume mounts break.
initContainers_: {
fixperms: kube.Container("fixperms") {
image: "alpine:3",
volumeMounts_+: {
data: { mountPath: "/var/opt/sourcegraph" },
},
command: [
"sh", "-c",
"chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
],
},
},
containers_: {
default: kube.Container('default') {
image: cfg.image,
ports_: {
http: { containerPort: 7080 },
},
volumeMounts_: {
data: { mountPath: "/var/opt/sourcegraph" },
etc: { mountPath: "/etc/sourcegraph" },
},
resources: {
requests: { cpu: "100m", memory: "1Gi" },
limits: { cpu: "1", memory: "2Gi" },
},
},
},
securityContext: {
runAsUser: 0,
fsGroup: 0,
},
},
}
}
},
data: ns.Contain(kube.PersistentVolumeClaim(cfg.name + "-data")) {
storage: "40Gi",
storageClass: cfg.storageClassName,
},
etc: ns.Contain(kube.PersistentVolumeClaim(cfg.name + "-etc")) {
storage: "4Gi",
storageClass: cfg.storageClassName,
},
service: ns.Contain(kube.Service(cfg.name)) {
target:: top.deployment,
},
// Fake service that doesn't point to anything
blockService: ns.Contain(kube.Service(cfg.name + "-block")) {
spec+: {
selector: null,
ports: [{ port: 2137, targetPort: 2137 }],
},
},
ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
hosts:: [cfg.domain],
target:: top.service,
metadata+: {
annotations+: {
// Authenticate as 'Anonymous' user by default. This is done in tandem
// with Sourcegraphs authenticate-by-http-header feature, and is a
// workaround for the lack of a public view in the self-hosted free
// version of Sourcegraph.
// https://twitter.com/sqs/status/1272659451292422144
"nginx.ingress.kubernetes.io/configuration-snippet": "proxy_set_header X-Forwarded-User Anonymous;"
},
},
extraPaths:: [
{
// Redirect anonymous user settings to a service that doesn't
// have any endpoints/backends.
path: "/users/Anonymous/settings",
backend: { serviceName: top.blockService.metadata.name, servicePort: 8080 },
},
],
},
}