mirror of https://gerrit.hackerspace.pl/hscloud
devtools/sourcegraph: migrate away from mirko.libsonnet
Change-Id: I842db50b49a5fbcc11e13d250e88c0d6bfc068be Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1769 Reviewed-by: q3k <q3k@hackerspace.pl>changes/69/1769/8
parent
bf4ba488e5
commit
a4411e57e2
|
@ -1,29 +0,0 @@
|
||||||
local mirko = import "../../kube/mirko.libsonnet";
|
|
||||||
local policies = import "../../kube/policies.libsonnet";
|
|
||||||
|
|
||||||
local sourcegraph = import "sourcegraph.libsonnet";
|
|
||||||
|
|
||||||
{
|
|
||||||
devtools(name):: mirko.Environment(name) {
|
|
||||||
local env = self,
|
|
||||||
local cfg = self.cfg,
|
|
||||||
|
|
||||||
cfg+: {
|
|
||||||
sourcegraph: sourcegraph.cfg {
|
|
||||||
publicFQDN: "cs.hackerspace.pl",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
components: {
|
|
||||||
// This is configurated manually through the web interface, q3k has an account
|
|
||||||
// and can create more administrative ones if needed.
|
|
||||||
sourcegraph: sourcegraph.component(cfg.sourcegraph, env),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
prod: self.devtools("devtools-prod") {
|
|
||||||
local env = self,
|
|
||||||
// For SourceGraph's tini container mess.
|
|
||||||
policy: policies.AllowNamespaceMostlySecure(env.cfg.namespace),
|
|
||||||
},
|
|
||||||
}
|
|
|
@ -1,99 +0,0 @@
|
||||||
local mirko = import "../../kube/mirko.libsonnet";
|
|
||||||
local kube = import "../../kube/kube.libsonnet";
|
|
||||||
|
|
||||||
// Deploy SourceGraph, a code serach tool. Its configuration is fully managed
|
|
||||||
// within sourcegraph itself, including user accounts.
|
|
||||||
|
|
||||||
{
|
|
||||||
cfg:: {
|
|
||||||
image: "sourcegraph/server:3.17.1",
|
|
||||||
publicFQDN: error "public FQDN must be set",
|
|
||||||
storageClassName: "waw-hdd-redundant-3",
|
|
||||||
},
|
|
||||||
|
|
||||||
component(cfg, env):: mirko.Component(env, "sourcegraph") {
|
|
||||||
local sourcegraph = self,
|
|
||||||
cfg+: {
|
|
||||||
image: cfg.image,
|
|
||||||
volumes+: {
|
|
||||||
data: sourcegraph.pvc.data.volume,
|
|
||||||
etc: sourcegraph.pvc.etc.volume,
|
|
||||||
},
|
|
||||||
securityContext: {
|
|
||||||
runAsUser: 0,
|
|
||||||
fsGroup: 0,
|
|
||||||
},
|
|
||||||
// This container fixes some permissions that Kubernetes volume mounts break.
|
|
||||||
initContainer: sourcegraph.Container("fixperms") {
|
|
||||||
image: "alpine:3",
|
|
||||||
volumeMounts_+: {
|
|
||||||
data: { mountPath: "/var/opt/sourcegraph" },
|
|
||||||
},
|
|
||||||
ports_: {},
|
|
||||||
command: [
|
|
||||||
"sh", "-c",
|
|
||||||
"chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
|
|
||||||
],
|
|
||||||
},
|
|
||||||
container: sourcegraph.Container("main") {
|
|
||||||
volumeMounts_+: {
|
|
||||||
data: { mountPath: "/var/opt/sourcegraph" },
|
|
||||||
etc: { mountPath: "/etc/sourcegraph" },
|
|
||||||
},
|
|
||||||
resources: {
|
|
||||||
requests: {
|
|
||||||
cpu: "100m",
|
|
||||||
memory: "1Gi",
|
|
||||||
},
|
|
||||||
limits: {
|
|
||||||
cpu: "1",
|
|
||||||
memory: "2Gi",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
ports+: {
|
|
||||||
publicHTTP: {
|
|
||||||
public: {
|
|
||||||
port: 7080,
|
|
||||||
dns: cfg.publicFQDN,
|
|
||||||
// Authenticate as 'Anonymous' user by default. This is done in tandem
|
|
||||||
// with Sourcegraphs authenticate-by-http-header feature, and is a
|
|
||||||
// workaround for the lack of a public view in the self-hosted free
|
|
||||||
// version of Sourcegraph.
|
|
||||||
// https://twitter.com/sqs/status/1272659451292422144
|
|
||||||
setHeaders: ["X-Forwarded-User Anonymous"],
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
extraPaths: [
|
|
||||||
{
|
|
||||||
// Redirect anonymous user settings to a service that doesn't
|
|
||||||
// have any endpoints/backends.
|
|
||||||
path: "/users/Anonymous/settings",
|
|
||||||
backend: { serviceName: sourcegraph.blocksvc.metadata.name, servicePort: 8080 },
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
|
|
||||||
blocksvc: kube.Service(sourcegraph.makeName("blocksvc")) {
|
|
||||||
metadata+: sourcegraph.metadata,
|
|
||||||
spec+: {
|
|
||||||
selector: null,
|
|
||||||
ports: [{ port: 2137, targetPort: 2137 }],
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
pvc: {
|
|
||||||
data: kube.PersistentVolumeClaim(sourcegraph.makeName("data")) {
|
|
||||||
metadata+: sourcegraph.metadata,
|
|
||||||
storage:: "40Gi",
|
|
||||||
storageClass:: cfg.storageClassName,
|
|
||||||
},
|
|
||||||
etc: kube.PersistentVolumeClaim(sourcegraph.makeName("etc")) {
|
|
||||||
metadata+: sourcegraph.metadata,
|
|
||||||
storage:: "4Gi",
|
|
||||||
storageClass:: cfg.storageClassName,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
local kube = import '../../kube/hscloud.libsonnet';
|
||||||
|
|
||||||
|
// Deploy SourceGraph, a code serach tool.
|
||||||
|
// Its configuration is fully managed within sourcegraph itself, including user accounts.
|
||||||
|
{
|
||||||
|
local top = self,
|
||||||
|
local cfg = top.cfg,
|
||||||
|
|
||||||
|
cfg:: {
|
||||||
|
name: 'sourcegraph',
|
||||||
|
namespace: 'sourcegraph',
|
||||||
|
domain: 'cs.hackerspace.pl',
|
||||||
|
image: "sourcegraph/server:3.17.1",
|
||||||
|
storageClassName: "waw-hdd-redundant-3",
|
||||||
|
},
|
||||||
|
|
||||||
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
|
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
||||||
|
spec+: {
|
||||||
|
replicas: 1,
|
||||||
|
template+: {
|
||||||
|
spec+: {
|
||||||
|
volumes_: {
|
||||||
|
data: top.data.volume,
|
||||||
|
etc: top.etc.volume,
|
||||||
|
},
|
||||||
|
// This container fixes some permissions that Kubernetes volume mounts break.
|
||||||
|
initContainers_: {
|
||||||
|
fixperms: kube.Container("fixperms") {
|
||||||
|
image: "alpine:3",
|
||||||
|
volumeMounts_+: {
|
||||||
|
data: { mountPath: "/var/opt/sourcegraph" },
|
||||||
|
},
|
||||||
|
command: [
|
||||||
|
"sh", "-c",
|
||||||
|
"chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
|
||||||
|
],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
containers_: {
|
||||||
|
default: kube.Container('default') {
|
||||||
|
image: cfg.image,
|
||||||
|
ports_: {
|
||||||
|
http: { containerPort: 7080 },
|
||||||
|
},
|
||||||
|
volumeMounts_: {
|
||||||
|
data: { mountPath: "/var/opt/sourcegraph" },
|
||||||
|
etc: { mountPath: "/etc/sourcegraph" },
|
||||||
|
},
|
||||||
|
resources: {
|
||||||
|
requests: { cpu: "100m", memory: "1Gi" },
|
||||||
|
limits: { cpu: "1", memory: "2Gi" },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
securityContext: {
|
||||||
|
runAsUser: 0,
|
||||||
|
fsGroup: 0,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
data: ns.Contain(kube.PersistentVolumeClaim(cfg.name + "-data")) {
|
||||||
|
storage: "40Gi",
|
||||||
|
storageClass: cfg.storageClassName,
|
||||||
|
},
|
||||||
|
|
||||||
|
etc: ns.Contain(kube.PersistentVolumeClaim(cfg.name + "-etc")) {
|
||||||
|
storage: "4Gi",
|
||||||
|
storageClass: cfg.storageClassName,
|
||||||
|
},
|
||||||
|
|
||||||
|
service: ns.Contain(kube.Service(cfg.name)) {
|
||||||
|
target:: top.deployment,
|
||||||
|
},
|
||||||
|
|
||||||
|
// Fake service that doesn't point to anything
|
||||||
|
blockService: ns.Contain(kube.Service(cfg.name + "-block")) {
|
||||||
|
spec+: {
|
||||||
|
selector: null,
|
||||||
|
ports: [{ port: 2137, targetPort: 2137 }],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
|
||||||
|
hosts:: [cfg.domain],
|
||||||
|
target:: top.service,
|
||||||
|
metadata+: {
|
||||||
|
annotations+: {
|
||||||
|
// Authenticate as 'Anonymous' user by default. This is done in tandem
|
||||||
|
// with Sourcegraphs authenticate-by-http-header feature, and is a
|
||||||
|
// workaround for the lack of a public view in the self-hosted free
|
||||||
|
// version of Sourcegraph.
|
||||||
|
// https://twitter.com/sqs/status/1272659451292422144
|
||||||
|
"nginx.ingress.kubernetes.io/configuration-snippet": "proxy_set_header X-Forwarded-User Anonymous;"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
extraPaths:: [
|
||||||
|
{
|
||||||
|
// Redirect anonymous user settings to a service that doesn't
|
||||||
|
// have any endpoints/backends.
|
||||||
|
path: "/users/Anonymous/settings",
|
||||||
|
backend: { serviceName: top.blockService.metadata.name, servicePort: 8080 },
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
}
|
Loading…
Reference in New Issue