Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 4bfed00a3f4078c8d85eab8fe9d956cef6a58503 / . / core / installer / values-tmpl / private-network.cue
blob: c74480f6f62c44f26c4f17ad3e5e4e780c231066 [file] [log] [blame]
Giorgi Lekveishvilib59b7c22024-04-03 22:17:50 +0400[diff] [blame]1import (
2 "encoding/base64"
3)
4
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]5input: {
6 privateNetwork: {
7 hostname: string
8 username: string
9 ipSubnet: string // TODO(gio): use cidr type
10 }
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]11 sshPrivateKey: string
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]12 controllerReplicaCount: int | *3
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]13}
14
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]15name: "private-network"
Giorgi Lekveishvili08af67a2024-01-18 08:53:05 +0400[diff] [blame]16namespace: "ingress-private"
17
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]18out: {
19 images: {
20 "ingress-nginx": {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]21 registry: "registry.k8s.io"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]22 repository: "ingress-nginx"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]23 name: "controller"
24 tag: "v1.8.0"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]25 pullPolicy: "IfNotPresent"
26 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]27 nginx: {
28 repository: "library"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]29 name: "nginx"
30 tag: "1.27.1-alpine3.20-slim"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]31 pullPolicy: "IfNotPresent"
32 }
33 tailscale: {
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]34 repository: "tailscale"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]35 name: "tailscale"
36 tag: "v1.82.0"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]37 pullPolicy: "IfNotPresent"
38 }
39 portAllocator: {
40 repository: "giolekva"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]41 name: "port-allocator"
42 tag: "latest"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]43 pullPolicy: "Always"
44 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]45 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]46
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]47 charts: {
gio4557dc02024-10-04 19:29:25 +0400[diff] [blame]48 "access-secrets": {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]49 kind: "GitRepository"
gio4557dc02024-10-04 19:29:25 +0400[diff] [blame]50 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]51 branch: "main"
52 path: "charts/access-secrets"
gio4557dc02024-10-04 19:29:25 +0400[diff] [blame]53 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]54 service: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]55 kind: "GitRepository"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]56 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]57 branch: "main"
58 path: "charts/service"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]59 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]60 "ingress-nginx": {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]61 kind: "GitRepository"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]62 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]63 branch: "main"
64 path: "charts/ingress-nginx"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]65 }
66 "tailscale-proxy": {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]67 kind: "GitRepository"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]68 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]69 branch: "main"
70 path: "charts/tailscale-proxy"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]71 }
72 portAllocator: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]73 kind: "GitRepository"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]74 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]75 branch: "main"
76 path: "charts/port-allocator"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]77 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]78 headscaleUser: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]79 kind: "GitRepository"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]80 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]81 branch: "main"
82 path: "charts/headscale-user"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]83 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]84 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]85
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]86 _ingressPrivate: "\(global.id)-ingress-private"
gio7841f4f2024-07-26 19:53:49 +0400[diff] [blame]87
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]88 helm: {
gio4557dc02024-10-04 19:29:25 +0400[diff] [blame]89 "access-secrets": {
90 chart: charts["access-secrets"]
91 values: {
92 serviceAccountName: "default"
93 }
94 }
95 "access-secrets-nginx": {
96 chart: charts["access-secrets"]
97 values: {
98 serviceAccountName: "\(global.id)-nginx-private"
99 }
100 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]101 "ingress-nginx": {
102 chart: charts["ingress-nginx"]
103 values: {
104 fullnameOverride: "\(global.id)-nginx-private"
105 controller: {
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]106 replicaCount: input.controllerReplicaCount
107 updateStrategy: {
108 type: "RollingUpdate"
109 rollingUpdate: {
110 maxUnavailable: "30%"
111 }
112 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]113 service: {
114 enabled: true
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]115 type: "LoadBalancer"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]116 annotations: {
117 "metallb.universe.tf/address-pool": _ingressPrivate
118 }
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]119 extraPorts: {
120 tcp: {}
121 udp: {}
122 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]123 }
124 ingressClassByName: true
125 ingressClassResource: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]126 name: _ingressPrivate
127 enabled: true
128 default: false
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]129 controllerValue: "k8s.io/\(_ingressPrivate)"
130 }
131 config: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]132 "proxy-body-size": "200M" // TODO(giolekva): configurable
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]133 "force-ssl-redirect": "true"
134 "server-snippet": """
135 more_clear_headers "X-Frame-Options";
136 """
137 }
138 extraArgs: {
139 "default-ssl-certificate": "\(_ingressPrivate)/cert-wildcard.\(global.privateDomain)"
140 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]141 extraVolumes: [{
142 name: _proxyBackendConfigName
143 configMap: {
144 name: _proxyBackendConfigName
145 }
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]146 }, {
147 name: "proxy-backend-pid"
148 emptyDir: {
149 size: "2Mi"
150 }
151 }, {
152 name: "ts-proxy-state"
153 emptyDir: {
154 size: "2Mi"
155 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]156 }]
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]157 shareProcessNamespace: true
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]158 extraContainers: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]159 name: "proxy"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]160 image: images.tailscale.fullNameWithTag
161 securityContext: {
162 capabilities: {
163 add: ["NET_ADMIN"]
164 }
165 privileged: true
166 }
167 env: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]168 name: "TS_STATE_DIR"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]169 value: "/ts-state"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]170 }, {
171 name: "TS_HOSTNAME"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]172 valueFrom: {
173 fieldRef: {
174 fieldPath: "metadata.name"
175 }
176 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]177 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]178 name: "TS_EXTRA_ARGS"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]179 value: "--login-server=https://headscale.\(global.domain)"
180 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]181 name: "TS_USERSPACE"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]182 value: "false"
183 }]
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]184 command: ["/bin/sh"]
185 args: [
186 "-c",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]187 "TS_AUTHKEY=$(wget --post-data=\"\" -O /tmp/authkey http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local/user/private-network-proxy/preauthkey > /dev/null 2>&1 && cat /tmp/authkey) /usr/local/bin/containerboot",
188 ]
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]189 volumeMounts: [{
190 mountPath: "/ts-state"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]191 name: "ts-proxy-state"
192 readOnly: false
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]193 }]
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]194 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]195 name: "proxy-backend"
196 image: images.nginx.fullNameWithTag
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]197 imagePullPolicy: images.nginx.pullPolicy
198 ports: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]199 name: "proxy"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]200 containerPort: 9090
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]201 protocol: "TCP"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]202 }]
203 volumeMounts: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]204 name: _proxyBackendConfigName
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]205 mountPath: "/etc/nginx"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]206 readOnly: true
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]207 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]208 name: "proxy-backend-pid"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]209 mountPath: "/var/run/nginx"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]210 readOnly: false
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]211 }]
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]212 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]213 name: "reload-config"
214 image: "giolekva/reload:latest"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]215 imagePullPolicy: "Always"
216 command: [
217 "/usr/bin/reload",
218 "--watch=/etc/nginx/nginx.conf",
219 "--reload=/var/run/nginx/nginx.pid",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]220 ]
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]221 volumeMounts: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]222 name: "proxy-backend-config"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]223 mountPath: "/etc/nginx"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]224 readOnly: true
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]225 }, {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]226 name: "proxy-backend-pid"
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]227 mountPath: "/var/run/nginx"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]228 readOnly: true
giof55ab362025-04-11 17:48:17 +0400[diff] [blame]229 }]
230 securityContext: {
231 capabilities: {
232 add: ["SYS_PTRACE"]
233 }
234 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]235 }]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]236 admissionWebhooks: {
237 enabled: false
238 }
239 image: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]240 registry: images["ingress-nginx"].registry
241 image: images["ingress-nginx"].imageName
242 tag: images["ingress-nginx"].tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]243 pullPolicy: images["ingress-nginx"].pullPolicy
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]244 }
245 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]246 }
247 }
248 "tailscale-proxy": {
249 chart: charts["tailscale-proxy"]
250 values: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]251 hostname: input.privateNetwork.hostname
252 apiServer: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
253 loginServer: "https://headscale.\(networks.public.domain)" // TODO(gio): take headscale subdomain from configuration
254 ipSubnet: input.privateNetwork.ipSubnet
255 username: input.privateNetwork.username // TODO(gio): maybe install headscale-user chart separately?
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]256 preAuthKeySecret: "headscale-preauth-key"
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]257 image: {
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]258 repository: images.tailscale.fullName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]259 tag: images.tailscale.tag
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]260 pullPolicy: images.tailscale.pullPolicy
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]261 }
262 }
263 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]264 "port-allocator": {
265 chart: charts.portAllocator
266 values: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]267 repoAddr: release.repoAddr
268 sshPrivateKey: base64.Encode(null, input.sshPrivateKey)
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]269 ingressNginxPath: "\(release.appDir)/resources/ingress-nginx.yaml"
270 image: {
271 repository: images.portAllocator.fullName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]272 tag: images.portAllocator.tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]273 pullPolicy: images.portAllocator.pullPolicy
274 }
Giorgi Lekveishvilib59b7c22024-04-03 22:17:50 +0400[diff] [blame]275 }
276 }
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]277 // TODO(gio): Generate proxy-backend-config as well
278 "proxy-backend-service": {
279 chart: charts.service
280 values: {
281 name: "proxy-backend-service"
282 type: "ClusterIP"
283 selector: {
284 "app.kubernetes.io/component": "controller"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]285 "app.kubernetes.io/instance": "ingress-nginx"
286 "app.kubernetes.io/name": "ingress-nginx"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]287 }
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]288 ports: [{
289 name: "http"
290 port: 80
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]291 targetPort: 9090
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]292 protocol: "TCP"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]293 }]
294 }
295 }
Giorgi Lekveishvilib59b7c22024-04-03 22:17:50 +0400[diff] [blame]296 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]297}
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]298resources: {
299 "proxy-backend-config": {
300 apiVersion: "v1"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]301 kind: "ConfigMap"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]302 metadata: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]303 name: "proxy-backend-config"
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]304 namespace: release.namespace
305 }
306 data: {
307 "nginx.conf": """
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]308 worker_processes 1;
309 worker_rlimit_nofile 8192;
310 pid /var/run/nginx/nginx.pid;
311 events {
312 worker_connections 1024;
313 }
314 http {
315 map $http_host $backend {
316 }
317 server {
318 listen 9090;
319 location / {
320 resolver 135.181.48.180;
321 proxy_pass http://$backend;
322 }
323 }
324 }
325 """
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]326 }
327 }
328}
329
gio3cabc3e2024-10-06 18:37:27 +0400[diff] [blame]330_proxyBackendConfigName: "proxy-backend-config"