// base64 is only needed for the sshPrivateKey value handed to the
// port-allocator chart below.
import (
	"encoding/base64"
)
4
// Values supplied by the operator when this application is installed.
input: {
	privateNetwork: {
		// Tailscale hostname of the proxy node.
		hostname: string
		// Headscale user the proxy node is registered under.
		username: string
		ipSubnet: string // TODO(gio): use cidr type
	}
	// Secret material: the key is forwarded (base64-encoded) to the
	// port-allocator chart; keep it out of logs and of any ConfigMap.
	sshPrivateKey: string
}
13
// Application identity and the namespace its resources land in.
name:      "private-network"
namespace: "ingress-private"
16
// Everything rendered for this application: images, chart sources and the
// Helm releases that consume them. `global`, `release` and `networks` are
// referenced below but not declared in this file — presumably unified in from
// the platform schema; confirm.
out: {
	// Container images referenced by the helm releases below.
	// NOTE(review): `.imageName` and `.fullName` are read further down but are
	// not declared here — presumably derived fields from a shared images schema;
	// verify against the definition this file is unified with.
	images: {
		"ingress-nginx": {
			registry: "registry.k8s.io"
			repository: "ingress-nginx"
			name: "controller"
			// NOTE(review): v1.8.0 is an old controller release line; check it
			// against current ingress-nginx security advisories before reusing
			// this pin.
			tag: "v1.8.0"
			pullPolicy: "IfNotPresent"
		}
		"tailscale-proxy": {
			repository: "tailscale"
			name: "tailscale"
			tag: "v1.42.0"
			pullPolicy: "IfNotPresent"
		}
		portAllocator: {
			repository: "giolekva"
			name: "port-allocator"
			// NOTE(review): "latest" with pullPolicy Always is an unpinned image:
			// every pod start may pull a different build, so a release is neither
			// reproducible nor auditable. Pin a tag (or digest) once one is
			// published.
			tag: "latest"
			pullPolicy: "Always"
		}
	}

	// Chart sources. All four are pulled from the same Git repository.
	// NOTE(review): every chart tracks the moving `main` branch rather than a
	// tag or commit, so a chart change lands on the next reconcile without any
	// version bump in this file; pin a ref if reproducible releases matter.
	charts: {
		"access-secrets": {
			kind: "GitRepository"
			address: "https://code.v1.dodo.cloud/helm-charts"
			branch: "main"
			path: "charts/access-secrets"
		}
		"ingress-nginx": {
			kind: "GitRepository"
			address: "https://code.v1.dodo.cloud/helm-charts"
			branch: "main"
			path: "charts/ingress-nginx"
		}
		"tailscale-proxy": {
			kind: "GitRepository"
			address: "https://code.v1.dodo.cloud/helm-charts"
			branch: "main"
			path: "charts/tailscale-proxy"
		}
		portAllocator: {
			kind: "GitRepository"
			address: "https://code.v1.dodo.cloud/helm-charts"
			branch: "main"
			path: "charts/port-allocator"
		}
	}

	// Hidden field (leading underscore): the per-instance name shared by the
	// MetalLB address pool, the IngressClass and the default-certificate
	// namespace below. Not exported in the rendered output.
	_ingressPrivate: "\(global.id)-ingress-private"

	helm: {
		// Presumably grants the named service accounts access to secrets
		// (chart name only; its contents are not visible here) — confirm what
		// it binds before widening either one.
		"access-secrets": {
			chart: charts["access-secrets"]
			values: {
				serviceAccountName: "default"
			}
		}
		"access-secrets-nginx": {
			chart: charts["access-secrets"]
			values: {
				// Must match fullnameOverride of the ingress-nginx release below.
				serviceAccountName: "\(global.id)-nginx-private"
			}
		}
		"ingress-nginx": {
			chart: charts["ingress-nginx"]
			values: {
				fullnameOverride: "\(global.id)-nginx-private"
				controller: {
					service: {
						enabled: true
						type: "LoadBalancer"
						annotations: {
							// Asks MetalLB for an address from the pool named
							// after this instance.
							"metallb.universe.tf/address-pool": _ingressPrivate
						}
					}
					ingressClassByName: true
					ingressClassResource: {
						name: _ingressPrivate
						enabled: true
						// Not the cluster-wide default class; Ingresses must
						// opt in by name.
						default: false
						controllerValue: "k8s.io/\(_ingressPrivate)"
					}
					// Entries in the controller ConfigMap; they apply to every
					// host served by this controller.
					config: {
						"proxy-body-size": "200M" // TODO(giolekva): configurable
						// Plain-HTTP requests are redirected to HTTPS.
						"force-ssl-redirect": "true"
						// NOTE(review): more_clear_headers strips X-Frame-Options
						// from every upstream response, which removes the
						// clickjacking protection for all apps behind this
						// controller. Presumably needed so apps can be embedded
						// in frames — confirm, and prefer a per-app
						// Content-Security-Policy frame-ancestors where only
						// some apps need it.
						"server-snippet": """
							more_clear_headers "X-Frame-Options";
							"""
					}
					extraArgs: {
						// namespace/secret form expected by the controller; the
						// wildcard cert lives in this instance's namespace.
						"default-ssl-certificate": "\(_ingressPrivate)/cert-wildcard.\(global.privateDomain)"
					}
					// NOTE(review): with the validating webhook disabled,
					// malformed or snippet-bearing Ingress objects are not
					// rejected at admission time and only surface as controller
					// reload errors. Revisit if anyone other than this release
					// can create Ingresses in this class.
					admissionWebhooks: {
						enabled: false
					}
					image: {
						registry: images["ingress-nginx"].registry
						image: images["ingress-nginx"].imageName
						tag: images["ingress-nginx"].tag
						pullPolicy: images["ingress-nginx"].pullPolicy
					}
				}
			}
		}
		"tailscale-proxy": {
			chart: charts["tailscale-proxy"]
			values: {
				hostname: input.privateNetwork.hostname
				// Plain HTTP to the headscale API; this is an in-cluster service
				// address, so it presumably never leaves the cluster network —
				// confirm the service is not exposed more widely.
				apiServer: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
				loginServer: "https://headscale.\(networks.public.domain)" // TODO(gio): take headscale subdomain from configuration
				ipSubnet: input.privateNetwork.ipSubnet
				username: input.privateNetwork.username // TODO(gio): maybe install headscale-user chart separately?
				// Presumably the name of the Secret the chart reads the
				// pre-auth key from — confirm against the chart.
				preAuthKeySecret: "headscale-preauth-key"
				image: {
					repository: images["tailscale-proxy"].fullName
					tag: images["tailscale-proxy"].tag
					pullPolicy: images["tailscale-proxy"].pullPolicy
				}
			}
		}
		"port-allocator": {
			chart: charts.portAllocator
			values: {
				repoAddr: release.repoAddr
				// NOTE(review): the SSH private key travels as a Helm value, so
				// it is stored in the Helm release Secret as well as wherever
				// the chart renders it. Confirm the chart writes it into a
				// Secret (not a ConfigMap) and that the key is scoped to the
				// single repo it needs. A null encoding selects CUE's default
				// base64 alphabet — presumably what the chart decodes; confirm.
				sshPrivateKey: base64.Encode(null, input.sshPrivateKey)
				// Manifest the allocator is expected to edit inside the
				// release's app directory.
				ingressNginxPath: "\(release.appDir)/resources/ingress-nginx.yaml"
				image: {
					repository: images.portAllocator.fullName
					tag: images.portAllocator.tag
					pullPolicy: images.portAllocator.pullPolicy
				}
			}
		}
	}
}