Blame - core/installer/values-tmpl/private-network.cue - pcloud

blob: b43ab1d476b8cf78e03adde877a5518eceaab04a [file] [log] [blame]

Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	1	import (
				2	"encoding/base64"
				3	)
				4
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	5	input: {
				6	privateNetwork: {
				7	hostname: string
				8	username: string
				9	ipSubnet: string // TODO(gio): use cidr type
				10	}
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	11	sshPrivateKey: string
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	12	}
				13
Giorgi Lekveishvili	03d6f4b	2024-03-08 13:05:21 +0400	[diff] [blame]	14	name: "private-network"
Giorgi Lekveishvili	08af67a	2024-01-18 08:53:05 +0400	[diff] [blame]	15	namespace: "ingress-private"
				16
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	17	out: {
				18	images: {
				19	"ingress-nginx": {
				20	registry: "registry.k8s.io"
				21	repository: "ingress-nginx"
				22	name: "controller"
				23	tag: "v1.8.0"
				24	pullPolicy: "IfNotPresent"
				25	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	26	nginx: {
				27	repository: "library"
				28	name: "nginx"
				29	tag: "1.27.1-alpine3.20-slim"
				30	pullPolicy: "IfNotPresent"
				31	}
				32	tailscale: {
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	33	repository: "tailscale"
				34	name: "tailscale"
				35	tag: "v1.42.0"
				36	pullPolicy: "IfNotPresent"
				37	}
				38	portAllocator: {
				39	repository: "giolekva"
				40	name: "port-allocator"
				41	tag: "latest"
				42	pullPolicy: "Always"
				43	}
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	44	}
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	45
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	46	charts: {
gio	4557dc0	2024-10-04 19:29:25 +0400	[diff] [blame]	47	"access-secrets": {
				48	kind: "GitRepository"
				49	address: "https://code.v1.dodo.cloud/helm-charts"
				50	branch: "main"
				51	path: "charts/access-secrets"
				52	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	53	service: {
				54	kind: "GitRepository"
				55	address: "https://code.v1.dodo.cloud/helm-charts"
				56	branch: "main"
				57	path: "charts/service"
				58	}
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	59	"ingress-nginx": {
				60	kind: "GitRepository"
				61	address: "https://code.v1.dodo.cloud/helm-charts"
				62	branch: "main"
				63	path: "charts/ingress-nginx"
				64	}
				65	"tailscale-proxy": {
				66	kind: "GitRepository"
				67	address: "https://code.v1.dodo.cloud/helm-charts"
				68	branch: "main"
				69	path: "charts/tailscale-proxy"
				70	}
				71	portAllocator: {
				72	kind: "GitRepository"
				73	address: "https://code.v1.dodo.cloud/helm-charts"
				74	branch: "main"
				75	path: "charts/port-allocator"
				76	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	77	headscaleUser: {
				78	kind: "GitRepository"
				79	address: "https://code.v1.dodo.cloud/helm-charts"
				80	branch: "main"
				81	path: "charts/headscale-user"
				82	}
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	83	}
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	84
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	85	_ingressPrivate: "\(global.id)-ingress-private"
gio	7841f4f	2024-07-26 19:53:49 +0400	[diff] [blame]	86
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	87	helm: {
gio	4557dc0	2024-10-04 19:29:25 +0400	[diff] [blame]	88	"access-secrets": {
				89	chart: charts["access-secrets"]
				90	values: {
				91	serviceAccountName: "default"
				92	}
				93	}
				94	"access-secrets-nginx": {
				95	chart: charts["access-secrets"]
				96	values: {
				97	serviceAccountName: "\(global.id)-nginx-private"
				98	}
				99	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	100	"headscale-user": {
				101	chart: charts.headscaleUser
				102	values: {
				103	resourceName: "private-network-proxy-backend"
				104	username: "private-network-proxy"
				105	headscaleApiAddress: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
				106	preAuthKey: {
				107	enabled: true
				108	secretName: _clusterProxySecretName
				109	}
				110	}
				111	}
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	112	"ingress-nginx": {
				113	chart: charts["ingress-nginx"]
				114	values: {
				115	fullnameOverride: "\(global.id)-nginx-private"
				116	controller: {
				117	service: {
				118	enabled: true
				119	type: "LoadBalancer"
				120	annotations: {
				121	"metallb.universe.tf/address-pool": _ingressPrivate
				122	}
				123	}
				124	ingressClassByName: true
				125	ingressClassResource: {
				126	name: _ingressPrivate
				127	enabled: true
				128	default: false
				129	controllerValue: "k8s.io/\(_ingressPrivate)"
				130	}
				131	config: {
				132	"proxy-body-size": "200M" // TODO(giolekva): configurable
				133	"force-ssl-redirect": "true"
				134	"server-snippet": """
				135	more_clear_headers "X-Frame-Options";
				136	"""
				137	}
				138	extraArgs: {
				139	"default-ssl-certificate": "\(_ingressPrivate)/cert-wildcard.\(global.privateDomain)"
				140	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	141	extraVolumes: [{
				142	name: _proxyBackendConfigName
				143	configMap: {
				144	name: _proxyBackendConfigName
				145	}
				146	}]
				147	extraContainers: [{
				148	name: "proxy"
				149	image: images.tailscale.fullNameWithTag
				150	securityContext: {
				151	capabilities: {
				152	add: ["NET_ADMIN"]
				153	}
				154	privileged: true
				155	}
				156	env: [{
				157	name: "TS_KUBE_SECRET"
				158	value: _clusterProxySecretName
				159	}, {
				160	name: "TS_HOSTNAME"
				161	value: "cluster-proxy"
				162	}, {
				163	name: "TS_EXTRA_ARGS"
				164	value: "--login-server=https://headscale.\(global.domain)"
				165	}, {
				166	name: "TS_USERSPACE"
				167	value: "false"
				168	}]
				169	}, {
				170	name: "proxy-backend"
				171	image: images.nginx.fullNameWithTag
				172	imagePullPolicy: images.nginx.pullPolicy
				173	ports: [{
				174	name: "proxy"
				175	containerPort: 9090
				176	protocol: "TCP"
				177	}]
				178	volumeMounts: [{
				179	name: _proxyBackendConfigName
				180	mountPath: "/etc/nginx"
				181	readOnly: true
				182	}]
				183	}]
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	184	admissionWebhooks: {
				185	enabled: false
				186	}
				187	image: {
				188	registry: images["ingress-nginx"].registry
				189	image: images["ingress-nginx"].imageName
				190	tag: images["ingress-nginx"].tag
				191	pullPolicy: images["ingress-nginx"].pullPolicy
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	192	}
				193	}
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	194	}
				195	}
				196	"tailscale-proxy": {
				197	chart: charts["tailscale-proxy"]
				198	values: {
				199	hostname: input.privateNetwork.hostname
				200	apiServer: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
				201	loginServer: "https://headscale.\(networks.public.domain)" // TODO(gio): take headscale subdomain from configuration
				202	ipSubnet: input.privateNetwork.ipSubnet
				203	username: input.privateNetwork.username // TODO(gio): maybe install headscale-user chart separately?
				204	preAuthKeySecret: "headscale-preauth-key"
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	205	image: {
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	206	repository: images.tailscale.fullName
				207	tag: images.tailscale.tag
				208	pullPolicy: images.tailscale.pullPolicy
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	209	}
				210	}
				211	}
gio	7fbd4ad	2024-08-27 10:06:39 +0400	[diff] [blame]	212	"port-allocator": {
				213	chart: charts.portAllocator
				214	values: {
				215	repoAddr: release.repoAddr
				216	sshPrivateKey: base64.Encode(null, input.sshPrivateKey)
				217	ingressNginxPath: "\(release.appDir)/resources/ingress-nginx.yaml"
				218	image: {
				219	repository: images.portAllocator.fullName
				220	tag: images.portAllocator.tag
				221	pullPolicy: images.portAllocator.pullPolicy
				222	}
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	223	}
				224	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	225	// TODO(gio): Generate proxy-backend-config as well
				226	"proxy-backend-service": {
				227	chart: charts.service
				228	values: {
				229	name: "proxy-backend-service"
				230	type: "ClusterIP"
				231	selector: {
				232	"app.kubernetes.io/component": "controller"
				233	"app.kubernetes.io/instance": "ingress-nginx"
				234	"app.kubernetes.io/name": "ingress-nginx"
				235	}
				236	ports:[{
				237	name: "http"
				238	port: 80
				239	targetPort: 9090
				240	protocol: "TCP"
				241	}]
				242	}
				243	}
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	244	}
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	245	}
gio	3cabc3e	2024-10-06 18:37:27 +0400	[diff] [blame]	246	resources: {
				247	"proxy-backend-config": {
				248	apiVersion: "v1"
				249	kind: "ConfigMap"
				250	metadata: {
				251	name: "proxy-backend-config"
				252	namespace: release.namespace
				253	}
				254	data: {
				255	"nginx.conf": """
				256	worker_processes 1;
				257	worker_rlimit_nofile 8192;
				258	events {
				259	worker_connections 1024;
				260	}
				261	http {
				262	map $http_host $backend {
				263	}
				264	server {
				265	listen 9090;
				266	location / {
				267	resolver 135.181.48.180;
				268	proxy_pass http://$backend;
				269	}
				270	}
				271	}
				272	"""
				273	}
				274	}
				275	}
				276
				277	_clusterProxySecretName: "cluster-proxy-preauthkey"
				278	_proxyBackendConfigName: "proxy-backend-config"