authorChristian Pointner <equinox@spreadspace.org>2018-03-02 16:19:31 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-03-02 16:19:38 +0100
commitc8da8f6acb9cb149d40e22b8727aeeb15a198d57 (patch)
tree9f99f7ef239b2935d7525964231549f765d2a45a
parentfixed mediachannel sharebale (diff)
move to improved onion service handlingonion
(not finished yet)
-rw-r--r--src/examples/elevate2018.yml3
-rwxr-xr-xsrc/flufigut.py31
-rw-r--r--templates/default/kubernetes/onion-service-cm.yml.j22
-rw-r--r--templates/default/kubernetes/stream-site-onion-rolebinding.yml.j213
-rw-r--r--templates/default/kubernetes/stream-site-sa.yml.j25
5 files changed, 42 insertions, 12 deletions
diff --git a/src/examples/elevate2018.yml b/src/examples/elevate2018.yml
index eabf4f7..1f33fe7 100644
--- a/src/examples/elevate2018.yml
+++ b/src/examples/elevate2018.yml
@@ -114,9 +114,10 @@ streams:
hostname: "emc-%02i.spreadspace.org"
repeater: True
lb-hostname: "elevate-live.spreadspace.org"
+ lb-onion: "elevatexfonbiisp.onion"
lb-worker: emc-00
- onion-service: "elevateh7tpoo7eg.onion"
site-hostname: "stream.elevate.at"
+ site-onion: "elevaterdemr4cey.onion"
site-worker: emc-00
records:
av:
diff --git a/src/flufigut.py b/src/flufigut.py
index 96e8260..0367513 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -545,8 +545,8 @@ class Planet:
self.__add_worker_flag_exclusive(worker, "stream", stream_name)
self.__add_worker_flag_exclusive(worker, "stream-hostname", hostname)
self.__add_worker_flag_exclusive(worker, "stream-index", idx)
- if 'onion-service' in stream and stream['onion-service']:
- self.__add_worker_flag_exclusive(worker, "stream-onion", stream['onion-service'])
+ if 'lb-onion' in stream and stream['lb-onion']:
+ self.__add_worker_flag_exclusive(worker, "stream-onion", stream['lb-onion'])
if 'sfive' in self._desc.globals['stats']:
self.__add_worker_flag_exclusive(worker, "sfive", self._desc.globals['stats']['sfive']['type'])
@@ -774,12 +774,19 @@ class K8sDeployment:
deploy = self.__generate_object(tmpl_env, 'sfive-deploy.yml', {'worker': worker})
appsV1.create_namespaced_deployment(self._namespace, deploy)
- def _deploy_onion_service_config(self, template_dir, tmpl_env, v1, stream_name, stream):
- deploy = {'stream': stream_name}
+ def _deploy_onion_service_lb_config(self, template_dir, tmpl_env, v1, stream_name, stream):
+ deploy = {'stream': stream_name, 'onion_type': 'lb'}
deploy['onion_services'] = {}
# TODO: hardcoded value (sync with sfive_proxy_config)
deploy['onion_services'][stream['port']] = {'host': '127.0.0.1', 'port': 8001}
- # TODO: add port 80 -> onion streaming site
+ cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
+ v1.create_namespaced_config_map(self._namespace, cm)
+
+ def _deploy_onion_service_site_config(self, template_dir, tmpl_env, v1, stream_name, stream):
+ deploy = {'stream': stream_name, 'onion_type': 'site'}
+ deploy['onion_services'] = {}
+ # TODO: hardcoded value (sync with site port)
+ deploy['onion_services'][stream['port']] = {'host': '127.0.0.1', 'port': 8080}
cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
v1.create_namespaced_config_map(self._namespace, cm)
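Review bot: `_deploy_onion_service_site_config` publishes the site onion on `stream['port']`, the same virtual port as the lb variant, although the TODO removed in this hunk spoke of port 80 for the streaming site; if the site is meant to answer on the default HTTP port, the key should be `80`. The two methods differ only in `onion_type` and the backend port, so a single private helper taking those as arguments would keep the hardcoded 8001/8080 in one place. That matters because a backend port that drifts from the real listener would publish whatever else is bound to that loopback port under the onion address. `template_dir` is unused in both methods, and whether the second method ends at the last line of the hunk is not visible.

```python
    def __deploy_onion_service_config(self, tmpl_env, v1, stream_name, onion_type, virt_port, target_port):
        deploy = {'stream': stream_name, 'onion_type': onion_type}
        deploy['onion_services'] = {virt_port: {'host': '127.0.0.1', 'port': target_port}}
        cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
        v1.create_namespaced_config_map(self._namespace, cm)

    def _deploy_onion_service_lb_config(self, template_dir, tmpl_env, v1, stream_name, stream):
        # TODO: hardcoded value (sync with sfive_proxy_config)
        self.__deploy_onion_service_config(tmpl_env, v1, stream_name, 'lb', stream['port'], 8001)

    def _deploy_onion_service_site_config(self, template_dir, tmpl_env, v1, stream_name, stream):
        # TODO: hardcoded value (sync with site port); virtual port 80 assumed from the removed TODO, confirm
        self.__deploy_onion_service_config(tmpl_env, v1, stream_name, 'site', 80, 8080)
```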
@@ -831,11 +838,15 @@ class K8sDeployment:
rb = self.__generate_object(tmpl_env, 'onionbalance-rolebinding.yml')
rbacV1.create_namespaced_role_binding(self._namespace, rb)
+ # TODO:
# secret = self.__generate_object(tmpl_env, 'onionbalance-secret.yml')
- # TODO: for _, stream in self._desc.streams:
- # if 'onion-service' in stream:
- # key = ~~~~get_key(stream['onion-service'])
- # secret['data'][stream['onion-service']] = base64.b64encode(key).decode('ascii')
+ # for _, stream in self._desc.streams:
+ # if 'lb-onion' in stream:
+ # key = ~~~~get_key(stream['lb-onion'])
+ # secret['data'][stream['lb-onion']] = base64.b64encode(key).decode('ascii')
+ # if 'site-onion' in stream:
+ # key = ~~~~get_key(stream['site-onion'])
+ # secret['data'][stream['site-onion']] = base64.b64encode(key).decode('ascii')
# v1.create_namespaced_secret(self._namespace, secret)
worker = self._planet.workers[self._desc.globals['deployment']['parameter']['onionbalance_worker']]
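Review bot: The commented-out sketch stores the `lb-onion` and `site-onion` private keys side by side in the single `onionbalance-secret`, so once it is enabled every pod allowed to read that secret would hold the keys of both services. The site key is presumably only needed by the pod running under the `site-onion` service account, so it is worth recording now, for example `# TODO: put site-onion keys in their own secret, readable only by the site-onion service account`. The sketch also iterates `for _, stream in self._desc.streams:` while the live loop later in this file uses `self._desc.streams.items()`; the comment should use `.items()` as well so it works when uncommented. The enclosing method starts and continues outside the hunk.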
@@ -868,7 +879,7 @@ class K8sDeployment:
for stream_name, stream in self._desc.streams.items():
if 'lb-hostname' in stream:
self._deploy_stream_loadbalancer(template_dir, tmpl_env, v1, appsV1, stream_name, stream)
- if 'onion-service' in stream:
+ if 'lb-onion' in stream:
self._deploy_onion_service_config(template_dir, tmpl_env, v1, stream_name, stream)
self._deploy_stream_website(template_dir, tmpl_env, v1, appsV1, extV1beta1, stream_name, stream)
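Review bot: The call under the new `if 'lb-onion' in stream:` still targets `self._deploy_onion_service_config`, which this commit renames to `_deploy_onion_service_lb_config`, so a stream with `lb-onion` set would raise AttributeError during deployment, unless another method of that name exists outside the visible hunks. The line should read `self._deploy_onion_service_lb_config(template_dir, tmpl_env, v1, stream_name, stream)`. Nothing visible calls `_deploy_onion_service_site_config`, so `site-onion` has no effect yet; a matching `if 'site-onion' in stream:` branch is needed here. The test also checks only key presence, while the `Planet` hunk requires a truthy value (`'lb-onion' in stream and stream['lb-onion']`), so an empty `lb-onion:` would create a ConfigMap without the worker flag; `if stream.get('lb-onion'):` in both places would keep them aligned.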
diff --git a/templates/default/kubernetes/onion-service-cm.yml.j2 b/templates/default/kubernetes/onion-service-cm.yml.j2
index f980637..7501209 100644
--- a/templates/default/kubernetes/onion-service-cm.yml.j2
+++ b/templates/default/kubernetes/onion-service-cm.yml.j2
@@ -2,7 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
namespace: {{ deploy.namespace }}
- name: onion-service-{{ deploy.stream }}
+ name: onion-service-{{ deploy.stream }}-{{ deploy.onion_type }}
data:
torrc: |
## Set DataDirectory
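Review bot: Any pod template that still mounts the ConfigMap as `onion-service-{{ deploy.stream }}` will fail to find it after this rename, and no deployment template is touched in this commit according to the diffstat. The consumer of this ConfigMap should move to `onion-service-{{ deploy.stream }}-{{ deploy.onion_type }}` in the same change. If the template is ever rendered without `onion_type`, the name would end in a bare `-`, unless the Jinja environment is configured with strict undefined handling, so a guard or a default in the template would make that failure visible. The `torrc` body continues outside the hunk.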
diff --git a/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2 b/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2
new file mode 100644
index 0000000..7b3ef4f
--- /dev/null
+++ b/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ deploy.namespace }}
+ name: site-onion
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onion-service
+subjects:
+- kind: ServiceAccount
+ name: site-onion
+ namespace: {{ deploy.namespace }}
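Review bot: The `onion-service` Role named in `roleRef` is neither defined nor changed in this commit, so what the `site-onion` service account may do cannot be checked from here. If that Role allows reading secrets without `resourceNames`, the site pod could read the load-balancer onion keys as well; a dedicated Role limited to the site's own secret would be the least-privilege choice. The fixed name `site-onion`, used here and in `stream-site-sa.yml.j2`, would collide when more than one stream in the namespace sets `site-onion`, assuming the templates are rendered per stream; `site-onion-{{ deploy.stream }}` would avoid that. None of the visible `flufigut.py` hunks renders either new template yet.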
diff --git a/templates/default/kubernetes/stream-site-sa.yml.j2 b/templates/default/kubernetes/stream-site-sa.yml.j2
new file mode 100644
index 0000000..2d20a29
--- /dev/null
+++ b/templates/default/kubernetes/stream-site-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ deploy.namespace }}
+ name: site-onion