authorChristian Pointner <equinox@spreadspace.org>2018-02-23 16:08:23 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-02-23 16:08:23 +0100
commit899cebd346ab8028135da82f01098becf1fd48df (patch)
treea4bc1238589385ab12b7a31225ee8567e8dd92b8
parentsome more refactoring (diff)
fix port forwarded by onion-service
-rw-r--r--src/examples/elevate2018.yml36
-rwxr-xr-xsrc/flufigut.py22
-rw-r--r--templates/default/kubernetes/onion-service-cm.yml.j220
-rw-r--r--templates/default/kubernetes/sfive-deploy.yml.j244
4 files changed, 82 insertions, 40 deletions
diff --git a/src/examples/elevate2018.yml b/src/examples/elevate2018.yml
index 4bb1860..20b1eb0 100644
--- a/src/examples/elevate2018.yml
+++ b/src/examples/elevate2018.yml
@@ -91,25 +91,25 @@ muxes:
mp3: [ high, medium, low, mini ]
streams:
local:
- muxes: [ av-orig, audio-orig ]
- nginx-muxes: [ av-orig ]
- type: http
- count: 1
- port: 8000
- max-con: 100
- burst-on-connect: 5
- hostname: elevate-feed.spreadspace.org
+ muxes: [ av-orig, audio-orig ]
+ nginx-muxes: [ av-orig ]
+ type: http
+ count: 1
+ port: 8000
+ max-con: 100
+ burst-on-connect: 5
+ hostname: elevate-feed.spreadspace.org
public:
- muxes: [ av-orig, audio-orig ]
- nginx-muxes: [ av-orig ]
- type: http
- count: 4
- port: 8000
- max-bw: 290000000
- burst-on-connect: 5
- hostname: "emc-%02i.spreadspace.org"
- repeater: True
- onion-service: "elevateh7tpoo7eg.onion"
+ muxes: [ av-orig, audio-orig ]
+ nginx-muxes: [ av-orig ]
+ type: http
+ count: 4
+ port: 8000
+ max-bw: 290000000
+ burst-on-connect: 5
+ hostname: "emc-%02i.spreadspace.org"
+ repeater: True
+ onion-service: "elevateh7tpoo7eg.onion"
records:
av:
mux: avr
diff --git a/src/flufigut.py b/src/flufigut.py
index f13c5b4..94c393d 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -765,6 +765,19 @@ class K8sDeployment:
deploy = self.__generate_object(tmpl_env, 'sfive-deploy.yml', {'worker': worker})
appsV1.create_namespaced_deployment(self._namespace, deploy)
+ def _deploy_onion_service_config(self, template_dir, tmpl_env, v1, stream_name, stream):
+ deploy = {'stream': stream_name}
+ deploy['onion_services'] = {}
+ # TODO: hardcoded value (sync with sfive_proxy_config)
+ deploy['onion_services'][stream['port']] = {'host': '127.0.0.1', 'port': 8001}
+ # TODO: add port 80 -> onion streaming site
+ cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
+ v1.create_namespaced_config_map(self._namespace, cm)
+
+ def _deploy_stream_website(self, template_dir, tmpl_env, v1, appsV1, stream_name, stream):
+ # TODO: add me
+ pass
+
def _deploy_onionbalance(self, template_dir, tmpl_env, v1, appsV1, rbacV1):
sa = self.__generate_object(tmpl_env, 'onionbalance-sa.yml')
v1.create_namespaced_service_account(self._namespace, sa)
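Review bot: `_deploy_onion_service_config` hardcodes the forward target as `'127.0.0.1'` and `8001` on the `deploy['onion_services'][stream['port']] = ...` line, and the TODO above it says the value has to be kept in sync with `sfive_proxy_config` by hand; a single module-level constant (say `SFIVE_PROXY_ONION_PORT = 8001`, name constructed) referenced from both places would stop the two from drifting, which is the class of bug the commit title is fixing. The method also has no docstring and accepts `template_dir` without using it; I would add `"""Render the torrc ConfigMap for one stream's onion service, mapping the stream's public port to the local sfive onion proxy."""` — that the target is the proxy-onion container is my reading of the ONION_PORT env removed from sfive-deploy.yml.j2, so confirm. `_deploy_stream_website` is a bare `pass` that the third hunk calls for every stream; a one-line docstring saying it is intentionally a no-op until the website deployment exists would save a reader from hunting for a missing side effect. The enclosing class K8sDeployment starts outside the hunk.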
@@ -776,6 +789,10 @@ class K8sDeployment:
rbacV1.create_namespaced_role_binding(self._namespace, rb)
secret = self.__generate_object(tmpl_env, 'onionbalance-secret.yml')
+ # TODO: for _, stream in self._desc.streams:
+ # if 'onion-service' in stream:
+ # key = ~~~~get_key(stream['onion-service'])
+ # secret['data'][stream['onion-service']] = base64.b64encode(key).decode('ascii')
v1.create_namespaced_secret(self._namespace, secret)
worker = self._planet.workers[self._desc.globals['deployment']['parameter']['onionbalance_worker']]
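Review bot: The sketched loop in the new TODO, `for _, stream in self._desc.streams:`, would iterate keys rather than (name, stream) pairs if `streams` is the dict that the next hunk walks with `.items()`; writing the sketch as `# TODO: for _, stream in self._desc.streams.items():` avoids it being copied in wrong later. The sketch also base64-encodes a raw private key into the onionbalance Secret, and `~~~~get_key` leaves open where that key comes from; since everything else here is rendered from the checked-in description (the elevate2018.yml example in this commit), the TODO should state that the key is read from an out-of-tree secret source and never from the description file. `_deploy_onionbalance` starts outside the hunk.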
@@ -802,6 +819,11 @@ class K8sDeployment:
self._deploy_nginx_worker(template_dir, tmpl_env, v1, appsV1, worker)
self._deploy_sfive_worker(template_dir, tmpl_env, v1, appsV1, worker)
+ for stream_name, stream in self._desc.streams.items():
+ self._deploy_stream_website(template_dir, tmpl_env, v1, appsV1, stream_name, stream)
+ if 'onion-service' in stream:
+ self._deploy_onion_service_config(template_dir, tmpl_env, v1, stream_name, stream)
+
if self.__has_onion_service:
role = self.__generate_object(tmpl_env, 'onion-service-role.yml')
rbacV1.create_namespaced_role(self._namespace, role)
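Review bot: The new per-stream loop creates the `onion-service-<stream>` ConfigMap after `_deploy_sfive_worker` has already created the Deployment whose pods mount it (the `onion-config` volume added to sfive-deploy.yml.j2 in this commit), so on a fresh namespace those pods sit in ContainerCreating with FailedMount events until the loop runs; it recovers, but it is noisy and the delay grows with the worker count. Moving the `for stream_name, stream in self._desc.streams.items():` loop above the worker loop that the top of this hunk belongs to, so the ConfigMaps exist before any Deployment references them, removes the race. The ordering claim assumes the indented calls at the top of the hunk sit in a loop over workers, which starts outside the hunk, as does the enclosing method.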
diff --git a/templates/default/kubernetes/onion-service-cm.yml.j2 b/templates/default/kubernetes/onion-service-cm.yml.j2
new file mode 100644
index 0000000..f980637
--- /dev/null
+++ b/templates/default/kubernetes/onion-service-cm.yml.j2
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ deploy.namespace }}
+ name: onion-service-{{ deploy.stream }}
+data:
+ torrc: |
+ ## Set DataDirectory
+ DataDirectory /var/lib/tor
+
+ ## Do not act as a SOCKS proxy
+ SOCKSPort 0
+
+ ## Publish a hidden service
+ HiddenServiceDir /var/lib/tor/onion_service/
+{% for port, svc in deploy.onion_services.items() %}
+ HiddenServicePort {{ port }} {{ svc.host }}:{{ svc.port }}
+{% endfor %}
+ HiddenServiceNonAnonymousMode 1
+ HiddenServiceSingleHopMode 1
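Review bot: The last two directives, `HiddenServiceNonAnonymousMode 1` and `HiddenServiceSingleHopMode 1`, are the one security-relevant choice in this torrc and the only lines without a `##` comment: together they make tor reach rendezvous points over single-hop circuits, so the service gives up its own location anonymity (clients keep theirs) in exchange for lower latency, and the init container in sfive-deploy.yml.j2 pre-creates the matching `onion_service_non_anonymous` marker for the same reason. I would add `## Non-anonymous single-hop service: the server's location is not hidden, only clients stay anonymous (lower latency for public streaming)` above them, and extend the SOCKSPort comment to `## Do not act as a SOCKS proxy (tor refuses to start a non-anonymous service with client ports enabled)`, since that dependency between the two settings is otherwise invisible to the next editor.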
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index fe9766b..68d907f 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -49,16 +49,28 @@ spec:
volumeMounts:
- name: onion-lib
mountPath: /var/lib/tor
+ - name: generate-onion-key
+ image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
+ command: ['sh', '-c', '/keygen.py && touch /var/lib/tor/onion_service/onion_service_non_anonymous']
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: onion-lib
+ mountPath: /var/lib/tor
{% endif %}
containers:
{% if deploy.worker.flags.sfive == 'proxy' %}
- name: proxy
image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
imagePullPolicy: Always
- args:
- - s5proxy
- - -config
- - /srv/config/proxy.json
+ args: [ 's5proxy', '-config', '/srv/config/proxy.json' ]
volumeMounts:
- name: home
mountPath: /srv
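Review bot: The new `generate-onion-key` init container has no `imagePullPolicy`, while the `onion-service` container that later consumes the generated key uses `imagePullPolicy: Always` on the same `spreadspace/onion-service:...` image (third hunk of this file); with a mutable tag the init container can run a cached older build than the main container, and keygen and tor may then disagree on the key format. Adding `imagePullPolicy: Always` after the init container's `image:` line keeps the two in step. The key is generated into the `onion-lib` emptyDir, so each pod restart mints a fresh key — presumably intended with onionbalance in front, but a one-line comment saying so would help. The enclosing spec starts and ends outside the hunk.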
@@ -68,10 +80,7 @@ spec:
- name: proxy-onion
image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
imagePullPolicy: Always
- args:
- - s5proxy
- - -config
- - /srv/config/proxy-onion.json
+ args: [ 's5proxy', '-config', '/srv/config/proxy-onion.json' ]
volumeMounts:
- name: home
mountPath: /srv
@@ -80,23 +89,11 @@ spec:
- name: onion-service
image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
imagePullPolicy: Always
- env:
- - name: ONION_HOST
- value: "127.0.0.1"
- - name: ONION_PORT
- value: "8001"
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ args: [ '/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0' ]
volumeMounts:
- name: onion-lib
mountPath: /var/lib/tor
- - name: proxy-config
+ - name: onion-config
mountPath: /srv/config
{% endif %}
{% endif %}
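Review bot: The onion-service container now starts tor through `args: [ '/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0' ]`, which Kubernetes appends to the image's ENTRYPOINT rather than replacing it; the init container for the same image in the first hunk uses `command:`, which suggests the image does define an entrypoint, so unless that entrypoint execs its arguments the removed `ONION_HOST`/`ONION_PORT` env may still be expected by it. If tor is meant to be the container's process, `command: [ '/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0' ]` makes that explicit regardless of the image. I cannot see the Dockerfile, so confirm against the image. The enclosing spec continues outside the hunk.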
@@ -125,6 +122,9 @@ spec:
- name: onion-lib
emptyDir:
medium: Memory
+ - name: onion-config
+ configMap:
+ name: onion-service-{{ deploy.worker.flags.stream }}
{% endif %}
- name: proxy-config
configMap:
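Review bot: The volume names its ConfigMap `onion-service-{{ deploy.worker.flags.stream }}`, but the ConfigMap is created by onion-service-cm.yml.j2 as `onion-service-{{ deploy.stream }}` with `deploy.stream` set to the key of `self._desc.streams`; nothing in the diff shows that `worker.flags.stream` holds that same key, and a mismatch surfaces only as pods stuck on a FailedMount event, not as a render error. Deriving both names from one helper, or at least a comment above the volume such as `# must match metadata.name in onion-service-cm.yml.j2`, would pin the coupling. The volumes list continues outside the hunk.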