authorChristian Pointner <equinox@spreadspace.org>2018-02-18 19:56:15 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-02-18 19:56:15 +0100
commit4f61f0d742b386a699cb9ee3359a18b746cca2d5 (patch)
treeea112b2c292b62a5d99889cfb398894986398cba /templates
parentrevamp handling of sfive proxy (diff)
onion-service allmost works now
Diffstat (limited to 'templates')
-rw-r--r--templates/default/kubernetes/onion-service-role.yml.j212
-rw-r--r--templates/default/kubernetes/sfive-deploy.yml.j244
-rw-r--r--templates/default/kubernetes/sfive-onion-rolebinding.yml.j213
-rw-r--r--templates/default/kubernetes/sfive-sa.yml.j25
4 files changed, 74 insertions, 0 deletions
diff --git a/templates/default/kubernetes/onion-service-role.yml.j2 b/templates/default/kubernetes/onion-service-role.yml.j2
new file mode 100644
index 0000000..eb7a6ca
--- /dev/null
+++ b/templates/default/kubernetes/onion-service-role.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ namespace }}
+ name: onion-service
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
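Review bot: The rule granting `patch` on `pods` has no `resourceNames`, so any holder of this Role can patch every pod in the namespace, not only its own. A pod patch can change labels, annotations and container images. Pod names under a Deployment are generated, so narrowing by name is probably impractical, but the file should then say why the grant is namespace-wide. I would add a header comment such as `# lets the onion-service sidecar patch its own pod (POD_NAME/POD_NAMESPACE); namespace-wide because pod names are generated`. Confirm first that this is what the sidecar does, since the diff shows only the env vars and not the API call.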
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 06c84dc..65b97e9 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -20,8 +20,12 @@ spec:
labels:
app: sfive
worker: {{ worker.name }}
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ spreadspace.org/onion-service: {{ worker.flags['stream-onion'] }}
+{% endif %}
spec:
nodeName: {{ worker.name }}
+ serviceAccountName: sfive
securityContext:
runAsUser: 998
fsGroup: 998
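Review bot: `serviceAccountName: sfive` is added outside the `stream-onion` guard used for the label just above it, so every sfive pod, and every container in it, runs with the account that sfive-onion-rolebinding.yml.j2 binds to the pod-patching Role. Only the onion-service sidecar appears to need that token. Wrap the line in the same condition, `{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}` … `{% endif %}`, and consider `automountServiceAccountToken: false` for pods without the sidecar. Separately, quote the label value as `spreadspace.org/onion-service: "{{ worker.flags['stream-onion'] }}"`, because label values must be strings and a flag such as `true` or `1` would render as a non-string. The pod spec continues outside the hunk.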
@@ -41,6 +45,41 @@ spec:
mountPath: /srv
- name: proxy-config
mountPath: /srv/config
+{% if 'stream-onion' in worker.flags %}
+ - name: proxy-onion
+ image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
+ imagePullPolicy: Always
+ args:
+ - s5proxy
+ - -config
+ - /srv/config/proxy-onion.json
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: proxy-config
+ mountPath: /srv/config
+ - name: onion-service
+ image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
+ imagePullPolicy: Always
+ env:
+ - name: ONION_HOST
+ value: "127.0.0.1"
+ - name: ONION_PORT
+ value: "8001"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: proxy-config
+ mountPath: /srv/config
+{% endif %}
{% endif %}
- name: hub
image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
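Review bot: Both new containers reference their image by a templated tag with `imagePullPolicy: Always` (`spreadspace/sfive:{{ … }}` and `spreadspace/onion-service:{{ … }}`), so each pod start pulls whatever the tag points to at that moment. The onion-service sidecar runs beside the service-account token and the tor state directory, so a re-pushed tag changes privileged code without any change to this repository. Pin by digest, e.g. `image: spreadspace/onion-service@sha256:<digest>`, and carry the digest in the deployment parameters alongside the version. The enclosing `{% if %}` that the final `{% endif %}` closes starts outside the hunk.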
@@ -63,6 +102,11 @@ spec:
- name: home
emptyDir:
medium: Memory
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
+{% endif %}
- name: proxy-config
configMap:
name: sfive-{{ worker.name }}
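Review bot: The `onion-lib` volume is a memory-backed `emptyDir` with no `sizeLimit`, so this manifest sets no cap on what tor writes under /var/lib/tor, all of which is held in RAM. Add `sizeLimit: "<size>"` under `medium: Memory`. A comment would also help: presumably the tmpfs is deliberate so that the onion-service key material never reaches node disk, at the cost of losing it (and likely the onion address) whenever the pod is replaced. If so, state it, e.g. `# tor state incl. service keys kept in tmpfs on purpose; regenerated when the pod is replaced`. The volumes list continues outside the hunk.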
diff --git a/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2 b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
new file mode 100644
index 0000000..f3e0489
--- /dev/null
+++ b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ namespace }}
+ name: sfive-onion
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onion-service
+subjects:
+- kind: ServiceAccount
+ name: sfive
+ namespace: {{ namespace }}
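Review bot: The templated scalars `namespace: {{ namespace }}` (twice here, and again in onion-service-role.yml.j2 and sfive-sa.yml.j2) are emitted unquoted, so an empty or number-like value renders as `null` or an integer and the manifest fails only when it is applied. Write `namespace: "{{ namespace }}"` in all four places. This is a style point about how the template is written and does not change the binding itself.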
diff --git a/templates/default/kubernetes/sfive-sa.yml.j2 b/templates/default/kubernetes/sfive-sa.yml.j2
new file mode 100644
index 0000000..c25f644
--- /dev/null
+++ b/templates/default/kubernetes/sfive-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ namespace }}
+ name: sfive