From 4f61f0d742b386a699cb9ee3359a18b746cca2d5 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 18 Feb 2018 19:56:15 +0100
Subject: onion-service allmost works now
---
 src/examples/elevate2018.yml | 4 +-
 src/flufigut.py | 27 +++++++++++--
 .../default/kubernetes/onion-service-role.yml.j2 | 12 ++++++
 templates/default/kubernetes/sfive-deploy.yml.j2 | 44 ++++++++++++++++++++++
 .../kubernetes/sfive-onion-rolebinding.yml.j2 | 13 +++++++
 templates/default/kubernetes/sfive-sa.yml.j2 | 5 +++
 6 files changed, 100 insertions(+), 5 deletions(-)
 create mode 100644 templates/default/kubernetes/onion-service-role.yml.j2
 create mode 100644 templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
 create mode 100644 templates/default/kubernetes/sfive-sa.yml.j2
diff --git a/src/examples/elevate2018.yml b/src/examples/elevate2018.yml
index 4d8b7be..ba84345 100644
--- a/src/examples/elevate2018.yml
+++ b/src/examples/elevate2018.yml
@@ -58,7 +58,7 @@ globals:
 flumotion_image_version: 12
 nginx_image_version: 4
 sfive_image_version: 2
- onion_service_image_version: 3
+ onion_service_image_version: master-23
 inputs:
 sdi-orig:
 type: decklink
@@ -107,7 +107,7 @@ streams:
 burst-on-connect: 5
 hostname: "emc-%02i.spreadspace.org"
 repeater: True
- onion-service: True
+ onion-service: "dear-nicoo-this-is-just-a-place-holder-for-now.onion"
 records:
 av:
 mux: avr
diff --git a/src/flufigut.py b/src/flufigut.py
index 366c13e..0289abd 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -507,7 +507,7 @@ class Planet:
 def __generate_stream_mux_instance(self, stream_name, stream, mux, format, profile, idx, cnt, porter):
 muxer_feed = 'mux-%s-%s-%s' % (mux, format, profile)
 feeder = muxer_feed
- if 'repeater' in stream:
+ if 'repeater' in stream and stream['repeater']:
 feeder = self.__generate_stream_mux_repeater(stream_name, mux, format, profile, muxer_feed)
 comp_name = '%s-%s%i-stream-%s-%s-%s' % (stream['type'], stream_name, idx + 1, mux, format, profile)
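Review bot: The new `onion-service` value `"dear-nicoo-this-is-just-a-place-holder-for-now.onion"` is a placeholder committed to the example config, and from this commit on the key is no longer a switch but the hostname that is rendered into the proxy pod's label and its onion proxy configuration. A comment above the key stating that a real v3 `.onion` hostname is expected, and that the boolean form used before this commit no longer has a defined meaning, would stop users of the example from copying the placeholder into a real deployment. The `True` value two lines above for `repeater` makes the old boolean reading of `onion-service` all the more likely.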
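Review bot: The membership-plus-truthiness test `if 'repeater' in stream and stream['repeater']:` is the `dict.get` idiom spelled out by hand; `if stream.get('repeater'):` reads the same way and avoids the double lookup. The same pattern is introduced for `onion-service` in the hunk at -545 and would benefit from the same change. The body of `__generate_stream_mux_instance` continues past the end of this hunk.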
@@ -545,6 +545,8 @@ class Planet:
 self.__add_worker_flag_exclusive(worker, "stream", stream_name)
 self.__add_worker_flag_exclusive(worker, "stream-hostname", hostname)
 self.__add_worker_flag_exclusive(worker, "stream-index", idx)
+ if 'onion-service' in stream and stream['onion-service']:
+ self.__add_worker_flag_exclusive(worker, "stream-onion", stream['onion-service'])
 if 'sfive' in self._desc.globals['stats']:
 self.__add_worker_flag_exclusive(worker, "sfive", self._desc.globals['stats']['sfive']['type'])
@@ -673,6 +675,10 @@ class K8sDeployment:
 kubernetes.config.load_kube_config()
 kubernetes.client.user_agent = 'flufigut'
+ self.__has_onion_service = False
+ self.__has_sfive = False
+ self.__has_sfive_onion = False
+
 def __create_namespace(self, v1):
 ns = kubernetes.client.V1Namespace()
 ns.metadata = kubernetes.client.V1ObjectMeta()
@@ -742,13 +748,15 @@ class K8sDeployment:
 if 'sfive' not in worker['flags']:
 return
+ self.__has_sfive = True
 cm = self.__generate_object(tmpl_env, 'sfive-cm.yml', worker)
 if 'data' not in cm or not cm['data']:
 cm['data'] = {}
 if worker['flags']['sfive'] == 'proxy' and 'stream' in worker['flags']:
 cm['data']['proxy.json'] = json.dumps(self._planet.sfive_proxy_config(worker['name']))
- stream_name = worker['flags']['stream']
- if 'onion-service' in self._desc.streams[stream_name] and len(self._desc.streams[stream_name]['nginx-muxes']) > 0:
+ if 'stream-onion' in worker['flags']:
+ self.__has_onion_service = True
+ self.__has_sfive_onion = True
 cm['data']['proxy-onion.json'] = json.dumps(self._planet.sfive_proxy_config(worker['name'], True))
 v1.create_namespaced_config_map(self._namespace, cm)
@@ -759,6 +767,7 @@ class K8sDeployment:
 def deploy(self, template_dir):
 v1 = kubernetes.client.CoreV1Api()
 appsV1 = kubernetes.client.AppsV1Api()
+ rbacV1 = kubernetes.client.RbacAuthorizationV1Api()
 self.__create_namespace(v1)
 loader = jinja2.FileSystemLoader(os.path.join(template_dir, self._desc.globals['templates'], 'kubernetes'))
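Review bot: `stream['onion-service']` is forwarded verbatim as the `stream-onion` worker flag without any check on its type or shape, and that flag is later rendered into a Kubernetes pod label (sfive-deploy.yml.j2) and into the onion proxy configuration. A config that still uses the pre-commit boolean form `onion-service: True` passes the truthiness test and propagates the string `True` as the onion hostname, which is silently wrong rather than a config error. Validating here, where the stream description is at hand, gives a clear failure at plan time; the error type should match whatever the rest of the description loader raises. The enclosing method starts before this hunk.
```python
        self.__add_worker_flag_exclusive(worker, "stream-index", idx)
        onion = stream.get('onion-service')
        if onion:
            # the value ends up in a pod label and the onion proxy config, so reject
            # the old boolean form and anything that is not a .onion hostname
            if not isinstance(onion, str) or not onion.endswith('.onion'):
                raise ValueError("stream %s: onion-service must be a .onion hostname" % stream_name)
            self.__add_worker_flag_exclusive(worker, "stream-onion", onion)
        # … unchanged: sfive flag …
```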
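Review bot: The three `__has_*` attributes are written by `_deploy_sfive_worker` while `deploy()` iterates the workers and are read back after that loop, a coupling that is invisible from where they are initialised. A comment on these lines, such as `# collected while the workers are deployed; deploy() creates the matching RBAC objects afterwards`, would make that explicit. They are also never reset, so if a `K8sDeployment` instance is ever reused for a second `deploy()` the previous run's flags carry over; whether instances are reused is not visible from this hunk.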
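Review bot: The replacement condition `if 'stream-onion' in worker['flags']:` drops the `len(self._desc.streams[stream_name]['nginx-muxes']) > 0` half of the removed check, so a stream with `onion-service` set but no nginx muxes now gets a `proxy-onion.json` entry and, through `__has_onion_service` / `__has_sfive_onion`, triggers creation of the Role and RoleBinding. If that is intended, a one-line comment saying the mux check is no longer needed would help; otherwise the guard belongs with the code that sets `stream-onion` (hunk at -545), which is the only place the stream description is available. The two flags are set in the same branch, so one of them is redundant unless another code path is expected to set `__has_onion_service` on its own.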
@@ -775,6 +784,18 @@ class K8sDeployment:
 self._deploy_nginx_worker(template_dir, tmpl_env, v1, appsV1, worker)
 self._deploy_sfive_worker(template_dir, tmpl_env, v1, appsV1, worker)
+ if self.__has_onion_service:
+ role = self.__generate_object(tmpl_env, 'onion-service-role.yml', worker)
+ rbacV1.create_namespaced_role(self._namespace, role)
+
+ if self.__has_sfive:
+ sa = self.__generate_object(tmpl_env, 'sfive-sa.yml', worker)
+ v1.create_namespaced_service_account(self._namespace, sa)
+
+ if self.__has_sfive_onion:
+ rb = self.__generate_object(tmpl_env, 'sfive-onion-rolebinding.yml', worker)
+ rbacV1.create_namespaced_role_binding(self._namespace, rb)
+
 def wipe(self):
 v1 = kubernetes.client.CoreV1Api()
 self.__delete_namespace(v1)
diff --git a/templates/default/kubernetes/onion-service-role.yml.j2 b/templates/default/kubernetes/onion-service-role.yml.j2
new file mode 100644
index 0000000..eb7a6ca
--- /dev/null
+++ b/templates/default/kubernetes/onion-service-role.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ namespace }}
+ name: onion-service
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 06c84dc..65b97e9 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -20,8 +20,12 @@ spec:
 labels:
 app: sfive
 worker: {{ worker.name }}
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ spreadspace.org/onion-service: {{ worker.flags['stream-onion'] }}
+{% endif %}
 spec:
 nodeName: {{ worker.name }}
+ serviceAccountName: sfive
 securityContext:
 runAsUser: 998
 fsGroup: 998
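Review bot: The three new `__generate_object(tmpl_env, ..., worker)` calls run after the worker loop and pass the loop variable `worker`, i.e. whichever worker happened to come last; the three templates only reference `namespace`, so it works today, but the stale variable reads as accidental and will break silently if one of the templates ever uses `worker`. If `__generate_object` accepts it, passing `None` for these namespace-level objects, or adding a comment `# namespace-level objects: worker is unused by these templates`, makes the intent explicit. The Role is created before the RoleBinding that references it, which is the right order. `deploy()` starts before this hunk.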
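Review bot: The Role grants `patch` on all `pods` in the namespace with no `resourceNames` restriction, and the RoleBinding in sfive-onion-rolebinding.yml.j2 binds it to the shared `sfive` ServiceAccount, which the unconditional `serviceAccountName: sfive` in the sfive-deploy.yml.j2 hunk at -20 attaches to every sfive pod. The result is that the hub, the non-onion proxies and every container of the onion-enabled pods — not just the onion-service sidecar — can modify labels, annotations and other patchable fields of any pod in the namespace, which is more than the sidecar needs. Pod names are generated so `resourceNames` cannot narrow this; the practical mitigation is a dedicated ServiceAccount for the onion-enabled proxy Deployment, with the RoleBinding and `serviceAccountName` pointing at that account only. A comment on the Role stating what the sidecar actually patches (presumably its own pod's `spreadspace.org/onion-service` label, given the downward-API `POD_NAME`/`POD_NAMESPACE` environment in the -41 hunk) would also document why `patch` is required at all.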
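Review bot: The label value `{{ worker.flags['stream-onion'] }}` is rendered as an unquoted YAML scalar straight from the stream description, so a value containing `:` or `#` breaks the manifest before the API server ever sees it, and nothing checks that it satisfies the label-value rules (at most 63 characters of letters, digits, `-`, `_` and `.`); a v3 onion hostname is 62 characters and fits, anything else is rejected at deploy time with an unhelpful error. Quoting the scalar, `spreadspace.org/onion-service: "{{ worker.flags['stream-onion'] }}"`, removes the YAML hazard; the length and character-set check belongs where the flag is set in flufigut.py. The added `serviceAccountName: sfive` applies to every sfive pod rather than only the onion-enabled ones (see the note on onion-service-role.yml.j2).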
@@ -41,6 +45,41 @@ spec:
 mountPath: /srv
 - name: proxy-config
 mountPath: /srv/config
+{% if 'stream-onion' in worker.flags %}
+ - name: proxy-onion
+ image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
+ imagePullPolicy: Always
+ args:
+ - s5proxy
+ - -config
+ - /srv/config/proxy-onion.json
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: proxy-config
+ mountPath: /srv/config
+ - name: onion-service
+ image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
+ imagePullPolicy: Always
+ env:
+ - name: ONION_HOST
+ value: "127.0.0.1"
+ - name: ONION_PORT
+ value: "8001"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: proxy-config
+ mountPath: /srv/config
+{% endif %}
 {% endif %}
 - name: hub
 image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
@@ -63,6 +102,11 @@ spec:
 - name: home
 emptyDir:
 medium: Memory
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
+{% endif %}
 - name: proxy-config
 configMap:
 name: sfive-{{ worker.name }}
diff --git a/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2 b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
new file mode 100644
index 0000000..f3e0489
--- /dev/null
+++ b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ namespace }}
+ name: sfive-onion
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onion-service
+subjects:
+- kind: ServiceAccount
+ name: sfive
+ namespace: {{ namespace }}
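Review bot: The container block is guarded by `{% if 'stream-onion' in worker.flags %}` while the label (hunk at -20) and the `onion-lib` volume (hunk at -63) are guarded by `worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags`; unless the enclosing `{% if %}` closed by the context `{% endif %}` just below (its opening line is outside this hunk) already restricts this block to proxy workers, a non-proxy worker carrying the flag gets two containers whose `onion-lib` volumeMount has no matching volume and the Deployment is rejected. Using the identical condition in all three places removes the ambiguity. The memory-backed `emptyDir` behind `/var/lib/tor` is wiped on every pod restart; if the hidden-service key material lives there, as the mount path suggests but the hunk does not show, the `.onion` hostname would change on restart and the fixed hostname configured in the stream description could not stay valid, so the key presumably needs a persistent or secret-backed volume. Finally, `imagePullPolicy: Always` combined with the mutable `master-23` tag that the example config now sets for `onion_service_image_version` means every restart may pull different image content; pinning an immutable tag or a digest keeps what runs in the proxy pod reproducible.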
diff --git a/templates/default/kubernetes/sfive-sa.yml.j2 b/templates/default/kubernetes/sfive-sa.yml.j2
new file mode 100644
index 0000000..c25f644
--- /dev/null
+++ b/templates/default/kubernetes/sfive-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ namespace }}
+ name: sfive
--
cgit v1.2.3
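Review bot: The ServiceAccount is created with token automounting left at its default, so its token is mounted into every container of every pod that uses it, including the s5proxy and hub containers that have no reason to talk to the API server, while the only consumer visible in this commit is the onion-service sidecar. Setting `automountServiceAccountToken: false` on the account and mounting the token only into the sidecar via a projected `serviceAccountToken` volume (where the cluster version supports it) keeps the credential out of the other containers; if that is not an option, at least only the onion-enabled proxy Deployment should run under this account rather than every sfive pod. A short comment in the template stating that this account exists solely to carry the `onion-service` Role would record that intent.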