From 7ae2c0a221dae2368844e32a5646e0d94b48c37a Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 18 Feb 2018 23:09:27 +0100 Subject: onionbalance should be working now --- src/examples/elevate2018.yml | 4 +- src/flufigut.py | 24 +++++++-- .../default/kubernetes/onionbalance-deploy.yml.j2 | 63 ++++++++++++++++++++++ .../default/kubernetes/onionbalance-role.yml.j2 | 14 +++++ .../kubernetes/onionbalance-rolebinding.yml.j2 | 13 +++++ .../default/kubernetes/onionbalance-sa.yml.j2 | 5 ++ .../default/kubernetes/onionbalance-secret.yml.j2 | 9 ++++ templates/default/kubernetes/sfive-deploy.yml.j2 | 2 +- 8 files changed, 129 insertions(+), 5 deletions(-) create mode 100644 templates/default/kubernetes/onionbalance-deploy.yml.j2 create mode 100644 templates/default/kubernetes/onionbalance-role.yml.j2 create mode 100644 templates/default/kubernetes/onionbalance-rolebinding.yml.j2 create mode 100644 templates/default/kubernetes/onionbalance-sa.yml.j2 create mode 100644 templates/default/kubernetes/onionbalance-secret.yml.j2 diff --git a/src/examples/elevate2018.yml b/src/examples/elevate2018.yml index ba84345..6d193e9 100644 --- a/src/examples/elevate2018.yml +++ b/src/examples/elevate2018.yml @@ -59,6 +59,8 @@ globals: nginx_image_version: 4 sfive_image_version: 2 onion_service_image_version: master-23 + onionbalance_image_version: master-16 + onionbalance_worker: emc-00 inputs: sdi-orig: type: decklink @@ -107,7 +109,7 @@ streams: burst-on-connect: 5 hostname: "emc-%02i.spreadspace.org" repeater: True - onion-service: "dear-nicoo-this-is-just-a-place-holder-for-now.onion" + onion-service: "elevateynzm6opkp.onion" records: av: mux: avr diff --git a/src/flufigut.py b/src/flufigut.py index 0289abd..7117318 100755 --- a/src/flufigut.py +++ b/src/flufigut.py 
@@ -764,6 +764,23 @@ class K8sDeployment: deploy = self.__generate_object(tmpl_env, 'sfive-deploy.yml', worker) appsV1.create_namespaced_deployment(self._namespace, deploy) + def _deploy_onionbalance(self, template_dir, tmpl_env, v1, appsV1, rbacV1): + sa = self.__generate_object(tmpl_env, 'onionbalance-sa.yml') + v1.create_namespaced_service_account(self._namespace, sa) + + role = self.__generate_object(tmpl_env, 'onionbalance-role.yml') + rbacV1.create_namespaced_role(self._namespace, role) + + rb = self.__generate_object(tmpl_env, 'onionbalance-rolebinding.yml') + rbacV1.create_namespaced_role_binding(self._namespace, rb) + + secret = self.__generate_object(tmpl_env, 'onionbalance-secret.yml') + v1.create_namespaced_secret(self._namespace, secret) + + worker = self._planet.workers[self._desc.globals['deployment']['parameter']['onionbalance_worker']] + deploy = self.__generate_object(tmpl_env, 'onionbalance-deploy.yml', worker) + appsV1.create_namespaced_deployment(self._namespace, deploy) + def deploy(self, template_dir): v1 = kubernetes.client.CoreV1Api() appsV1 = kubernetes.client.AppsV1Api() @@ -785,15 +802,16 @@ class K8sDeployment: self._deploy_sfive_worker(template_dir, tmpl_env, v1, appsV1, worker) if self.__has_onion_service: - role = self.__generate_object(tmpl_env, 'onion-service-role.yml', worker) + role = self.__generate_object(tmpl_env, 'onion-service-role.yml') rbacV1.create_namespaced_role(self._namespace, role) + self._deploy_onionbalance(template_dir, tmpl_env, v1, appsV1, rbacV1) if self.__has_sfive: - sa = self.__generate_object(tmpl_env, 'sfive-sa.yml', worker) + sa = self.__generate_object(tmpl_env, 'sfive-sa.yml') v1.create_namespaced_service_account(self._namespace, sa) if self.__has_sfive_onion: - rb = self.__generate_object(tmpl_env, 'sfive-onion-rolebinding.yml', worker) + rb = self.__generate_object(tmpl_env, 'sfive-onion-rolebinding.yml') rbacV1.create_namespaced_role_binding(self._namespace, rb) def wipe(self): 
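Review bot: In `_deploy_onionbalance` the worker lookup `self._planet.workers[self._desc.globals['deployment']['parameter']['onionbalance_worker']]` runs only after the service account, role, role binding and secret have been created, so a description without `onionbalance_worker`, or one naming an unknown worker, raises KeyError and leaves those four objects behind in the namespace. Resolving `worker` as the first statement of the method keeps a bad description from producing a half-applied deployment. `template_dir` is accepted but not used in the lines shown. The method also has no docstring; something like `"""Create the onionbalance ServiceAccount, Role, RoleBinding, Secret and Deployment in self._namespace."""` would record the creation order.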
diff --git a/templates/default/kubernetes/onionbalance-deploy.yml.j2 b/templates/default/kubernetes/onionbalance-deploy.yml.j2
new file mode 100644
index 0000000..c63b247
--- /dev/null
+++ b/templates/default/kubernetes/onionbalance-deploy.yml.j2
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: {{ namespace }}
+ name: onionbalance
+ labels:
+ app: onionbalance
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: onionbalance
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: onionbalance
+ spec:
+ nodeName: {{ worker.name }}
+ serviceAccountName: onionbalance
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: tor
+ image: spreadspace/onionbalance:{{ desc.globals.deployment.parameter.onionbalance_image_version }}
+ imagePullPolicy: Always
+ args:
+ - /run-tor.sh
+ volumeMounts:
+ - name: onion-run
+ mountPath: /var/run/tor
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: balance
+ image: spreadspace/onionbalance:{{ desc.globals.deployment.parameter.onionbalance_image_version }}
+ imagePullPolicy: Always
+ args:
+ - /run-balance.sh
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: onion-run
+ mountPath: /var/run/tor
+ - name: onion-keys
+ readOnly: true
+ mountPath: /var/run/secrets/spreadspace.org/onionbalance
+ volumes:
+ - name: onion-run
+ emptyDir:
+ medium: Memory
+ - name: onion-lib
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/lib/tor/{{ desc.globals.name }}/_balance
+ - name: onion-keys
+ secret:
+ secretName: onionbalance
diff --git a/templates/default/kubernetes/onionbalance-role.yml.j2 b/templates/default/kubernetes/onionbalance-role.yml.j2
new file mode 100644
index 0000000..bd4f743
--- /dev/null
+++ b/templates/default/kubernetes/onionbalance-role.yml.j2
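Review bot: Neither container in the onionbalance pod template sets a container-level `securityContext`, so `tor` and `balance` keep the runtime's default capabilities and can still gain privileges through setuid binaries even though the pod runs as uid 998. Adding `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` to both containers, and `runAsNonRoot: true` next to `runAsUser: 998`, would pin that down. The `onion-lib` volume is a `hostPath` with `DirectoryOrCreate`; a directory Kubernetes creates that way is owned by root on the node and `fsGroup` is not applied to hostPath volumes, so uid 998 probably cannot write there unless the directory is prepared on the worker beforehand, which deserves a comment in the template. The image is referenced by a moving tag with `imagePullPolicy: Always`, so what runs next to the `onion-keys` secret is whatever the registry serves at pod start; pinning by digest would make that reviewable.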
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ namespace }}
+ name: onionbalance
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/templates/default/kubernetes/onionbalance-rolebinding.yml.j2 b/templates/default/kubernetes/onionbalance-rolebinding.yml.j2
new file mode 100644
index 0000000..6623d6c
--- /dev/null
+++ b/templates/default/kubernetes/onionbalance-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ namespace }}
+ name: onionbalance
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onionbalance
+subjects:
+- kind: ServiceAccount
+ name: onionbalance
+ namespace: {{ namespace }}
diff --git a/templates/default/kubernetes/onionbalance-sa.yml.j2 b/templates/default/kubernetes/onionbalance-sa.yml.j2
new file mode 100644
index 0000000..d92b374
--- /dev/null
+++ b/templates/default/kubernetes/onionbalance-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ namespace }}
+ name: onionbalance
diff --git a/templates/default/kubernetes/onionbalance-secret.yml.j2 b/templates/default/kubernetes/onionbalance-secret.yml.j2
new file mode 100644
index 0000000..73ee05e
--- /dev/null
+++ b/templates/default/kubernetes/onionbalance-secret.yml.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ namespace }}
+ name: onionbalance
+ labels:
+ app: onionbalance
+type: Opaque
+data:
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 4613a03..aafb468 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
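Review bot: The Secret template in `onionbalance-secret.yml.j2` ends in an empty `data:` key, so as far as this patch shows the `onionbalance` secret is created without key material and the `onion-keys` mount in the deployment stays empty until something else fills it. The template should say how the key gets there, for example a Jinja comment above `data:` such as `{# filled in out of band with the onionbalance private key; never render key material from the stream description #}`. If the key is later meant to be rendered from the description, it should not come from files that live in the repository, such as those under `src/examples/`.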
@@ -106,7 +106,7 @@ spec: - name: onion-lib hostPath: type: DirectoryOrCreate - path: /var/lib/tor/{{ desc.globals.name }} + path: /var/lib/tor/{{ desc.globals.name }}/{{ worker.flags.stream }} {% endif %} - name: proxy-config configMap: -- cgit v1.2.3
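Review bot: The new `hostPath` is built from two description values, `desc.globals.name` and `worker.flags.stream`, and nothing in the hunk constrains them. A stream flag that is empty or contains `/` or `..` makes the pod mount a different node directory than intended; for an empty value that is the shared parent, which also holds `_balance` from the onionbalance deployment. Validating both values in flufigut.py before rendering, for instance against a pattern like `^[a-z0-9][a-z0-9-]*$`, would close that. Existing deployments presumably keep their tor state in the old `/var/lib/tor/{{ desc.globals.name }}` directory, so the onion key there would not be picked up after this change unless it is moved by hand. The volumes list continues outside the hunk.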