From c8da8f6acb9cb149d40e22b8727aeeb15a198d57 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 2 Mar 2018 16:19:31 +0100
Subject: move to improved onion service handling (not finished yet)

---
 src/examples/elevate2018.yml | 3 ++-
 src/flufigut.py | 31 +++++++++++++++-------
 .../default/kubernetes/onion-service-cm.yml.j2 | 2 +-
 .../stream-site-onion-rolebinding.yml.j2 | 13 +++++++++
 templates/default/kubernetes/stream-site-sa.yml.j2 | 5 ++++
 5 files changed, 42 insertions(+), 12 deletions(-)
 create mode 100644 templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2
 create mode 100644 templates/default/kubernetes/stream-site-sa.yml.j2

diff --git a/src/examples/elevate2018.yml b/src/examples/elevate2018.yml
index eabf4f7..1f33fe7 100644
--- a/src/examples/elevate2018.yml
+++ b/src/examples/elevate2018.yml
@@ -114,9 +114,10 @@ streams:
 hostname: "emc-%02i.spreadspace.org"
 repeater: True
 lb-hostname: "elevate-live.spreadspace.org"
+ lb-onion: "elevatexfonbiisp.onion"
 lb-worker: emc-00
- onion-service: "elevateh7tpoo7eg.onion"
 site-hostname: "stream.elevate.at"
+ site-onion: "elevaterdemr4cey.onion"
 site-worker: emc-00
 records:
 av:
diff --git a/src/flufigut.py b/src/flufigut.py
index 96e8260..0367513 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -545,8 +545,8 @@ class Planet:
 self.__add_worker_flag_exclusive(worker, "stream", stream_name)
 self.__add_worker_flag_exclusive(worker, "stream-hostname", hostname)
 self.__add_worker_flag_exclusive(worker, "stream-index", idx)
- if 'onion-service' in stream and stream['onion-service']:
- self.__add_worker_flag_exclusive(worker, "stream-onion", stream['onion-service'])
+ if 'lb-onion' in stream and stream['lb-onion']:
+ self.__add_worker_flag_exclusive(worker, "stream-onion", stream['lb-onion'])
 if 'sfive' in self._desc.globals['stats']:
 self.__add_worker_flag_exclusive(worker, "sfive", self._desc.globals['stats']['sfive']['type'])
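Review bot: The `stream-onion` worker flag is now derived only from `lb-onion`, so a stream that declares the new `site-onion` key (which the example config in this commit introduces) gets no corresponding flag; if the site's onion service must also be pinned to the worker that hosts the site, a second `__add_worker_flag_exclusive` call keyed on `stream['site-onion']` is needed here, but whether the planner consumes such a flag cannot be told from this hunk. As a style point, `if 'lb-onion' in stream and stream['lb-onion']:` reads more simply as `if stream.get('lb-onion'):`, which has the same truthiness. The enclosing method of `Planet` starts before the hunk.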
@@ -774,12 +774,19 @@ class K8sDeployment:
 deploy = self.__generate_object(tmpl_env, 'sfive-deploy.yml', {'worker': worker})
 appsV1.create_namespaced_deployment(self._namespace, deploy)
- def _deploy_onion_service_config(self, template_dir, tmpl_env, v1, stream_name, stream):
- deploy = {'stream': stream_name}
+ def _deploy_onion_service_lb_config(self, template_dir, tmpl_env, v1, stream_name, stream):
+ deploy = {'stream': stream_name, 'onion_type': 'lb'}
 deploy['onion_services'] = {}
 # TODO: hardcoded value (sync with sfive_proxy_config)
 deploy['onion_services'][stream['port']] = {'host': '127.0.0.1', 'port': 8001}
- # TODO: add port 80 -> onion streaming site
+ cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
+ v1.create_namespaced_config_map(self._namespace, cm)
+
+ def _deploy_onion_service_site_config(self, template_dir, tmpl_env, v1, stream_name, stream):
+ deploy = {'stream': stream_name, 'onion_type': 'site'}
+ deploy['onion_services'] = {}
+ # TODO: hardcoded value (sync with site port)
+ deploy['onion_services'][stream['port']] = {'host': '127.0.0.1', 'port': 8080}
 cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
 v1.create_namespaced_config_map(self._namespace, cm)
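Review bot: `_deploy_onion_service_site_config` keys the onion service on `stream['port']` exactly like the lb variant, yet the TODO this hunk removes spoke of exposing the streaming site on port 80; if the site's onion address is meant to be reached on the web port, the key should be that port rather than the stream's, which is worth settling before the site path is wired up. The two methods now differ only in the `onion_type` string and the forwarded port, so one helper taking those two as parameters keeps the hardcoded values in a single place and gives the contract a docstring; the sketch below keeps both existing method names as thin wrappers. Both methods also accept `template_dir` without using it, which predates this commit. Both definitions are complete within the hunk.
```python
    def _deploy_onion_service_cm(self, tmpl_env, v1, stream_name, stream, onion_type, target_port):
        """Create the tor ConfigMap for one onion service of *stream_name*.

        onion_type is 'lb' or 'site' (it becomes part of the ConfigMap name);
        target_port is the local port tor forwards the hidden service to.
        """
        deploy = {'stream': stream_name, 'onion_type': onion_type}
        # TODO: hardcoded target ports (sync with sfive_proxy_config / site port)
        deploy['onion_services'] = {stream['port']: {'host': '127.0.0.1', 'port': target_port}}
        cm = self.__generate_object(tmpl_env, 'onion-service-cm.yml', deploy)
        v1.create_namespaced_config_map(self._namespace, cm)

    def _deploy_onion_service_lb_config(self, template_dir, tmpl_env, v1, stream_name, stream):
        self._deploy_onion_service_cm(tmpl_env, v1, stream_name, stream, 'lb', 8001)

    def _deploy_onion_service_site_config(self, template_dir, tmpl_env, v1, stream_name, stream):
        self._deploy_onion_service_cm(tmpl_env, v1, stream_name, stream, 'site', 8080)
```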
@@ -831,11 +838,15 @@ class K8sDeployment:
 rb = self.__generate_object(tmpl_env, 'onionbalance-rolebinding.yml')
 rbacV1.create_namespaced_role_binding(self._namespace, rb)
+ # TODO:
 # secret = self.__generate_object(tmpl_env, 'onionbalance-secret.yml')
- # TODO: for _, stream in self._desc.streams:
- # if 'onion-service' in stream:
- # key = ~~~~get_key(stream['onion-service'])
- # secret['data'][stream['onion-service']] = base64.b64encode(key).decode('ascii')
+ # for _, stream in self._desc.streams:
+ # if 'lb-onion' in stream:
+ # key = ~~~~get_key(stream['lb-onion'])
+ # secret['data'][stream['lb-onion']] = base64.b64encode(key).decode('ascii')
+ # if 'site-onion' in stream:
+ # key = ~~~~get_key(stream['site-onion'])
+ # secret['data'][stream['site-onion']] = base64.b64encode(key).decode('ascii')
 # v1.create_namespaced_secret(self._namespace, secret)
 worker = self._planet.workers[self._desc.globals['deployment']['parameter']['onionbalance_worker']]
@@ -868,7 +879,7 @@ class K8sDeployment:
 for stream_name, stream in self._desc.streams.items():
 if 'lb-hostname' in stream:
 self._deploy_stream_loadbalancer(template_dir, tmpl_env, v1, appsV1, stream_name, stream)
- if 'onion-service' in stream:
+ if 'lb-onion' in stream:
 self._deploy_onion_service_config(template_dir, tmpl_env, v1, stream_name, stream)
 self._deploy_stream_website(template_dir, tmpl_env, v1, appsV1, extV1beta1, stream_name, stream)
diff --git a/templates/default/kubernetes/onion-service-cm.yml.j2 b/templates/default/kubernetes/onion-service-cm.yml.j2
index f980637..7501209 100644
--- a/templates/default/kubernetes/onion-service-cm.yml.j2
+++ b/templates/default/kubernetes/onion-service-cm.yml.j2
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 namespace: {{ deploy.namespace }}
- name: onion-service-{{ deploy.stream }}
+ name: onion-service-{{ deploy.stream }}-{{ deploy.onion_type }}
 data:
 torrc: |
 ## Set DataDirectory
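Review bot: The `lb-onion` branch in the `@@ -868` hunk still calls `self._deploy_onion_service_config`, which the `@@ -774` hunk of this file renames to `_deploy_onion_service_lb_config`, so the first deployment of a stream with `lb-onion` set raises AttributeError on the line after the changed condition; the call should read `self._deploy_onion_service_lb_config(template_dir, tmpl_env, v1, stream_name, stream)`. The new `site-onion` key has no dispatch at all, so `_deploy_onion_service_site_config` is never reached; adding `if 'site-onion' in stream:` followed by `self._deploy_onion_service_site_config(template_dir, tmpl_env, v1, stream_name, stream)` next to the lb branch closes that gap, assuming the site ConfigMap is meant to be created in this loop. The enclosing method starts before the hunk.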
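Review bot: The ConfigMap name now ends in `-{{ deploy.onion_type }}`, so any pod or volume spec that still references it by the old `onion-service-{{ deploy.stream }}` name (presumably in another template not part of this patch) will no longer resolve and the onion pods would fail to start; confirm those consumers were updated in the same change. A caller that omits `onion_type` renders a name with a trailing `-` instead of failing loudly, so the new required key deserves documenting at the top of the template, e.g. `{# deploy.onion_type must be 'lb' or 'site'; the ConfigMap is named onion-service-<stream>-<type> #}`.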
diff --git a/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2 b/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2
new file mode 100644
index 0000000..7b3ef4f
--- /dev/null
+++ b/templates/default/kubernetes/stream-site-onion-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ deploy.namespace }}
+ name: site-onion
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onion-service
+subjects:
+- kind: ServiceAccount
+ name: site-onion
+ namespace: {{ deploy.namespace }}
diff --git a/templates/default/kubernetes/stream-site-sa.yml.j2 b/templates/default/kubernetes/stream-site-sa.yml.j2
new file mode 100644
index 0000000..2d20a29
--- /dev/null
+++ b/templates/default/kubernetes/stream-site-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ deploy.namespace }}
+ name: site-onion
-- 
cgit v1.2.3
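Review bot: Both new objects use the fixed name `site-onion` (the RoleBinding, and the ServiceAccount it binds in stream-site-sa.yml.j2), while the ConfigMap they accompany is per stream (`onion-service-<stream>-site`); with two streams in one namespace the second create of either object fails with AlreadyExists unless the deployment code creates them once per namespace, which this patch does not show. If a per-stream subject is intended, a name such as `site-onion-{{ deploy.stream }}` in both templates keeps them aligned with the ConfigMap. The binding grants the `onion-service` Role, which is defined elsewhere; since every site pod will run under this ServiceAccount, it is worth confirming that Role's rules are limited to what the site's onion pod actually needs. A header comment in the rolebinding, `{# binds ServiceAccount site-onion (stream-site-sa.yml.j2) to the shared onion-service Role #}`, would record the dependency between the two new templates.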