From 4f61f0d742b386a699cb9ee3359a18b746cca2d5 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 18 Feb 2018 19:56:15 +0100
Subject: onion-service allmost works now
---
 .../default/kubernetes/onion-service-role.yml.j2 | 12 ++++++
 templates/default/kubernetes/sfive-deploy.yml.j2 | 44 ++++++++++++++++++++++
 .../kubernetes/sfive-onion-rolebinding.yml.j2 | 13 +++++++
 templates/default/kubernetes/sfive-sa.yml.j2 | 5 +++
 4 files changed, 74 insertions(+)
 create mode 100644 templates/default/kubernetes/onion-service-role.yml.j2
 create mode 100644 templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
 create mode 100644 templates/default/kubernetes/sfive-sa.yml.j2
(limited to 'templates/default/kubernetes')
diff --git a/templates/default/kubernetes/onion-service-role.yml.j2 b/templates/default/kubernetes/onion-service-role.yml.j2
new file mode 100644
index 0000000..eb7a6ca
--- /dev/null
+++ b/templates/default/kubernetes/onion-service-role.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ namespace }}
+ name: onion-service
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 06c84dc..65b97e9 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -20,8 +20,12 @@ spec:
 labels:
 app: sfive
 worker: {{ worker.name }}
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ spreadspace.org/onion-service: {{ worker.flags['stream-onion'] }}
+{% endif %}
 spec:
 nodeName: {{ worker.name }}
+ serviceAccountName: sfive
 securityContext:
 runAsUser: 998
 fsGroup: 998
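Review bot: In onion-service-role.yml.j2 the rule grants `patch` on every pod in the namespace, and RBAC `resourceNames` cannot narrow that to the caller's own pod when pod names are generated by a Deployment. A pod patch can change container images as well as labels and annotations, so any container holding the `sfive` token can modify every other pod in `{{ namespace }}`. The file gives no reason for the verb; add a comment above `rules:` such as `# onion-service sidecar patches its own pod (POD_NAME/POD_NAMESPACE); keep this namespace limited to sfive workloads`, after confirming that wording against what the sidecar actually does. If the namespace hosts other workloads, the control to add is an admission policy that limits this service account to metadata changes on its own pod.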
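Review bot: In the first sfive-deploy.yml.j2 hunk, `serviceAccountName: sfive` sits outside the `{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}` guard that protects the new label, so every sfive pod, including those rendered without `stream-onion`, runs under the account that sfive-onion-rolebinding.yml.j2 binds to the pod-patch role. Unless automounting is disabled elsewhere, the token is mounted into all containers of the pod, not only `onion-service`. Wrap the line in the same condition: `{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}` / `serviceAccountName: sfive` / `{% endif %}`. Separately, quote the templated label value, `spreadspace.org/onion-service: "{{ worker.flags['stream-onion'] }}"`, so a numeric or boolean-looking flag still renders as a string. The pod spec continues outside the hunk.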
@@ -41,6 +45,41 @@ spec:
 mountPath: /srv
 - name: proxy-config
 mountPath: /srv/config
+{% if 'stream-onion' in worker.flags %}
+ - name: proxy-onion
+ image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
+ imagePullPolicy: Always
+ args:
+ - s5proxy
+ - -config
+ - /srv/config/proxy-onion.json
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: proxy-config
+ mountPath: /srv/config
+ - name: onion-service
+ image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
+ imagePullPolicy: Always
+ env:
+ - name: ONION_HOST
+ value: "127.0.0.1"
+ - name: ONION_PORT
+ value: "8001"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: proxy-config
+ mountPath: /srv/config
+{% endif %}
 {% endif %}
 - name: hub
 image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
@@ -63,6 +102,11 @@ spec:
 - name: home
 emptyDir:
 medium: Memory
+{% if worker.flags.sfive == 'proxy' and 'stream-onion' in worker.flags %}
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
+{% endif %}
 - name: proxy-config
 configMap:
 name: sfive-{{ worker.name }}
diff --git a/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2 b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
new file mode 100644
index 0000000..f3e0489
--- /dev/null
+++ b/templates/default/kubernetes/sfive-onion-rolebinding.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ namespace }}
+ name: sfive-onion
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: onion-service
+subjects:
+- kind: ServiceAccount
+ name: sfive
+ namespace: {{ namespace }}
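Review bot: Neither container added in the second sfive-deploy.yml.j2 hunk (`proxy-onion`, `onion-service`) sets a container-level `securityContext`; only the pod-level `runAsUser`/`fsGroup` visible in the first hunk's context applies. `onion-service` appears to be the Tor-facing container (inferred from the `/var/lib/tor` mount) and, judging by the POD_NAME/POD_NAMESPACE variables, the one that uses the pod's API token, so it is the one to harden first. Disallow privilege escalation and drop all capabilities as in the block below, and add `readOnlyRootFilesystem: true` if the image only writes under `/var/lib/tor`. The indentation shown is a guess because the page lost the original, and the container list starts and ends outside the hunk.

```yaml
      - name: onion-service
        # … unchanged: image, imagePullPolicy, env …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # … unchanged: volumeMounts …
```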
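Review bot: The `onion-lib` volume in the third sfive-deploy.yml.j2 hunk is a memory-backed `emptyDir` with no `sizeLimit` and no comment on why Tor's state directory is not persistent. Everything under `/var/lib/tor` is lost on pod restart and counts against the pod's memory; if the onion service's key lives there (not visible here), the address changes with each restart. State the intent in a comment above the volume, for example `# tor state is kept in RAM only and regenerated on restart`, once that is confirmed to be the intended behaviour, and add a `sizeLimit` sized for the image. The volumes list continues outside the hunk.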
diff --git a/templates/default/kubernetes/sfive-sa.yml.j2 b/templates/default/kubernetes/sfive-sa.yml.j2
new file mode 100644
index 0000000..c25f644
--- /dev/null
+++ b/templates/default/kubernetes/sfive-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ namespace }}
+ name: sfive
-- cgit v1.2.3