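# Jinja2-templated Kubernetes Deployment: one single-replica "sfive" pod per
# worker, pinned to that worker's node via nodeName. The template is rendered
# first and only then parsed as YAML, so review the rendered output as well.
# NOTE(review): the indentation below was reconstructed from the standard
# Deployment schema; confirm it against the repository copy.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Stand-alone templated scalars are quoted so that an empty, numeric or
  # boolean-looking value cannot be re-typed by the YAML parser.
  namespace: "{{ deploy.namespace }}"
  name: sfive-{{ deploy.worker.name }}
  labels:
    app: sfive
    worker: "{{ deploy.worker.name }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sfive
      worker: "{{ deploy.worker.name }}"
  strategy:
    type: Recreate
  revisionHistoryLimit: 5
  template:
    metadata:
      labels:
        app: sfive
        worker: "{{ deploy.worker.name }}"
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        spreadspace.org/onion-service: "{{ deploy.worker.flags['stream-onion'] }}"
{% endif %}
    spec:
      nodeName: "{{ deploy.worker.name }}"
      serviceAccountName: sfive
      # Pod-wide default identity; the root init containers below override it.
      securityContext:
        runAsUser: 998
        fsGroup: 998
      # The pod shares the node's network namespace: every listener started by
      # these containers is bound on the node itself, and NetworkPolicy
      # typically does not isolate hostNetwork pods. Restrict exposure with
      # host firewalling.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      # Containers are killed without a grace period on delete.
      # NOTE(review): the hub keeps its database at /srv/data/db.bolt; confirm
      # that an abrupt kill is acceptable for that file.
      terminationGracePeriodSeconds: 0
      # NOTE(review): the busybox init containers run as root from an untagged
      # image (resolves to :latest); pin a tag or digest so that a changed
      # upstream image cannot run as root next to the certificate keys.
      initContainers:
        # Hands the host-path data directory to the unprivileged runtime user.
        - name: prepare-hub-data
          image: busybox
          command: ['sh', '-c', 'chown 998:998 /srv/data && chmod 0750 /srv/data']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: hub-data
              mountPath: /srv/data
        # Copies the ACME certificate material for this worker's stream
        # hostname from the node into an in-memory volume owned by uid 998.
        # The hostname flag is interpolated into a shell command line that is
        # executed as root, so it must come from trusted inventory and contain
        # no shell metacharacters.
        - name: copy-certificates
          image: busybox
          command: ['sh', '-c', 'chmod 0750 /srv/acme && cp /var/lib/acme/live/{{ deploy.worker.flags['stream-hostname'] }}/* /srv/acme && chown -R 998 /srv/acme']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: proxy-cert
              mountPath: /srv/acme
            # The node's ACME store is only read here; mounting it read-only
            # keeps this root container from modifying host certificate
            # state.
            - name: acme-lib
              mountPath: /var/lib/acme
              readOnly: true
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        - name: prepare-onion-lib
          image: busybox
          command: ['sh', '-c', 'chown 998:998 /var/lib/tor && chmod 0750 /var/lib/tor']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
        # No runAsUser override, so this runs with the pod-level uid 998.
        # NOTE(review): the marker file name suggests Tor's non-anonymous
        # (single onion service) mode, in which the server location is not
        # hidden; confirm that this is intended.
        - name: generate-onion-key
          image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
          command: ['sh', '-c', '/keygen.py && touch /var/lib/tor/onion_service/onion_service_non_anonymous']
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
{% endif %}
      containers:
{% if deploy.worker.flags.sfive == 'proxy' %}
        - name: proxy
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args: ['s5proxy', '-config', '/srv/config/proxy.json']
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: proxy-config
              mountPath: /srv/config
            - name: proxy-cert
              mountPath: /srv/acme
{% if 'stream-onion' in deploy.worker.flags %}
        # Second proxy instance for the onion service; it does not mount the
        # certificate volume.
        - name: proxy-onion
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args: ['s5proxy', '-config', '/srv/config/proxy-onion.json']
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: proxy-config
              mountPath: /srv/config
        - name: onion-service
          image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
          imagePullPolicy: Always
          args: ['/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0']
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
            - name: onion-config
              mountPath: /srv/config
{% endif %}
{% endif %}
        # Always present: the hub with its database on the host-path volume
        # and its socket on the shared in-memory /srv volume.
        - name: hub
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args:
            - sfive-hub
            - -db
            - /srv/data/db.bolt
            - -start-pipe-server=false
            - -start-web-server=false
            - -start-pipegram-server
            - -pipegram
            - /srv/hub.sock
            - -forward-graphite=stats-graphite.emc.svc.cluster.local:2003
            - -graphite-base-path=sfive.{{ desc.globals.name }}
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: hub-data
              mountPath: /srv/data
      volumes:
        # Memory-backed emptyDir volumes are discarded with the pod, so the
        # copied certificate keys and the onion key material do not persist
        # through these volumes.
        - name: home
          emptyDir:
            medium: Memory
        - name: hub-data
          hostPath:
            type: DirectoryOrCreate
            path: /var/lib/sfive/{{ desc.globals.name }}
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        - name: onion-config
          configMap:
            name: onion-service-{{ deploy.worker.flags.stream }}
        - name: onion-lib
          emptyDir:
            medium: Memory
{% endif %}
        - name: proxy-config
          configMap:
            name: sfive-{{ deploy.worker.name }}
        - name: proxy-cert
          emptyDir:
            medium: Memory
        # hostPath volume sources accept only `path` and `type`; the former
        # `readOnly: yes` here was not a valid field (and `yes` is a YAML 1.1
        # truthy). The read-only restriction now lives on the acme-lib
        # volumeMount of the copy-certificates init container.
        - name: acme-lib
          hostPath:
            type: Directory
            path: /var/lib/acme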