Add emojivoto deployment using nunki TLS certificates #15

Merged
merged 11 commits into from
Dec 19, 2023
20 changes: 20 additions & 0 deletions cli/generate.go
Expand Up @@ -102,12 +102,32 @@ func findGenerateTargets(args []string) ([]string, error) {
return nil, fmt.Errorf("failed to walk %s: %w", path, err)
}
}

paths = filterNonCoCoRuntime("kata-cc-isolation", paths)

if len(paths) == 0 {
return nil, fmt.Errorf("no .yml/.yaml files found")
}
return paths, nil
}

func filterNonCoCoRuntime(runtimeClassName string, paths []string) []string {
var filtered []string
for _, path := range paths {
data, err := os.ReadFile(path)
if err != nil {
log.Printf("failed to read %s: %v", path, err)
continue
}
if !bytes.Contains(data, []byte(runtimeClassName)) {
log.Printf("%s is not a CoCo runtime, ignoring", path)
continue
}
filtered = append(filtered, path)
}
return filtered
}

func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string) error {
for _, yamlPath := range yamlPaths {
policyHash, err := generatePolicyForFile(ctx, regoPath, policyPath, yamlPath)
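Review bot: A manifest that cannot be read is logged and dropped (`log.Printf("failed to read %s: %v", path, err)` followed by `continue` in filterNonCoCoRuntime), so an I/O or permission error silently excludes that workload from policy generation instead of failing the run, which is the wrong default for a tool whose output decides what may run. Return the error instead: `func filterNonCoCoRuntime(runtimeClassName string, paths []string) ([]string, error)` with `return nil, fmt.Errorf("reading %s: %w", path, err)`, and let findGenerateTargets propagate it. The match is also a raw substring test (`bytes.Contains`), so any file that merely mentions the class name, in a comment or an unrelated field, is kept; a doc comment should say so, e.g. `// filterNonCoCoRuntime keeps the manifests whose contents contain runtimeClassName as a substring; it does not parse spec.runtimeClassName, so it may over-include.` findGenerateTargets starts above the hunk.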
2 changes: 1 addition & 1 deletion coordinator/intercom.go
Expand Up @@ -65,6 +65,6 @@ func (i *intercomServer) NewMeshCert(ctx context.Context, req *intercom.NewMeshC
return &intercom.NewMeshCertResponse{
// TODO(3u13r): Replace the CA Cert the intermediate CA cert
CaCert: i.caChainGetter.GetCACert(),
CertChain: append(intermCert, cert...),
CertChain: append(cert, intermCert...),
}, nil
}
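Review bot: `append(cert, intermCert...)` (taking the second of the two printed lines as the new side) writes into the spare capacity of `cert` if it has any, so another holder of that slice may see the intermediate bytes appended behind its back; build the chain in a fresh slice, e.g. `chain := make([]byte, 0, len(cert)+len(intermCert))` followed by `chain = append(append(chain, cert...), intermCert...)`, assuming these are byte slices of PEM data (their declarations are outside the hunk). Leaf first, then intermediate, is the order TLS peers expect, so the reordering itself looks right. The TODO above it is missing a word; `// TODO(3u13r): Replace the CA cert with the intermediate CA cert` reads as intended. NewMeshCert starts above the hunk.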
8 changes: 7 additions & 1 deletion coordinator/main.go
Expand Up @@ -3,6 +3,7 @@ package main
import (
"log"
"net"
"os"

"github.com/edgelesssys/nunki/internal/ca"
"github.com/edgelesssys/nunki/internal/coordapi"
Expand All @@ -12,7 +13,12 @@ import (
func main() {
log.Println("Coordinator started")

caInstance, err := ca.New()
namespace, ok := os.LookupEnv("NAMESPACE")
if !ok {
log.Fatalf("NAMESPACE environment variable not set")
}

caInstance, err := ca.New(namespace)
if err != nil {
log.Fatalf("failed to create CA: %v", err)
}
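Review bot: `os.LookupEnv("NAMESPACE")` only reports whether the variable exists, so `NAMESPACE=` (set but empty) passes the `!ok` check and an empty namespace reaches `ca.New`; change the guard to `if !ok || namespace == "" {` so both cases fail fast. `log.Fatalf` is called there with no format verbs; `log.Fatal("NAMESPACE environment variable not set")` is the matching call. A short comment would help the next reader, e.g. `// NAMESPACE is injected by the downward API from metadata.namespace (see deployments/emojivoto/coordinator.yml).` — the deployment in this PR does exactly that. The rest of main continues below the hunk.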
44 changes: 44 additions & 0 deletions deployments/emojivoto/coordinator.yml
@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: coordinator-kbs
namespace: edg-emojivoto
spec:
selector:
matchLabels:
run: coordinator-kbs
replicas: 1
template:
metadata:
labels:
run: coordinator-kbs
spec:
runtimeClassName: kata-cc-isolation
containers:
- name: coordinator-kbs
image: "ghcr.io/edgelesssys/nunki/coordinator-kbs:latest"
imagePullPolicy: Always
ports:
- containerPort: 7777
- containerPort: 1313
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
---
apiVersion: v1
kind: Service
metadata:
name: coordinator-kbs
namespace: edg-emojivoto
spec:
ports:
- name: intercom
port: 7777
protocol: TCP
- name: coordapi
port: 1313
protocol: TCP
selector:
run: coordinator-kbs
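Review bot: The coordinator image is referenced as `ghcr.io/edgelesssys/nunki/coordinator-kbs:latest` with `imagePullPolicy: Always`, so the binary that runs is whatever the tag points to at pull time; for the component that issues the mesh certificates and is the root of trust for the workloads, pin the reference by digest (`image: "ghcr.io/edgelesssys/nunki/coordinator-kbs@sha256:<digest>"`, digest placeholder) so that what was reviewed is what runs. The Service exposes both 7777 (intercom) and 1313 (coordapi) to every pod in the cluster; if coordapi is meant for operators only, a NetworkPolicy limiting its source range would be a cheap addition. The same `latest` tag is used for the initializer in emoji.yml and initializer.yml.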
84 changes: 84 additions & 0 deletions deployments/emojivoto/emoji.yml
@@ -0,0 +1,84 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: emoji
namespace: edg-emojivoto
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: emoji
namespace: edg-emojivoto
labels:
app.kubernetes.io/name: emoji
app.kubernetes.io/part-of: emojivoto
app.kubernetes.io/version: v11
spec:
replicas: 1
selector:
matchLabels:
app: emoji-svc
version: v11
template:
metadata:
labels:
app: emoji-svc
version: v11
spec:
runtimeClassName: kata-cc-isolation
initContainers:
- name: initializer
image: "ghcr.io/edgelesssys/nunki/initializer:latest"
imagePullPolicy: Always
env:
- name: COORDINATOR_HOST
value: coordinator-kbs.edg-emojivoto
volumeMounts:
- name: tls-certs
mountPath: /tls-config
serviceAccountName: emoji
containers:
- env:
- name: GRPC_PORT
value: "8080"
- name: PROM_PORT
value: "8801"
- name: EDG_CERT_PATH
value: /tls-config/certChain.pem
- name: EDG_CA_PATH
value: /tls-config/CACert.pem
- name: EDG_KEY_PATH
value: /tls-config/key.pem
image: ghcr.io/3u13r/emojivoto-emoji-svc:coco-1
imagePullPolicy: Always
name: emoji-svc
ports:
- containerPort: 8080
name: grpc
- containerPort: 8801
name: prom
resources:
requests:
cpu: 100m
volumeMounts:
- name: tls-certs
mountPath: /tls-config
volumes:
- name: tls-certs
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: emoji-svc
namespace: edg-emojivoto
spec:
selector:
app: emoji-svc
ports:
- name: grpc
port: 8080
targetPort: 8080
- name: prom
port: 8801
targetPort: 8801
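Review bot: The `tls-certs` volume that receives `/tls-config/key.pem` is a plain `emptyDir: {}`; a default emptyDir is disk-backed, and whether kata-cc-isolation keeps it inside the guest or passes it through from the host depends on the runtime's ephemeral-volume handling, which this manifest does not pin down. `emptyDir: { medium: Memory }` states the intent that the key lives only in memory for the pod's lifetime and removes the question. The same volume definition appears in initializer.yml. Independently, `ghcr.io/3u13r/emojivoto-emoji-svc:coco-1` is a personal-namespace image; moving it under the project's registry path, or pinning it by digest, would make the deployment reproducible.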
40 changes: 40 additions & 0 deletions deployments/emojivoto/initializer.yml
@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: workload
namespace: edg-emojivoto
spec:
selector:
matchLabels:
run: workload
replicas: 1
template:
metadata:
labels:
run: workload
spec:
runtimeClassName: kata-cc-isolation
initContainers:
- name: initializer
image: "ghcr.io/edgelesssys/nunki/initializer:latest"
imagePullPolicy: Always
env:
- name: COORDINATOR_HOST
value: coordinator-kbs.edg-emojivoto
volumeMounts:
- name: tls-certs
mountPath: /tls-config
containers:
- name: workload
image: "fedora:38"
imagePullPolicy: Always
command:
- /bin/bash
- "-c"
- echo Workload started ; sleep inf
volumeMounts:
- name: tls-certs
mountPath: /tls-config
volumes:
- name: tls-certs
emptyDir: {}
4 changes: 4 additions & 0 deletions deployments/emojivoto/ns.yml
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: edg-emojivoto
45 changes: 45 additions & 0 deletions deployments/emojivoto/portforwarder.yml
@@ -0,0 +1,45 @@
apiVersion: v1
kind: Pod
metadata:
name: port-forwarder-coordinator
namespace: default
spec:
containers:
- name: port-forwarder
image: nixery.dev/shell/socat
env:
- name: LISTEN_PORT
value: "1313"
- name: FORWARD_HOST
value: coordinator-kbs.edg-emojivoto
- name: FORWARD_PORT
value: "1313"
command:
- /bin/bash
- "-c"
- echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
ports:
- containerPort: 1313
---
apiVersion: v1
kind: Pod
metadata:
name: port-forwarder-2
namespace: default
spec:
containers:
- name: port-forwarder
image: nixery.dev/shell/socat
env:
- name: LISTEN_PORT
value: "8080"
- name: FORWARD_HOST
value: web-svc.edg-emojivoto
- name: FORWARD_PORT
value: "443"
command:
- /bin/bash
- "-c"
- echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
ports:
- containerPort: 8080
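Review bot: Both pods run `nixery.dev/shell/socat`, an image assembled on request by a third-party service with no tag or digest, and they relay the coordinator's coordapi port (1313) and the web front end (443) to any peer that can reach them in `default`; nothing in the file says this is development tooling. A header comment such as `# Development-only: relays coordapi and web-svc into the default namespace for local access; do not apply on shared clusters.` would keep it from being applied alongside the real deployment. If the project keeps this file, pinning the socat image to a digest is the minimum.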
33 changes: 33 additions & 0 deletions deployments/emojivoto/vote-bot.yml
@@ -0,0 +1,33 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: vote-bot
namespace: edg-emojivoto
labels:
app.kubernetes.io/name: vote-bot
app.kubernetes.io/part-of: emojivoto
app.kubernetes.io/version: v11
spec:
replicas: 1
selector:
matchLabels:
app: vote-bot
version: v11
template:
metadata:
labels:
app: vote-bot
version: v11
spec:
containers:
- command:
- emojivoto-vote-bot
env:
- name: WEB_HOST
value: web-svc.edg-emojivoto:443
image: ghcr.io/3u13r/emojivoto-web:coco-1
imagePullPolicy: Always
name: vote-bot
resources:
requests:
cpu: 10m
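Review bot: This is the only Deployment in the set without `runtimeClassName: kata-cc-isolation`, so `filterNonCoCoRuntime` in cli/generate.go will skip it and no policy is generated for it; if that is intentional (a load generator outside the trust boundary), a comment stating it would stop a reader from treating the omission as a mistake, e.g. `# vote-bot runs outside the CoCo runtime on purpose: it only generates traffic and gets no policy.` It talks to `web-svc.edg-emojivoto:443`; whether it verifies the mesh CA is decided by the image, not by this manifest.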