
@toloco
Last active February 13, 2023 10:05
Jsonnet example
# Per-environment inputs for the container environment list that follows.
# v1.libsonnet and env.libsonnet are project libraries that are not shown here,
# so what valuesForEnv/defaults/resolveRelation do is inferred from the call
# sites: valuesForEnv(...) appears to select a value by deployment environment
# and .defaults(...) to supply the value used everywhere else.
local v1 = import 'v1.libsonnet';
local env = import 'env.libsonnet';
local params = v1.params;

# Sentry credential and project path: one pair for "prod", one for the rest.
# NOTE(review): both credential strings are committed in plain text and end up
# verbatim inside the SENTRY_HOST value, so anyone who can read this file, the
# rendered manifest or the pod spec can read them. Consider delivering them
# through a Secret (the way MINIO_ACCESS_KEY / MINIO_SECRET_KEY are delivered
# below) and treating the committed values as disclosed.
local sentry_prod = { creds: '874c6f6d8b51422b9bfc2f6524a7b5b0', uri: '/11' };
local sentry_fallback = { creds: 'f980cfda63194d869e7ca5e0c9bb48cb', uri: '/14' };
local sentry_params = v1.valuesForEnv('prod', sentry_prod).defaults(sentry_fallback);

# Worker count handed to GUNICORN_PROCESS.
local processes = v1.valuesForEnv('prod', '8').defaults('2');

# The format string needs scheme, host and a numeric port in addition to the
# creds/uri pair above; they are expected to come from the "apps/sentry"
# relation (presumably - that object is not visible here).
local sentry_relation = v1.resolveRelation('apps/sentry');
local sentry_url = std.format(
  '%(scheme)s://%(creds)s@%(host)s:%(port)d%(uri)s',
  sentry_relation + sentry_params
);

# Frontend base URL per environment; the second argument is the fallback.
local frontend_url_by_env = {
  prod: 'https://rpx.i.nakhoda.ai/',
  'rc/master': 'https://rpx.rc.i.nakhoda.ai/',
  stag: 'https://rpx.stag.i.nakhoda.ai/',
};
local default_frontend_url = v1.valuesForEnv(
  frontend_url_by_env,
  'https://rpx.stag.i.nakhoda.ai/'
);

# Retry budget for the key loader, in minutes: 10080 is 7 days.
local keyloader_max_retry_mins = v1.valuesForEnv('prod', '10080').defaults('10');

# NOTE(review): CORS_ON is passed as the free-form strings 'NO!' and 'yes'.
# Whether prod really ends up with CORS off depends on how the application
# parses the variable; a parser that treats any non-empty string as true would
# read 'NO!' as enabled. Confirm against the consumer.
local cors_on = v1.valuesForEnv('prod', 'NO!').defaults('yes');
# Environment variables for the application containers, as a list of
# {name, value} / {name, valueFrom} entries.
# Only the two MinIO keys are read from a Secret; every other entry, including
# SENTRY_HOST with its embedded credential, is a literal value that is visible
# in the rendered manifest and in the pod spec.
local minio_secret(key) = { secretKeyRef: { name: params.global.name, key: key } };
local keycloak_internal = v1.resolveRelation('infra/keycloak');
local keycloak_external = v1.resolveRelation('infra/keycloak', external=true);
[
  { name: 'DEBUG', value: '0' },
  # NOTE(review): the Redis URL carries no password and uses redis:// rather
  # than rediss://, so access control rests on the network policy alone.
  { name: 'REDIS_URL', value: 'redis://%s:6379/12' % [params.components.redis.name] },
  { name: 'OIDC_BASE_URL', value: keycloak_internal.URL },
  # The authorization endpoint is built from the external=true form of the relation.
  {
    name: 'OIDC_AUTH_URL',
    value: '%s/auth/realms/portal/protocol/openid-connect/auth' % [keycloak_external.URL],
  },
  { name: 'OIDC_LOCAL_KEY_FILE_PATH', value: '/oidc/oidc.keys' },
  { name: 'KEYLOADER_MAX_RETRY', value: keyloader_max_retry_mins },
  # Despite the name, this value is a full URL that includes the Sentry credential.
  { name: 'SENTRY_HOST', value: sentry_url },
  { name: 'CI_ENVIRONMENT_NAME', value: v1.envName },
  { name: 'CI_COMMIT_SHA', value: env['CI_COMMIT_SHA'] },
  { name: 'GUNICORN_PROCESS', value: processes },
  { name: 'MINIO_ACCESS_KEY', valueFrom: minio_secret('minio_access_key') },
  { name: 'MINIO_SECRET_KEY', valueFrom: minio_secret('minio_secret_key') },
  { name: 'MINIO_HOST', value: '%s:9000' % [params.components.minio.name] },
  { name: 'RETHINKDB_HOST', value: params.components.rethinkdb.name },
  { name: 'RETHINKDB_PORT', value: '28015' },
  { name: 'RETHINKDB_DB', value: 'RPX_DB' },
  # Plain HTTP to the duckling component.
  { name: 'DUCKLING_URL', value: 'http://%s:5000/parse' % [params.components.duckling.name] },
  { name: 'DEFAULT_FRONTEND_URL', value: default_frontend_url },
  { name: 'CORS_ON', value: cors_on },
]
# Building blocks for the generic-app deployment: shared env list, volume
# mount, resource sizing, the key-loader sidecar and the cron pod spec.
# v1.libsonnet and config.libsonnet are project libraries not shown here.
local v1 = import 'v1.libsonnet';
local params = v1.params;
local config = import 'config.libsonnet';

# Environment list shared by every container defined in this file
# (presumably the env list shown earlier on this page).
local genericEnv = import './commonEnvs.libsonnet';

# Mount for the "oidc" volume, shared between the main container and key-loader.
local commonVolumeMounts = [{ name: 'oidc', mountPath: '/oidc' }];

# Address used for the port-25 egress rule further down.
local email_ip = '10.1.1.15';

# CPU/memory sizing for the main container: prod gets more CPU, memory is the same.
local prod_resources = {
  requests: { cpu: '1', memory: '256Mi' },
  limits: { cpu: '2', memory: '2Gi' },
};
local default_resources = {
  requests: { cpu: '250m', memory: '256Mi' },
  limits: { cpu: '1', memory: '2Gi' },
};
local resources = v1.valuesForEnv({ prod: prod_resources }, default_resources);

# Sidecar container added next to "main".
# NOTE(review): it receives the whole genericEnv list, which includes the MinIO
# secret references and the Sentry URL with its credential. If key-loader only
# needs the OIDC / KEYLOADER_* entries, give it that subset instead.
# NOTE(review): the image is pinned by a tag that looks like a commit hash; a
# tag can still be repointed in the registry, whereas an @sha256 digest cannot.
local key_loader = {
  name: 'key-loader',
  image: 'registry.ci.g.nakhoda.ai/pub/key-loader:89ca541fca588d175dbb06eb33dd55f8c364727d',
  resources: {
    requests: { cpu: '250m', memory: '64Mi' },
    limits: { cpu: '1', memory: '128Mi' },
  },
  env: genericEnv,
  volumeMounts: commonVolumeMounts,
};

# Pod spec for the scheduled job: runs nightly_jobs.sh in the generic-app image.
# containers_ is a hidden field (::); how v1 consumes it is not visible here.
# NOTE(review): the cron container also gets the full genericEnv list.
local podSpecForCron = {
  containers_:: {
    cron: {
      name: 'cron',
      image: params.components['generic-app'].image,
      resources: {
        requests: { cpu: '50m', memory: '64Mi' },
        limits: { cpu: '1', memory: '128Mi' },
      },
      args: ['sh', 'nightly_jobs.sh'],
      env: genericEnv,
    },
  },
};
# Final manifest: the generic-app deployment plus its supporting components,
# network rules and the clean-up cron job, merged with `+`.
# The v1 builder methods come from a project library that is not shown here,
# so the notes below describe only what the arguments make visible.

# Main container: shared env list and the /oidc mount are appended.
v1.with("generic-app").deployment.extendContainersByName(
"main", {env+: genericEnv, volumeMounts+: commonVolumeMounts}
)
# Liveness and readiness both probe GET /ping on the "http" port.
.livenessFor("main", {initialDelaySeconds: 5, periodSeconds: 20}).http({path:"/ping", port: "http"})
.readinessFor("main", {initialDelaySeconds: 5, periodSeconds: 20}).http({path:"/ping", port:"http"})
.resourcesFor("main").requests(resources.requests)
.resourcesFor("main").limits(resources.limits)
# Adds the key-loader sidecar and the emptyDir volume both containers mount at
# /oidc. NOTE(review): no securityContext is set on either container in the
# lines shown; confirm the library or the cluster policy applies one.
.extend({spec+: {template+: { spec+: {
containers+: [key_loader],
volumes+: [{name: "oidc", emptyDir: {}}]
}}}})
# Inbound relations may reach generic-app on the "http" port only.
+ v1.allowNetworkTraffic.relations(
from=std.objectFields(params.global.relations.inbound),
to="generic-app", ports=["http"], matchAllInstances=true
)
# NOTE(review): this outbound rule passes no `ports`, unlike the inbound rule
# above; confirm what the library defaults to when ports are omitted.
+ v1.allowNetworkTraffic.relations(
to=std.objectFields(params.global.relations.outbound),
from="generic-app"
)
# Egress to the single mail host (/32) on port 25.
# NOTE(review): port 25 is plain SMTP by default; confirm the client upgrades
# the session with STARTTLS if mail content is sensitive.
+ v1.with("generic-app").networkPolicy.egressCIDR({cidr: email_ip+"/32"}, ports=[25])
# Component-to-component rules, each limited to the named port of the target.
+ v1.allowNetworkTraffic.components(from="generic-app", to="minio", ports=["minio"])
+ (import "./redis.libsonnet")
+ v1.allowNetworkTraffic.components(from="generic-app", to="redis", ports=["redis"])
+ (import "./duckling.libsonnet")
+ v1.allowNetworkTraffic.components(from="generic-app", to="duckling", ports=["duckling"])
+ (import "./rethinkdb.libsonnet")
+ v1.allowNetworkTraffic.components(from="generic-app", to="rethinkdb", ports=["rethinkdb"])
# Re-declares the "minio" field on top of whatever an earlier operand defined
# (no minio import is visible in this chain), switching backups per config.
+ {"minio": super["minio"].withBackups(config.backups.enabled)}
# Scheduled clean-up job using the cron pod spec defined above.
+ v1.with("clean-up").cronJob.schedule(config.cron.schedule)
.podSpec(podSpecForCron)
# NOTE(review): no `ports` here either, while the generic-app -> rethinkdb rule
# names ["rethinkdb"]; if an omitted list means "all ports", narrow this one.
+ v1.allowNetworkTraffic.components(from="clean-up", to="rethinkdb")