Compare commits
24 commits
1b40d136ad
...
a79a37d4d4
Author | SHA1 | Date | |
---|---|---|---|
a79a37d4d4 | |||
fba2a495e2 | |||
bba058afa0 | |||
12034502ac | |||
4881ea3c0d | |||
38183f7bf1 | |||
62fb2a37a0 | |||
aec67352d5 | |||
3f0de27055 | |||
7d21f5aff1 | |||
260d086232 | |||
56b843981f | |||
777b94a340 | |||
d9cb19242b | |||
010ab3d8fd | |||
054e6954af | |||
2a6b6ccf3f | |||
13e718ca37 | |||
52e43fe23c | |||
a63f170ace | |||
220eb337f9 | |||
8a3194e715 | |||
c5e777c9c5 | |||
1ed850aea2 |
5 changed files with 63 additions and 5 deletions
2
build.py
2
build.py
|
@ -56,7 +56,7 @@ def test_schema(project):
|
|||
"java -jar target/uberjar/c4k-forgejo-standalone.jar "
|
||||
+ "src/test/resources/forgejo-test/valid-config.yaml "
|
||||
+ "src/test/resources/forgejo-test/valid-auth.yaml | "
|
||||
+ "kubeconform --kubernetes-version 1.23.0 --strict --skip Certificate -",
|
||||
+ """kubeconform --kubernetes-version 1.23.0 --strict --skip "Certificate, Middleware" -""",
|
||||
shell=True,
|
||||
check=True,
|
||||
)
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
[dda.c4k-common.postgres :as postgres]))
|
||||
|
||||
(def config-defaults {:issuer "staging", :deploy-federated "false"})
|
||||
(def rate-limit-defaults {:max-rate 10, :max-concurrent-requests 5})
|
||||
|
||||
(def config? (s/keys :req-un [::forgejo/fqdn
|
||||
::forgejo/mailer-from
|
||||
|
@ -30,7 +31,7 @@
|
|||
|
||||
(def vol? (s/keys :req-un [::forgejo/volume-total-storage-size]))
|
||||
|
||||
(defn k8s-objects [config auth]
|
||||
(defn k8s-objects [config auth] ; ToDo: ADR for generate functions - vector or no vector?
|
||||
(let [storage-class (if (contains? config :postgres-data-volume-path) :manual :local-path)]
|
||||
(map yaml/to-string
|
||||
(filter #(not (nil? %))
|
||||
|
@ -46,11 +47,12 @@
|
|||
(postgres/generate-service)
|
||||
(forgejo/generate-deployment config)
|
||||
(forgejo/generate-service)
|
||||
(forgejo/generate-service-ssh)
|
||||
(forgejo/generate-service-ssh)
|
||||
(forgejo/generate-data-volume config)
|
||||
(forgejo/generate-appini-env config)
|
||||
(forgejo/generate-secrets auth)]
|
||||
(forgejo/generate-ingress-and-cert config)
|
||||
(forgejo/generate-secrets auth)
|
||||
(forgejo/generate-rate-limit-middleware rate-limit-defaults)] ; this does not have a vector as output
|
||||
(forgejo/generate-rate-limit-ingress-and-cert config) ; this function has a vector as output
|
||||
(when (contains? config :restic-repository)
|
||||
[(backup/generate-config config)
|
||||
(backup/generate-secret auth)
|
||||
|
|
|
@ -42,6 +42,8 @@
|
|||
(s/def ::mailer-pw pred/bash-env-string?)
|
||||
(s/def ::issuer pred/letsencrypt-issuer?)
|
||||
(s/def ::volume-total-storage-size (partial pred/int-gt-n? 5))
|
||||
(s/def ::max-rate int?)
|
||||
(s/def ::max-concurrent-requests int?)
|
||||
|
||||
(def config? (s/keys :req-un [::fqdn
|
||||
::mailer-from
|
||||
|
@ -53,6 +55,9 @@
|
|||
::default-app-name
|
||||
::service-domain-whitelist]))
|
||||
|
||||
(def rate-limit-config? (s/keys :req-un [::max-rate
|
||||
::max-concurrent-requests]))
|
||||
|
||||
(def auth? (s/keys :req-un [::postgres/postgres-db-user ::postgres/postgres-db-password ::mailer-user ::mailer-pw]))
|
||||
|
||||
(def vol? (s/keys :req-un [::volume-total-storage-size]))
|
||||
|
@ -119,6 +124,26 @@
|
|||
:fqdns [fqdn]}
|
||||
config))))
|
||||
|
||||
(defn-spec generate-rate-limit-ingress-and-cert pred/map-or-seq?
|
||||
[config config?]
|
||||
(->
|
||||
(generate-ingress-and-cert config) ; returns a vector
|
||||
(#(assoc-in % ; Attention: heavily relying on the output order of ing/generate-ingress-and-cert
|
||||
[1 :metadata :annotations :traefik.ingress.kubernetes.io/router.middlewares]
|
||||
(str
|
||||
(-> (second %) :metadata :annotations :traefik.ingress.kubernetes.io/router.middlewares)
|
||||
", default-ratelimit@kubernetescrd")))))
|
||||
|
||||
|
||||
; using :average and :burst seems sensible, :period may be interesting for fine tuning later on
|
||||
(defn-spec generate-rate-limit-middleware pred/map-or-seq?
|
||||
[config rate-limit-config?]
|
||||
(let [{:keys [max-rate max-concurrent-requests]} config]
|
||||
(->
|
||||
(yaml/load-as-edn "forgejo/middleware-ratelimit.yaml")
|
||||
(cm/replace-key-value :average max-rate)
|
||||
(cm/replace-key-value :burst max-concurrent-requests))))
|
||||
|
||||
(defn-spec generate-data-volume pred/map-or-seq?
|
||||
[config vol?]
|
||||
(let [{:keys [volume-total-storage-size]} config
|
||||
|
|
8
src/main/resources/forgejo/middleware-ratelimit.yaml
Normal file
8
src/main/resources/forgejo/middleware-ratelimit.yaml
Normal file
|
@ -0,0 +1,8 @@
|
|||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: ratelimit
|
||||
spec:
|
||||
rateLimit: # Config options for rate limiting: https://doc.traefik.io/traefik/middlewares/http/ratelimit/
|
||||
average: AVG
|
||||
burst: BRS
|
|
@ -130,3 +130,26 @@
|
|||
:storage-c2 "15Gi"}
|
||||
(th/map-diff (cut/generate-data-volume {:volume-total-storage-size 1})
|
||||
(cut/generate-data-volume {:volume-total-storage-size 15})))))
|
||||
|
||||
(deftest should-generate-middleware-ratelimit
|
||||
(is (= {:apiVersion "traefik.containo.us/v1alpha1",
|
||||
:kind "Middleware",
|
||||
:metadata {:name "ratelimit"},
|
||||
:spec {:rateLimit {:average 10, :burst 5}}}
|
||||
(cut/generate-rate-limit-middleware {:max-rate 10, :max-concurrent-requests 5}))))
|
||||
|
||||
(deftest should-generate-middleware-ratelimit-ingress-and-cert
|
||||
(is (= {:traefik.ingress.kubernetes.io/router.entrypoints "web, websecure",
|
||||
:traefik.ingress.kubernetes.io/router.middlewares
|
||||
"default-redirect-https@kubernetescrd, default-ratelimit@kubernetescrd",
|
||||
:metallb.universe.tf/address-pool "public"}
|
||||
(-> (second
|
||||
(cut/generate-rate-limit-ingress-and-cert
|
||||
{:fqdn "test.de"
|
||||
:mailer-from ""
|
||||
:mailer-host "m.t.de"
|
||||
:mailer-port "123"
|
||||
:service-noreply-address ""
|
||||
:average 10
|
||||
:burst 5}))
|
||||
:metadata :annotations))))
|
||||
|
|
Loading…
Reference in a new issue