-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathsession.yaml
149 lines (148 loc) · 4.43 KB
/
session.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
# For networking, we want to users to be connect to the server via port 22
# (ssh), and port 443 (websockets). These connections are latency sensitive.
# We also want the servers to be able to know the user's IP.
# We'd like to have one session server in a few datacenters to provide low
# latency around the globe.
#
# We have a few options:
# 1) Use a load balancer. Because we are using SSH, we can't have a special
# Client IP header. So we need to use the "PROXY protocol", which many load
# balancers support. We have to write a bit of code to support the PROXY
# protocol. This also increases the bill for each datacenter we want to
# have a presence on.
# 2) Using a public IP on the node, and hostPort. Unfortunately, the SSH server
# does not see the Client IP as connections are getting NATed.
# 3) Using a public IP on the node, and hostNetwork: true. This works, but
# we have to relocate the port of the node's OpenSSH server on the machine.
#
# Using the node's public IP is not great as it's likely that things will go
# sour when doing k8s upgrades. Nodes may get recycled. Relocating the
# host SSH server is also a PITA. So We'll go with option 1) to avoid hassles.
apiVersion: apps/v1
kind: Deployment
metadata:
name: session
labels:
app: session
spec:
replicas: 1
selector:
matchLabels:
app: session
template:
metadata:
labels:
app: session
version: "1"
spec:
terminationGracePeriodSeconds: 5
volumes:
- name: secret-ssh-keys
secret:
secretName: ssh-keys
- name: tmate-unix-sockets
emptyDir: {}
containers:
- name: tmate-ssh-server
image: tmate/tmate-ssh-server:prod
# args: [-v]
securityContext:
capabilities:
add: [SYS_ADMIN] # needed to spawn containers (CLONE_NEWPID, etc.)
env:
- name: USE_PROXY_PROTOCOL
value: "1"
- name: HAS_WEBSOCKET
value: "1"
- name: SSH_KEYS_PATH
value: /etc/tmate-keys
- name: SSH_PORT_ADVERTISE
value: "22"
- name: SSH_HOSTNAME
valueFrom:
configMapKeyRef:
name: config
key: hostname
ports:
- containerPort: 2200
name: ssh
readinessProbe:
tcpSocket:
port: 2200
volumeMounts:
- name: secret-ssh-keys
mountPath: /etc/tmate-keys
- name: tmate-unix-sockets
mountPath: /tmp/tmate/sessions
- name: tmate-websocket
image: tmate/tmate-websocket:latest
env:
- name: DAEMON_HMAC_KEY
valueFrom:
secretKeyRef:
name: misc
key: hmac_key
- name: USE_PROXY_PROTOCOL
value: "1"
- name: WEBSOCKET_BASE_URL
valueFrom:
configMapKeyRef:
name: config
key: websocket_base_url
- name: MASTER_BASE_URL
valueFrom:
configMapKeyRef:
name: config
key: master_base_url
- name: USER_FACING_BASE_URL
valueFrom:
configMapKeyRef:
name: config
key: user_facing_base_url
- name: INTERNAL_API_AUTH_TOKEN
valueFrom:
secretKeyRef:
name: misc
key: wsapi_key
- name: ERL_NODE_NAME
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ERL_COOKIE
valueFrom:
secretKeyRef:
name: misc
key: erl_cookie
ports:
- containerPort: 4001
name: http
- containerPort: 4002
name: daemon
readinessProbe:
tcpSocket:
port: 4002
volumeMounts:
- name: tmate-unix-sockets
mountPath: /tmp/tmate/sessions
---
kind: Service
apiVersion: v1
metadata:
name: session
annotations:
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
service.beta.kubernetes.io/do-loadbalancer-healthcheck-check-interval-seconds: "10"
service.beta.kubernetes.io/do-loadbalancer-certificate-id: 98e61172-5967-4b5e-b7c1-629e147f27e2
service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
spec:
selector:
app: session
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: ssh
port: 22
targetPort: ssh
- name: https
port: 443
targetPort: http