""" VAPORA Kubernetes Cluster Configuration Defines K8s cluster, networking, storage, and service mesh """ import k.api.all as k # ===== CLUSTER DEFINITION ===== cluster = k.Cluster { name = "vapora-cluster" version = "1.30" region = "us-east-1" cloud_provider = "aws" # aws | gcp | azure | on-premise # Networking network = { vpc_cidr = "10.0.0.0/16" service_cidr = "10.96.0.0/12" pod_cidr = "10.244.0.0/16" cni = "cilium" # cilium | flannel | weave serviceMesh = "istio" networkPolicy = true } # Node configuration nodes = { master = { count = 3 instance_type = "t3.large" # 2 vCPU, 8Gi RAM zone = "us-east-1a" disk_size = 100 disk_type = "gp3" } worker = { count = 5 instance_type = "t3.xlarge" # 4 vCPU, 16Gi RAM zone = "us-east-1b" disk_size = 200 disk_type = "gp3" taints = [ {"key": "workload", "value": "vapora", "effect": "NoSchedule"} ] } } # Storage storage = { provider = "rook-ceph" # rook-ceph | ebs | local replication_factor = 3 pools = [ { name = "ssd" device_class = "ssd" size = "500Gi" }, { name = "hdd" device_class = "hdd" size = "2Ti" } ] } # Monitoring stack monitoring = { prometheus = true grafana = true loki = true alert_manager = true } # Security security = { mTLS = true network_policies = true pod_security_policy = true rbac = true audit_logging = true } # Ingress ingress = { provider = "istio" # istio | nginx | haproxy domain = "vapora.example.com" tls = true cert_provider = "letsencrypt" } } # ===== NAMESPACES ===== namespaces = [ { name = "vapora-system" labels = {"app": "vapora"} }, { name = "istio-system" labels = {"istio-injection": "enabled"} }, { name = "monitoring" labels = {"monitoring": "true"} }, { name = "rook-ceph" labels = {"storage": "ceph"} } ] # ===== ISTIO SERVICE MESH ===== istio = { enabled = true version = "1.18" # Traffic management traffic_policy = { connection_pool = { http = { http1MaxPendingRequests = 100 maxRequestsPerConnection = 2 h2UpgradePolicy = "UPGRADE" } tcp = { maxConnections = 100 } } outlier_detection = { consecutive5xxErrors = 5 interval = "30s" baseEjectionTime = "30s" } } # Authorization policies authz_policies = { deny_all = true allow_prometheus = true allow_inter_service_mtls = true } # Virtual Service for VAPORA frontend virtual_services = [ { name = "vapora-frontend" namespace = "vapora-system" hosts = ["vapora.example.com"] routes = [ { destination = "vapora-frontend" weight = 100 timeout = "10s" retries = { attempts = 3 perTryTimeout = "2s" } } ] } ] # Gateway gateway = { name = "vapora-gateway" selector = {"istio": "ingressgateway"} servers = [ { port = {number = 80, name = "http", protocol = "HTTP"} hosts = ["vapora.example.com"] redirectPort = 443 }, { port = {number = 443, name = "https", protocol = "HTTPS"} hosts = ["vapora.example.com"] tls = { mode = "SIMPLE" credentialName = "vapora-tls" } } ] } } # ===== RESOURCE QUOTAS ===== resource_quotas = [ { namespace = "vapora-system" hard = { requests.cpu = "100" requests.memory = "200Gi" limits.cpu = "200" limits.memory = "400Gi" pods = "500" services = "50" configmaps = "100" secrets = "100" } } ] # ===== PERSISTENT VOLUMES ===== persistent_volumes = [ { name = "vapora-data-ssd" storage_class = "ssd" size = "500Gi" access_mode = "ReadWriteOnce" reclaim_policy = "Retain" }, { name = "vapora-backup-hdd" storage_class = "hdd" size = "2Ti" access_mode = "ReadWriteOnce" reclaim_policy = "Retain" } ] # ===== OUTPUT ===== output = { cluster_info = cluster namespaces = namespaces istio_config = istio storage_config = cluster.storage }