#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
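---
#! Namespace that holds the namespaced objects of this template (ServiceAccount,
#! ConfigMap, optional image pull Secret, Deployment and Service all set
#! `namespace: data.values.namespace`).
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.namespace
  labels:
    #! The namespace name is repeated as a label; presumably so that label
    #! selectors can target this namespace - confirm against the consumers.
    name: #@ data.values.namespace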
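---
#! Identity the Deployment's pods run as; the pod spec references it through
#! serviceAccountName using the same app_name + "-service-account" expression.
#! NOTE(review): no Role/ClusterRole bindings for this account appear in this
#! listing. Whatever is bound to it elsewhere is what a compromised pod could
#! do against the API server, so check those grants are limited to what the
#! server needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ data.values.app_name + "-service-account"
  namespace: #@ data.values.namespace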
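---
#! Runtime configuration for the server. The Deployment mounts this ConfigMap
#! at /etc/config and passes --config=/etc/config/pinniped.yaml.
#! A ConfigMap is not a confidential store: nothing secret belongs in here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: #@ data.values.app_name + "-config"
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
data:
  #! The (@= ... @) expressions below are substituted into the block scalar as
  #! plain text, without YAML quoting. A data value that contains a newline or
  #! ": " would therefore change the structure of the generated pinniped.yaml,
  #! so data values must come from a trusted deployer, never from user input.
  #! When discovery_url is unset the literal text `null` is rendered.
  #! NOTE(review): durationSeconds / renewBeforeSeconds look like the lifetime
  #! and renewal lead time of the API serving certificate - confirm in the
  #! server's config loader, including that renewBefore < duration is enforced.
  #@yaml/text-templated-strings
  pinniped.yaml: |
    discovery:
      url: (@= data.values.discovery_url or "null" @)
    api:
      servingCertificate:
        durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)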
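---
#! Optional registry credentials. The Secret is rendered only when
#! image_pull_dockerconfigjson is set to a non-empty value; the Deployment
#! adds the matching imagePullSecrets entry under the same condition and
#! refers to it by the fixed name "image-pull-secret".
#! Values under `data:` of a Secret must be base64-encoded, and the data value
#! is passed through unchanged here, so it presumably has to be supplied
#! already encoded - confirm against the values file.
#! The credential arrives as a deployer-supplied data value: provide it at
#! render time and keep it out of version control and rendered-manifest logs.
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end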
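---
#! Runs the server pods. Pods are labelled app=<app_name>, which is what the
#! Service selector and the anti-affinity rule below match on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: #@ data.values.app_name
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  replicas: #@ data.values.replicas
  selector:
    matchLabels:
      app: #@ data.values.app_name
  template:
    metadata:
      labels:
        app: #@ data.values.app_name
      annotations:
        #! NOTE(review): this alpha annotation is the legacy way of marking a
        #! pod critical and has been deprecated in favour of priorityClassName
        #! (see the commented-out setting further down) - confirm it still has
        #! an effect on the Kubernetes versions you target.
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      #! Pod identity; its API permissions are defined outside this listing.
      serviceAccountName: #@ data.values.app_name + "-service-account"
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
        - name: pinniped
          #! Prefer image_digest: a digest pins the exact image content, while
          #! a tag can be re-pointed in the registry. With imagePullPolicy
          #! IfNotPresent a node that already caches the tag keeps running
          #! whatever it cached, so nodes can end up on different content.
          #@ if data.values.image_digest:
          image: #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          #! NOTE(review): no securityContext is set, so the container runs with
          #! the image's and the runtime's defaults. Consider
          #! allowPrivilegeEscalation: false, dropped capabilities and a
          #! read-only root filesystem once it is confirmed what the server
          #! needs (it listens on port 443, per the probes below).
          #! Only a memory request is declared: there is no CPU request and
          #! there are no limits, so the container's usage is not capped.
          resources:
            requests:
              memory: "128Mi"
          args:
            - --config=/etc/config/pinniped.yaml
            - --downward-api-path=/etc/podinfo
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            - name: podinfo
              mountPath: /etc/podinfo
          #! Both probes call /healthz over HTTPS on port 443. The kubelet does
          #! not verify the certificate on HTTPS probes, so they work with a
          #! serving certificate that is not in any public trust store.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 2
            timeoutSeconds: 15
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 2
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 3
      volumes:
        - name: config-volume
          configMap:
            name: #@ data.values.app_name + "-config"
        #! Downward API volume: exposes the pod's own labels and namespace as
        #! files under /etc/podinfo, the path given to --downward-api-path.
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "namespace"
                fieldRef:
                  fieldPath: metadata.namespace
      #! NOTE(review): the second toleration lets these pods land on master
      #! nodes, where they share a host with control-plane components. Confirm
      #! that placement is intended for your cluster.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master #! Allow running on master nodes too
          effect: NoSchedule
      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
      #!priorityClassName: system-cluster-critical
      #! This will help make sure our multiple pods run on different nodes, making
      #! our deployment "more" "HA".
      #! It is a preference (weight 50), not a requirement: the scheduler may
      #! still place several replicas on the same node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: #@ data.values.app_name
                topologyKey: kubernetes.io/hostname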
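---
#! In-cluster front end for the server pods (selector app=<app_name>), port 443
#! to container port 443. The APIService below routes to this Service by name.
#! type ClusterIP keeps it reachable from inside the cluster only; this
#! manifest does not expose it through a NodePort or LoadBalancer.
apiVersion: v1
kind: Service
metadata:
  name: pinniped-api #! the golang code assumes this specific name as part of the common name during cert generation
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  type: ClusterIP
  selector:
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443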
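---
#! Registers the aggregated API group login.pinniped.dev, version v1alpha1,
#! with the Kubernetes API server, which then forwards requests for that
#! group/version to the pinniped-api Service on port 443.
#! APIService is cluster-scoped, so metadata carries no namespace; only the
#! service reference below is namespaced.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.login.pinniped.dev
  labels:
    app: #@ data.values.app_name
spec:
  version: v1alpha1
  group: login.pinniped.dev
  groupPriorityMinimum: 2500
  versionPriority: 10
  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
  #! NOTE(review): insecureSkipTLSVerify is not set here, so the API server
  #! validates the backend's serving certificate. Keep it unset: enabling it
  #! to work around a not-yet-populated caBundle would remove the check that
  #! the API server is talking to the real backend.
  service:
    name: pinniped-api
    namespace: #@ data.values.namespace
    port: 443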