K8s configuration for mounting application config.

This adds an additional volume mount for Flask application secrets.
These will be mounted into the ATST container so that their values can
be read in as config.
dandds
2019-12-05 13:18:28 -05:00
parent 2d714cae39
commit 972cf14a66
4 changed files with 121 additions and 10 deletions


@@ -50,6 +50,8 @@ spec:
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi.ini"
subPath: uwsgi.ini
- name: flask-secret
mountPath: "/config"
- name: nginx
image: nginx:alpine
ports:
@@ -141,6 +143,16 @@ spec:
keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
keyvaultobjecttypes: "secret;secret;secret"
tenantid: $TENANT_ID
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
---
apiVersion: extensions/v1beta1
kind: Deployment
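Review bot: `keyvaultobjecttypes` lists the fifth object, master-SECRET-KEY (alias SECRET_KEY), as type `key` while its four siblings are `secret`; if that value is stored as a Key Vault secret like the others, the azure/kv driver will look it up as a Key Vault key instead and the mount will either fail or deliver the wrong material, so the line should read `keyvaultobjecttypes: "secret;secret;secret;secret;secret"` unless a Key Vault key object was deliberately created for it. The same line recurs in the worker and beat volume definitions later in this file and in the CronJob volume in the second file, so whichever type is correct should be applied to all four copies. Separately, `keyvaultname: "atat-vault-test"` is hard-coded while `tenantid` is templated with `$TENANT_ID`; templating the vault name the same way would keep a test vault from being baked into every environment's manifest. The `flask-secret` mounts at `/config` could also carry `readOnly: true`, since the containers only read these values.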
@@ -161,6 +173,7 @@ spec:
labels:
app: atst
role: worker
aadpodidbinding: atat-kv-id-binding
spec:
securityContext:
fsGroup: 101
@@ -188,6 +201,8 @@ spec:
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
@@ -203,6 +218,16 @@ spec:
- key: cert
path: pgsslrootcert.crt
mode: 0666
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
---
apiVersion: extensions/v1beta1
kind: Deployment
@@ -223,6 +248,7 @@ spec:
labels:
app: atst
role: beat
aadpodidbinding: atat-kv-id-binding
spec:
securityContext:
fsGroup: 101
@@ -250,6 +276,8 @@ spec:
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
@@ -265,6 +293,16 @@ spec:
- key: cert
path: pgsslrootcert.crt
mode: 0666
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
---
apiVersion: v1
kind: Service


@@ -10,6 +10,11 @@ spec:
jobTemplate:
spec:
template:
metadata:
labels:
app: atst
role: crl-sync
aadpodidbinding: atat-kv-id-binding
spec:
restartPolicy: OnFailure
containers:
@@ -32,6 +37,8 @@ spec:
subPath: atst-overrides.ini
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
@@ -43,3 +50,13 @@ spec:
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
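Review bot: The crl-sync CronJob now binds the Key Vault pod identity (`aadpodidbinding: atat-kv-id-binding`, first hunk of this file) and mounts all five application secrets, including AZURE_STORAGE_KEY and MAIL_PASSWORD, at `/config`. If the CRL sync task only needs a subset of those values, trimming `keyvaultobjectnames`, `keyvaultobjectaliases` and `keyvaultobjecttypes` to that subset would keep the job's exposure to the minimum it actually uses; if the app's config loader requires the full set at startup, a comment above `- name: flask-secret` stating that would save the next reader the question. Either way, `readOnly: true` on the corresponding `/config` mount in the previous hunk is a cheap hardening step for a job that only reads these values.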