K8s configuration for mounting application config.
This adds an additional volume mount for Flask application secrets. These will be mounted into the ATST container so that their values can be read in as config.
This commit is contained in:
dandds
parent
2d714cae39
commit
972cf14a66
@ -50,6 +50,8 @@ spec:
|
||||
- name: uwsgi-config
|
||||
mountPath: "/opt/atat/atst/uwsgi.ini"
|
||||
subPath: uwsgi.ini
|
||||
- name: flask-secret
|
||||
mountPath: "/config"
|
||||
- name: nginx
|
||||
image: nginx:alpine
|
||||
ports:
|
||||
@ -141,6 +143,16 @@ spec:
|
||||
keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
|
||||
keyvaultobjecttypes: "secret;secret;secret"
|
||||
tenantid: $TENANT_ID
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
driver: "azure/kv"
|
||||
options:
|
||||
usepodidentity: "true"
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
||||
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
||||
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
||||
tenantid: $TENANT_ID
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -161,6 +173,7 @@ spec:
|
||||
labels:
|
||||
app: atst
|
||||
role: worker
|
||||
aadpodidbinding: atat-kv-id-binding
|
||||
spec:
|
||||
securityContext:
|
||||
fsGroup: 101
|
||||
@ -188,6 +201,8 @@ spec:
|
||||
- name: pgsslrootcert
|
||||
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
||||
subPath: pgsslrootcert.crt
|
||||
- name: flask-secret
|
||||
mountPath: "/config"
|
||||
volumes:
|
||||
- name: atst-config
|
||||
secret:
|
||||
@ -203,6 +218,16 @@ spec:
|
||||
- key: cert
|
||||
path: pgsslrootcert.crt
|
||||
mode: 0666
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
driver: "azure/kv"
|
||||
options:
|
||||
usepodidentity: "true"
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
||||
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
||||
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
||||
tenantid: $TENANT_ID
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -223,6 +248,7 @@ spec:
|
||||
labels:
|
||||
app: atst
|
||||
role: beat
|
||||
aadpodidbinding: atat-kv-id-binding
|
||||
spec:
|
||||
securityContext:
|
||||
fsGroup: 101
|
||||
@ -250,6 +276,8 @@ spec:
|
||||
- name: pgsslrootcert
|
||||
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
||||
subPath: pgsslrootcert.crt
|
||||
- name: flask-secret
|
||||
mountPath: "/config"
|
||||
volumes:
|
||||
- name: atst-config
|
||||
secret:
|
||||
@ -265,6 +293,16 @@ spec:
|
||||
- key: cert
|
||||
path: pgsslrootcert.crt
|
||||
mode: 0666
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
driver: "azure/kv"
|
||||
options:
|
||||
usepodidentity: "true"
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
||||
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
||||
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
||||
tenantid: $TENANT_ID
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
||||
@ -10,6 +10,11 @@ spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: atst
|
||||
role: crl-sync
|
||||
aadpodidbinding: atat-kv-id-binding
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
@ -32,6 +37,8 @@ spec:
|
||||
subPath: atst-overrides.ini
|
||||
- name: crls-vol
|
||||
mountPath: "/opt/atat/atst/crls"
|
||||
- name: flask-secret
|
||||
mountPath: "/config"
|
||||
volumes:
|
||||
- name: atst-config
|
||||
secret:
|
||||
@ -43,3 +50,13 @@ spec:
|
||||
- name: crls-vol
|
||||
persistentVolumeClaim:
|
||||
claimName: crls-vol-claim
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
driver: "azure/kv"
|
||||
options:
|
||||
usepodidentity: "true"
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
||||
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
||||
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
||||
tenantid: $TENANT_ID
|
||||
|
||||
@ -11,3 +11,52 @@ spec:
|
||||
options:
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert"
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
options:
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: atst-worker
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
options:
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: atst-beat
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
options:
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: crls
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
options:
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
|
||||
|
||||
@ -7,6 +7,11 @@ spec:
|
||||
ttlSecondsAfterFinished: 100
|
||||
backoffLimit: 2
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: atst
|
||||
role: migration
|
||||
aadpodidbinding: atat-kv-id-binding
|
||||
spec:
|
||||
containers:
|
||||
- name: migration
|
||||
@ -28,20 +33,12 @@ spec:
|
||||
- configMapRef:
|
||||
name: atst-worker-envvars
|
||||
volumeMounts:
|
||||
- name: atst-config
|
||||
mountPath: "/opt/atat/atst/atst-overrides.ini"
|
||||
subPath: atst-overrides.ini
|
||||
- name: pgsslrootcert
|
||||
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
||||
subPath: pgsslrootcert.crt
|
||||
- name: flask-secret
|
||||
mountPath: "/config"
|
||||
volumes:
|
||||
- name: atst-config
|
||||
secret:
|
||||
secretName: atst-config-ini
|
||||
items:
|
||||
- key: override.ini
|
||||
path: atst-overrides.ini
|
||||
mode: 0644
|
||||
- name: pgsslrootcert
|
||||
configMap:
|
||||
name: pgsslrootcert
|
||||
@ -49,4 +46,14 @@ spec:
|
||||
- key: cert
|
||||
path: pgsslrootcert.crt
|
||||
mode: 0666
|
||||
- name: flask-secret
|
||||
flexVolume:
|
||||
driver: "azure/kv"
|
||||
options:
|
||||
usepodidentity: "true"
|
||||
keyvaultname: "atat-vault-test"
|
||||
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
||||
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
||||
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
||||
tenantid: $TENANT_ID
|
||||
restartPolicy: Never
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user