--- apiVersion: v1 kind: Namespace metadata: name: atat --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: atst name: atst namespace: atat spec: selector: matchLabels: role: web replicas: 4 strategy: type: RollingUpdate template: metadata: labels: app: atst role: web aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 containers: - name: atst image: $CONTAINER_IMAGE envFrom: - configMapRef: name: atst-envvars volumeMounts: - name: nginx-client-ca-bundle mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem" subPath: client-ca-bundle.pem - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" - name: crls-vol mountPath: "/opt/atat/atst/crls" - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt - name: uwsgi-config mountPath: "/opt/atat/atst/uwsgi.ini" subPath: uwsgi.ini - name: flask-secret mountPath: "/config" - name: nginx image: nginx:alpine ports: - containerPort: 8342 name: main-upgrade - containerPort: 8442 name: main - containerPort: 8343 name: auth-upgrade - containerPort: 8443 name: auth volumeMounts: - name: nginx-config mountPath: "/etc/nginx/conf.d/" - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" - name: nginx-htpasswd mountPath: "/etc/nginx/.htpasswd" subPath: .htpasswd - name: nginx-client-ca-bundle mountPath: "/etc/ssl/client-ca-bundle.pem" subPath: "client-ca-bundle.pem" - name: acme mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/" - name: snippets mountPath: "/etc/nginx/snippets/" - name: nginx-secret mountPath: "/etc/ssl/" volumes: - name: nginx-client-ca-bundle configMap: name: nginx-client-ca-bundle defaultMode: 0444 items: - key: "client-ca-bundle.pem" path: "client-ca-bundle.pem" - name: nginx-config configMap: name: atst-nginx - name: uwsgi-socket-dir emptyDir: medium: Memory - name: nginx-htpasswd secret: secretName: atst-nginx-htpasswd items: - key: htpasswd path: .htpasswd mode: 0640 - name: crls-vol persistentVolumeClaim: claimName: crls-vol-claim - name: pgsslrootcert configMap: name: pgsslrootcert items: - key: cert path: pgsslrootcert.crt mode: 0666 - name: acme configMap: name: acme-challenges defaultMode: 0666 - name: uwsgi-config configMap: name: uwsgi-config defaultMode: 0666 items: - key: uwsgi.ini path: uwsgi.ini mode: 0644 - name: snippets configMap: name: nginx-snippets - name: nginx-secret flexVolume: driver: "azure/kv" options: usepodidentity: "true" keyvaultname: "atat-vault-test" keyvaultobjectnames: "dhparam4096;master-cert;master-cert" keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt" keyvaultobjecttypes: "secret;secret;secret" tenantid: $TENANT_ID - name: flask-secret flexVolume: driver: "azure/kv" options: usepodidentity: "true" keyvaultname: "atat-vault-test" keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" keyvaultobjecttypes: "secret;secret;secret;secret;key" tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: atst name: atst-worker namespace: atat spec: selector: matchLabels: role: worker replicas: 2 strategy: type: RollingUpdate template: metadata: labels: app: atst role: worker aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 containers: - name: atst-worker image: $CONTAINER_IMAGE args: [ "/opt/atat/atst/.venv/bin/python", "/opt/atat/atst/.venv/bin/celery", "-A", "celery_worker.celery", "worker", "--loglevel=info", ] envFrom: - configMapRef: name: atst-envvars - configMapRef: name: atst-worker-envvars volumeMounts: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt - name: flask-secret mountPath: "/config" volumes: - name: pgsslrootcert configMap: name: pgsslrootcert items: - key: cert path: pgsslrootcert.crt mode: 0666 - name: flask-secret flexVolume: driver: "azure/kv" options: usepodidentity: "true" keyvaultname: "atat-vault-test" keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" keyvaultobjecttypes: "secret;secret;secret;secret;key" tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: atst name: atst-beat namespace: atat spec: selector: matchLabels: role: beat replicas: 1 strategy: type: RollingUpdate template: metadata: labels: app: atst role: beat aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 containers: - name: atst-beat image: $CONTAINER_IMAGE args: [ "/opt/atat/atst/.venv/bin/python", "/opt/atat/atst/.venv/bin/celery", "-A", "celery_worker.celery", "beat", "--loglevel=info", ] envFrom: - configMapRef: name: atst-envvars - configMapRef: name: atst-worker-envvars volumeMounts: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt - name: flask-secret mountPath: "/config" volumes: - name: pgsslrootcert configMap: name: pgsslrootcert items: - key: cert path: pgsslrootcert.crt mode: 0666 - name: flask-secret flexVolume: driver: "azure/kv" options: usepodidentity: "true" keyvaultname: "atat-vault-test" keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" keyvaultobjecttypes: "secret;secret;secret;secret;key" tenantid: $TENANT_ID --- apiVersion: v1 kind: Service metadata: labels: app: atst name: atst-main namespace: atat spec: loadBalancerIP: 13.92.235.6 ports: - port: 80 targetPort: 8342 name: http - port: 443 targetPort: 8442 name: https selector: role: web type: LoadBalancer --- apiVersion: v1 kind: Service metadata: labels: app: atst name: atst-auth namespace: atat spec: loadBalancerIP: 23.100.24.41 ports: - port: 80 targetPort: 8343 name: http - port: 443 targetPort: 8443 name: https selector: role: web type: LoadBalancer