pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20c7e943c8c1fb31e070196a4de35435a3d010f8
atst/deploy/azure/azure.yml
tomdds 728bb5713f Fix flexVol serving of nginx certificates 
FlexVol requires that you specify certificates as secrets in order to get both the certificate and private key in the appropriate format for nginx to consume. Additionally, flexvol shouldn't interfer with other secrets mounted in it's host directory.
2019-12-02 15:45:16 -05:00

308 lines
7.8 KiB
YAML
Raw Blame History

---
apiVersion: v1
kind: Namespace
metadata:
name: atat
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst
namespace: atat
spec:
selector:
matchLabels:
role: web
replicas: 4
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
role: web
aadpodidbinding: atat-kv-id-binding
spec:
securityContext:
fsGroup: 101
containers:
- name: atst
image: $CONTAINER_IMAGE
envFrom:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi.ini"
subPath: uwsgi.ini
- name: nginx
image: nginx:alpine
ports:
- containerPort: 8342
name: main-upgrade
- containerPort: 8442
name: main
- containerPort: 8343
name: auth-upgrade
- containerPort: 8443
name: auth
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/client-ca-bundle.pem"
subPath: "client-ca-bundle.pem"
- name: acme
mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
- name: snippets
mountPath: "/etc/nginx/snippets/"
- name: nginx-secret
mountPath: "/etc/ssl/"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-client-ca-bundle
configMap:
name: nginx-client-ca-bundle
defaultMode: 0444
items:
- key: "client-ca-bundle.pem"
path: "client-ca-bundle.pem"
- name: nginx-config
configMap:
name: atst-nginx
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
- name: acme
configMap:
name: acme-challenges
defaultMode: 0666
- name: uwsgi-config
configMap:
name: uwsgi-config
defaultMode: 0666
items:
- key: uwsgi.ini
path: uwsgi.ini
mode: 0644
- name: snippets
configMap:
name: nginx-snippets
- name: nginx-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "dhparam4096;master-cert;master-cert"
keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
keyvaultobjecttypes: "secret;secret;secret"
tenantid: $TENANT_ID
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst-worker
namespace: atat
spec:
selector:
matchLabels:
role: worker
replicas: 2
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
role: worker
spec:
securityContext:
fsGroup: 101
containers:
- name: atst-worker
image: $CONTAINER_IMAGE
args:
[
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/celery",
"-A",
"celery_worker.celery",
"worker",
"--loglevel=info",
]
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst-beat
namespace: atat
spec:
selector:
matchLabels:
role: beat
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
role: beat
spec:
securityContext:
fsGroup: 101
containers:
- name: atst-beat
image: $CONTAINER_IMAGE
args:
[
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/celery",
"-A",
"celery_worker.celery",
"beat",
"--loglevel=info",
]
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-main
namespace: atat
spec:
loadBalancerIP: 13.92.235.6
ports:
- port: 80
targetPort: 8342
name: http
- port: 443
targetPort: 8442
name: https
selector:
role: web
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-auth
namespace: atat
spec:
loadBalancerIP: 23.100.24.41
ports:
- port: 80
targetPort: 8343
name: http
- port: 443
targetPort: 8443
name: https
selector:
role: web
type: LoadBalancer
Reference in New Issue View Git Blame Copy Permalink