---
# Namespace shared by every resource in this file: both Deployments,
# both Services and the Ingress set `namespace: atat`.
apiVersion: v1
kind: Namespace
metadata:
  name: atat
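---
# Web tier: two replicas, each pod running the atst application container
# next to an nginx sidecar that exposes 8442 (http) and 8443 (https).
# NOTE(review): extensions/v1beta1 Deployments are no longer served from
# Kubernetes 1.16 on; migrate to apps/v1 when the target cluster allows it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: atst
  namespace: atat
  labels:
    app: atst
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
  # Pods are matched on `role` alone; the template below carries role: web.
  selector:
    matchLabels:
      role: web
  template:
    metadata:
      labels:
        app: atst
        role: web
    spec:
      # fsGroup makes group 101 the owning group of the mounted volumes,
      # which is what lets group-readable (0640) secret files be read.
      # NOTE(review): no runAsNonRoot/runAsUser is set here and neither
      # container declares its own securityContext
      # (allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities);
      # tighten these as far as the images tolerate.
      securityContext:
        fsGroup: 101
      imagePullSecrets:
        - name: regcred
      containers:
        - name: atst
          image: registry.atat.codes:443/atst-prod:50f0843c
          # NOTE(review): only a memory request is declared; with no limits
          # a runaway process can starve other pods on the node.
          resources:
            requests:
              memory: "2500Mi"
          envFrom:
            - configMapRef:
                name: atst-envvars
          # Single files are projected with subPath so the rest of each
          # target directory in the image stays visible.
          volumeMounts:
            - name: atst-config
              mountPath: "/opt/atat/atst/atst-overrides.ini"
              subPath: atst-overrides.ini
            - name: nginx-client-ca-bundle
              mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
              subPath: client-ca-bundle.pem
            - name: uwsgi-config
              mountPath: "/opt/atat/atst/uwsgi-config.ini"
              subPath: uwsgi-config.ini
            # Shared with the nginx sidecar at the same path, presumably
            # so nginx can reach the app over a unix socket.
            - name: uwsgi-socket-dir
              mountPath: "/var/run/uwsgi"
        - name: atst-nginx
          # NOTE(review): `nginx:alpine` is a floating tag pulled from the
          # default registry; pin a specific version or a digest
          # (nginx@sha256:<DIGEST_PLACEHOLDER>) so rollouts are
          # reproducible and a changed upstream image cannot slip in.
          image: nginx:alpine
          ports:
            - name: http
              containerPort: 8442
            - name: https
              containerPort: 8443
          volumeMounts:
            # TLS certificate and private key for the https listener.
            - name: nginx-auth-tls
              mountPath: "/etc/ssl/private"
            - name: nginx-client-ca-bundle
              mountPath: "/etc/ssl/client-ca-bundle.pem"
              subPath: client-ca-bundle.pem
            - name: nginx-config
              mountPath: "/etc/nginx/conf.d/atst.conf"
              subPath: atst.conf
            - name: nginx-dhparam
              mountPath: "/etc/ssl/dhparam.pem"
              subPath: dhparam.pem
            - name: nginx-htpasswd
              mountPath: "/etc/nginx/.htpasswd"
              subPath: .htpasswd
            - name: uwsgi-socket-dir
              mountPath: "/var/run/uwsgi"
      # File modes below are YAML 1.1 octal literals; the API field is an
      # integer, so they must stay unquoted.
      volumes:
        - name: atst-config
          secret:
            secretName: atst-config-ini
            items:
              # NOTE(review): this comes from a Secret but is
              # world-readable inside the container; presumably it holds
              # application credentials. Consider 0640 once the app's
              # runtime group is confirmed.
              - key: override.ini
                path: atst-overrides.ini
                mode: 0644
        - name: nginx-auth-tls
          secret:
            secretName: auth-atst-ingress-tls
            items:
              - key: tls.crt
                path: auth.atat.crt
                mode: 0644
              # Private key: readable by owner and group 101 only.
              - key: tls.key
                path: auth.atat.key
                mode: 0640
        - name: nginx-client-ca-bundle
          secret:
            secretName: nginx-client-ca-bundle
            items:
              # Was 0666. A CA bundle is a trust anchor that only ever
              # needs to be read, so the write bits are dropped.
              - key: client-ca-bundle.pem
                path: client-ca-bundle.pem
                mode: 0644
        - name: nginx-config
          configMap:
            name: atst-nginx
            items:
              - key: nginx-config
                path: atst.conf
        - name: nginx-dhparam
          secret:
            secretName: dhparam-4096
            items:
              - key: dhparam.pem
                path: dhparam.pem
                mode: 0640
        - name: nginx-htpasswd
          secret:
            secretName: atst-nginx-htpasswd
            items:
              - key: htpasswd
                path: .htpasswd
                mode: 0640
        - name: uwsgi-config
          configMap:
            name: atst-config
            items:
              - key: uwsgi-config
                path: uwsgi-config.ini
                mode: 0644
        # Memory-backed scratch directory for the uwsgi socket.
        # NOTE(review): no sizeLimit is set, and data written here counts
        # as memory usage.
        - name: uwsgi-socket-dir
          emptyDir:
            medium: Memory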
---
# Background worker: one replica of the same application image, started
# through bash with the rq_worker script instead of the image default.
# NOTE(review): extensions/v1beta1 Deployments are no longer served from
# Kubernetes 1.16 on; migrate to apps/v1 when the target cluster allows it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: atst-worker
  namespace: atat
  labels:
    app: atst
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  # Matched on `role` alone; the template below carries role: worker.
  selector:
    matchLabels:
      role: worker
  template:
    metadata:
      labels:
        app: atst
        role: worker
    spec:
      # fsGroup makes group 101 the owning group of the mounted volume.
      # NOTE(review): no runAsNonRoot/runAsUser and no container-level
      # securityContext (allowPrivilegeEscalation, readOnlyRootFilesystem,
      # capabilities) are set; tighten as far as the image tolerates.
      securityContext:
        fsGroup: 101
      imagePullSecrets:
        - name: regcred
      containers:
        - name: atst-worker
          image: registry.atat.codes:443/atst-prod:50f0843c
          args:
            - "/bin/bash"
            - "-c"
            - "/opt/atat/atst/script/rq_worker"
          # NOTE(review): only a memory request is declared; no limits.
          resources:
            requests:
              memory: "500Mi"
          # Both ConfigMaps are imported as environment variables; on a
          # duplicate key the later source (atst-worker-envvars) wins.
          envFrom:
            - configMapRef:
                name: atst-envvars
            - configMapRef:
                name: atst-worker-envvars
          volumeMounts:
            - name: atst-config
              mountPath: "/opt/atat/atst/atst-overrides.ini"
              subPath: atst-overrides.ini
      volumes:
        - name: atst-config
          secret:
            secretName: atst-config-ini
            items:
              # The mode is a YAML 1.1 octal literal; the API field is an
              # integer, so it must stay unquoted.
              # NOTE(review): Secret-backed file that is world-readable
              # inside the container; consider 0640 once the worker's
              # runtime group is confirmed.
              - key: override.ini
                path: atst-overrides.ini
                mode: 0644
---
# Cluster-internal Service (no `type`, so ClusterIP): port 80 forwards to
# container port 8442 on pods labelled role: web. 8442 is the port the
# nginx sidecar names `http`, so this hop is unencrypted inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: atst
  namespace: atat
  labels:
    app: atst
spec:
  selector:
    role: web
  ports:
    - name: http
      port: 80
      targetPort: 8442
---
# NodePort Service: opens 32751 on every node and forwards to port 8443 on
# pods labelled role: web (targetPort is omitted, so it defaults to `port`).
# NOTE(review): this path does not go through the Ingress, so whatever
# filtering the Ingress applies is not in front of it. Confirm that node
# firewall rules or a NetworkPolicy limit who can reach 32751.
apiVersion: v1
kind: Service
metadata:
  name: atst-auth
  namespace: atat
  labels:
    app: atst
spec:
  type: NodePort
  selector:
    role: web
  ports:
    - name: https
      protocol: TCP
      port: 8443
      nodePort: 32751
---
# Public entry point: nginx-class Ingress with a TLS certificate stored in
# atst-ingress-tls, routing www.atat.code.mil/ to Service atst on port 80.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# networking.k8s.io/v1 uses a different backend schema and needs pathType.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: atst
  namespace: atat
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    # Caps request bodies at 10 MB at the ingress controller.
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
spec:
  tls:
    # NOTE(review): the certificate covers both the apex and www hosts,
    # but only www has a routing rule below; requests for atat.code.mil
    # fall through to the controller's default backend.
    - secretName: atst-ingress-tls
      hosts:
        - atat.code.mil
        - www.atat.code.mil
  rules:
    - host: www.atat.code.mil
      http:
        paths:
          - path: /
            backend:
              serviceName: atst
              servicePort: 80