ec638d6b01
This does the following: - Removes references to the atst-override.ini file, now deprecated. - Adds all non-secret data that was managed in the override file to the relevant K8s ConfigMaps. - Adds additional documentation explaining out use of Key Vault for secrets management.
316 lines
8.7 KiB
YAML
316 lines
8.7 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: atat
|
|
---
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
name: atst
|
|
namespace: atat
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
role: web
|
|
replicas: 4
|
|
strategy:
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
role: web
|
|
aadpodidbinding: atat-kv-id-binding
|
|
spec:
|
|
securityContext:
|
|
fsGroup: 101
|
|
containers:
|
|
- name: atst
|
|
image: $CONTAINER_IMAGE
|
|
envFrom:
|
|
- configMapRef:
|
|
name: atst-envvars
|
|
volumeMounts:
|
|
- name: nginx-client-ca-bundle
|
|
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
|
|
subPath: client-ca-bundle.pem
|
|
- name: uwsgi-socket-dir
|
|
mountPath: "/var/run/uwsgi"
|
|
- name: crls-vol
|
|
mountPath: "/opt/atat/atst/crls"
|
|
- name: pgsslrootcert
|
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
|
subPath: pgsslrootcert.crt
|
|
- name: uwsgi-config
|
|
mountPath: "/opt/atat/atst/uwsgi.ini"
|
|
subPath: uwsgi.ini
|
|
- name: flask-secret
|
|
mountPath: "/config"
|
|
- name: nginx
|
|
image: nginx:alpine
|
|
ports:
|
|
- containerPort: 8342
|
|
name: main-upgrade
|
|
- containerPort: 8442
|
|
name: main
|
|
- containerPort: 8343
|
|
name: auth-upgrade
|
|
- containerPort: 8443
|
|
name: auth
|
|
volumeMounts:
|
|
- name: nginx-config
|
|
mountPath: "/etc/nginx/conf.d/"
|
|
- name: uwsgi-socket-dir
|
|
mountPath: "/var/run/uwsgi"
|
|
- name: nginx-htpasswd
|
|
mountPath: "/etc/nginx/.htpasswd"
|
|
subPath: .htpasswd
|
|
- name: nginx-client-ca-bundle
|
|
mountPath: "/etc/ssl/client-ca-bundle.pem"
|
|
subPath: "client-ca-bundle.pem"
|
|
- name: acme
|
|
mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
|
|
- name: snippets
|
|
mountPath: "/etc/nginx/snippets/"
|
|
- name: nginx-secret
|
|
mountPath: "/etc/ssl/"
|
|
volumes:
|
|
- name: nginx-client-ca-bundle
|
|
configMap:
|
|
name: nginx-client-ca-bundle
|
|
defaultMode: 0444
|
|
items:
|
|
- key: "client-ca-bundle.pem"
|
|
path: "client-ca-bundle.pem"
|
|
- name: nginx-config
|
|
configMap:
|
|
name: atst-nginx
|
|
- name: uwsgi-socket-dir
|
|
emptyDir:
|
|
medium: Memory
|
|
- name: nginx-htpasswd
|
|
secret:
|
|
secretName: atst-nginx-htpasswd
|
|
items:
|
|
- key: htpasswd
|
|
path: .htpasswd
|
|
mode: 0640
|
|
- name: crls-vol
|
|
persistentVolumeClaim:
|
|
claimName: crls-vol-claim
|
|
- name: pgsslrootcert
|
|
configMap:
|
|
name: pgsslrootcert
|
|
items:
|
|
- key: cert
|
|
path: pgsslrootcert.crt
|
|
mode: 0666
|
|
- name: acme
|
|
configMap:
|
|
name: acme-challenges
|
|
defaultMode: 0666
|
|
- name: uwsgi-config
|
|
configMap:
|
|
name: uwsgi-config
|
|
defaultMode: 0666
|
|
items:
|
|
- key: uwsgi.ini
|
|
path: uwsgi.ini
|
|
mode: 0644
|
|
- name: snippets
|
|
configMap:
|
|
name: nginx-snippets
|
|
- name: nginx-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "dhparam4096;master-cert;master-cert"
|
|
keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
|
|
keyvaultobjecttypes: "secret;secret;secret"
|
|
tenantid: $TENANT_ID
|
|
- name: flask-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
|
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
|
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
|
tenantid: $TENANT_ID
|
|
---
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
name: atst-worker
|
|
namespace: atat
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
role: worker
|
|
replicas: 2
|
|
strategy:
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
role: worker
|
|
aadpodidbinding: atat-kv-id-binding
|
|
spec:
|
|
securityContext:
|
|
fsGroup: 101
|
|
containers:
|
|
- name: atst-worker
|
|
image: $CONTAINER_IMAGE
|
|
args:
|
|
[
|
|
"/opt/atat/atst/.venv/bin/python",
|
|
"/opt/atat/atst/.venv/bin/celery",
|
|
"-A",
|
|
"celery_worker.celery",
|
|
"worker",
|
|
"--loglevel=info",
|
|
]
|
|
envFrom:
|
|
- configMapRef:
|
|
name: atst-envvars
|
|
- configMapRef:
|
|
name: atst-worker-envvars
|
|
volumeMounts:
|
|
- name: pgsslrootcert
|
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
|
subPath: pgsslrootcert.crt
|
|
- name: flask-secret
|
|
mountPath: "/config"
|
|
volumes:
|
|
- name: pgsslrootcert
|
|
configMap:
|
|
name: pgsslrootcert
|
|
items:
|
|
- key: cert
|
|
path: pgsslrootcert.crt
|
|
mode: 0666
|
|
- name: flask-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
|
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
|
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
|
tenantid: $TENANT_ID
|
|
---
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
name: atst-beat
|
|
namespace: atat
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
role: beat
|
|
replicas: 1
|
|
strategy:
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
role: beat
|
|
aadpodidbinding: atat-kv-id-binding
|
|
spec:
|
|
securityContext:
|
|
fsGroup: 101
|
|
containers:
|
|
- name: atst-beat
|
|
image: $CONTAINER_IMAGE
|
|
args:
|
|
[
|
|
"/opt/atat/atst/.venv/bin/python",
|
|
"/opt/atat/atst/.venv/bin/celery",
|
|
"-A",
|
|
"celery_worker.celery",
|
|
"beat",
|
|
"--loglevel=info",
|
|
]
|
|
envFrom:
|
|
- configMapRef:
|
|
name: atst-envvars
|
|
- configMapRef:
|
|
name: atst-worker-envvars
|
|
volumeMounts:
|
|
- name: pgsslrootcert
|
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
|
subPath: pgsslrootcert.crt
|
|
- name: flask-secret
|
|
mountPath: "/config"
|
|
volumes:
|
|
- name: pgsslrootcert
|
|
configMap:
|
|
name: pgsslrootcert
|
|
items:
|
|
- key: cert
|
|
path: pgsslrootcert.crt
|
|
mode: 0666
|
|
- name: flask-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
|
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
|
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
|
tenantid: $TENANT_ID
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
name: atst-main
|
|
namespace: atat
|
|
spec:
|
|
loadBalancerIP: 13.92.235.6
|
|
ports:
|
|
- port: 80
|
|
targetPort: 8342
|
|
name: http
|
|
- port: 443
|
|
targetPort: 8442
|
|
name: https
|
|
selector:
|
|
role: web
|
|
type: LoadBalancer
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
name: atst-auth
|
|
namespace: atat
|
|
spec:
|
|
loadBalancerIP: 23.100.24.41
|
|
ports:
|
|
- port: 80
|
|
targetPort: 8343
|
|
name: http
|
|
- port: 443
|
|
targetPort: 8443
|
|
name: https
|
|
selector:
|
|
role: web
|
|
type: LoadBalancer
|