rancher-charts/charts/epinio/101.0.0+up1.4.0/templates/server.yaml

353 lines
7.1 KiB
YAML

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: epinio-server
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: epinio-server-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server
rules:
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- create
- delete
- list
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- update
- delete
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- get
- post
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- get
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- update
- delete
- get
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- update
- patch
- apiGroups:
- servicecatalog.k8s.io
resources:
- servicebindings
verbs:
- create
- get
- delete
- list
- apiGroups:
- servicecatalog.k8s.io
resources:
- serviceinstances
verbs:
- create
- delete
- get
- list
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- create
- delete
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- apiGroups:
- "cert-manager.io"
resources:
- certificates
verbs:
- create
- apiGroups:
- application.epinio.io
resources:
- apps
verbs:
- get
- list
- create
- delete
- patch
- update
- apiGroups:
- "metrics.k8s.io"
resources:
- pods
verbs:
- list
- apiGroups:
- apps
resources:
- replicasets
verbs:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: epinio-server-cluster-role
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: epinio-server
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- create
- delete
- list
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: epinio-server-role
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: epinio-server
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: epinio-server
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
template:
metadata:
labels:
app.kubernetes.io/component: epinio-server
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
spec:
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
serviceAccountName: epinio-server
volumes:
- name: tmp-volume
emptyDir: {}
- name: asset-volume
secret:
secretName: epinio-assets
- name: dex-tls
secret:
secretName: dex-tls
optional: false
containers:
- command: ["/epinio", "server"]
args: ["--port", "8030"]
env:
- name: EPINIO_SETTINGS
value: /tmp/settings.yaml
- name: NAMESPACE
value: "{{ .Release.Namespace }}"
- name: ACCESS_CONTROL_ALLOW_ORIGIN
value: "{{ .Values.server.accessControlAllowOrigin }}"
- name: EPINIO_TIMEOUT_MULTIPLIER
value: "{{ .Values.server.timeoutMultiplier }}"
- name: TLS_ISSUER
value: "{{ .Values.global.tlsIssuer }}"
- name: TRACE_LEVEL
value: "{{ .Values.server.traceLevel }}"
{{- if or .Values.s3.certificateSecret .Values.minio.enabled }}
- name: S3_CERTIFICATE_SECRET
value: {{ default "minio-tls" .Values.s3.certificateSecret }}
{{- end }}
{{- if .Values.containerregistry.enabled }}
- name: REGISTRY_CERTIFICATE_SECRET
value: "epinio-registry-tls"
{{- end }}
{{- if .Values.ingress.ingressClassName }}
- name: INGRESS_CLASS_NAME
value: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 -}}
{{- end }}
image: "{{ default .Values.image.epinio.registry (include "registry-url" .) }}{{ .Values.image.epinio.repository }}:{{ default .Chart.AppVersion .Values.image.epinio.tag }}"
livenessProbe:
httpGet:
path: /ready
port: 8030
name: epinio-server
ports:
- containerPort: 8030
volumeMounts:
- name: tmp-volume
mountPath: /tmp
- name: asset-volume
mountPath: /assets
- name: dex-tls
mountPath: /etc/ssl/certs/dex-tls.pem
subPath: tls.crt
readinessProbe:
httpGet:
path: /ready
port: 8030
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 3000
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8030
selector:
app.kubernetes.io/name: epinio-server