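---
# ServiceAccount the NATS pod runs as. The registry pull secret name comes from
# the chart's "registry-key-name" helper.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nats
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
  - name: {{ include "registry-key-name" . }}
---
# nats-server configuration, taken verbatim from configs/nats.conf in the chart
# and mounted at /etc/nats-config by the Deployment below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nats-config
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
data:
  nats.conf: {{ .Files.Get "configs/nats.conf" | quote }}
{{- if eq .Values.environment "openshift" }}
---
# OpenShift only: dedicated SCC for the NATS pod. Every container is pinned to
# uid 2102 and must drop ALL capabilities; only NET_ADMIN and KILL may be added
# back, which is exactly what the containers in the Deployment request.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nginx-mesh-nats-permissions
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
groups: []
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_ADMIN
  - KILL
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
priority: null
# NOTE(review): the containers do not set readOnlyRootFilesystem either; nats-server
# and the reloader only write to mounted volumes as far as this template shows —
# confirm before tightening.
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAs
  uid: 2102
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
users: []
# Only the volume types used by the Deployment below are allowed.
volumes:
  - secret
  - csi
  - configMap
  - emptyDir
---
# Grants "use" on the SCC above. It is a ClusterRole so the same role can be
# bound in any namespace, but the binding below is namespace-scoped, so only the
# nats ServiceAccount in the release namespace can use the SCC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:scc:nginx-mesh-nats-permissions
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["nginx-mesh-nats-permissions"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:nginx-mesh-nats-permissions
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:nginx-mesh-nats-permissions
subjects:
  - kind: ServiceAccount
    name: nats
    namespace: {{ .Release.Namespace }}
{{- end }}
---
# Headless Service (clusterIP: None) in front of the NATS pod: client traffic on
# 4222, the HTTP monitoring endpoint (also used by the probes) on 8222.
apiVersion: v1
kind: Service
metadata:
  name: nats-server
  labels:
    app.kubernetes.io/name: nats-server
    app.kubernetes.io/part-of: nginx-service-mesh
spec:
  selector:
    app.kubernetes.io/name: nats-server
    app.kubernetes.io/part-of: nginx-service-mesh
  clusterIP: None
  ports:
    - name: client
      port: 4222
    - name: monitor
      port: 8222
---
# Single-replica nats-server plus a certificate reloader that obtains TLS
# material from the SPIRE agent socket and signals nats-server to reload it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nats-server
  labels:
    app.kubernetes.io/name: nats-server
    app.kubernetes.io/part-of: nginx-service-mesh
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: nats-server
      app.kubernetes.io/part-of: nginx-service-mesh
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nats-server
        app.kubernetes.io/part-of: nginx-service-mesh
        # Quoted on purpose: label values must be strings, and an unquoted true
        # would be parsed as a boolean. Presumably read by the SPIRE registrar —
        # confirm against the spire templates.
        spiffe.io/spiffeid: "true"
    spec:
      serviceAccountName: nats
      volumes:
        - name: config-volume
          configMap:
            name: nats-config
        # nats-server writes nats.pid here; the cert reloader reads it.
        - name: pid
          emptyDir: {}
        # Certificates written by the cert reloader, read by nats-server.
        - name: tls
          emptyDir: {}
        # SPIRE agent workload API socket: CSI driver on OpenShift (hostPath is
        # not in the SCC's volume list), hostPath everywhere else.
        - name: spire-agent-socket
          {{ if eq .Values.environment "openshift" -}}
          csi:
            driver: csi.spiffe.io
            readOnly: true
          {{- else -}}
          hostPath:
            path: "/run/spire/sockets"
            type: DirectoryOrCreate
          {{- end }}
      # Required so the cert reloader can see and signal the nats-server process
      # named in the shared pid file.
      shareProcessNamespace: true
      terminationGracePeriodSeconds: 60
      initContainers:
        # Same image as the cert reloader container, run once before the main
        # containers with only the TLS and SPIRE socket volumes mounted.
        - name: nginx-mesh-cert-reloader-init
          image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
          imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsUser: 2102
            capabilities:
              # Spelled ALL to match the SCC's requiredDropCapabilities.
              drop:
                - ALL
              add:
                - NET_ADMIN
                - KILL
          volumeMounts:
            - name: tls
              mountPath: /etc/ssl
            - name: spire-agent-socket
              mountPath: /run/spire/sockets
      containers:
        - name: nginx-mesh-cert-reloader
          image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
          imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
          args:
            - -pid
            - /var/run/nats/nats.pid
            - -is-daemon
          # Previously the only container without a securityContext. This mirrors
          # what the init container and nats-server already set and what the
          # OpenShift SCC enforces for every container (uid 2102, ALL dropped), so
          # non-OpenShift installs now get the same least-privilege posture. No
          # capabilities are added back: running as the same uid as nats-server
          # is enough to signal it, so CAP_KILL is not needed.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsUser: 2102
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: pid
              mountPath: /var/run/nats
            - name: tls
              mountPath: /etc/ssl
            - name: spire-agent-socket
              mountPath: /run/spire/sockets
        - name: nats-server
          image: {{ include "nats.image-server" . }}nats:2.9-alpine
          imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
          ports:
            - containerPort: 4222
              name: client
            - containerPort: 8222
              name: monitor
          command:
            - nats-server
            - --config
            - /etc/nats-config/nats.conf
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsUser: 2102
            capabilities:
              drop:
                - ALL
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): per-pod DNS names of this form only resolve for
            # StatefulSet pods or pods with hostname/subdomain set; with a
            # Deployment and replicas: 1 this value may be unused — confirm.
            - name: CLUSTER_ADVERTISE
              value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc"
          volumeMounts:
            - name: config-volume
              mountPath: /etc/nats-config
            - name: pid
              mountPath: /var/run/nats
            - name: tls
              mountPath: /etc/ssl
          # Both probes hit the monitoring endpoint on 8222.
          livenessProbe:
            httpGet:
              path: /
              port: 8222
            initialDelaySeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /
              port: 8222
            initialDelaySeconds: 10
            timeoutSeconds: 5
          lifecycle:
            # Puts nats-server into lame duck mode via the pid file, then waits
            # 60s so clients can drain. NOTE(review): the hook consumes the whole
            # terminationGracePeriodSeconds (also 60), so SIGTERM arrives right at
            # the deadline — confirm the lame duck duration in nats.conf fits.
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - /nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60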