ungleich-public/ungleich-k8s
6
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ungleich-k8s/apps/chartmuseum/templates/deployment.yaml
Nico Schottelius 7a9034df78 Update chartmuseum to use secret and authentication
2021-07-26 14:31:28 +02:00

192 lines
5 KiB
YAML
Raw Permalink Blame History

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-chartmuseum
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: {{ .Release.Name }}-chartmuseum
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-chartmuseum
use-as-service: {{ .Release.Name }}
spec:
# Wait before trying to start any container
initContainers:
- name: wait-for-cert
image: busybox
command:
- sh
- -c
- until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
containers:
- name: certbot
image: ungleich/ungleich-certbot
imagePullPolicy: Always
ports:
- containerPort: 80
env:
- name: ONLYRENEWCERTS
value: "yes"
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: chartmuseum
image: ghcr.io/helm/chartmuseum:v{{ .Chart.AppVersion }}
ports:
- containerPort: 443
args:
- --tls-cert=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem
- --tls-key=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem
env:
- name: STORAGE
value: "local"
- name: STORAGE_LOCAL_ROOTDIR
value: "/charts"
- name: BASIC_AUTH_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}
key: username
- name: BASIC_AUTH_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}
key: password
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: data
mountPath: "/charts"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- port: 80
name: http
- port: 443
targetPort: 8080
name: https
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: {{ tpl .Values.identifier . }}-nginx-config
# data:
# default.conf: |
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name {{ tpl .Values.fqdn . }};
# ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
# client_max_body_size 256m;
# location / {
# proxy_pass http://localhost:3000;
# }
# }
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ tpl .Values.identifier . }}-getcert
spec:
template:
metadata:
labels:
app: certbot-letsencrypt-getcert
use-as-service: {{ .Release.Name }}
spec:
restartPolicy: Never
containers:
- name: certbot
image: ungleich/ungleich-certbot
imagePullPolicy: Always
ports:
- containerPort: 80
env:
- name: ONLYGETCERT
value: "yes"
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
backoffLimit: 3
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}
annotations:
secret-generator.v1.mittwald.de/type: basic-auth
Reference in a new issue View git blame Copy permalink