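apiVersion: apps/v1
kind: Deployment
metadata:
  name: jarvis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jarvis
  template:
    metadata:
      labels:
        app: jarvis
    spec:
      nodeSelector:
        "kubernetes.io/os": linux
      containers:
        - name: jarvis
          # Mutable tag pulled on every pod start, so two restarts can run two
          # different builds. Pin to an immutable digest for reproducible,
          # auditable rollouts, e.g.
          # ghcr.io/joshspicer/jarvis@sha256:<DIGEST-PLACEHOLDER>
          image: ghcr.io/joshspicer/jarvis:latest
          imagePullPolicy: Always
          securityContext:
            # Sets no_new_privs: nothing inside the container can gain
            # privilege via setuid/file capabilities. Safe regardless of the
            # user the image runs as.
            allowPrivilegeEscalation: false
            # Further hardening (runAsNonRoot, readOnlyRootFilesystem,
            # capabilities.drop: [ALL], seccompProfile RuntimeDefault) depends
            # on the image's user, on whether it binds port 80 directly and on
            # whether it writes to disk — confirm against the image first.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
          ports:
            - containerPort: 80
          volumeMounts:
            # Key Vault objects mounted as files (one per object); read-only
            # both here and on the volume definition below.
            - name: secrets-store01-inline
              mountPath: "/mnt/secrets-store"
              readOnly: true
          env:
            - name: PORT
              value: "80"
            - name: GIN_MODE
              value: "release"
            # The four secrets below are read from the Kubernetes Secret
            # `env-secrets`, which the SecretProviderClass syncs from Key Vault.
            # That is a second copy of each value (in etcd, plus this
            # container's environment); RBAC on Secrets in this namespace and
            # encryption at rest govern their exposure.
            - name: TELEGRAM_BOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: env-secrets
                  key: TelegramBotToken
            - name: VALID_TELEGRAM_SENDERS
              valueFrom:
                secretKeyRef:
                  name: env-secrets
                  key: ValidTelegramSenders
            - name: VALID_TELEGRAM_GROUPS
              valueFrom:
                secretKeyRef:
                  name: env-secrets
                  key: ValidTelegramGroups
            - name: TRUSTED_ACTORS
              valueFrom:
                secretKeyRef:
                  name: env-secrets
                  key: TrustedActors
      volumes:
        # Secrets Store CSI inline volume backed by the Azure Key Vault
        # provider configured in SecretProviderClass azure-jarviskv-secrets.
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-jarviskv-secrets"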
---
apiVersion: v1
kind: Service
metadata:
  name: jarvis
spec:
  # Cluster-internal only; nothing reaches this Service from outside except
  # through an Ingress in front of it.
  type: ClusterIP
  selector:
    app: jarvis
  ports:
    # Explicit defaults: TCP, and the target port equals the service port.
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-jarviskv-secrets
spec:
  provider: azure
  parameters:
    # Authenticate to Key Vault with the VM's user-assigned managed identity;
    # pod identity is switched off.
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "334bf547-5989-4300-be4d-ed7a90894a03"  # clientID of the user-assigned managed identity
    tenantId: "0ad1a6ca-bf0b-4eea-b39d-a0a369403977"  # tenant that owns the key vault
    keyvaultName: "secret-store-5h7SuPk389"  # key vault name
    # Inner YAML handed to the Azure provider as one string: each entry is a
    # Key Vault *secret* (not key/cert) to expose as a file on the mount.
    objects: |
      array:
        - |
          objectName: TelegramBotToken
          objectType: secret
        - |
          objectName: ValidTelegramSenders
          objectType: secret
        - |
          objectName: ValidTelegramGroups
          objectType: secret
        - |
          objectName: TrustedActors
          objectType: secret
  # Mirror the mounted objects into the Kubernetes Secret `env-secrets` so the
  # Deployment can consume them via secretKeyRef. This places a second copy of
  # every value in etcd. NOTE(review): the driver is expected to create the
  # Secret only once a pod mounts this class — confirm ordering on first rollout.
  secretObjects:
    - secretName: env-secrets
      type: Opaque
      data:
        - key: TelegramBotToken  # Secret data field
          objectName: TelegramBotToken  # mounted object (or alias) to sync from
        - key: ValidTelegramSenders
          objectName: ValidTelegramSenders
        - key: ValidTelegramGroups
          objectName: ValidTelegramGroups
        - key: TrustedActors
          objectName: TrustedActors
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: jarvis@spicer.dev
    # Let's Encrypt production directory; issuance there is rate-limited, so
    # repeated test rollouts should point at a staging endpoint instead.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt
    solvers:
      # HTTP-01 challenge served through the nginx ingress; the solver pod is
      # pinned to Linux nodes like the app itself.
      - http01:
          ingress:
            class: nginx
            podTemplate:
              spec:
                nodeSelector:
                  "kubernetes.io/os": linux
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jarvis-ingress
  annotations:
    # cert-manager issues the certificate for spec.tls via this ClusterIssuer.
    cert-manager.io/cluster-issuer: letsencrypt
    # The regex path captures the full request path and re-emits it as-is.
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: "/$1"
    # Per-client request throttling; burst allowance is multiplier x rate.
    nginx.ingress.kubernetes.io/limit-rps: "2"
    nginx.ingress.kubernetes.io/limit-rpm: "5"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "1"
spec:
  ingressClassName: nginx
  tls:
    - secretName: tls-secret
      hosts:
        - jarvis.spicer.dev
  rules:
    - host: jarvis.spicer.dev
      http:
        paths:
          - path: "/(.*)"
            pathType: Prefix
            backend:
              service:
                name: jarvis
                port:
                  number: 80