operator.yaml
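# Deployment for the Stash operator plus a Prometheus Pushgateway sidecar.
# This is a template: every ${...} placeholder has to be substituted before the
# manifest is applied (the substitution step is not part of this file).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: stash-operator
  namespace: ${STASH_NAMESPACE}
  labels:
    app: stash
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stash
  template:
    metadata:
      labels:
        app: stash
      annotations:
        # Alpha-era "critical pod" marker, used together with the
        # CriticalAddonsOnly toleration and priorityClassName below.
        # NOTE(review): newer clusters rely on priorityClassName alone;
        # confirm against the targeted Kubernetes version.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The operator acts with whatever RBAC is bound to this account; the
      # bindings are defined elsewhere and should be reviewed for least
      # privilege.
      serviceAccountName: ${STASH_SERVICE_ACCOUNT}
      # Kept in flow style on purpose: the placeholder is expected to expand
      # to the list entry (or to nothing) -- TODO confirm against the installer.
      imagePullSecrets: [${STASH_IMAGE_PULL_SECRET}]
      # NOTE(review): neither container sets a securityContext. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem
      # and dropping capabilities once the images are confirmed to run that way.
      containers:
        - name: operator
          # Registry and tag are injected at install time; a tag is mutable, so
          # pinning by digest gives a stronger supply-chain guarantee.
          image: ${STASH_DOCKER_REGISTRY}/stash:${STASH_IMAGE_TAG}
          imagePullPolicy: ${STASH_IMAGE_PULL_POLICY}
          args:
            - run
            # Verbose logging; check that level 3 output carries no sensitive data.
            - --v=3
            - --docker-registry=${STASH_DOCKER_REGISTRY}
            # HTTPS port of the operator's API/webhook server; matches
            # containerPort, the probes and the Service targetPort.
            - --secure-port=8443
            # Presumably "-" sends audit events to stdout -- confirm.
            - --audit-log-path=-
            # Serving certificate and key come from the serving-cert volume.
            - --tls-cert-file=/var/serving-cert/tls.crt
            - --tls-private-key-file=/var/serving-cert/tls.key
            - --service-name=${STASH_SERVICE_NAME}
            # Admission webhooks are the enforcement point for Stash objects;
            # disabling them removes that check.
            - --enable-mutating-webhook=${STASH_ENABLE_MUTATING_WEBHOOK}
            - --enable-validating-webhook=${STASH_ENABLE_VALIDATING_WEBHOOK}
            # NOTE(review): the name suggests this skips a webhook self-check;
            # confirm the semantics before enabling it.
            - --bypass-validating-webhook-xray=${STASH_BYPASS_VALIDATING_WEBHOOK_XRAY}
            - --enable-status-subresource=${STASH_ENABLE_STATUS_SUBRESOURCE}
            - --use-kubeapiserver-fqdn-for-aks=${STASH_USE_KUBEAPISERVER_FQDN_FOR_AKS}
            # NOTE(review): presumably controls usage reporting to the vendor;
            # check it against the cluster's egress policy.
            - --enable-analytics=${STASH_ENABLE_ANALYTICS}
          ports:
            - containerPort: 8443
          env:
            # Downward API: expose the pod's own name and namespace.
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Only a CPU request is declared: no memory request and no limits.
          resources:
            requests:
              cpu: "100m"
          volumeMounts:
            - mountPath: /var/serving-cert
              name: serving-cert
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5
        - name: pushgateway
          args:
            # Listens on all interfaces. No TLS or authentication flags are
            # passed, and the Service in this file publishes the port
            # cluster-wide, so any workload that can reach it can push or
            # overwrite metrics. Restrict access with a NetworkPolicy.
            - --web.listen-address=:56789
            # Persisted on an emptyDir, so the data is lost when the pod goes away.
            - --persistence.file=/var/pv/pushgateway.dat
          # Tag-pinned image with no registry host or digest.
          image: prom/pushgateway:v0.5.2
          ports:
            - containerPort: 56789
              name: pushgateway
              protocol: TCP
          volumeMounts:
            - mountPath: /var/pv
              name: data-volume
            - mountPath: /tmp
              name: stash-scratchdir
      volumes:
        - emptyDir: {}
          name: data-volume
        - emptyDir: {}
          name: stash-scratchdir
        - name: serving-cert
          secret:
            # 420 decimal == 0644 octal: tls.key is readable by every user
            # inside the container that mounts it.
            # NOTE(review): 256 (0400) or 288 (0440) is tighter; confirm the
            # operator's UID/fsGroup can still read the key first.
            defaultMode: 420
            secretName: stash-apiserver-cert
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
      priorityClassName: ${STASH_PRIORITY_CLASS}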
---
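# Kubernetes lacks the service serving-cert signer, so the TLS secret for the
# operator's HTTPS endpoint is provided manually.
# The rendered manifest contains the private key: keep the rendered output out
# of version control, CI logs and shared artifacts.
apiVersion: v1
kind: Secret
metadata:
  name: stash-apiserver-cert
  namespace: ${STASH_NAMESPACE}
  labels:
    app: stash
type: kubernetes.io/tls
# Values under `data` must be base64-encoded; the placeholders are expected to
# expand to the encoded certificate and key -- TODO confirm in the installer.
data:
  tls.crt: ${TLS_SERVING_CERT}
  tls.key: ${TLS_SERVING_KEY}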
---
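# to be able to expose TSB inside the cluster
# No `type` is set, so this is a ClusterIP Service: reachable from inside the
# cluster only, but by any workload unless a NetworkPolicy restricts it.
apiVersion: v1
kind: Service
metadata:
  name: ${STASH_SERVICE_NAME}
  namespace: ${STASH_NAMESPACE}
  labels:
    app: stash
spec:
  ports:
    # HTTPS endpoint of the operator (served with the stash-apiserver-cert secret).
    - name: api
      port: 443
      targetPort: 8443
    # Pushgateway sidecar; it is started without TLS or authentication flags,
    # so limit which pods may reach this port.
    - name: pushgateway
      port: 56789
      targetPort: 56789
  selector:
    app: stash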