tea/browsertrix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
68ec582f73
browsertrix/chart/templates/signer.yaml
Ilya Kreymer bf79959a5a refactoring to use statefulsets + job (#245) 
- use statefulsets instead of deployments for mongo, redis, signer
- use k8s job + statefulset for running crawls
- use separate statefulset for crawl (scaled) and single-replica redis stateful set
- move crawl job update login to crawl_updater
- remove shared redis chart

package refactor:
- move to shared code to 'btrixcloud'
- move k8s to 'btrixcloud.k8s'
- move docker to 'btrixcloud.docker'
2022-06-05 10:37:17 -07:00

156 lines
3.9 KiB
YAML
Raw Blame History

{{- if .Values.signer.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth-signer-config
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
config.yaml: |
signing:
domain: {{ .Values.signer.host }} # domain to retrieve a cert for (passed to ACME servers, required)
email: {{ .Values.signer.cert_email }} # email for acme auth (passed to ACME servers, required)
port: 80 # local port for acme domain check (should be 80, change if running behind a proxy)
output: /data # dir to store the keys and certs (for internal use)
staging: False # generate staging certs
# optional: set a 'cross-singing' CA and private key
# this will be used along with ACME (Lets Encrypt) to sign the same CSR
# csca_cert: <ca-cert.pem>
# csca_private_key: <ca-private-key.pem>
# rfc3161 timestamp authority cert chain + timestamp urls
# at least one required, if multiple, one is selected at random
timestamping:
# time server cert chain (cert + ca cert)
# pkg:// url to load from python package data
- certfile: pkg://authsign.trusted/ts-chain.pem
url: http://freetsa.org/tsr # timeserver URL
# default trusted roots stored in authsign.trusted package
# uncomment to override
# trusted_roots: pkg://authsign.trusted/roots.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: auth-signer
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: auth-signer
replicas: {{ .Values.api_num_replicas }}
serviceName: auth-signer
volumeClaimTemplates:
- metadata:
name: signer-storage
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- if .Values.volume_storage_class }}
storageClassName: {{ .Values.volume_storage_class }}
{{- end }}
template:
metadata:
labels:
app: auth-signer
annotations:
# force update if signer_update is set
{{- if .Values.signer_update }}
"helm.update": {{ randAlphaNum 5 | quote }}
{{- end }}
spec:
{{- if .Values.main_node_type }}
nodeSelector:
nodeType: {{ .Values.main_node_type }}
{{- end }}
volumes:
- name: signer-config
secret:
secretName: auth-signer-config
items:
- key: config.yaml
path: config.yaml
containers:
- name: signer
image: {{ .Values.signer.image }}
imagePullPolicy: {{ .Values.signer.image_pull_policy }}
command: ["uvicorn", "authsign.main:app", "--port", "5053", "--host", "0.0.0.0", "--log-config", "/app/log.json"]
env:
- name: CONFIG
value: "/app-config/config.yaml"
- name: AUTH_TOKEN
value: "{{ .Values.signer.auth_token }}"
volumeMounts:
- name: signer-config
mountPath: /app-config
readOnly: true
- name: signer-storage
mountPath: /data
subPath: signer
resources:
limits:
cpu: {{ .Values.signer_limits_cpu }}
memory: {{ .Values.signer_limits_memory }}
requests:
cpu: {{ .Values.signer_requests_cpu }}
memory: {{ .Values.signer_requests_memory }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ .Release.Namespace }}
name: auth-signer
labels:
app: auth-signer
spec:
selector:
app: auth-signer
{{- if .Values.service }}
{{- if .Values.service.type }}
type: {{ .Values.service.type | quote }}
{{- end }}
{{- end }}
clusterIP: None
ports:
- protocol: TCP
port: 80
name: signer-cert
- protocol: TCP
port: 5053
name: signer-api
{{- end }}
Reference in New Issue View Git Blame Copy Permalink