tea/browsertrix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7ea6d76f10
browsertrix/chart/templates/signer.yaml
Ilya Kreymer 7ea6d76f10
Resource Constraints Cleanup: (fixes #895) (#1019) 
* resource constraints: (fixes #895)
- for cpu, only set cpu requests
- for memory, set mem requests == mem limits
- add missing resource constraints for minio and scheduled job
- for crawler, set mem and cpu constraints per browser, scale based on browser instances per crawler
- add comments in values.yaml for crawler values being multiplied
- default values: bump crawler to 650 millicpu per browser instance just in case

cleanup: remove unused entries from main backend configmap
2023-08-01 00:11:16 -07:00

149 lines
3.7 KiB
YAML
Raw Blame History

{{- if .Values.signer.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth-signer-config
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
config.yaml: |
signing:
domain: {{ .Values.signer.host }} # domain to retrieve a cert for (passed to ACME servers, required)
email: {{ .Values.signer.cert_email }} # email for acme auth (passed to ACME servers, required)
port: 80 # local port for acme domain check (should be 80, change if running behind a proxy)
output: /data # dir to store the keys and certs (for internal use)
staging: False # generate staging certs
# optional: set a 'cross-singing' CA and private key
# this will be used along with ACME (Lets Encrypt) to sign the same CSR
# csca_cert: <ca-cert.pem>
# csca_private_key: <ca-private-key.pem>
# rfc3161 timestamp authority cert chain + timestamp urls
# at least one required, if multiple, one is selected at random
timestamping:
# time server cert chain (cert + ca cert)
# pkg:// url to load from python package data
- certfile: pkg://authsign.trusted/ts-chain.pem
url: http://freetsa.org/tsr # timeserver URL
# default trusted roots stored in authsign.trusted package
# uncomment to override
# trusted_roots: pkg://authsign.trusted/roots.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: auth-signer
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: auth-signer
replicas: {{ .Values.backend_num_replicas }}
serviceName: auth-signer
volumeClaimTemplates:
- metadata:
name: signer-storage
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- if .Values.volume_storage_class }}
storageClassName: {{ .Values.volume_storage_class }}
{{- end }}
template:
metadata:
labels:
app: auth-signer
annotations:
# force update if signer_update is set
{{- if .Values.signer_update }}
"helm.update": {{ randAlphaNum 5 | quote }}
{{- end }}
spec:
{{- if .Values.main_node_type }}
nodeSelector:
nodeType: {{ .Values.main_node_type }}
{{- end }}
volumes:
- name: signer-config
secret:
secretName: auth-signer-config
items:
- key: config.yaml
path: config.yaml
containers:
- name: signer
image: {{ .Values.signer.image }}
imagePullPolicy: {{ .Values.signer.image_pull_policy }}
command: ["uvicorn", "authsign.main:app", "--port", "5053", "--host", "0.0.0.0", "--log-config", "/app/log.json"]
env:
- name: CONFIG
value: "/app-config/config.yaml"
- name: AUTH_TOKEN
value: "{{ .Values.signer.auth_token }}"
volumeMounts:
- name: signer-config
mountPath: /app-config
readOnly: true
- name: signer-storage
mountPath: /data
subPath: signer
resources:
limits:
memory: {{ .Values.signer_memory }}
requests:
cpu: {{ .Values.signer_cpu }}
memory: {{ .Values.signer_memory }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ .Release.Namespace }}
name: auth-signer
labels:
app: auth-signer
spec:
selector:
app: auth-signer
clusterIP: None
ports:
- protocol: TCP
port: 80
name: signer-cert
- protocol: TCP
port: 5053
name: signer-api
{{- end }}
Reference in New Issue View Git Blame Copy Permalink