tea/browsertrix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
aabb0b2a92
browsertrix/chart/templates/signer.yaml
Ilya Kreymer aabb0b2a92
chart / deployment fixes to run on microk8s: (fixes #385) (#387) 
- ingress: fix proxying /data to minio, use another ingress which proxies correct host to ensure presigned urls work
- presigning: determine if signing endpoint url (minio) or access endpoint (cloud bucket) based on if access endpoint is provided, set bool on storage object
- chart: fix indent on incorrect storageClassName configs
- ingress: make 'ingress_class' configurable (set to 'public' for microk8s, default to 'nginx')
- minio: use older minio image which supports legacy fs based setup (for now)
- nginx service: add 'nginx_service_use_node_port' config setting: if true, will use NodePort for frontend,
other will use default (ClusterIP) and only for the frontend / nginx
- chart: remove changing service type for other services
2022-11-30 09:21:58 -08:00

150 lines
3.7 KiB
YAML
Raw Blame History

{{- if .Values.signer.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth-signer-config
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
config.yaml: |
signing:
domain: {{ .Values.signer.host }} # domain to retrieve a cert for (passed to ACME servers, required)
email: {{ .Values.signer.cert_email }} # email for acme auth (passed to ACME servers, required)
port: 80 # local port for acme domain check (should be 80, change if running behind a proxy)
output: /data # dir to store the keys and certs (for internal use)
staging: False # generate staging certs
# optional: set a 'cross-singing' CA and private key
# this will be used along with ACME (Lets Encrypt) to sign the same CSR
# csca_cert: <ca-cert.pem>
# csca_private_key: <ca-private-key.pem>
# rfc3161 timestamp authority cert chain + timestamp urls
# at least one required, if multiple, one is selected at random
timestamping:
# time server cert chain (cert + ca cert)
# pkg:// url to load from python package data
- certfile: pkg://authsign.trusted/ts-chain.pem
url: http://freetsa.org/tsr # timeserver URL
# default trusted roots stored in authsign.trusted package
# uncomment to override
# trusted_roots: pkg://authsign.trusted/roots.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: auth-signer
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: auth-signer
replicas: {{ .Values.api_num_replicas }}
serviceName: auth-signer
volumeClaimTemplates:
- metadata:
name: signer-storage
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- if .Values.volume_storage_class }}
storageClassName: {{ .Values.volume_storage_class }}
{{- end }}
template:
metadata:
labels:
app: auth-signer
annotations:
# force update if signer_update is set
{{- if .Values.signer_update }}
"helm.update": {{ randAlphaNum 5 | quote }}
{{- end }}
spec:
{{- if .Values.main_node_type }}
nodeSelector:
nodeType: {{ .Values.main_node_type }}
{{- end }}
volumes:
- name: signer-config
secret:
secretName: auth-signer-config
items:
- key: config.yaml
path: config.yaml
containers:
- name: signer
image: {{ .Values.signer.image }}
imagePullPolicy: {{ .Values.signer.image_pull_policy }}
command: ["uvicorn", "authsign.main:app", "--port", "5053", "--host", "0.0.0.0", "--log-config", "/app/log.json"]
env:
- name: CONFIG
value: "/app-config/config.yaml"
- name: AUTH_TOKEN
value: "{{ .Values.signer.auth_token }}"
volumeMounts:
- name: signer-config
mountPath: /app-config
readOnly: true
- name: signer-storage
mountPath: /data
subPath: signer
resources:
limits:
cpu: {{ .Values.signer_limits_cpu }}
memory: {{ .Values.signer_limits_memory }}
requests:
cpu: {{ .Values.signer_requests_cpu }}
memory: {{ .Values.signer_requests_memory }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ .Release.Namespace }}
name: auth-signer
labels:
app: auth-signer
spec:
selector:
app: auth-signer
clusterIP: None
ports:
- protocol: TCP
port: 80
name: signer-cert
- protocol: TCP
port: 5053
name: signer-api
{{- end }}
Reference in New Issue View Git Blame Copy Permalink