tea/browsertrix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ac947421c0
browsertrix/chart/templates/signer.yaml
Ilya Kreymer ccd87e0dff
Rename api / nginx settings -> backend / frontend, set pull policy job images (#504) 
* rename config values
- api -> backend
- nginx -> frontend

* job pods:
- set job_pull_policy from api_pull_policy (same as backend image)
- default to Always, but can be overridden for local deployment (same as backend image)

typo fix: CRAWL_NAMESPACE -> CRAWLER_NAMESPACE (part of #491)
ansible: set default label to :latest instead of :dev for
2023-01-18 20:21:36 -08:00

150 lines
3.7 KiB
YAML
Raw Blame History

{{- if .Values.signer.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth-signer-config
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
config.yaml: |
signing:
domain: {{ .Values.signer.host }} # domain to retrieve a cert for (passed to ACME servers, required)
email: {{ .Values.signer.cert_email }} # email for acme auth (passed to ACME servers, required)
port: 80 # local port for acme domain check (should be 80, change if running behind a proxy)
output: /data # dir to store the keys and certs (for internal use)
staging: False # generate staging certs
# optional: set a 'cross-singing' CA and private key
# this will be used along with ACME (Lets Encrypt) to sign the same CSR
# csca_cert: <ca-cert.pem>
# csca_private_key: <ca-private-key.pem>
# rfc3161 timestamp authority cert chain + timestamp urls
# at least one required, if multiple, one is selected at random
timestamping:
# time server cert chain (cert + ca cert)
# pkg:// url to load from python package data
- certfile: pkg://authsign.trusted/ts-chain.pem
url: http://freetsa.org/tsr # timeserver URL
# default trusted roots stored in authsign.trusted package
# uncomment to override
# trusted_roots: pkg://authsign.trusted/roots.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: auth-signer
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: auth-signer
replicas: {{ .Values.backend_num_replicas }}
serviceName: auth-signer
volumeClaimTemplates:
- metadata:
name: signer-storage
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- if .Values.volume_storage_class }}
storageClassName: {{ .Values.volume_storage_class }}
{{- end }}
template:
metadata:
labels:
app: auth-signer
annotations:
# force update if signer_update is set
{{- if .Values.signer_update }}
"helm.update": {{ randAlphaNum 5 | quote }}
{{- end }}
spec:
{{- if .Values.main_node_type }}
nodeSelector:
nodeType: {{ .Values.main_node_type }}
{{- end }}
volumes:
- name: signer-config
secret:
secretName: auth-signer-config
items:
- key: config.yaml
path: config.yaml
containers:
- name: signer
image: {{ .Values.signer.image }}
imagePullPolicy: {{ .Values.signer.image_pull_policy }}
command: ["uvicorn", "authsign.main:app", "--port", "5053", "--host", "0.0.0.0", "--log-config", "/app/log.json"]
env:
- name: CONFIG
value: "/app-config/config.yaml"
- name: AUTH_TOKEN
value: "{{ .Values.signer.auth_token }}"
volumeMounts:
- name: signer-config
mountPath: /app-config
readOnly: true
- name: signer-storage
mountPath: /data
subPath: signer
resources:
limits:
cpu: {{ .Values.signer_limits_cpu }}
memory: {{ .Values.signer_limits_memory }}
requests:
cpu: {{ .Values.signer_requests_cpu }}
memory: {{ .Values.signer_requests_memory }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ .Release.Namespace }}
name: auth-signer
labels:
app: auth-signer
spec:
selector:
app: auth-signer
clusterIP: None
ports:
- protocol: TCP
port: 80
name: signer-cert
- protocol: TCP
port: 5053
name: signer-api
{{- end }}
Reference in New Issue View Git Blame Copy Permalink