diff kube/20-deployment.yaml @ 0:6bf643829330

start
author drewp@bigasterisk.com
date Sun, 11 Sep 2022 01:24:55 -0700
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/kube/20-deployment.yaml	Sun Sep 11 01:24:55 2022 -0700
@@ -0,0 +1,123 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  namespace: pomerium
+  name: autocert-data
+spec:
+  storageClassName: ""
+  volumeName: "autocert-data"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium-metrics
+  namespace: pomerium
+spec:
+  ports:
+    - { name: metrics, port: 9090, protocol: TCP, targetPort: metrics }
+  selector: { app.kubernetes.io/name: pomerium }
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium-proxy
+  namespace: pomerium
+spec:
+  ports:
+    - { name: https, port: 443, protocol: TCP, targetPort: https }
+    - { name: http, port: 80, protocol: TCP, targetPort: http }
+  selector: { app.kubernetes.io/name: pomerium }
+  type: LoadBalancer
+  externalIPs:
+  # prime forwards to this
+    - 10.5.0.1
+  # local dns picks this
+    - 10.2.0.1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: { app.kubernetes.io/name: pomerium }
+  name: pomerium
+  namespace: pomerium
+spec:
+  replicas: 1
+  selector:
+    matchLabels: { app.kubernetes.io/name: pomerium }
+  template:
+    metadata:
+      labels: { app.kubernetes.io/name: pomerium }
+    spec:
+      containers:
+        - args:
+            - all-in-one
+            - --pomerium-config=global
+            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
+            - --metrics-bind-address=$(POD_IP):9090
+          env:
+            - { name: TMPDIR, value: /tmp }
+            - { name: XDG_CACHE_HOME, value: /tmp }
+            - name: POMERIUM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          image: pomerium/ingress-controller:sha-5294279
+          imagePullPolicy: IfNotPresent
+          name: pomerium
+          ports:
+            - { containerPort: 8443, name: https, protocol: TCP }
+            - { containerPort: 8080, name: http, protocol: TCP }
+            - { containerPort: 9090, name: metrics, protocol: TCP }
+          resources:
+            limits: { cpu: 5000m, memory: 1Gi }
+            requests: { cpu: 300m, memory: 200Mi }
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1000
+            runAsNonRoot: true
+            runAsUser: 1000
+          volumeMounts:
+            - { mountPath: /tmp, name: tmp }
+            - { mountPath: /data/autocert, name: autocert }
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: pomerium-controller
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - { name: tmp, emptyDir: {} }
+        - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "kubernetes.io/hostname"
+                    operator: In
+                    values: ["bang"]
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium
+spec:
+  controller: pomerium.io/ingress-controller
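Review bot: The container securityContext on the pomerium container (the stanza from `allowPrivilegeEscalation: false` through `runAsUser: 1000`) disables privilege escalation and root, but keeps the default Linux capability set and the unconfined seccomp profile, so the pod would not satisfy the restricted Pod Security Standard; adding `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` next to the existing keys closes that gap in the file's flow style. The image `pomerium/ingress-controller:sha-5294279` is pinned only by a mutable tag that the registry can re-point; pinning by digest (`pomerium/ingress-controller@sha256:<DIGEST>`) makes the rollout reproducible and verifiable against what was reviewed. The pomerium-proxy Service sets `externalIPs`, and unless the cluster enforces an admission policy restricting that field, a Service in any namespace can claim the same addresses, so the `# prime forwards to this` comment is a good place to record that the cluster is expected to restrict externalIPs. As a style point, the two comments under `externalIPs:` are indented two columns less than the `- 10.5.0.1` / `- 10.2.0.1` items they describe; aligning them with the items satisfies yamllint's comments-indentation check.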