Location: pomerium/kube/20-deployment.yaml - annotation
projects is now its own deployment
---
# Claim for the volume that the pomerium Deployment mounts at /data/autocert.
# NOTE(review): that path presumably holds autocert-issued certificates and
# their private keys - confirm, and treat the backing PersistentVolume (and
# any backups of it) as secret material.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: autocert-data
  namespace: pomerium
spec:
  # Empty class plus an explicit volumeName: no dynamic provisioning, the
  # claim binds only to the pre-created PersistentVolume of that name.
  storageClassName: ""
  volumeName: autocert-data
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# Cluster-internal Service in front of the controller's "metrics" port.
# ClusterIP keeps the endpoint off external networks, but any workload that
# can reach the Service can still scrape it.
# NOTE(review): no NetworkPolicy is visible in this file - confirm one
# limits port 9090 to the metrics scraper.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-metrics
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: metrics
      port: 9090
      protocol: TCP
      targetPort: metrics
---
# Public entry point for the Pomerium proxy: forwards 443 and 80 to the
# container's named "https" and "http" ports.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
    # NOTE(review): plain HTTP is exposed alongside HTTPS - confirm this
    # listener only redirects to https or answers certificate challenges.
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  # Kubernetes neither allocates nor validates externalIPs: traffic reaching
  # any node for these addresses is delivered to this Service. Keep the set
  # of principals allowed to create or edit Services with externalIPs small
  # (RBAC / admission policy) and make sure only the intended hosts route
  # these addresses into the cluster.
  externalIPs:
    # prime forwards to this
    - 10.5.0.1
    # local dns picks this
    - 10.2.0.1
---
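# Single-replica Pomerium ingress controller, started in "all-in-one" mode.
# It is selected by the pomerium-proxy and pomerium-metrics Services through
# the app.kubernetes.io/name=pomerium label.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      containers:
        - name: pomerium
          # NOTE(review): the image is referenced by tag, and with
          # IfNotPresent a node keeps whatever it first pulled under that
          # tag. Pinning by digest makes the deployed bits verifiable, e.g.
          #   image: pomerium/ingress-controller@sha256:<DIGEST-PLACEHOLDER>
          image: pomerium/ingress-controller:sha-5294279
          imagePullPolicy: IfNotPresent
          args:
            - all-in-one
            - --pomerium-config=global
            # $(VAR) is expanded by Kubernetes from the env entries below.
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            # Metrics listen on the pod IP, so other pods can reach 9090
            # unless a NetworkPolicy restricts it (none is visible in this
            # file - confirm).
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only; temp and cache files go to
            # the writable emptyDir mounted at /tmp.
            - name: TMPDIR
              value: /tmp
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          resources:
            limits:
              cpu: 5000m
              memory: 1Gi
            requests:
              cpu: 300m
              memory: 200Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            # Hardening added in review: the process runs as UID 1000 and
            # listens only on unprivileged ports (8443/8080/9090), so it
            # needs no Linux capabilities; the runtime's default seccomp
            # filter replaces an unconfined syscall surface.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            # NOTE(review): presumably certificate and key storage for
            # autocert - confirm; backed by the autocert-data claim.
            - name: autocert
              mountPath: /data/autocert
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      # The RBAC bound to this ServiceAccount is not part of this file;
      # review it together with this Deployment, since it defines what the
      # controller's token can do in the cluster.
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
        - name: tmp
          emptyDir: {}
        - name: autocert
          persistentVolumeClaim:
            claimName: autocert-data
      # Hard-pins the pod to the node named "bang"; together with
      # replicas: 1 and the ReadWriteOnce claim, that node is a single
      # point of failure for the proxy.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - bang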
---
# Cluster-scoped IngressClass (no namespace): Ingress objects that set
# ingressClassName to "pomerium" are claimed by the controller that
# identifies itself with the string below.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  controller: pomerium.io/ingress-controller