47bd341371
- make initcontainers easier to read/follow Reviewed-on: #65
178 lines
5.6 KiB
YAML
178 lines
5.6 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
reloader.stakater.com/auto: "true"
|
|
labels:
|
|
app.kubernetes.io/component: puppetserver
|
|
app.kubernetes.io/instance: puppetserver
|
|
app.kubernetes.io/name: puppetserver
|
|
app.kubernetes.io/version: 8.8.0
|
|
name: puppetserver-master
|
|
namespace: puppet
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/component: puppetserver
|
|
app.kubernetes.io/name: puppetserver
|
|
strategy:
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
reloader.stakater.com/auto: "true"
|
|
labels:
|
|
app.kubernetes.io/component: puppetserver
|
|
app.kubernetes.io/instance: puppetserver
|
|
app.kubernetes.io/name: puppetserver
|
|
app.kubernetes.io/version: 8.8.0
|
|
spec:
|
|
hostname: puppet
|
|
imagePullSecrets: null
|
|
containers:
|
|
- name: puppetserver
|
|
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
|
|
imagePullPolicy: IfNotPresent
|
|
resources:
|
|
limits:
|
|
cpu: 2
|
|
memory: 3500Mi
|
|
requests:
|
|
cpu: 250m
|
|
memory: 1024Mi
|
|
ports:
|
|
- containerPort: 8140
|
|
name: puppetserver
|
|
envFrom:
|
|
- configMapRef:
|
|
name: puppetserver-master-config
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
periodSeconds: 30
|
|
successThreshold: 1
|
|
tcpSocket:
|
|
port: 8140
|
|
timeoutSeconds: 10
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /status/v1/simple
|
|
port: 8140
|
|
scheme: HTTPS
|
|
periodSeconds: 60
|
|
successThreshold: 1
|
|
timeoutSeconds: 20
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
add:
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
- CAP_DAC_OVERRIDE
|
|
- CAP_AUDIT_WRITE
|
|
- CAP_FOWNER
|
|
- CHOWN
|
|
- SETUID
|
|
- SETGID
|
|
- DAC_OVERRIDE
|
|
- AUDIT_WRITE
|
|
- FOWNER
|
|
drop:
|
|
- all
|
|
startupProbe:
|
|
failureThreshold: 30
|
|
periodSeconds: 60
|
|
tcpSocket:
|
|
port: 8140
|
|
volumeMounts:
|
|
- mountPath: /etc/puppetlabs/puppet/
|
|
name: puppet-puppet-storage
|
|
- mountPath: /etc/puppetlabs/puppetserver/ca/
|
|
name: puppet-ca-storage
|
|
- mountPath: /var/lib/puppet/keys/
|
|
name: eyaml-keys
|
|
readOnly: true
|
|
- mountPath: /opt/bin/
|
|
name: puppet-shared-bins
|
|
- mountPath: /opt/vault-ca-cert.crt
|
|
name: vault-ca-cert
|
|
subPath: ca.crt
|
|
initContainers:
|
|
- name: perms-and-dirs
|
|
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- sh
|
|
- -c
|
|
args:
|
|
- |
|
|
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
|
|
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh
|
|
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh
|
|
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh
|
|
bash /etc/puppetlabs/puppet/check_for_masters.sh
|
|
mkdir -p /etc/puppetlabs/code/environments
|
|
mkdir -p /etc/puppetlabs/puppet/manifests
|
|
chown -R puppet:puppet /etc/puppetlabs
|
|
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
|
|
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
|
|
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
|
|
envFrom:
|
|
- configMapRef:
|
|
name: puppetserver-init-config
|
|
resources:
|
|
limits:
|
|
cpu: 300m
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 200m
|
|
memory: 128Mi
|
|
securityContext:
|
|
runAsUser: 0
|
|
runAsNonRoot: false
|
|
capabilities:
|
|
add:
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
- CAP_DAC_OVERRIDE
|
|
- CAP_AUDIT_WRITE
|
|
- CAP_FOWNER
|
|
- CHOWN
|
|
- SETUID
|
|
- SETGID
|
|
- DAC_OVERRIDE
|
|
- AUDIT_WRITE
|
|
- FOWNER
|
|
drop:
|
|
- all
|
|
volumeMounts:
|
|
- mountPath: /etc/puppetlabs/puppet/
|
|
name: puppet-puppet-storage
|
|
- mountPath: /tmp/puppet/configmap/check_for_masters.sh
|
|
name: init-masters-volume
|
|
subPath: check_for_masters.sh
|
|
securityContext:
|
|
fsGroup: 999
|
|
volumes:
|
|
- name: puppet-ca-storage
|
|
persistentVolumeClaim:
|
|
claimName: puppetserver-ca-claim
|
|
- name: puppet-puppet-storage
|
|
persistentVolumeClaim:
|
|
claimName: puppetserver-puppet-claim
|
|
- configMap:
|
|
name: puppetserver-init-masters-config
|
|
name: init-masters-volume
|
|
- name: eyaml-keys
|
|
secret:
|
|
secretName: eyaml-keys
|
|
defaultMode: 0600
|
|
- name: puppet-shared-bins
|
|
persistentVolumeClaim:
|
|
claimName: puppet-shared-bins
|
|
- name: vault-ca-cert
|
|
secret:
|
|
secretName: vault-ca-cert
|