argocd-apps/apps/base/artifactapi/api-deployment.yaml
unkinben 9d4739505d
feat(artifactapi): mount terraform registry signing key
Wires the GPG signing key the terraform provider registry needs into the api
deployment. The secret is mounted optional so the pod runs before it exists;
artifactapi leaves the registry disabled until a readable key is present.

- mount secret artifactapi-tf-signing at /etc/artifactapi/tf-signing (optional)
- set TF_SIGNING_KEY_PATH to the mounted key file, and TF_SIGNING_KEY_PASSPHRASE
  from the secret's optional `passphrase` key (unset when that key is absent)

Create the secret out of band with an armored private key:
  kubectl -n artifactapi create secret generic artifactapi-tf-signing \
    --from-file=private-key.asc=./private-key.asc
2026-07-03 18:40:08 +10:00

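---
# artifactapi API Deployment.
#
# Trust material: the combine-certs init container concatenates the distro CA
# bundle with the Vault CA into an emptyDir that the api mounts read-only at
# /etc/ssl/combined. Signing material: the Terraform provider registry GPG key
# comes from the optional secret artifactapi-tf-signing (created out of band).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: artifactapi
  annotations:
    # Stakater Reloader rolls the pods when a referenced ConfigMap/Secret
    # changes; this is also how a rotated signing key reaches the process.
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: api
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: api
    spec:
      # NOTE(review): the SA token is mounted explicitly. Nothing in this
      # manifest shows the api calling the Kubernetes API; keep it only if the
      # Vault login uses the kubernetes auth method, otherwise set it to false.
      automountServiceAccountToken: true
      securityContext:
        # Baseline syscall filter; harmless for a plain HTTP service.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Builds one CA bundle so the api can verify public endpoints and Vault
        # with a single trust store.
        - name: combine-certs
          # TODO(review): pin to an immutable digest (alpine:3@sha256:...).
          # A floating major tag makes this init step unreproducible.
          image: alpine:3
          command:
            - sh
            - -c
            # cat exits non-zero when either input is missing, so a missing
            # Vault CA fails the pod instead of silently producing a bundle
            # without it.
            - cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # Init containers count against namespace quota too; without requests
          # the pod is rejected wherever a LimitRange/ResourceQuota is enforced.
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 100m
              memory: 64Mi
          volumeMounts:
            - name: vault-ca-cert
              mountPath: /custom-ca
              readOnly: true
            - name: combined-certs
              mountPath: /combined-certs
      containers:
        - name: api
          image: git.unkin.net/unkin/artifactapi:v3.7.3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000
              name: http
              protocol: TCP
          envFrom:
            - configMapRef:
                name: api-env
                optional: false
            - secretRef:
                name: environment
                optional: false
          env:
            # Terraform provider registry signing. The secret is mounted
            # optional so the pod runs before it exists; artifactapi keeps the
            # registry disabled until a readable key is present. A misspelled
            # secret name therefore also just leaves the registry disabled —
            # check the api's startup log after creating the secret.
            - name: TF_SIGNING_KEY_PATH
              value: /etc/artifactapi/tf-signing/private-key.asc
            # NOTE(review): the passphrase travels as an environment variable,
            # readable via `kubectl exec … env` and /proc/<pid>/environ. The
            # whole secret is already mounted below, so a `passphrase` key also
            # exists as a file there; prefer a path variable once artifactapi
            # supports one.
            - name: TF_SIGNING_KEY_PASSPHRASE
              valueFrom:
                secretKeyRef:
                  name: artifactapi-tf-signing
                  key: passphrase
                  optional: true
          # Hardening that does not depend on the image's UID. runAsNonRoot and
          # readOnlyRootFilesystem are deliberately not set here — confirm the
          # image's user and writable paths before adding them.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # NOTE(review): nothing in this file points the process at the
            # combined bundle (e.g. SSL_CERT_FILE); presumably api-env does.
            - name: combined-certs
              mountPath: /etc/ssl/combined
              readOnly: true
            - name: tf-signing-key
              mountPath: /etc/artifactapi/tf-signing
              readOnly: true
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          resources:
            limits:
              cpu: "1"
              memory: 4Gi
            requests:
              cpu: 100m
              memory: 256Mi
      volumes:
        - name: vault-ca-cert
          secret:
            secretName: vault-ca-cert
            items:
              - key: ca.crt
                path: ca.crt
        - name: combined-certs
          emptyDir: {}
        - name: tf-signing-key
          secret:
            secretName: artifactapi-tf-signing
            # Optional on purpose: see the TF_SIGNING_KEY_PATH comment above.
            optional: true
            # TODO(review): secret files are projected 0644 by default, readable
            # by every UID in the container. Once the api's runtime UID/fsGroup
            # is known, set defaultMode: 0400 (or 0440 with a matching fsGroup)
            # so the private key is not world-readable inside the pod.
      restartPolicy: Always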