tvl-depot/infra/kubernetes/nixery/config.yaml

# Deploys an instance of Nixery into the cluster.
#
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
#
# The 'nixery-keys' secret was configured manually using a created
# service account key. This does not use metadata-based authentication
# due to the requirement for having an actual PEM-key to sign with.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nixery
  namespace: kube-public
  labels:
    app: nixery
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nixery
  template:
    metadata:
      labels:
        app: nixery
    spec:
      containers:
      - name: nixery
        image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
        volumeMounts:
          - name: nixery-secrets
            mountPath: /var/nixery
        env:
          - name: BUCKET
            value: {{ .bucket}}
          - name: PORT
            value: "{{ .port }}"
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /var/nixery/gcs-key.json
          - name: GCS_SIGNING_KEY
            value: /var/nixery/gcs-key.pem
          - name: GCS_SIGNING_ACCOUNT
            value: {{ .account }}
          - name: GIT_SSH_COMMAND
            value: 'ssh -F /var/nixery/ssh_config'
          - name: NIXERY_PKGS_REPO
            value: {{ .repo }}
      volumes:
        - name: nixery-secrets
          secret:
            secretName: nixery-secrets
            defaultMode: 256
---
apiVersion: v1
kind: Service
metadata:
  name: nixery
  namespace: kube-public
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
spec:
  selector:
    app: nixery
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
feat(infra/k8s): Deploy Nixery instance to cluster 2019-08-16 19:20:20 +02:00			`# Deploys an instance of Nixery into the cluster.`
			`#`
			`# The service via which Nixery is exposed has a private DNS entry`
			# pointing to it, which makes it possible to resolve `nixery.local`
			`# in-cluster without things getting nasty.`
			`#`
			`# The 'nixery-keys' secret was configured manually using a created`
			`# service account key. This does not use metadata-based authentication`
			`# due to the requirement for having an actual PEM-key to sign with.`
			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: nixery`
			`namespace: kube-public`
			`labels:`
			`app: nixery`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: nixery`
			`template:`
			`metadata:`
			`labels:`
			`app: nixery`
			`spec:`
			`containers:`
			`- name: nixery`
chore(infra/k8s): Bump Nixery image to Cachix-enabled one 2019-08-19 03:43:42 +02:00			`image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}`
feat(infra/k8s): Deploy Nixery instance to cluster 2019-08-16 19:20:20 +02:00			`volumeMounts:`
			`- name: nixery-secrets`
			`mountPath: /var/nixery`
			`env:`
			`- name: BUCKET`
			`value: {{ .bucket}}`
			`- name: PORT`
			`value: "{{ .port }}"`
			`- name: GOOGLE_APPLICATION_CREDENTIALS`
			`value: /var/nixery/gcs-key.json`
			`- name: GCS_SIGNING_KEY`
			`value: /var/nixery/gcs-key.pem`
			`- name: GCS_SIGNING_ACCOUNT`
			`value: {{ .account }}`
			`- name: GIT_SSH_COMMAND`
			`value: 'ssh -F /var/nixery/ssh_config'`
			`- name: NIXERY_PKGS_REPO`
			`value: {{ .repo }}`
			`volumes:`
			`- name: nixery-secrets`
			`secret:`
			`secretName: nixery-secrets`
			`defaultMode: 256`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: nixery`
			`namespace: kube-public`
			`annotations:`
			`cloud.google.com/load-balancer-type: "Internal"`
			`spec:`
			`selector:`
			`app: nixery`
			`type: LoadBalancer`
			`ports:`
			`- protocol: TCP`
			`port: 80`
			`targetPort: 8080`