From dd35be7add227743c6201a8383a8ee29d399dade Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 16 Aug 2019 18:20:20 +0100
Subject: [PATCH] feat(infra/k8s): Deploy Nixery instance to cluster
---
infra/kubernetes/nixery/config.yaml | 69 +++++++++++++++++++++++++++
infra/kubernetes/primary-cluster.yaml | 11 +++++
2 files changed, 80 insertions(+)
create mode 100644 infra/kubernetes/nixery/config.yaml
create mode 100644 infra/kubernetes/primary-cluster.yaml
diff --git a/infra/kubernetes/nixery/config.yaml b/infra/kubernetes/nixery/config.yaml
new file mode 100644
index 000000000..d2b912643
--- /dev/null
+++ b/infra/kubernetes/nixery/config.yaml
@@ -0,0 +1,69 @@
+# Deploys an instance of Nixery into the cluster.
+#
+# The service via which Nixery is exposed has a private DNS entry
+# pointing to it, which makes it possible to resolve `nixery.local`
+# in-cluster without things getting nasty.
+#
+# The 'nixery-keys' secret was configured manually using a created
+# service account key. This does not use metadata-based authentication
+# due to the requirement for having an actual PEM-key to sign with.
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nixery
+ namespace: kube-public
+ labels:
+ app: nixery
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nixery
+ template:
+ metadata:
+ labels:
+ app: nixery
+ spec:
+ containers:
+ - name: nixery
+ image: eu.gcr.io/tazjins-infrastructure/nixery:demo
+ volumeMounts:
+ - name: nixery-secrets
+ mountPath: /var/nixery
+ env:
+ - name: BUCKET
+ value: {{ .bucket}}
+ - name: PORT
+ value: "{{ .port }}"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/nixery/gcs-key.json
+ - name: GCS_SIGNING_KEY
+ value: /var/nixery/gcs-key.pem
+ - name: GCS_SIGNING_ACCOUNT
+ value: {{ .account }}
+ - name: GIT_SSH_COMMAND
+ value: 'ssh -F /var/nixery/ssh_config'
+ - name: NIXERY_PKGS_REPO
+ value: {{ .repo }}
+ volumes:
+ - name: nixery-secrets
+ secret:
+ secretName: nixery-secrets
+ defaultMode: 256
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nixery
+ namespace: kube-public
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
+spec:
+ selector:
+ app: nixery
+ type: LoadBalancer
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080
diff --git a/infra/kubernetes/primary-cluster.yaml b/infra/kubernetes/primary-cluster.yaml
new file mode 100644
index 000000000..8204a876b
--- /dev/null
+++ b/infra/kubernetes/primary-cluster.yaml
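Review bot: The header comment says the secret is `nixery-keys`, but the Deployment's volume at the bottom of the first document references `secretName: nixery-secrets`; one of the two names should be corrected so a reader does not go looking for a secret that is never mounted. The templated env values `{{ .bucket}}`, `{{ .account }}` and `{{ .repo }}` are left unquoted while `{{ .port }}` is quoted; quoting all of them (`value: "{{ .bucket }}"`) keeps an empty or boolean-looking rendered value from being re-typed when the rendered text is parsed, and fixes the uneven spacing in `{{ .bucket}}`. The container is pulled by the mutable tag `nixery:demo` with no digest, and the pod spec sets no securityContext, resource limits or probes, which is worth revisiting for a workload that holds a GCS signing key on disk. Since `defaultMode: 256` is decimal, a short comment such as `# 256 == 0400: key files readable by the owner only` would make the intent obvious, and the header could state why the workload is placed in `kube-public` rather than a dedicated namespace.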
@@ -0,0 +1,11 @@
+# Kontemplate configuration for the primary GKE cluster in the project
+# 'tazjins-infrastructure'.
+---
+context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
+include:
+ - name: nixery
+ values:
+ port: 8080
+ bucket: tazjins-data
+ account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
+ repo: ssh://source.developers.google.com:2022/p/tazjins-infrastructure/r/monorepo
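Review bot: The `port: 8080` value here feeds the container's `PORT` env var in the nixery Deployment, but the Service in `infra/kubernetes/nixery/config.yaml` hard-codes `targetPort: 8080`, so changing only this value would silently break routing to the pod. Either template the Service side as well (`targetPort: {{ .port }}`) or add a comment above the value, `# must match targetPort in nixery/config.yaml`, so the coupling is visible to the next person editing this file. The `account` and `repo` values are fine as plain scalars today, but since they are substituted into unquoted `value:` fields in the template, a short note that they must not be empty or boolean-looking would help.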