2512ea4256
Apart from the fact that TLS certificate provisioning is very wonky, it seems to be working now. AFAICT the L7 LBs still don't support path rewriting, which means that this is likely not the final configuration and it will move behind nginx instead.
---
# Credentials that the sync-gcsr container reads through secretKeyRef.
# Values under `data` are base64-encoded. That is an encoding, not
# encryption, so the rendered manifest must be handled as sensitive.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gcsr-secrets
data:
  # Static account name, already base64-encoded.
  username: 'Z2l0LXRhemppbi5nbWFpbC5jb20='
  # This credential is a GCSR 'gitcookie' token. The value is produced when
  # the template is rendered (passLookup piped through b64enc), so the token
  # itself is not written into this file.
  password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
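---
# cgit web frontend plus a sync-gcsr sidecar. Both containers mount the same
# `git-volume` emptyDir at /git.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cgit
  labels:
    app: cgit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cgit
  template:
    metadata:
      labels:
        app: cgit
    spec:
      # Pod-level settings: they apply to both containers below.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Enforce what runAsUser already implies: the kubelet refuses to
        # start a container as UID 0, even if runAsUser is later removed or
        # overridden per container.
        runAsNonRoot: true
      # NOTE(review): neither container sets allowPrivilegeEscalation: false,
      # drops capabilities or declares resource limits. Consider adding them
      # once it is confirmed the images do not depend on the defaults.
      # NOTE(review): if nothing in this pod calls the Kubernetes API,
      # automountServiceAccountToken: false would keep the service account
      # token out of both containers. Confirm before enabling.
      containers:
        # Web-facing container. It has no reference to gcsr-secrets.
        - name: cgit
          image: nixery.local/shell/services.cgit-taz:{{ gitHEAD }}
          command: ["cgit-launch"]
          env:
            - name: HOME
              value: /git
          volumeMounts:
            - name: git-volume
              mountPath: /git
        # Sidecar that holds the GCSR credentials. Only this container gets
        # SYNC_USER and SYNC_PASS.
        # NOTE(review): /git is shared with the cgit container (and is its
        # HOME), so anything the sync process writes there is readable by the
        # web-facing container. Confirm credentials are never persisted
        # under /git.
        - name: sync-gcsr
          image: nixery.local/shell/services.sync-gcsr:{{ gitHEAD }}
          command: ["sync-gcsr"]
          env:
            - name: SYNC_USER
              valueFrom:
                secretKeyRef:
                  name: gcsr-secrets
                  key: username
            - name: SYNC_PASS
              valueFrom:
                secretKeyRef:
                  name: gcsr-secrets
                  key: password
          volumeMounts:
            - name: git-volume
              mountPath: /git
      volumes:
        # emptyDir contents are deleted when the pod is removed, so /git
        # starts out empty on every new pod.
        - name: git-volume
          emptyDir: {}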
---
# Routes service port 2448 to port 8080 on pods labelled app: cgit.
apiVersion: v1
kind: Service
metadata:
  name: cgit
spec:
  # NodePort also opens an allocated port on every cluster node.
  # NOTE(review): confirm node firewall rules restrict that port to the
  # load balancer in front of this service.
  type: NodePort
  selector:
    app: cgit
  ports:
    # cgit
    - port: 2448
      targetPort: 8080
      protocol: TCP