283951388c
Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now.
65 lines
1.6 KiB
YAML
65 lines
1.6 KiB
YAML
# Deploys an instance of Nixery into the cluster.
|
|
#
|
|
# The service via which Nixery is exposed has a private DNS entry
|
|
# pointing to it, which makes it possible to resolve `nixery.local`
|
|
# in-cluster without things getting nasty.
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: nixery
|
|
namespace: kube-public
|
|
labels:
|
|
app: nixery
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: nixery
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: nixery
|
|
spec:
|
|
containers:
|
|
- name: nixery
|
|
image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
|
|
volumeMounts:
|
|
- name: nixery-secrets
|
|
mountPath: /var/nixery
|
|
env:
|
|
- name: BUCKET
|
|
value: {{ .bucket}}
|
|
- name: PORT
|
|
value: "{{ .port }}"
|
|
- name: GOOGLE_APPLICATION_CREDENTIALS
|
|
value: /var/nixery/gcs-key.json
|
|
- name: GCS_SIGNING_KEY
|
|
value: /var/nixery/gcs-key.pem
|
|
- name: GCS_SIGNING_ACCOUNT
|
|
value: {{ .account }}
|
|
- name: GIT_SSH_COMMAND
|
|
value: 'ssh -F /var/nixery/ssh_config'
|
|
- name: NIXERY_PKGS_REPO
|
|
value: {{ .repo }}
|
|
volumes:
|
|
- name: nixery-secrets
|
|
secret:
|
|
secretName: nixery-secrets
|
|
defaultMode: 256
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: nixery
|
|
namespace: kube-public
|
|
annotations:
|
|
cloud.google.com/load-balancer-type: "Internal"
|
|
spec:
|
|
selector:
|
|
app: nixery
|
|
type: LoadBalancer
|
|
ports:
|
|
- protocol: TCP
|
|
port: 80
|
|
targetPort: 8080
|