apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ include "pipelines.services.name" . }} labels: {{- include "pipelines.labels" . | nindent 4 }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless {{- if not .Values.pipelines.autoscaling.enabled }} replicas: {{ .Values.pipelines.replicaCount }} {{- end }} updateStrategy: type: {{ .Values.pipelines.updateStrategy }} selector: matchLabels: {{- include "pipelines.selectorLabels" . | nindent 6 }} component: {{ include "pipelines.services.name" . }} template: metadata: labels: {{- include "pipelines.selectorLabels" . | nindent 8 }} component: {{ include "pipelines.services.name" . }} annotations: checksum/systemyaml: {{ include (print $.Template.BasePath "/pipelines-system-yaml.yaml") . | sha256sum }} checksum/secretdb: {{ include (print $.Template.BasePath "/database-secret.yaml") . | sha256sum }} checksum/secretaws: {{ include (print $.Template.BasePath "/buildplane-secret-aws.yaml") . | sha256sum }} checksum/configaws: {{ include (print $.Template.BasePath "/buildplane-config-aws.yaml") . | sha256sum }} checksum/secretk8s: {{ include (print $.Template.BasePath "/buildplane-secret-k8s.yaml") . | sha256sum }} checksum/configk8s: {{ include (print $.Template.BasePath "/buildplane-config-k8s.yaml") . | sha256sum }} checksum/configfilebeat: {{ include (print $.Template.BasePath "/filebeat-config.yaml") . | sha256sum }} spec: serviceAccountName: {{ include "pipelines.fullname" . }} {{- if .Values.imagePullSecrets }} imagePullSecrets: - name: {{ .Values.imagePullSecrets }} {{- end }} initContainers: {{- with .Values.pipelines.customInitContainersBegin }} {{- tpl . $ | nindent 8 }} {{- end }} - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} securityContext: allowPrivilegeEscalation: false command: - '/bin/sh' - '-c' - > echo "Copy system.yaml to {{ .Values.pipelines.mountPath }}"; cp -fv /tmp/etc/system.yaml {{ .Values.pipelines.mountPath }}/system.yaml; volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: systemyaml mountPath: "/tmp/etc/system.yaml" subPath: system.yaml - name: wait-for-vault image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} securityContext: allowPrivilegeEscalation: false command: - 'sh' - '-c' - > echo "Waiting for Vault to come up..."; {{- if .Values.vault.enabled }} until nc -z -w 2 {{ include "pipelines.vault.name" . }} {{ .Values.vault.service.port }} && echo Vault ok; do {{- else }} until nc -z -w 2 {{ tpl .Values.global.vault.host . }} {{ .Values.global.vault.port }} && echo Vault ok; do {{- end }} sleep 2; done; - name: pipelines-installer image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelinesInit.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} securityContext: allowPrivilegeEscalation: false runAsUser: 0 env: - name: VAULT_TOKEN valueFrom: secretKeyRef: name: {{ .Values.global.vault.existingSecret | default (printf "%s" "root-vault-secret") }} key: token {{- if .Values.vault.enabled }} - name: PIPELINES_SHARED_DB_CONNECTIONSTRING valueFrom: secretKeyRef: name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }} key: postgresql-url {{- end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: fieldPath: "metadata.name" command: - 'sh' - '-c' - > {{- if .Values.rabbitmq.enabled }} echo "Waiting for RabbitMQ to come up..."; until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.port }} && echo rabbitmq ok; do sleep 2; done; {{- end }} {{- if .Values.redis.enabled }} echo "Waiting for Redis to come up..."; until nc -z -w 2 {{ .Release.Name }}-redis-master {{ .Values.redis.redisPort }} && echo redis ok; do sleep 2; done; {{- end }} sleep 20; ./pipelines-k8s; volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - name: buildplane-creds-aws mountPath: {{ .Values.pipelines.mountPath }}/buildplane-creds readOnly: true - name: buildplane-config-aws mountPath: {{ .Values.pipelines.mountPath }}/buildplane-config readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - name: buildplane-creds-k8s mountPath: {{ .Values.pipelines.mountPath }}/buildplane-creds readOnly: true - name: buildplane-config-k8s mountPath: {{ .Values.pipelines.mountPath }}/buildplane-config readOnly: true {{- end }} {{- with .Values.pipelines.customInitContainers }} {{- tpl . $ | nindent 8 }} {{- end }} containers: {{- if .Values.filebeat.enabled }} - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} args: - "-e" - "-E" - "http.enabled=true" securityContext: runAsUser: 0 resources: {{ toYaml .Values.filebeat.resources | nindent 12 }} volumeMounts: - name: filebeat-config mountPath: /usr/share/filebeat/filebeat.yml readOnly: true subPath: filebeat.yml - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- end }} - name: router image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.router.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} env: {{- if not .Values.router.routerConfiguration }} - name: JF_ROUTER_SERVICEREGISTRY_URL value: "{{ tpl .Values.pipelines.jfrogUrl . }}/access" {{- end }} - name: JF_ROUTER_SERVICEREGISTRY_GRPCADDRESS value: "{{ include "pipelines.grpc.url" . }}" - name: JF_ROUTER_ENTRYPOINTS_INTERNALPORT value: "{{ .Values.pipelines.router.internalPort }}" - name: JF_ROUTER_ENTRYPOINTS_EXTERNALPORT value: "{{ .Values.pipelines.router.externalPort }}" - name: JF_ROUTER_LOGGING_ROUTER_LOGLEVEL value: "DEBUG" - name: JF_SHARED_NODE_ID valueFrom: fieldRef: fieldPath: "metadata.name" - name: JF_SHARED_NODE_IP valueFrom: fieldRef: fieldPath: "status.podIP" - name: JF_SHARED_SECURITY_JOINKEY value: "{{ .Values.pipelines.joinKey }}" - name: JF_ROUTER_ENCRYPTSYSTEMCONFIG value: "true" ports: - name: router containerPort: {{ .Values.pipelines.router.internalPort }} securityContext: allowPrivilegeEscalation: false resources: {{ toYaml .Values.pipelines.router.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.router.mountPath }} - name: api image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.api.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.api.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false runAsUser: 0 env: - name: PIPELINES_NODE_ID valueFrom: fieldRef: fieldPath: "metadata.name" ports: - name: api containerPort: 30000 {{- if .Values.pipelines.api.livenessProbe.enabled }} livenessProbe: httpGet: path: {{ .Values.pipelines.api.livenessProbe.path}} port: {{ .Values.pipelines.api.livenessProbe.port}} initialDelaySeconds: {{ .Values.pipelines.api.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.pipelines.api.livenessProbe.timeoutSeconds }} periodSeconds: {{ .Values.pipelines.api.livenessProbe.timeoutSeconds }} failureThreshold: {{ .Values.pipelines.api.livenessProbe.failureThreshold }} successThreshold: {{ .Values.pipelines.api.livenessProbe.successThreshold }} {{- end }} {{- if .Values.pipelines.api.readinessProbe.enabled }} readinessProbe: httpGet: path: {{ .Values.pipelines.api.readinessProbe.path}} port: {{ .Values.pipelines.api.readinessProbe.port}} initialDelaySeconds: {{ .Values.pipelines.api.readinessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.pipelines.api.readinessProbe.timeoutSeconds }} periodSeconds: {{ .Values.pipelines.api.readinessProbe.timeoutSeconds }} failureThreshold: {{ .Values.pipelines.api.readinessProbe.failureThreshold }} successThreshold: {{ .Values.pipelines.api.readinessProbe.successThreshold }} {{- end }} resources: {{- toYaml .Values.pipelines.api.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- with .Values.pipelines.customVolumeMounts }} {{ tpl . $ | nindent 10 }} {{- end }} - name: www image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.www.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.www.image.pullPolicy }} ports: - name: www containerPort: 30001 {{- if .Values.pipelines.www.livenessProbe.enabled }} livenessProbe: httpGet: path: {{ .Values.pipelines.www.livenessProbe.path}} port: {{ .Values.pipelines.www.livenessProbe.port}} initialDelaySeconds: {{ .Values.pipelines.www.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.pipelines.www.livenessProbe.timeoutSeconds }} periodSeconds: {{ .Values.pipelines.www.livenessProbe.timeoutSeconds }} failureThreshold: {{ .Values.pipelines.www.livenessProbe.failureThreshold }} successThreshold: {{ .Values.pipelines.www.livenessProbe.successThreshold }} {{- end }} {{- if .Values.pipelines.www.readinessProbe.enabled }} readinessProbe: httpGet: path: {{ .Values.pipelines.www.readinessProbe.path}} port: {{ .Values.pipelines.www.readinessProbe.port}} initialDelaySeconds: {{ .Values.pipelines.www.readinessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.pipelines.www.readinessProbe.timeoutSeconds }} periodSeconds: {{ .Values.pipelines.www.readinessProbe.timeoutSeconds }} failureThreshold: {{ .Values.pipelines.www.readinessProbe.failureThreshold }} successThreshold: {{ .Values.pipelines.www.readinessProbe.successThreshold }} {{- end }} resources: {{- toYaml .Values.pipelines.www.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- with .Values.pipelines.customVolumeMounts }} {{ tpl . $ | indent 10 }} {{- end }} - name: pipelinesync image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelineSync.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.pipelineSync.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync securityContext: allowPrivilegeEscalation: false runAsUser: 0 env: - name: COMPONENT value: pipelinesync resources: {{- toYaml .Values.pipelines.pipelineSync.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: runtrigger image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.runTrigger.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.runTrigger.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/runTrigger env: - name: COMPONENT value: runtrigger resources: {{- toYaml .Values.pipelines.runTrigger.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: steptrigger image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.stepTrigger.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.stepTrigger.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/stepTrigger env: - name: COMPONENT value: steptrigger resources: {{- toYaml .Values.pipelines.stepTrigger.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: cron image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.cron.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.cron.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/cron env: - name: COMPONENT value: cron resources: {{- toYaml .Values.pipelines.cron.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: nexec image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.nexec.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.nexec.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/nexec securityContext: allowPrivilegeEscalation: false runAsUser: 0 env: - name: COMPONENT value: nexec resources: {{- toYaml .Values.pipelines.nexec.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: hookhandler image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.hookHandler.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.hookHandler.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/hookHandler env: - name: COMPONENT value: hookhandler resources: {{- toYaml .Values.pipelines.hookHandler.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: marshaller image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.marshaller.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.marshaller.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/marshaller env: - name: COMPONENT value: marshaller resources: {{- toYaml .Values.pipelines.marshaller.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: logup image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.logup.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.logup.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/logup env: - name: COMPONENT value: logup resources: {{- toYaml .Values.pipelines.logup.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - name: extensionsync image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.extensionSync.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" imagePullPolicy: {{ .Values.pipelines.extensionSync.image.pullPolicy }} workingDir: /opt/jfrog/pipelines/app/micro/extensionSync env: - name: COMPONENT value: extensionsync resources: {{- toYaml .Values.pipelines.extensionSync.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- with .Values.pipelines.customSidecarContainers }} {{ tpl . $ | nindent 8 }} {{- end }} {{- with .Values.pipelines.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.pipelines.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.pipelines.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} volumes: {{- with .Values.pipelines.customVolumes }} {{ tpl . $ | nindent 6 }} {{- end }} - name: jfrog-pipelines-folder emptyDir: {} - name: jfrog-pipelines-logs emptyDir: {} - name: systemyaml secret: secretName: {{ .Values.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "system-yaml") }} {{- if .Values.pipelines.configMaps }} - name: pipelines-configmaps configMap: name: {{ include "pipelines.fullname" . }}-configmaps {{- end }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - name: buildplane-creds-aws secret: secretName: {{ .Values.buildPlane.dynamic.provider.aws.existingSecret | default (printf "%s-dynamic-buildplane-creds-aws" (include "pipelines.fullname" .)) }} - name: buildplane-config-aws configMap: name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-aws {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - name: buildplane-creds-k8s secret: secretName: {{ .Values.buildPlane.dynamic.provider.k8s.existingSecret | default (printf "%s-dynamic-buildplane-creds-k8s" (include "pipelines.fullname" .)) }} - name: buildplane-config-k8s configMap: name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-k8s {{- end }} {{- if .Values.filebeat.enabled }} - name: filebeat-config configMap: name: {{ include "pipelines.fullname" . }}-filebeat-config {{- end }}