zware/JFrog-Cloud-Installers
1
0
Fork 0
mirror of https://github.com/ZwareBear/JFrog-Cloud-Installers.git synced 2026-01-21 07:06:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
5eea6a893b53194589168356bd8372ecb0a4b128
JFrog-Cloud-Installers/Openshift4/helm/openshift-pipelines/charts/pipelines/templates/vault-statefulset.yaml
John Peterson c19effd7e7 JFrog Pipelines v1.8.0 as Openshift helm and operator
2020-10-12 10:19:10 -07:00

198 lines
7.0 KiB
YAML
Raw Blame History

{{- if .Values.vault.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "pipelines.vault.name" . }}
labels:
{{- include "pipelines.labels" . | nindent 4 }}
component: {{ include "pipelines.vault.name" . }}
spec:
serviceName: {{ include "pipelines.vault.name" . }}-headless
replicas: 1
updateStrategy:
type: {{ .Values.vault.updateStrategy }}
selector:
matchLabels:
{{- include "pipelines.selectorLabels" . | nindent 6 }}
component: {{ include "pipelines.vault.name" . }}
template:
metadata:
labels:
{{- include "pipelines.selectorLabels" . | nindent 8 }}
component: {{ include "pipelines.vault.name" . }}
spec:
serviceAccountName: {{ include "pipelines.vault.name" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
initContainers:
{{- with .Values.vault.customInitContainersBegin }}
{{- tpl . $ | nindent 8 }}
{{- end }}
- name: config
image: '{{ .Values.initContainer.image }}'
imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
resources:
{{ toYaml .Values.initContainers.resources | nindent 12 }}
env:
- name: PIPELINES_SHARED_DB_CONNECTIONSTRING
valueFrom:
secretKeyRef:
name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }}
key: postgresql-url
command: ["/bin/sh", "-c"]
args:
- |
cat > /etc/vault/config/vault.hcl <<EOF
listener "tcp" {
address = "0.0.0.0:30100"
tls_disable = 1
}
storage "postgresql" {
connection_url = "${PIPELINES_SHARED_DB_CONNECTIONSTRING}"
}
max_lease_ttl = "768h"
disable_mlock = {{ .Values.vault.disablemlock }}
EOF
volumeMounts:
- name: vault-config
mountPath: /etc/vault/config
- name: wait-for-db
image: '{{ .Values.initContainer.image }}'
imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
resources:
{{ toYaml .Values.initContainers.resources | nindent 12 }}
command:
- 'sh'
- '-c'
- >
echo "Waiting for Postgres to come up...";
{{- if .Values.postgresql.enabled }}
until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do
{{- else }}
until nc -z -w 2 {{ tpl .Values.global.postgresql.host . }} {{ .Values.global.postgresql.port }} && echo database ok; do
{{- end }}
sleep 2;
done;
sleep 10;
- name: create-vault-table
image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelinesInit.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }}
resources:
{{ toYaml .Values.initContainers.resources | nindent 12 }}
env:
- name: PIPELINES_SHARED_DB_CONNECTIONSTRING
valueFrom:
secretKeyRef:
name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }}
key: postgresql-url
command:
- 'sh'
- '-c'
- >
echo "Copy system.yaml to {{ .Values.pipelines.mountPath }}";
cp -fv /tmp/etc/system.yaml {{ .Values.pipelines.mountPath }}/system.yaml;
echo "Creating Vault Table...";
./pipelines-k8s initVault;
volumeMounts:
- name: jfrog-pipelines-folder
mountPath: {{ .Values.pipelines.mountPath }}
- name: systemyaml
mountPath: "/tmp/etc/system.yaml"
subPath: system.yaml
{{- with .Values.vault.customInitContainers }}
{{- tpl . $ | nindent 8 }}
{{- end }}
containers:
- name: vault-init
image: "{{ .Values.imageRegistry }}/{{ .Values.vault.init.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
imagePullPolicy: {{ .Values.vault.init.image.pullPolicy }}
env:
- name: CHECK_INTERVAL
value: "10s"
- name: VAULT_NAMESPACE
value: {{ .Release.Namespace }}
- name: VAULT_ADDRESS
value: "http://localhost:30100"
resources:
requests:
memory: 10Mi
cpu: 10m
limits:
memory: 50Mi
cpu: 50m
- name: vault
image: "{{ .Values.vault.image.repository }}:{{ .Values.vault.image.tag }}"
imagePullPolicy: {{ .Values.vault.image.pullPolicy }}
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: "status.podIP"
- name: "VAULT_API_ADDR"
value: "http://$(POD_IP):30100"
- name: "VAULT_CLUSTER_ADDR"
value: "http://$(POD_IP):30101"
args:
- "server"
- "-config=/etc/vault/config/vault.hcl"
ports:
- name: http
containerPort: 30100
protocol: "TCP"
- name: server
containerPort: 30101
protocol: "TCP"
readinessProbe:
httpGet:
path: "/v1/sys/health?standbyok=true"
port: 30100
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
resources:
{{- toYaml .Values.vault.resources | nindent 12 }}
securityContext:
capabilities:
add:
- IPC_LOCK
volumeMounts:
- name: vault-config
mountPath: /etc/vault/config
{{- with .Values.vault.customVolumeMounts }}
{{ tpl . $ | indent 12 }}
{{- end }}
{{- with .Values.vault.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.vault.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.vault.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
{{- with .Values.vault.customVolumes }}
{{ tpl . $ | nindent 8 }}
{{- end }}
- name: vault-config
emptyDir: {}
- name: jfrog-pipelines-folder
emptyDir: {}
- name: systemyaml
secret:
secretName: {{ .Values.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "system-yaml") }}
{{- if .Values.vault.configMaps }}
- name: vault-configmaps
configMap:
name: {{ include "pipelines.vault.name" . }}-configmaps
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink