path: root/infra/kubernetes/nixery/config.yaml
# Deploys an instance of Nixery into the cluster.
#
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
#
# The 'nixery-keys' secret was configured manually using a created
# service account key. This does not use metadata-based authentication
# due to the requirement for having an actual PEM-key to sign with.
---
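# Nixery Deployment: one replica, configured through the template
# variables .bucket, .port, .account and .repo, with its credentials
# supplied as files from the 'nixery-secrets' Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nixery
  # NOTE(review): kube-public is conventionally used for data meant to be
  # readable cluster-wide. The Secret mounted below lives in this same
  # namespace, so confirm that no Role/ClusterRole binding grants read
  # access to Secrets here.
  namespace: kube-public
  labels:
    app: nixery
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nixery
  template:
    metadata:
      labels:
        app: nixery
    spec:
      # NOTE(review): no securityContext and no resource requests/limits
      # are set, so the container runs with the image's and the cluster's
      # defaults. Confirm that is intended for a pod holding signing keys.
      containers:
        - name: nixery
          # NOTE(review): ':demo' is a mutable tag and the pull policy is
          # Always, so each pod start runs whatever the registry currently
          # serves under that tag. Pinning by digest would make the
          # deployed image auditable.
          image: eu.gcr.io/tazjins-infrastructure/nixery:demo
          imagePullPolicy: Always
          volumeMounts:
            - name: nixery-secrets
              mountPath: /var/nixery
          env:
            # Templated values are quoted so that the rendered manifest
            # always carries a YAML string (env values must be strings);
            # an unquoted value that renders as empty, numeric or
            # boolean-looking would otherwise be retyped by the parser.
            # Assumes the values contain no double quotes or backslashes.
            - name: BUCKET
              value: "{{ .bucket }}"
            - name: PORT
              value: "{{ .port }}"
            # The three paths below point into the secret volume mounted
            # at /var/nixery.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/nixery/gcs-key.json
            - name: GCS_SIGNING_KEY
              value: /var/nixery/gcs-key.pem
            - name: GCS_SIGNING_ACCOUNT
              value: "{{ .account }}"
            # ssh is pointed at a config file that also comes from the
            # secret volume; its contents (identity, host-key checking)
            # are not visible in this manifest.
            - name: GIT_SSH_COMMAND
              value: 'ssh -F /var/nixery/ssh_config'
            - name: NIXERY_PKGS_REPO
              value: "{{ .repo }}"
      volumes:
        - name: nixery-secrets
          secret:
            # NOTE(review): the file header calls this secret
            # 'nixery-keys', while the manifest references
            # 'nixery-secrets'; confirm which name is current.
            secretName: nixery-secrets
            # 256 decimal == 0400 octal: owner read-only. Written in
            # decimal so it reads the same under YAML 1.1 and 1.2.
            defaultMode: 256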
---
# Service exposing the pods labelled app=nixery through a LoadBalancer.
apiVersion: v1
kind: Service
metadata:
  name: nixery
  namespace: kube-public
  annotations:
    # GKE annotation requesting an internal (VPC-only) load balancer
    # instead of an external one.
    cloud.google.com/load-balancer-type: 'Internal'
spec:
  selector:
    app: nixery
  type: LoadBalancer
  ports:
    # Plain TCP on port 80; no TLS is configured at this layer.
    # NOTE(review): targetPort is fixed at 8080, while the container's
    # PORT is a template value; confirm the two agree.
    - protocol: TCP
      port: 80
      targetPort: 8080