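# This file is part of kuberpult.

# Kuberpult is free software: you can redistribute it and/or modify
# it under the terms of the Expat(MIT) License as published by
# the Free Software Foundation.

# Kuberpult is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# MIT License for more details.

# You should have received a copy of the MIT License
# along with kuberpult. If not, see <https://directory.fsf.org/wiki/License:Expat>.

# Copyright 2023 freiheit.com

# Renders everything the cd-service needs: its Deployment, a NodePort Service,
# the ssh Secret and - depending on values - the datadog Secret, the pgp keyring
# ConfigMap, the GKE BackendConfig, the environment-configs ConfigMap and the
# dex RBAC policy ConfigMap.

{{- if .Values.cd.tag }}
{{ fail "Values.cd.tag cannot be used anymore. We only support the same appVersion for all services at this point."}}
{{ end -}}

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuberpult-cd-service
  labels:
    app: kuberpult-cd-service
{{- if .Values.datadogTracing.enabled }}
    tags.datadoghq.com/service: kuberpult-cd-service
    # Quoted: label values must be strings, and an appVersion or environment that
    # looks like a number or boolean (e.g. "1.24", "no") would otherwise be retyped.
    tags.datadoghq.com/version: {{ $.Chart.AppVersion | quote }}
    tags.datadoghq.com/env: {{ .Values.datadogTracing.environment | quote }}
{{- end }}
spec:
  # Generally, it is possible to have multiple instances of the cd-service.
  # However, most time is spent in a `git push`, which cannot be parallelized much.
  # Having multiple instances works when there are only few requests/sec,
  # but it may get inefficient if there are many, since kuberpult then needs
  # to `pull` and `push` more often due to possible conflicts.
  # Therefore, we only allow 1 instance of the cd-service.
  # If you temporarily need 2, that will also work.
  replicas: 1
  selector:
    matchLabels:
      app: kuberpult-cd-service
  template:
    metadata:
      labels:
        app: kuberpult-cd-service
{{- if .Values.datadogTracing.enabled }}
        tags.datadoghq.com/env: {{ .Values.datadogTracing.environment | quote }}
        tags.datadoghq.com/service: kuberpult-cd-service
        tags.datadoghq.com/version: {{ $.Chart.AppVersion | quote }}
      annotations:
        apm.datadoghq.com/env: '{"DD_SERVICE":"kuberpult-cd-service","DD_ENV":"{{ .Values.datadogTracing.environment }}","DD_VERSION":"{{ $.Chart.AppVersion }}"}'
{{- end }}
    spec:
{{- with .Values.imagePullSecrets }}
      imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
      # NOTE(review): no pod or container securityContext (runAsNonRoot,
      # readOnlyRootFilesystem, dropped capabilities) is set here. Whether the
      # image supports running that way is not visible from this chart - confirm
      # before adding one.
      containers:
        - name: service
          image: "{{ .Values.hub }}/{{ .Values.cd.image }}:{{ $.Chart.AppVersion }}"
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: grpc
              containerPort: 8443
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: {{ .Values.cd.probes.readiness.initialDelaySeconds }}
            periodSeconds: {{ .Values.cd.probes.readiness.periodSeconds }}
            successThreshold: {{ .Values.cd.probes.readiness.successThreshold }}
            timeoutSeconds: {{ .Values.cd.probes.readiness.timeoutSeconds }}
            failureThreshold: {{ .Values.cd.probes.readiness.failureThreshold }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: {{ .Values.cd.probes.liveness.initialDelaySeconds }}
            periodSeconds: {{ .Values.cd.probes.liveness.periodSeconds }}
            successThreshold: {{ .Values.cd.probes.liveness.successThreshold }}
            timeoutSeconds: {{ .Values.cd.probes.liveness.timeoutSeconds }}
            failureThreshold: {{ .Values.cd.probes.liveness.failureThreshold }}
          resources:
            limits:
              cpu: "{{ .Values.cd.resources.limits.cpu }}"
              memory: "{{ .Values.cd.resources.limits.memory }}"
            requests:
              cpu: "{{ .Values.cd.resources.requests.cpu }}"
              memory: "{{ .Values.cd.resources.requests.memory }}"
          env:
            - name: KUBERPULT_GIT_URL
              value: {{ required ".Values.git.url is required" .Values.git.url | quote }}
            - name: KUBERPULT_GIT_BRANCH
              value: {{ .Values.git.branch | quote }}
            - name: LOG_FORMAT
              value: {{ .Values.log.format | quote }}
            - name: LOG_LEVEL
              value: {{ .Values.log.level | quote }}
{{- if .Values.argocd.sendWebhook }}
            - name: KUBERPULT_ARGO_CD_SERVER
              value: {{ .Values.argocd.server | quote }}
{{- else }}
            # An empty server address is how the service is told not to call Argo CD.
            - name: KUBERPULT_ARGO_CD_SERVER
              value: ""
{{- end }}
            # NOTE(review): judging by the name this relaxes TLS verification towards
            # the Argo CD server; keep it false outside test setups - confirm in cd-service.
            - name: KUBERPULT_ARGO_CD_INSECURE
              value: {{ .Values.argocd.insecure | quote }}
            - name: KUBERPULT_GIT_WEB_URL
              value: {{ .Values.git.webUrl | quote }}
{{- if .Values.datadogTracing.enabled }}
            # All tracing-related variables are gated on the same flag, so they are
            # rendered from one block instead of three.
            - name: DD_AGENT_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: DD_ENV
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['tags.datadoghq.com/env']
            - name: DD_SERVICE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['tags.datadoghq.com/service']
            - name: DD_VERSION
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['tags.datadoghq.com/version']
            - name: KUBERPULT_ENABLE_TRACING
              value: "{{ .Values.datadogTracing.enabled }}"
            # NOTE(review): this path lives in the `datadog` volume, which is only
            # mounted when datadogProfiling.enabled is set. With tracing on and
            # profiling off the file does not exist - confirm the service tolerates that.
            - name: DD_API_KEY_LOCATION
              value: "/etc/datadog/api-key"
            - name: DD_TRACE_DEBUG
              value: "{{ .Values.datadogTracing.debugging }}"
{{- end }}
{{- if .Values.dogstatsdMetrics.enabled }}
            - name: KUBERPULT_ENABLE_METRICS
              value: "{{ .Values.dogstatsdMetrics.enabled }}"
            - name: KUBERPULT_ENABLE_EVENTS
              value: "{{ .Values.dogstatsdMetrics.eventsEnabled }}"
            - name: KUBERPULT_DOGSTATSD_ADDR
              value: "{{ .Values.dogstatsdMetrics.address }}"
{{- end }}
{{- if .Values.pgp.keyRing }}
            - name: KUBERPULT_PGP_KEY_RING_PATH
              value: /keyring/keyring.gpg
{{- end }}
{{- if .Values.auth.dexAuth.enabled }}
            - name: KUBERPULT_DEX_RBAC_POLICY_PATH
              value: /kuberpult-rbac/policy.csv
{{- end }}
            - name: KUBERPULT_AZURE_ENABLE_AUTH
              value: "{{ .Values.auth.azureAuth.enabled }}"
            - name: KUBERPULT_DEX_ENABLED
              value: "{{ .Values.auth.dexAuth.enabled }}"
{{- if .Values.environment_configs.bootstrap_mode }}
            - name: KUBERPULT_BOOTSTRAP_MODE
              value: "{{ .Values.environment_configs.bootstrap_mode }}"
{{- end }}
            - name: KUBERPULT_ENABLE_SQLITE
              value: "{{ .Values.cd.enableSqlite }}"
            - name: KUBERPULT_GIT_NETWORK_TIMEOUT
              value: "{{ .Values.git.networkTimeout }}"
            - name: KUBERPULT_GIT_WRITE_COMMIT_DATA
              value: "{{ .Values.git.enableWritingCommitData }}"
            - name: KUBERPULT_GIT_MAXIMUM_COMMITS_PER_PUSH
              value: "{{ .Values.git.maximumCommitsPerPush }}"
            - name: KUBERPULT_ENABLE_PROFILING
              value: "{{ .Values.datadogProfiling.enabled }}"
            - name: KUBERPULT_MAXIMUM_QUEUE_SIZE
              value: "{{ .Values.cd.backendConfig.queueSize }}"
          volumeMounts:
            - name: repository
              mountPath: /repository
            - name: ssh
              mountPath: /etc/ssh
{{- if .Values.datadogProfiling.enabled }}
            - name: datadog
              mountPath: /etc/datadog/
{{- end }}
{{- if .Values.pgp.keyRing }}
            - name: keyring
              mountPath: /keyring
{{- end }}
{{- if .Values.auth.dexAuth.enabled }}
            - name: kuberpult-rbac
              mountPath: /kuberpult-rbac
{{- end }}
{{- if .Values.dogstatsdMetrics.enabled }}
            - name: dsdsocket
              mountPath: {{ .Values.dogstatsdMetrics.hostSocketPath | quote }}
              readOnly: true
{{- end }}
{{- if .Values.environment_configs.bootstrap_mode }}
            - name: environment-configs
              mountPath: /environment_configs.json
              subPath: environment_configs.json
{{- end }}
      volumes:
        - name: repository
          # We use emptyDir, because none of our data needs to survive for long (it's all in the github repo).
          # EmptyDir has the nice advantage, that it triggers a restart of the pod and creates a new volume when the current one is full
          # Because of an issue in gitlib2, this actually happens.
          emptyDir:
            sizeLimit: 10Gi
        - name: ssh
          secret:
            secretName: kuberpult-ssh
{{- if .Values.datadogProfiling.enabled }}
        - name: datadog
          secret:
            secretName: kuberpult-datadog
{{- end }}
{{- if .Values.pgp.keyRing }}
        - name: keyring
          configMap:
            name: kuberpult-keyring
{{- end }}
{{- if .Values.environment_configs.bootstrap_mode }}
        - name: environment-configs
          configMap:
            items:
              - key: environment_configs.json
                path: environment_configs.json
            name: environment-configs
{{- end }}
{{- if .Values.auth.dexAuth.enabled }}
        - name: kuberpult-rbac
          configMap:
            name: kuberpult-rbac
{{- end }}
{{- if .Values.dogstatsdMetrics.enabled }}
        # hostPath volumes are rejected by the Pod Security `baseline` profile;
        # a namespace enforcing it needs an exemption when dogstatsd metrics are on.
        - name: dsdsocket
          hostPath:
            path: {{ .Values.dogstatsdMetrics.hostSocketPath | quote }}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: kuberpult-cd-service
{{- if .Values.cd.backendConfig.create }}
  annotations:
    cloud.google.com/backend-config: '{"default": "kuberpult-cd-service"}'
{{- end }}
spec:
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: grpc
      port: 8443
      targetPort: grpc
  selector:
    app: kuberpult-cd-service
  # NodePort makes both the http and the grpc port reachable on every node IP
  # (presumably for the GKE ingress / BackendConfig path below). If the grpc port
  # is not meant to be node-exposed, cover it with a NetworkPolicy or firewall rule.
  type: NodePort
---
apiVersion: v1
kind: Secret
metadata:
  name: kuberpult-ssh
data:
  # b64enc only encodes. The rendered manifest carries the private key in the
  # clear, so supply .Values.ssh.identity at install time (e.g. --set-file or a
  # values file kept out of version control) rather than committing it.
  identity: {{ .Values.ssh.identity | b64enc | quote }}
  ssh_known_hosts: {{ .Values.ssh.known_hosts | b64enc | quote }}
---
{{- if .Values.datadogProfiling.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: kuberpult-datadog
data:
  api-key: {{ .Values.datadogProfiling.apiKey | b64enc | quote }}
---
{{- end }}

{{- if .Values.pgp.keyRing }}
{{- if not (mustRegexMatch "^-----BEGIN PGP PUBLIC KEY BLOCK-----" .Values.pgp.keyRing) }}
{{ fail "The pgp keyring is invalid. Please export it using `gpg --armor --export`"}}
{{ end -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: kuberpult-keyring
data:
  keyring.gpg: {{ .Values.pgp.keyRing | quote }}
---
{{- end }}
{{- if .Values.cd.backendConfig.create }}
---
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: kuberpult-cd-service
spec:
  healthCheck:
    type: HTTP
    requestPath: /healthz
    timeoutSec: {{ .Values.cd.backendConfig.timeoutSec }}
{{- end }}
{{- if .Values.environment_configs.bootstrap_mode }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: environment-configs
data:
  # The error message names the value that actually gates this resource (bootstrap_mode).
  environment_configs.json: {{ required ".Values.environment_configs.environment_configs_json is required when .Values.environment_configs.bootstrap_mode is true" .Values.environment_configs.environment_configs_json | quote }}
{{- end }}
{{- if .Values.auth.dexAuth.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kuberpult-rbac
data:
  policy.csv: {{ .Values.auth.dexAuth.policy_csv | quote }}
{{- end }}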