github.com/sentienttechnologies/studio-go-runner@v0.0.0-20201118202441-6d21f2ced8ee/examples/local/deployment.yaml (about)

     1  # Copyright (c) 2020 Cognizant Digital Business, Evolutionary AI. All rights reserved. Issued under the Apache 2.0 License.
     2  ---
        # Namespace referenced by the namespaced resources below; the template expression
        # falls back to "local-go-runner" when .Namespace is not supplied.
     3  apiVersion: v1
     4  kind: Namespace
     5  metadata:
     6    name: {{ default "local-go-runner" .Namespace }}
     7  ---
        # Environment shared by the RabbitMQ, MinIO and runner containers in this file; each
        # of them loads this ConfigMap wholesale through envFrom/configMapRef.
        # NOTE(review): the broker and object-store credentials are kept here as ConfigMap
        # data rather than in a Secret, so any identity allowed to read configmaps can read
        # them (studioml-role in this file grants get/list/watch on configmaps). The values
        # are fixed sample credentials; replace them and move them to a Secret for anything
        # beyond a throwaway local cluster.
     8  apiVersion: v1
     9  kind: ConfigMap
    10  metadata:
    11   name: studioml-env
    12   namespace: {{ default "local-go-runner" .Namespace }}
    13  data:
    14   LOGXI_FORMAT: "happy,maxcol=1024"
         # presumably debug-level logging for every logger; verify that debug output does
         # not include credentials or message payloads
    15   LOGXI: "*=DBG"
    16   MESSAGE_CRYPT: "./certs/message"
         # RabbitMQ and MinIO use the same fixed user name and password values.
    17   RABBITMQ_DEFAULT_USER: "UserUser"
    18   RABBITMQ_DEFAULT_PASS: "PasswordPassword"
    19   MINIO_ACCESS_KEY: "UserUser"
    20   MINIO_SECRET_KEY: "PasswordPassword"
    21   MINIO_TEST_SERVER: "${MINIO_SERVICE_SERVICE_HOST}:${MINIO_SERVICE_SERVICE_PORT}"
         # The broker user and password are embedded in this URL, so anything that logs or
         # echoes AMQP_URL also discloses the password.
    22   AMQP_URL: "amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@${RABBITMQ_SERVICE_SERVICE_HOST}:${RABBITMQ_SERVICE_SERVICE_PORT}/%2f?connection_attempts=2&retry_delay=.5&socket_timeout=5"
    23   CACHE_SIZE: "10Gib"
    24   CACHE_DIR: "/tmp/cache"
         # NOTE(review): by its name this appears to let the runner accept unencrypted
         # messages; confirm, and turn it off wherever the message encryption keys mounted
         # into the runner are meant to be enforced.
    25   CLEAR_TEXT_MESSAGES: "true"
    26  ---
        # Identity the runner Deployment runs as (referenced there via serviceAccountName)
        # and the subject of the studioml-role-bind RoleBinding.
    27  apiVersion: v1
    28  kind: ServiceAccount
    29  metadata:
    30    name: studioml-account
    31    namespace: {{ default "local-go-runner" .Namespace }}
    32  ---
        # Read-only access (get, list, watch) to ConfigMaps in the core API group.
        # The role is cluster-scoped, but this file attaches it with a RoleBinding, so the
        # grant only takes effect in the namespace that binding is created in.
        # NOTE(review): ConfigMap read access also covers the credentials stored in
        # studioml-env; a resourceNames restriction would narrow get, but list and watch
        # cannot be limited that way — confirm which verbs the runner needs.
    33  apiVersion: rbac.authorization.k8s.io/v1
    34  kind: ClusterRole
    35  metadata:
    36    name: studioml-role
    37  rules:
    38  - apiGroups:
    39    - ""
    40    resources:
    41    - configmaps
    42    verbs:
    43    - get
    44    - list
    45    - watch
    46  ---
        # Grants studioml-role to the studioml-account ServiceAccount.
        # NOTE(review): metadata.namespace is not set here, unlike the other namespaced
        # resources in this file, so the binding is created in whichever namespace the
        # apply command targets. The ConfigMap read access then applies in that namespace,
        # which may not be the one holding studioml-env — confirm and set it explicitly.
    47  apiVersion: rbac.authorization.k8s.io/v1
    48  kind: RoleBinding
    49  metadata:
    50    name: studioml-role-bind
    51  subjects:
    52  - kind: ServiceAccount
    53    name: studioml-account
    54    namespace: {{ default "local-go-runner" .Namespace }}
    55  roleRef:
    56    kind: ClusterRole
    57    name: studioml-role
    58    apiGroup: rbac.authorization.k8s.io
    59  ---
    60  # This secret is an open, arbitrary secret used to confirm that encryption is functional, and
    61  # MUST never be used for a production system.
        # The data value is only base64-encoded, which is an encoding and not encryption, so
        # the passphrase is readable by anyone who can read this file. The runner Deployment
        # mounts it read-only at /runner/certs/message/passphrase.
    62  apiVersion: v1
    63  kind: Secret
    64  metadata:
    65    name: studioml-runner-passphrase-secret
    66    namespace: {{ default "local-go-runner" .Namespace }}
    67  type: Opaque
    68  data:
    69    ssh-passphrase: UGFzc1BocmFzZQ==
    70  ---
    71  # This secret is an open, arbitrary secret used to confirm that encryption is functional, and
    72  # MUST never be used for a production system.
    73  apiVersion: v1
    74  kind: Secret
    75  metadata:
    76    name: studioml-runner-key-secret
    77    namespace: {{ default "local-go-runner" .Namespace }}
    78  type: Opaque
    79  data:
    80    ssh-privatekey: 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
    81    ssh-publickey: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXdhbDFTWFlvbW5HR3lKRjRzQ2JzaUFyeW9JemI3RFhNci9PN2xINDJ0eHJSanZmY29tK1IKeHhQVmVyMllyVFpRZ3c0bmJ2OER6VXhKZUQzRjFKWXVudkxkZXBRQTlRcjJjYkFRNVdxdnlJRkhXOFZQK2VsWgpFdTByZ0RBdm42SXppT1plZGw1dS9LQVZSZnNqVSszRU93OFgrdlUvK2lwUmFZRjVPNTlXQkd0cWd6UnVPQjhKCjdFUFVpc3QvUWs1ZkVkSlo4cUlyQUtmTDlaSTNwWjlUOHhuRVVsVXdvMTcyR0o3c0NmZUFZeElaMC9YUkphZVIKa2RwM1lmMi94WFlZdytpcExUQmQ2cFBRWUF5NFcyMHVFOTBRR1JMRHV0eGJnM3NySzRYbWRFWGF0ZmE5MGFvagpscUJXOVcwTFV2djZHYlNydWE5TzBrVWdVN2NqdGpxRWd3ZmJBbHR5MUF3UjFGTzhjUTYyTVp5Wk50bVVsSm1lCmZrTjYzRThuR0FsMkRFU1hrL2xCN3lsTXloOXNwTjFCbVlXOTcxU2ZzZVVsK1dmajZJZzNuZFQ4US9ReWd5dFAKdnV0ZnBpZXEyRWpWdnlBSnF1QzRkQlAxZ0FMMExRNTZmYWY5WjEwa2x1S3duUnJUZEZSMHUxci9UYldVZmZJTApIeU4zZWdzb3Nqd1RhZTRPUW51SjQ2ck8wM1dnNEc0UStZTEYrRWRBeUFWOVNNWlZhSTR0ZlhQMlYwR2dVWkhUCmNnbk1WZFAxTmVvS252aEgwQ0hvTzF1NDZGVGxWOTQ4VTZ5a3ZKSlVSUG5GVXo3T09qKzJqb3ppWkVkLzdqZWsKMCtRb0dzY2h5SXpxRmJDQUtQS3FLMnZKQ1pPUHRRWVR3VVc3bGgrQXFpUU9mdE1xbk1mWXhJRUNBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
    82  ---
        # Placeholder signing secret: the single value is a base64-encoded dummy string, not
        # key material. The runner Deployment mounts this secret as the queue-signing
        # volume with optional: false, so the resource has to exist for the pod to start.
    83  apiVersion: v1
    84  kind: Secret
    85  metadata:
    86    name: studioml-signing
    87    namespace: {{ default "local-go-runner" .Namespace }}
    88  type: Opaque
    89  data:
    90    info: RHVtbXkgU2VjcmV0IHNvIHJlc291cmNlIHJlbWFpbnMgcHJlc2VudA==
    91  ---
    92  # This service exposes rabbit MQ to the cluster members
        # NOTE(review): type NodePort also opens both ports on every node's address, not
        # only inside the cluster. That includes the port named rmq-admin (15672), and the
        # broker is configured from studioml-env with fixed sample credentials. Use
        # ClusterIP if only in-cluster clients connect, or restrict node access with
        # network policy or firewall rules.
    93  apiVersion: v1
    94  kind: Service
    95  metadata:
    96    labels:
    97      component: rabbitmq
    98    name: rabbitmq-service
    99    namespace: {{ default "local-go-runner" .Namespace }}
   100  spec:
   101    type: NodePort
   102    ports:
   103    - name: rmq-client
   104      port: 5672
   105    - name: rmq-admin
   106      port: 15672
   107    selector:
   108      app: taskQueue
   109      component: rabbitmq
   110  ---
   111  # The replication controller encapsulates the pod(s) used to run RabbitMQ
   112  apiVersion: v1
   113  kind: ReplicationController
   114  metadata:
   115    labels:
   116      component: rabbitmq
   117    name: rabbitmq-controller
   118    namespace: {{ default "local-go-runner" .Namespace }}
   119  spec:
   120    replicas: 1
   121    template:
   122      metadata:
   123        labels:
   124          app: taskQueue
   125          component: rabbitmq
   126      spec:
   127        containers:
              # NOTE(review): the image has no tag or digest, so the broker version that
              # gets deployed can change between pulls; pin a version tag or a digest.
   128        - image: rabbitmq
   129          name: rabbitmq
   130          ports:
   131          - containerPort: 5672
   132          - containerPort: 15672
   133          resources:
   134            limits:
   135              cpu: 1
   136              ephemeral-storage: "4Gi"
   137            requests:
   138              ephemeral-storage: "4Gi"
                # Loads every key of studioml-env, including RABBITMQ_DEFAULT_USER and
                # RABBITMQ_DEFAULT_PASS, into the container environment.
   139          envFrom:
   140          - configMapRef:
   141              name: studioml-env
                # postStart hook: waits 30 seconds, enables the management plugin, installs
                # wget and python with apt-get, then downloads rabbitmqadmin from the local
                # management endpoint and marks it executable.
                # NOTE(review): installing packages at container start requires outbound
                # access to the package mirrors and leaves the running container different
                # from the image that was pulled and scanned; an image that already
                # contains the management tooling avoids both.
   142          lifecycle:
   143            postStart:
   144              exec:
   145                command:
   146                  - "/bin/bash"
   147                  - "-c"
   148                  - >
   149                    set -euo pipefail ;
   150                    IFS=$'\n\t' ;
   151                    echo "Starting the install of the management plugin" ;
   152                    sleep 30 ;
   153                    rabbitmq-plugins enable rabbitmq_management ;
   154                    apt-get -y update ; apt-get install -y wget python ;
   155                    wget -q -O /usr/local/bin/rabbitmqadmin http://localhost:15672/cli/rabbitmqadmin ;
   156                    chmod +x /usr/local/bin/rabbitmqadmin
   157  ---
        # Storage claim for the MinIO data directory; minio-deployment mounts it at /storage.
   158  apiVersion: v1
   159  kind: PersistentVolumeClaim
   160  metadata:
   161    # This name uniquely identifies the PVC. Will be used in deployment below.
   162    name: minio-pv-claim
   163    namespace: {{ default "local-go-runner" .Namespace }}
   164    labels:
   165      app: minio-storage-claim
   166  spec:
   167    # Read more about access modes here: https://kubernetes.io/docs/user-guide/persistent-volumes/#access-modes
   168    accessModes:
   169      - ReadWriteOnce
   170    resources:
   171      # This is the request for storage. Should be available in the cluster.
   172      requests:
   173        storage: 15Gi
   174    # Uncomment and add storageClass specific to your requirements below. Read more https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
   175    #storageClassName:
   176  ---
        # Single MinIO server backed by the minio-pv-claim volume.
   177  apiVersion: apps/v1
   178  kind: Deployment
   179  metadata:
   180    # This name uniquely identifies the Deployment
   181    name: minio-deployment
   182    namespace: {{ default "local-go-runner" .Namespace }}
   183  spec:
   184    strategy:
   185      type: Recreate
   186    selector:
   187      matchLabels:
   188        app: minio
   189    template:
   190      metadata:
   191        labels:
   192          # Label is used as selector in the service.
   193          app: minio
   194      spec:
   195        # Refer to the PVC created earlier
   196        volumes:
   197        - name: storage
   198          persistentVolumeClaim:
   199            # Name of the PVC created earlier
   200            claimName: minio-pv-claim
   201        containers:
   202        - name: minio
   203          # Pulls a MinIO image pinned to a dated release tag. A tag can be re-pointed
                # by the publisher, so a digest reference would be the stricter pin.
   204          image: minio/minio:RELEASE.2020-05-08T02-40-49Z
   205          args:
   206          - server
   207          - /storage
                # MINIO_ACCESS_KEY and MINIO_SECRET_KEY reach the server through this
                # ConfigMap, i.e. the fixed sample credentials defined in studioml-env.
   208          envFrom:
   209          - configMapRef:
   210              name: studioml-env
   211          ports:
   212          - containerPort: 9000
   213          # Mount the volume into the pod
   214          volumeMounts:
   215          - name: storage # must match the volume name, above
   216            mountPath: "/storage"
   217          # Readiness probe detects situations when MinIO server instance
   218          # is not ready to accept traffic. Kubernetes doesn't forward
   219          # traffic to the pod while readiness checks fail.
   220          readinessProbe:
   221            httpGet:
   222              path: /minio/health/ready
   223              port: 9000
   224            initialDelaySeconds: 120
   225            periodSeconds: 20
   226          # Liveness probe detects situations where MinIO server instance
   227          # is not working properly and needs restart. Kubernetes automatically
   228          # restarts the pods if liveness checks fail.
   229          livenessProbe:
   230            httpGet:
   231              path: /minio/health/live
   232              port: 9000
   233            initialDelaySeconds: 120
   234            periodSeconds: 20
   235  ---
        # Routes port 9000 to the pods labelled app: minio.
        # NOTE(review): type NodePort opens the MinIO API on every node's address as well
        # as inside the cluster, and the server is started with the fixed sample
        # credentials from studioml-env. Use ClusterIP if only in-cluster clients connect,
        # or restrict node access with network policy or firewall rules.
   236  apiVersion: v1
   237  kind: Service
   238  metadata:
   239    name: minio-service
   240    namespace: {{ default "local-go-runner" .Namespace }}
   241  spec:
   242    type: NodePort
   243    ports:
   244      - port: 9000
   245        targetPort: 9000
   246        protocol: TCP
   247    selector:
   248      app: minio
   249  ---
        # Runner Deployment: one replica running as studioml-account, configured from
        # studioml-env, with the three Secrets from this file mounted read-only under
        # /runner/certs.
   250  apiVersion: apps/v1
   251  kind: Deployment
   252  metadata:
   253   name: studioml-go-runner-deployment
   254   namespace: {{ default "local-go-runner" .Namespace }}
   255   labels:
   256     app: studioml-go-runner
   257  spec:
   258   progressDeadlineSeconds: 360
   259   selector:
   260     matchLabels:
   261       app: studioml-go-runner
   262   replicas: 1
   263   strategy:
   264     type: RollingUpdate
   265   template:
   266     metadata:
   267       labels:
   268         app: studioml-go-runner
   269     spec:
   270        serviceAccountName: studioml-account
              # Mounts the studioml-account API token into the pod.
              # NOTE(review): the token carries whatever studioml-role-bind grants, so keep
              # that role minimal; set this to false if the runner does not call the
              # Kubernetes API — confirm against the runner code.
   271        automountServiceAccountToken: true
   272        containers:
              # NOTE(review): no securityContext is declared for this container, so the
              # user and privilege settings come from the image and the cluster defaults.
   273        - name: studioml-go-runner
   274          envFrom:
   275          - configMapRef:
   276              name: studioml-env
                # The image reference is supplied by the template.
                # NOTE(review): with imagePullPolicy Always a mutable tag is resolved again
                # on every pod start; a digest-pinned reference keeps the deployed runner
                # reproducible.
   277          image: {{ .Image }}
   278          imagePullPolicy: Always
   279          resources:
   280            limits:
   281              memory: "8Gi"
   282              cpu: "2"
                # Key material, passphrase and signing data are all mounted read-only.
   283          volumeMounts:
   284          - name: message-encryption
   285            mountPath: "/runner/certs/message/encryption"
   286            readOnly: true
   287          - name: encryption-passphrase
   288            mountPath: "/runner/certs/message/passphrase"
   289            readOnly: true
   290          - name: queue-signing
   291            mountPath: "/runner/certs/queues/signing"
   292            readOnly: true
              # NOTE(review): beta.kubernetes.io/os is the deprecated form of the
              # kubernetes.io/os node label — confirm the target cluster still sets it.
   293        nodeSelector:
   294          beta.kubernetes.io/os: linux
              # optional: false on each secret volume means the pod does not start unless
              # the referenced Secret exists.
   295        volumes:
   296          - name: message-encryption
   297            secret:
   298              optional: false
   299              secretName: studioml-runner-key-secret
   300              items:
   301              - key: ssh-privatekey
   302                path: ssh-privatekey
   303              - key: ssh-publickey
   304                path: ssh-publickey
   305          - name: encryption-passphrase
   306            secret:
   307              optional: false
   308              secretName: studioml-runner-passphrase-secret
   309              items:
   310              - key: ssh-passphrase
   311                path: ssh-passphrase
   312          - name: queue-signing
   313            secret:
   314              optional: false
   315              secretName: studioml-signing