zero/k8s: use deployments (#5248)

* zero/k8s: use deployments * secret mount readonly Co-authored-by: Joe Kralicky <joekralicky@gmail.com> * adjust according to comments --------- Co-authored-by: Joe Kralicky <joekralicky@gmail.com>
2025-04-28 18:06:34 +02:00 · 2024-08-29 15:16:32 -04:00 · 2024-08-29 15:16:32 -04:00 · 5fd8cf60d5
commit 5fd8cf60d5
parent ef08c32c82
13 changed files with 61 additions and 21 deletions
--- a/k8s/zero/deployment/base.yaml
+++ b/k8s/zero/deployment/base.yaml
@ -1,15 +1,15 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
-  serviceName: "pomerium-proxy"
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium-zero
  template:
    spec:
+      serviceAccountName: pomerium-zero
      containers:
        - name: pomerium
      terminationGracePeriodSeconds: 10
--- a/k8s/zero/deployment/env.yaml
+++ b/k8s/zero/deployment/env.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
@ -19,6 +19,10 @@ spec:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
+            - name: BOOTSTRAP_CONFIG_FILE
+              value: "/var/run/secrets/pomerium/bootstrap.dat"
+            - name: BOOTSTRAP_CONFIG_WRITEBACK_URI
+              value: "secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap"
            - name: POD_IP
              valueFrom:
                fieldRef:
--- a/k8s/zero/deployment/image.yaml
+++ b/k8s/zero/deployment/image.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/no-root.yaml
+++ b/k8s/zero/deployment/no-root.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/ports.yaml
+++ b/k8s/zero/deployment/ports.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/readonly-root-fs.yaml
+++ b/k8s/zero/deployment/readonly-root-fs.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/resources.yaml
+++ b/k8s/zero/deployment/resources.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/volumes.yaml
+++ b/k8s/zero/deployment/volumes.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
@ -13,22 +13,22 @@ spec:
            - name: TMPDIR
              value: "/tmp/pomerium"
            - name: XDG_CACHE_HOME
-              value: "/var/cache"
+              value: "/tmp/pomerium/cache"
            - name: XDG_DATA_HOME
-              value: "/var/cache"
+              value: "/tmp/pomerium/cache"
          volumeMounts:
            - mountPath: "/tmp/pomerium"
              name: tmp
-            - mountPath: "/var/cache"
-              name: pomerium-cache
+            - mountPath: "/var/run/secrets/pomerium"
+              name: bootstrap
+              readOnly: true
      volumes:
        - name: tmp
          emptyDir: {}
-  volumeClaimTemplates:
-  - metadata:
-      name: pomerium-cache
-    spec:
-      accessModes: [ "ReadWriteOnce" ]
-      resources:
-        requests:
-          storage: 100Mi
+        - name: bootstrap
+          secret:
+            optional: true
+            secretName: pomerium
+            items:
+              - key: bootstrap
+                path: bootstrap.dat
--- a/k8s/zero/kustomization.yaml
+++ b/k8s/zero/kustomization.yaml
@ -3,5 +3,6 @@ commonLabels:
  app.kubernetes.io/name: pomerium-zero
 resources:
  - namespace.yaml
+  - ./rbac
  - ./deployment
  - ./service
--- a/k8s/zero/rbac/kustomization.yaml
+++ b/k8s/zero/rbac/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
--- a/k8s/zero/rbac/role.yaml
+++ b/k8s/zero/rbac/role.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pomerium-zero
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - patch
+    resourceNames:
+      - pomerium
--- a/k8s/zero/rbac/role_binding.yaml
+++ b/k8s/zero/rbac/role_binding.yaml
@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pomerium-zero
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pomerium-zero
+subjects:
+  - kind: ServiceAccount
+    name: pomerium-zero
--- a/k8s/zero/rbac/service_account.yaml
+++ b/k8s/zero/rbac/service_account.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pomerium-zero