zero/k8s: use deployments (#5248)

* zero/k8s: use deployments * secret mount readonly Co-authored-by: Joe Kralicky <joekralicky@gmail.com> * adjust according to comments --------- Co-authored-by: Joe Kralicky <joekralicky@gmail.com>
2025-06-01 18:33:19 +02:00 · 2024-08-29 15:16:32 -04:00 · 2024-08-29 15:16:32 -04:00 · 5fd8cf60d5
commit 5fd8cf60d5
parent ef08c32c82
13 changed files with 61 additions and 21 deletions
--- a/k8s/zero/deployment/base.yaml
+++ b/k8s/zero/deployment/base.yaml
@ -1,15 +1,15 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
-  serviceName: "pomerium-proxy"
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium-zero
  template:
    spec:
+      serviceAccountName: pomerium-zero
      containers:
        - name: pomerium
      terminationGracePeriodSeconds: 10
--- a/k8s/zero/deployment/env.yaml
+++ b/k8s/zero/deployment/env.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
@ -19,6 +19,10 @@ spec:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
+            - name: BOOTSTRAP_CONFIG_FILE
+              value: "/var/run/secrets/pomerium/bootstrap.dat"
+            - name: BOOTSTRAP_CONFIG_WRITEBACK_URI
+              value: "secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap"
            - name: POD_IP
              valueFrom:
                fieldRef:
--- a/k8s/zero/deployment/image.yaml
+++ b/k8s/zero/deployment/image.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/no-root.yaml
+++ b/k8s/zero/deployment/no-root.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/ports.yaml
+++ b/k8s/zero/deployment/ports.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/readonly-root-fs.yaml
+++ b/k8s/zero/deployment/readonly-root-fs.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/resources.yaml
+++ b/k8s/zero/deployment/resources.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
--- a/k8s/zero/deployment/volumes.yaml
+++ b/k8s/zero/deployment/volumes.yaml
@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: pomerium
 spec:
@ -13,22 +13,22 @@ spec:
            - name: TMPDIR
              value: "/tmp/pomerium"
            - name: XDG_CACHE_HOME
-              value: "/var/cache"
+              value: "/tmp/pomerium/cache"
            - name: XDG_DATA_HOME
-              value: "/var/cache"
+              value: "/tmp/pomerium/cache"
          volumeMounts:
            - mountPath: "/tmp/pomerium"
              name: tmp
-            - mountPath: "/var/cache"
-              name: pomerium-cache
+            - mountPath: "/var/run/secrets/pomerium"
+              name: bootstrap
+              readOnly: true
      volumes:
        - name: tmp
          emptyDir: {}
-  volumeClaimTemplates:
-  - metadata:
-      name: pomerium-cache
-    spec:
-      accessModes: [ "ReadWriteOnce" ]
-      resources:
-        requests:
-          storage: 100Mi
+        - name: bootstrap
+          secret:
+            optional: true
+            secretName: pomerium
+            items:
+              - key: bootstrap
+                path: bootstrap.dat