zero/k8s: use deployments (#5248)

* zero/k8s: use deployments

* secret mount readonly

Co-authored-by: Joe Kralicky <joekralicky@gmail.com>

* adjust according to comments

---------

Co-authored-by: Joe Kralicky <joekralicky@gmail.com>
Denis Mishin 2024-08-29 15:16:32 -04:00 committed by GitHub
parent ef08c32c82
commit 5fd8cf60d5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 61 additions and 21 deletions


@ -1,15 +1,15 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:
serviceName: "pomerium-proxy"
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: pomerium-zero app.kubernetes.io/name: pomerium-zero
template: template:
spec: spec:
serviceAccountName: pomerium-zero
containers: containers:
- name: pomerium - name: pomerium
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10
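Review bot: With `replicas: 1` and no `strategy` set, the Deployment defaults to RollingUpdate, so on every rollout a new pod is started while the old one is still running, something the StatefulSet this replaces never did. If the bootstrap-config writeback (the secret patch the new Role allows) assumes a single writer at a time, add `strategy:` / `  type: Recreate` under `spec`; if concurrent pods are fine, a comment saying so would save the next reader the question. The new `serviceAccountName` line is the pod's only link to the RBAC added in this commit and deserves a comment such as `# needed for the bootstrap-config writeback (patch on secret "pomerium")`. The pod template continues outside the hunk.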


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:
@ -19,6 +19,10 @@ spec:
fieldRef: fieldRef:
apiVersion: v1 apiVersion: v1
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: BOOTSTRAP_CONFIG_FILE
value: "/var/run/secrets/pomerium/bootstrap.dat"
- name: BOOTSTRAP_CONFIG_WRITEBACK_URI
value: "secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap"
- name: POD_IP - name: POD_IP
valueFrom: valueFrom:
fieldRef: fieldRef:
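Review bot: `$(POMERIUM_NAMESPACE)` in the `BOOTSTRAP_CONFIG_WRITEBACK_URI` value is expanded by Kubernetes only when a variable of exactly that name is defined earlier in the same `env` list; otherwise the process receives the literal text `$(POMERIUM_NAMESPACE)` and the writeback URI is wrong. The `fieldRef: metadata.namespace` entry directly above is presumably that variable, but its `name:` line sits outside the hunk, so confirm it is spelled `POMERIUM_NAMESPACE` and precedes the two new entries. A comment on the new entry, `# $(POMERIUM_NAMESPACE) is expanded from the fieldRef env above`, would document the ordering dependency. The `env` list continues outside the hunk on both sides.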


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:


@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: pomerium name: pomerium
spec: spec:
@ -13,22 +13,22 @@ spec:
- name: TMPDIR - name: TMPDIR
value: "/tmp/pomerium" value: "/tmp/pomerium"
- name: XDG_CACHE_HOME - name: XDG_CACHE_HOME
value: "/var/cache" value: "/tmp/pomerium/cache"
- name: XDG_DATA_HOME - name: XDG_DATA_HOME
value: "/var/cache" value: "/tmp/pomerium/cache"
volumeMounts: volumeMounts:
- mountPath: "/tmp/pomerium" - mountPath: "/tmp/pomerium"
name: tmp name: tmp
- mountPath: "/var/cache" - mountPath: "/var/run/secrets/pomerium"
name: pomerium-cache name: bootstrap
readOnly: true
volumes: volumes:
- name: tmp - name: tmp
emptyDir: {} emptyDir: {}
volumeClaimTemplates: - name: bootstrap
- metadata: secret:
name: pomerium-cache optional: true
spec: secretName: pomerium
accessModes: [ "ReadWriteOnce" ] items:
resources: - key: bootstrap
requests: path: bootstrap.dat
storage: 100Mi
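Review bot: The new `bootstrap` secret volume sets `readOnly: true` on the mount but no `defaultMode`, so `bootstrap.dat` is projected with the API default of 0644 and is readable by every process in the container; since this file holds the bootstrap configuration, a tighter `defaultMode: 0440` under `secret:` is worth adding (together with a pod `fsGroup` if the container runs as a non-root user, otherwise the root-owned file becomes unreadable). `optional: true` turns a missing `pomerium` secret into an empty mount instead of a pod that stays Pending, which looks intended for first boot but should be stated, e.g. `# optional: the secret may not exist yet on first boot`. XDG_CACHE_HOME and XDG_DATA_HOME now point into the `tmp` emptyDir, so cache and data no longer survive a pod restart now that the volumeClaimTemplate is gone; a one-line comment on the `tmp` volume saying that this is deliberate would help.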


@ -3,5 +3,6 @@ commonLabels:
app.kubernetes.io/name: pomerium-zero app.kubernetes.io/name: pomerium-zero
resources: resources:
- namespace.yaml - namespace.yaml
- ./rbac
- ./deployment - ./deployment
- ./service - ./service


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- role.yaml
- role_binding.yaml
- service_account.yaml

14
k8s/zero/rbac/role.yaml Normal file

@ -0,0 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pomerium-zero
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- patch
resourceNames:
- pomerium
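Review bot: The Role grants only `patch` on the `pomerium` secret, which matches the writeback URI `secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap` and is a good least-privilege choice, but `patch` alone generally cannot create the secret when it does not exist, and the deployment mounts it with `optional: true`, which suggests it may be absent on first boot. Confirm that the writeback only ever patches an existing secret or that the secret is created out of band; if the application actually needs `create`, that verb cannot be scoped by `resourceNames`, so pre-creating the secret is the safer answer. A comment on the rule such as `# writeback target for BOOTSTRAP_CONFIG_WRITEBACK_URI; patch only, the secret must already exist` would make the intent explicit. Style: this file opens with a `---` document marker while the RoleBinding, ServiceAccount and kustomization files added alongside it do not; pick one convention for the directory.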


@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pomerium-zero
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pomerium-zero
subjects:
- kind: ServiceAccount
name: pomerium-zero


@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: pomerium-zero