zero/k8s: deployment manifests (#4763)

* zero/k8s: deployment manifests

* convert to statefulset so that it has persistent volume claim

* use standard ports to avoid config customization for k8s

* add XDG_DATA_HOME mapping
This commit is contained in:
Denis Mishin 2024-01-08 12:08:14 -05:00 committed by GitHub
parent ca71b3ae60
commit c84a251c93
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 244 additions and 0 deletions


@ -0,0 +1,15 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
serviceName: "pomerium-proxy"
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: pomerium-zero
template:
spec:
containers:
- name: pomerium
terminationGracePeriodSeconds: 10
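Review bot: The pod template under `template:` / `spec:` carries no `metadata.labels`, while `selector.matchLabels` requires `app.kubernetes.io/name: pomerium-zero`; the API server rejects a StatefulSet whose selector does not match its template labels, so unless one of the seven changed files not shown on this page adds them, the template needs `metadata:` / `labels:` / `app.kubernetes.io/name: pomerium-zero` alongside its `spec`. `serviceName: "pomerium-proxy"` likewise names a headless Service that none of the visible files define, and a StatefulSet's stable pod DNS depends on that Service existing. A short comment above `serviceName` naming where that Service is created would save the next reader the search.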


@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
env:
- name: POMERIUM_ZERO_TOKEN
valueFrom:
secretKeyRef:
name: pomerium
key: pomerium_zero_token
optional: false
- name: POMERIUM_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
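Review bot: The `POD_IP` entry's `fieldRef` omits `apiVersion: v1` while the `POMERIUM_NAMESPACE` entry two lines above spells it out; both forms are accepted, but the two adjacent entries should be written the same way, `fieldRef:` / `apiVersion: v1` / `fieldPath: status.podIP`. Marking the `pomerium_zero_token` reference `optional: false` is the right choice, since it makes a missing token fail pod start-up loudly instead of running an unconfigured proxy; the Secret named `pomerium` is not produced by the visible kustomization, so a comment stating that it must be created out-of-band (and never committed alongside these manifests) would document the contract.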


@ -0,0 +1,12 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
replicas: 1
template:
spec:
containers:
- name: pomerium
image: pomerium/pomerium:main
imagePullPolicy: Always
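Review bot: `image: pomerium/pomerium:main` combined with `imagePullPolicy: Always` means every pod restart may pull a different, unreviewed build, and there is no way to roll back to the image that was running before. For a deployable manifest pin an immutable reference, e.g. `image: pomerium/pomerium:<RELEASE_TAG>@sha256:<IMAGE_DIGEST>` (placeholders), and keep `main` only in an overlay meant for development. `replicas: 1` here also duplicates the value already set in the base StatefulSet, so one of the two copies can go.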


@ -0,0 +1,10 @@
resources:
- base.yaml
patchesStrategicMerge:
- env.yaml
- image.yaml
- ports.yaml
- resources.yaml
- no-root.yaml
- readonly-root-fs.yaml
- volumes.yaml
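Review bot: `patchesStrategicMerge` is deprecated in Kustomize v5 in favour of the unified `patches` field, so `kubectl kustomize` prints a deprecation warning for this file and future releases may drop the key. The same eight files can be listed as `patches` entries with a `path:` each, which also leaves room for a `target:` should a patch ever need to address a second resource. The rewrite is mechanical:
```yaml
resources:
  - base.yaml
patches:
  - path: env.yaml
  - path: image.yaml
  - path: ports.yaml
  - path: resources.yaml
  - path: no-root.yaml
  - path: readonly-root-fs.yaml
  - path: volumes.yaml
```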


@ -0,0 +1,22 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "80"
containers:
- name: pomerium
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
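Review bot: The pod-level `securityContext` sets `runAsNonRoot`, a fixed UID/GID and drops all capabilities, but no `seccompProfile` is declared, so the pod does not satisfy the `restricted` Pod Security Standard and is rejected in any namespace that enforces it. Adding `seccompProfile:` / `type: RuntimeDefault` under the pod `securityContext` closes that gap without changing what the proxy can do. The `net.ipv4.ip_unprivileged_port_start` sysctl that lets the non-root process bind 80 and 443 is on the safe-sysctl list from Kubernetes 1.22 onward; on older clusters it has to be allow-listed on the kubelet, which is worth a comment above the `sysctls` entry.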


@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
ports:
- containerPort: 443
name: https
protocol: TCP
- name: http
containerPort: 80
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
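Review bot: The first port entry is written `containerPort` first and `name` second, whereas the `http` and `metrics` entries put `name` first; with the list otherwise identical in shape the key order should match, e.g. `- name: https` / `containerPort: 443` / `protocol: TCP`. A one-line comment above the `metrics` entry stating whether 9090 is meant to be reachable only by the scraper (and hence left out of any Service) would tell the reader the intent behind exposing it here.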


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
securityContext:
readOnlyRootFilesystem: true


@ -0,0 +1,16 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
resources:
limits:
cpu: 5000m
memory: 1Gi
requests:
cpu: 300m
memory: 200Mi
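Review bot: The CPU limit of `5000m` is more than sixteen times the `300m` request and the memory limit of `1Gi` five times `200Mi`, which places the pod in the Burstable QoS class and makes it an early eviction candidate under node memory pressure; nothing on the page explains how these numbers were chosen. A comment above `limits` recording the sizing rationale (expected connection load, or "copied from the default Helm values") would let a later operator adjust them with confidence rather than guess.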


@ -0,0 +1,34 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- name: pomerium
env:
- name: TMPDIR
value: "/tmp/pomerium"
- name: XDG_CACHE_HOME
value: "/var/cache"
- name: XDG_DATA_HOME
value: "/var/cache"
volumeMounts:
- mountPath: "/tmp/pomerium"
name: tmp
- mountPath: "/var/cache"
name: pomerium-cache
volumes:
- name: tmp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: pomerium-cache
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 100Mi
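Review bot: `XDG_CACHE_HOME` and `XDG_DATA_HOME` are both set to `"/var/cache"`, so persistent state (the reason this commit moves to a StatefulSet with a `volumeClaimTemplates` entry) shares one directory with disposable cache; any cache cleanup, by the process or an operator, also removes the data that was meant to survive restarts. Mounting the same claim a second time with a `subPath` (for example `subPath: data`, a constructed value) at a separate `mountPath` and pointing `XDG_DATA_HOME` at that path keeps the two apart without a second PVC. On style, `accessModes: [ "ReadWriteOnce" ]` is the only flow collection in the set and carries padding inside the brackets; `accessModes: ["ReadWriteOnce"]` or a block list matches the rest of the manifests.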