Compare commits
9 Commits
1a9a403b74
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 904f16bfc0 | |||
| 4f0a0289fc | |||
| 718df09e88 | |||
| 97f4a5e175 | |||
| bb27ca2c86 | |||
| 8927f278f3 | |||
| 7bbb9af15b | |||
| 09ba656ae7 | |||
| 2b8b8390bc |
@@ -40,7 +40,8 @@ kubectl -n <namespace> rollout restart deployment/anyway-backend
|
||||
### CI/CD and credentials
|
||||
For the deployment to work, the CI runner needs to authenticate against the kubernetes cluster. This is done by creating a service account in the cluster and providing the CI runner with the necessary credentials through a kubeconfig file. This file is stored as a repository secret `KUBE_CONFIG` and is used by the `kubectl` command in the CI pipeline.
|
||||
|
||||
The RBAC configuration for the service included for your reference in the file `rbac.yaml`.
|
||||
The RBAC configuration for the service included for your reference in the file `rbac.yaml`. To use it, extract the token from the secret `deployment-token-secret`.
|
||||
Then fill in the token and service account name into the kubeconfig.
|
||||
|
||||
|
||||
### Deployment environments
|
||||
|
||||
@@ -21,12 +21,14 @@ spec:
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
env:
|
||||
- name: MEMCACHED_HOST_PATH
|
||||
value: "memcached:11211"
|
||||
- name: NUM_WORKERS
|
||||
value: "3"
|
||||
- name: OSM_CACHE_DIR
|
||||
value: "/osm-cache"
|
||||
- name: MEMCACHED_HOST_PATH
|
||||
value: "memcached:11211"
|
||||
- name: LOKI_URL
|
||||
value: "http://loki.monitoring.svc:3100/loki/api/v1/push"
|
||||
volumeMounts:
|
||||
- name: osm-cache
|
||||
mountPath: /osm-cache
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
# - namespace.yaml
|
||||
- pvc.yaml
|
||||
- deployment.yaml
|
||||
- service.yaml
|
||||
|
||||
@@ -4,7 +4,12 @@ kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
namespace: anyway-prod
|
||||
namespace: anyway-backend
|
||||
nameSuffix: -prod
|
||||
labels:
|
||||
- includeSelectors: true
|
||||
pairs:
|
||||
env: prod
|
||||
|
||||
images:
|
||||
- name: backend-image
|
||||
@@ -16,3 +21,7 @@ patches:
|
||||
target:
|
||||
kind: IngressRoute
|
||||
name: anyway-ingress
|
||||
- path: patch-deployment-memcached-address.yaml
|
||||
target:
|
||||
kind: Deployment
|
||||
name: anyway-backend
|
||||
|
||||
3
overlays/prod/patch-deployment-memcached-address.yaml
Normal file
3
overlays/prod/patch-deployment-memcached-address.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
- op: replace
|
||||
path: /spec/template/spec/containers/0/env/0/value
|
||||
value: "memcached-prod:11211"
|
||||
@@ -1,3 +1,6 @@
|
||||
- op: replace #action
|
||||
- op: replace
|
||||
path: /spec/routes/0/match
|
||||
value: Host(`anyway.anydev.info`) || Host(`anyway.kluster.moll.re`)
|
||||
- op: replace
|
||||
path: /spec/routes/0/services/0/name
|
||||
value: anyway-backend-prod
|
||||
@@ -4,7 +4,13 @@ kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
namespace: anyway-stg
|
||||
namespace: anyway-backend
|
||||
nameSuffix: -stg
|
||||
labels:
|
||||
- includeSelectors: true
|
||||
pairs:
|
||||
env: stg
|
||||
|
||||
|
||||
images:
|
||||
- name: backend-image
|
||||
@@ -16,3 +22,12 @@ patches:
|
||||
target:
|
||||
kind: IngressRoute
|
||||
name: anyway-ingress
|
||||
- path: patch-deployment-memcached-address.yaml
|
||||
target:
|
||||
kind: Deployment
|
||||
name: anyway-backend
|
||||
- path: patch-deployment.yaml
|
||||
target:
|
||||
kind: Deployment
|
||||
name: anyway-backend
|
||||
|
||||
|
||||
3
overlays/stg/patch-deployment-memcached-address.yaml
Normal file
3
overlays/stg/patch-deployment-memcached-address.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
- op: replace
|
||||
path: /spec/template/spec/containers/0/env/0/value
|
||||
value: "memcached-stg:11211"
|
||||
5
overlays/stg/patch-deployment.yaml
Normal file
5
overlays/stg/patch-deployment.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/env/-
|
||||
value:
|
||||
name: DEBUG
|
||||
value: "true"
|
||||
@@ -1,3 +1,6 @@
|
||||
- op: replace #action
|
||||
path: /spec/routes/0/match
|
||||
value: Host(`anyway-stg.anydev.info`) || Host(`anyway-stg.kluster.moll.re`)
|
||||
- op: replace
|
||||
path: /spec/routes/0/services/0/name
|
||||
value: anyway-backend-stg
|
||||
61
rbac.yaml
Normal file
61
rbac.yaml
Normal file
@@ -0,0 +1,61 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
namespace: anyway-backend
|
||||
name: deployment-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- "apps"
|
||||
- "traefik.io"
|
||||
resources:
|
||||
- pods
|
||||
- services
|
||||
- deployments
|
||||
- ingressroutes
|
||||
- persistentvolumeclaims
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: deployment-rolebinding
|
||||
namespace: anyway-backend
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: deployment-sa
|
||||
namespace: anyway-backend
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: deployment-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: deployment-sa
|
||||
namespace: anyway-backend
|
||||
automountServiceAccountToken: false
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
namespace: anyway-backend
|
||||
name: deployment-token-secret
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: deployment-sa
|
||||
type: kubernetes.io/service-account-token
|
||||
Reference in New Issue
Block a user