-
Notifications
You must be signed in to change notification settings - Fork 6
/
deploy_example.yaml
144 lines (143 loc) · 3.77 KB
/
deploy_example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# The only thing that our Pod needs is to have access to the cluster API and be able to read
# config maps. The following service account, role and role binding show the minimum perms required:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-able-to-access-k8s-api-and-read-configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: read-configmaps
rules:
- verbs:
- watch
- get
- list
apiGroups:
- ""
resources:
- configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-config-maps-to-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: read-configmaps
subjects:
- kind: ServiceAccount
name: sa-able-to-access-k8s-api-and-read-configmaps
---
# This is the Pod with Traefik and configbump as a sidecar. The only things required to make
# configbump do its job is to a) assign the proper service account to the Pod and b) connect
# the Traefik container and configbump container using a shared emptydir volume. There is no
# need for the volume to be persistent because configbump syncs its content with all the matching
# configmaps.
kind: Pod
apiVersion: v1
metadata:
name: traefik
spec:
serviceAccountName: sa-able-to-access-k8s-api-and-read-configmaps
containers:
- name: traefik
image: docker.io/traefik:v2.2.8
volumeMounts:
- name: config
mountPath: /etc/traefik
- name: dynamic-config
mountPath: "/dynamic-config"
- name: config-map-sync
image: quay.io/che-incubator/configbump:latest
env:
- name: CONFIG_BUMP_DIR
value: "/dynamic-config"
- name: CONFIG_BUMP_LABELS
value: "app=che,role=gateway-config"
- name: CONFIG_BUMP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: dynamic-config
mountPath: "/dynamic-config"
volumes:
- name: config
configMap:
name: traefik-config
- name: dynamic-config
emptyDir: {}
---
# This is the main configuration for Traefik. We configure it to listen
# for changes in the "/dynamic-config" directory - where we put all the
# configuration from the config maps labeled with "config-for" label equal
# "traefik".
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
data:
traefik.yml: |
global:
checkNewVersion: false
sendAnonymousUsage: false
entrypoints:
http:
address: ":8080"
https:
address: ":8443"
providers:
file:
directory: "/dynamic-config"
watch: true
---
kind: ConfigMap
apiVersion: v1
metadata:
name: che-gateway-che
labels:
app: che
role: gateway-config
data:
che.yml: |
http:
routers:
che:
rule: "PathPrefix(`/`)"
service: che
priority: 1
plugin-registry:
rule: "PathPrefix(`/plugin-registry`)"
service: plugin-registry
middlewares: [plugin-registry]
priority: 10
devfile-registry:
rule: "PathPrefix(`/devfile-registry`)"
service: devfile-registry
middlewares: [devfile-registry]
priority: 10
services:
che:
loadBalancer:
servers:
- url: 'http://che-host:8080'
plugin-registry:
loadBalancer:
servers:
- url: 'http://plugin-registry:8080'
devfile-registry:
loadBalancer:
servers:
- url: 'http://devfile-registry:8080'
middlewares:
plugin-registry:
stripPrefix:
prefixes:
- '/plugin-registry'
devfile-registry:
stripPrefix:
prefixes:
- '/devfile-registry'