imfreedom/k8s-cluster

Disable the fsGroup security context because it causes our container to time out for 20 minutes while k8s chowns all of the files in the volume. This isn't necessary except on first start.
# This is an installation of https://www.reviewboard.org/.
---
# Plain-HTTP router for reviews.imfreedom.org on Traefik's `http` entry point.
# The only middleware is `https-redirect`, which is defined elsewhere; with no
# namespace given, Traefik looks it up in this resource's namespace.
# NOTE(review): presumably this route only redirects to HTTPS - confirm the
# middleware does so before any request reaches the backend on port 8000.
# NOTE(review): the traefik.containo.us API group was deprecated in favour of
# traefik.io in later Traefik releases - check against the deployed version.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: roost
  name: reviews-http
spec:
  entryPoints:
    - http
  routes:
    - kind: Rule
      match: Host(`reviews.imfreedom.org`)
      middlewares:
        - name: https-redirect
      services:
        - name: reviews-reviewboard
          port: 8000
---
# HTTPS router for reviews.imfreedom.org on Traefik's `https` entry point.
# TLS is terminated at Traefik; the backend hop to port 8000 is plain HTTP
# inside the cluster.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: roost
  name: reviews
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`reviews.imfreedom.org`)
      middlewares:
        # Defined elsewhere; presumably sets the shared response headers -
        # verify which security headers (HSTS etc.) it actually adds.
        - name: common-headers
      services:
        - name: reviews-reviewboard
          port: 8000
  tls:
    # Secret written by the cert-manager Certificate `reviews-tls`.
    secretName: reviews-tls
    # Cross-namespace TLSOption reference; the protocol versions and cipher
    # suites offered to clients are decided there, not in this file.
    options:
      namespace: kube-public
      name: default
---
# cert-manager Certificate that populates the `reviews-tls` Secret consumed by
# the HTTPS IngressRoute.
# NOTE(review): cert-manager.io/v1alpha2 is no longer served by newer
# cert-manager releases; confirm the installed version before upgrading.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: reviews-tls
  namespace: roost
spec:
  commonName: reviews.imfreedom.org
  dnsNames:
    - reviews.imfreedom.org
  # No `kind` is given, so cert-manager resolves this as a namespaced Issuer
  # called `letsencrypt` in the `roost` namespace (not a ClusterIssuer).
  issuerRef:
    name: letsencrypt
  # The private key and signed certificate are stored in this Secret.
  secretName: reviews-tls
---
# In-cluster Service for the memcached pods (no `type` is set, so this is a
# ClusterIP Service). No authentication is configured for memcached in this
# file, so access control rests on the NetworkPolicy of the same name.
apiVersion: v1
kind: Service
metadata:
  name: reviews-memcached
  namespace: roost
  labels:
    app: reviews
    role: memcached
spec:
  selector:
    app: reviews
    role: memcached
  ports:
    - name: memcached
      protocol: TCP
      port: 11211
---
# Restricts ingress to the memcached pods: only pods labelled
# app=reviews,role=reviewboard in this namespace may connect, and only on the
# container port named `memcached`.
# No `policyTypes` and no `egress` section are present, so this policy covers
# ingress only; egress from the memcached pods is not restricted by it.
# Enforcement depends on the cluster's network plugin supporting NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: reviews-memcached
  namespace: roost
  labels:
    app: reviews
    role: memcached
spec:
  podSelector:
    matchLabels:
      app: reviews
      role: memcached
  ingress:
    - ports:
        - protocol: TCP
          port: memcached
      from:
        # A bare podSelector matches pods in the policy's own namespace only.
        - podSelector:
            matchLabels:
              app: reviews
              role: reviewboard
---
# Single-replica memcached used as the Review Board cache.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-memcached
  namespace: roost
  labels:
    app: reviews
    role: memcached
spec:
  replicas: 1
  # Recreate stops the old pod before the new one is started.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: reviews
      role: memcached
  template:
    metadata:
      labels:
        app: reviews
        role: memcached
    spec:
      # Pod-level security context (fsGroup only exists at pod level).
      # The process runs as non-root UID 11211. This pod mounts no volumes,
      # so fsGroup triggers no ownership change here.
      securityContext:
        runAsUser: 11211
        fsGroup: 11211
      containers:
        - name: memcached
          # Tag-pinned image; with pullPolicy Always the tag is re-resolved on
          # every pod start, so a digest pin is needed for an immutable image.
          image: memcached:1.5.20-alpine
          imagePullPolicy: Always
          ports:
            - containerPort: 11211
              name: memcached
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
            limits:
              cpu: 50m
              memory: 256Mi
---
# In-cluster Service for the PostgreSQL pod (no `type` is set, so this is a
# ClusterIP Service). Which pods may connect is governed by the NetworkPolicy
# of the same name.
apiVersion: v1
kind: Service
metadata:
  name: reviews-postgres
  namespace: roost
  labels:
    app: reviews
    role: postgres
spec:
  selector:
    app: reviews
    role: postgres
  ports:
    - name: postgres
      protocol: TCP
      port: 5432
---
# Restricts ingress to the PostgreSQL pod: only pods labelled
# app=reviews,role=reviewboard in this namespace may connect, and only on the
# container port named `postgres`.
# No `policyTypes` and no `egress` section are present, so this policy covers
# ingress only; egress from the database pod is not restricted by it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: reviews-postgres
  namespace: roost
  labels:
    app: reviews
    role: postgres
spec:
  podSelector:
    matchLabels:
      app: reviews
      role: postgres
  ingress:
    - ports:
        - protocol: TCP
          port: postgres
      from:
        # A bare podSelector matches pods in the policy's own namespace only.
        - podSelector:
            matchLabels:
              app: reviews
              role: reviewboard
---
# Single-replica PostgreSQL backing the Review Board installation.
# No securityContext is set, so the container runs as whatever user the image
# defines.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-postgres
  namespace: roost
  labels:
    app: reviews
    role: postgres
spec:
  replicas: 1
  # Recreate stops the old pod before the new one starts, which suits a
  # ReadWriteOnce data volume.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: reviews
      role: postgres
  template:
    metadata:
      labels:
        app: reviews
        role: postgres
    spec:
      volumes:
        - name: reviews-postgres
          persistentVolumeClaim:
            claimName: reviews-postgres
      containers:
        - name: postgres
          # Major-version tag only; with pullPolicy Always each pod start may
          # pick up a newer build. Pin a digest if reproducibility matters.
          image: postgres:11
          imagePullPolicy: Always
          # Credentials come from the `reviews-postgres` Secret (not shown
          # here), not from literals in this manifest.
          # NOTE(review): the official image applies POSTGRES_* only when the
          # data directory is first initialised - rotating the Secret alone
          # would not change the database password; confirm for this image.
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: reviews-postgres
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: reviews-postgres
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  key: db
                  name: reviews-postgres
          ports:
            - containerPort: 5432
              name: postgres
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 256Mi
          volumeMounts:
            # Only the `postgresql` sub-directory of the volume is exposed.
            - name: reviews-postgres
              mountPath: /var/lib/postgresql/data
              subPath: postgresql
              readOnly: false
---
# Claim for the PostgreSQL data volume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: reviews-postgres
  namespace: roost
  labels:
    app: reviews
    role: postgres
spec:
  # Binds the claim to one specific, already-existing PersistentVolume rather
  # than letting a new one be provisioned.
  volumeName: pvc-7aa02e8f-d9cc-47ae-8ef9-fa9599b419e7
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# In-cluster Service for the Review Board web pod (no `type` is set, so this
# is a ClusterIP Service). Both IngressRoutes for reviews.imfreedom.org point
# at this Service on port 8000.
apiVersion: v1
kind: Service
metadata:
  name: reviews-reviewboard
  namespace: roost
  labels:
    app: reviews
    role: reviewboard
spec:
  selector:
    app: reviews
    role: reviewboard
  ports:
    - name: http
      protocol: TCP
      port: 8000
---
# Restricts ingress to the Review Board pod to the Traefik controller, on the
# container port named `http` only.
# No `policyTypes` and no `egress` section are present, so this policy covers
# ingress only; egress from the web pod is not restricted by it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: reviews-reviewboard
  namespace: roost
  labels:
    app: reviews
    role: reviewboard
spec:
  podSelector:
    matchLabels:
      app: reviews
      role: reviewboard
  ingress:
    - ports:
        - protocol: TCP
          port: http
      from:
        # namespaceSelector and podSelector sit in the SAME list entry, so a
        # peer must satisfy both: a pod labelled app=traefik,role=controller
        # inside a namespace labelled name=kube-public. Splitting them into
        # two entries would turn this into an OR and widen access.
        # The `name` label is not set by Kubernetes itself; check that the
        # kube-public namespace actually carries it, or nothing will match.
        - namespaceSelector:
            matchLabels:
              name: kube-public
          podSelector:
            matchLabels:
              app: traefik
              role: controller
---
# Single-replica Review Board web application.
# No securityContext is set on the pod or container, so the process runs as
# whatever user the image defines.
# NOTE(review): fsGroup is presumably left out on purpose, since it makes the
# kubelet recursively chown the volume at mount time. If group ownership is
# needed again, `fsGroupChangePolicy: OnRootMismatch` in the pod
# securityContext limits that chown to volumes whose root has the wrong owner.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-reviewboard
  namespace: roost
  labels:
    app: reviews
    role: reviewboard
spec:
  replicas: 1
  # Recreate stops the old pod before the new one starts, which suits a
  # ReadWriteOnce volume.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: reviews
      role: reviewboard
  template:
    metadata:
      labels:
        app: reviews
        role: reviewboard
    spec:
      volumes:
        - name: reviews-reviewboard
          persistentVolumeClaim:
            claimName: reviews-reviewboard
      containers:
        - name: reviewboard
          # NOTE(review): mutable `latest` tag on a third-party image, pulled
          # on every start - the code that runs can change without any change
          # to this manifest. Pin a version tag or image digest once chosen.
          image: ikatson/reviewboard:latest
          imagePullPolicy: Always
          env:
            # Database credentials are read from the same Secret the
            # PostgreSQL deployment uses (`reviews-postgres`, not shown here).
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: reviews-postgres
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: reviews-postgres
            - name: PGDB
              valueFrom:
                secretKeyRef:
                  key: db
                  name: reviews-postgres
            # Service names of the in-cluster backends.
            - name: PGHOST
              value: reviews-postgres
            - name: MEMCACHED
              value: reviews-memcached
          ports:
            - containerPort: 8000
              name: http
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            # All of /var/www/ is a writable persistent mount, backed by the
            # `reviewboard` sub-directory of the volume.
            - name: reviews-reviewboard
              mountPath: /var/www/
              subPath: reviewboard
              readOnly: false
---
# Claim for the Review Board data volume mounted at /var/www/.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: reviews-reviewboard
  namespace: roost
  labels:
    app: reviews
    role: reviewboard
spec:
  # Binds the claim to one specific, already-existing PersistentVolume rather
  # than letting a new one be provisioned.
  volumeName: pvc-7895cb6a-0b99-46ef-b2c4-2aa15ed73d1e
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---