129 lines
2.9 KiB
YAML
129 lines
2.9 KiB
YAML
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: step-ca
|
|
namespace: step-ca
|
|
labels:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
app.kubernetes.io/part-of: step-ca
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 1Gi
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: step-ca
|
|
namespace: step-ca
|
|
labels:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
app.kubernetes.io/part-of: step-ca
|
|
spec:
|
|
ports:
|
|
- port: 32599
|
|
nodePort: 32599
|
|
name: step-ca
|
|
selector:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
type: NodePort
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: step-ca
|
|
namespace: step-ca
|
|
labels:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
app.kubernetes.io/part-of: step-ca
|
|
spec:
|
|
serviceName: step-ca
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: step-ca
|
|
app.kubernetes.io/component: step-ca
|
|
app.kubernetes.io/instance: step-ca
|
|
spec:
|
|
enableServiceLinks: false
|
|
containers:
|
|
- name: step-ca
|
|
image: docker.io/smallstep/step-ca:0.25.0
|
|
workingDir: /step
|
|
env:
|
|
- name: CONFIGPATH
|
|
value: /step/config/ca.json
|
|
- name: PWDPATH
|
|
value: /step/secrets/password
|
|
- name: STEPPATH
|
|
value: /step
|
|
ports:
|
|
- containerPort: 32599
|
|
name: step-ca
|
|
readinessProbe: &probe
|
|
httpGet:
|
|
port: 32599
|
|
path: /health
|
|
scheme: HTTPS
|
|
failureThreshold: 3
|
|
periodSeconds: 60
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
startupProbe:
|
|
<<: *probe
|
|
failureThreshold: 30
|
|
periodSeconds: 3
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
volumeMounts:
|
|
- mountPath: /step/certs
|
|
name: certs
|
|
readOnly: true
|
|
- mountPath: /step/config
|
|
name: config
|
|
readOnly: true
|
|
- mountPath: /step/db
|
|
name: data
|
|
subPath: db
|
|
- mountPath: /step/secrets
|
|
name: secrets
|
|
readOnly: true
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: step-ca-config
|
|
- name: certs
|
|
configMap:
|
|
name: step-ca-certs
|
|
- name: secrets
|
|
secret:
|
|
secretName: step-ca
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: step-ca
|
|
|
|
|