Dustin C. Hatch
bed5ed5767
The *dch-webhooks* server now has a _POST /host/online_ hook that can be triggered by a new machine when it first comes online. This hook starts an automatic provisioning process by creating a Kubernetes Job to run Ansible and publishing information about the host to provision via AMQP. Thus, the server now needs access to the Kubernetes API in order to create the Job and access to RabbitMQ in order to publish the task parameters.
132 lines
3.5 KiB
YAML
132 lines
3.5 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: dch-webhooks
|
|
labels:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/part-of: dch-webhooks
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/instance: dch-webhooks
|
|
app.kubernetes.io/part-of: dch-webhooks
|
|
name: dch-webhooks
|
|
spec:
|
|
ports:
|
|
- name: http
|
|
port: 8000
|
|
selector:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/instance: dch-webhooks
|
|
type: ClusterIP
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: dch-webhooks
|
|
labels:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/instance: dch-webhooks
|
|
app.kubernetes.io/part-of: dch-webhooks
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/instance: dch-webhooks
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: dch-webhooks
|
|
app.kubernetes.io/component: dch-webhooks
|
|
app.kubernetes.io/instance: dch-webhooks
|
|
spec:
|
|
containers:
|
|
- name: dch-webhooks
|
|
image: git.pyrocufflink.net/infra/dch-webhooks
|
|
env:
|
|
- name: UVICORN_HOST
|
|
value: 0.0.0.0
|
|
- name: UVICORN_LOG_LEVEL
|
|
value: debug
|
|
- name: ANSIBLE_JOB_YAML
|
|
value: /etc/dch-webhooks/ansible-job.yaml
|
|
envFrom:
|
|
- configMapRef:
|
|
name: dch-webhooks
|
|
ports:
|
|
- name: http
|
|
containerPort: 8000
|
|
startupProbe: &probe
|
|
httpGet:
|
|
path: /
|
|
port: 8000
|
|
periodSeconds: 1
|
|
timeoutSeconds: 1
|
|
successThreshold: 1
|
|
failureThreshold: 10
|
|
readinessProbe:
|
|
<<: *probe
|
|
periodSeconds: 60
|
|
failureThreshold: 2
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
volumeMounts:
|
|
- mountPath: /run/dch-root-ca.crt
|
|
name: root-ca
|
|
subPath: dch-root-ca.crt
|
|
- mountPath: /run/secrets/du5t1n.me/firefly
|
|
name: firefly-token
|
|
- mountPath: /run/secrets/du5t1n.me/paperless
|
|
name: paperless-token
|
|
- mountPath: /run/secrets/du5t1n.me/rabbitmq
|
|
name: rabbitmq-cert
|
|
readOnly: true
|
|
- mountPath: /run/secrets/du5t1n.me/step-ca
|
|
name: step-ca-password
|
|
- mountPath: /tmp
|
|
name: tmp
|
|
subPath: tmp
|
|
- mountPath: /etc/dch-webhooks
|
|
name: host-provisioner
|
|
readOnly: true
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
serviceAccountName: dch-webhooks
|
|
volumes:
|
|
- name: firefly-token
|
|
secret:
|
|
secretName: firefly-token
|
|
optional: true
|
|
- name: host-provisioner
|
|
configMap:
|
|
name: host-provisioner
|
|
optional: true
|
|
- name: paperless-token
|
|
secret:
|
|
secretName: paperless-token
|
|
optional: true
|
|
- name: rabbitmq-cert
|
|
secret:
|
|
secretName: rabbitmq-cert
|
|
optional: true
|
|
- name: root-ca
|
|
configMap:
|
|
name: dch-root-ca
|
|
- name: step-ca-password
|
|
secret:
|
|
secretName: step-ca-password
|
|
optional: true
|
|
- name: tmp
|
|
emptyDir:
|
|
medium: Memory
|