133 lines
3.6 KiB
YAML
133 lines
3.6 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: node-red-1
|
|
name: node-red-1
|
|
namespace: node-red
|
|
spec:
|
|
progressDeadlineSeconds: 600
|
|
replicas: 1
|
|
revisionHistoryLimit: 10
|
|
selector:
|
|
matchLabels:
|
|
app: node-red-1
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 25%
|
|
maxUnavailable: 25%
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
vault.hashicorp.com/agent-inject-secret-config.cfg: x
|
|
vault.hashicorp.com/agent-inject-template-config.cfg: |
|
|
cookie_secret='0ViLJk3i3NNRaTvoIFlXaA=='
|
|
cookie_domains=['werts.us']
|
|
whitelist_domains=[".werts.us"]
|
|
# only users with this domain will be let in
|
|
email_domains=["werts.us","strudelline.net","andariese.net"]
|
|
|
|
{{- with secret "kvv2/data/k8s-ns/node-red/node-red-1-werts-oidc" }}
|
|
client_id="{{ .Data.data.client_id }}"
|
|
client_secret="{{ .Data.data.client_secret }}"
|
|
{{- end }}
|
|
cookie_secure="false"
|
|
|
|
redirect_url="https://red-1.werts.us/oauth2/callback"
|
|
|
|
upstreams = [ "http://localhost:1880" ]
|
|
skip_auth_routes = [
|
|
"!=^/admin(/.*)?$"
|
|
]
|
|
|
|
reverse_proxy = true
|
|
set_xauthrequest = true
|
|
|
|
provider="oidc"
|
|
oidc_issuer_url="https://auth.werts.us/realms/werts"
|
|
vault.hashicorp.com/role: default
|
|
creationTimestamp: null
|
|
labels:
|
|
app: node-red-1
|
|
spec:
|
|
containers:
|
|
- env:
|
|
- name: CHROMIUM_USER_FLAGS
|
|
value: --no-sandbox --disable-setuid-sandbox
|
|
image: jamesandariese/node-red-with-chrome
|
|
imagePullPolicy: Always
|
|
name: node-red-1
|
|
resources: {}
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
volumeMounts:
|
|
- mountPath: /data
|
|
name: data-pv
|
|
- image: haproxy
|
|
imagePullPolicy: Always
|
|
name: haproxy
|
|
resources: {}
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
volumeMounts:
|
|
- mountPath: /usr/local/etc/haproxy
|
|
name: haproxy-config
|
|
readOnly: true
|
|
- args:
|
|
- --http-address=0.0.0.0:4180
|
|
- --config=/vault/secrets/config.cfg
|
|
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /ping
|
|
port: http
|
|
scheme: HTTP
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
name: oauth2-proxy
|
|
ports:
|
|
- containerPort: 4180
|
|
name: http
|
|
protocol: TCP
|
|
resources: {}
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
dnsPolicy: ClusterFirst
|
|
restartPolicy: Always
|
|
schedulerName: default-scheduler
|
|
securityContext: {}
|
|
terminationGracePeriodSeconds: 30
|
|
volumes:
|
|
- name: data-pv
|
|
nfs:
|
|
path: /volume1/k8s-volumes/node-red-1
|
|
server: 172.16.18.1
|
|
- configMap:
|
|
defaultMode: 420
|
|
name: node-red-1-haproxy-config
|
|
name: haproxy-config
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: node-red-1
|
|
namespace: node-red
|
|
spec:
|
|
ingressClassName: istio
|
|
rules:
|
|
- host: red-1.werts.us
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: node-red-1
|
|
port:
|
|
number: 4180
|