
Referencing [here](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar#configure-kubernetes-authentication), comparing with the Secrets Operator that I used [here](https://blog.scubbo.org/posts/base-app-infrastructure/). I _think_ I prefer this because:

* It doesn't create a Kubernetes secret (which is, contrary to expectation, [not entirely secure](https://kubernetes.io/docs/concepts/configuration/secret/))
* The YAML/template changes required are smaller
* It looks like it _might_ be able to write a whole Vault path as a single file, rather than one-file-per-key - though it'll need some template wizardry (in a follow-on commit) to format that right.
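# Helm values for the edh-elo chart.
# Google Sheets credentials are delivered by the Vault Agent injector
# (see `podAnnotations`) and read from /vault/secrets/ by the app.
image:
  repository: gitea.scubbo.org/scubbo/edh-elo
  tag: "9b4e6c3b4d852883a372332461253ef9eae6d014"
  pullPolicy: IfNotPresent

extraEnv:
  # SECURITY: the database password is committed in plain text here and is
  # duplicated in `postgresql.primary.initdb.scripts` below; it ends up in the
  # rendered Pod spec and is visible to anyone with repo or `kubectl get pod`
  # access. Source it from a Secret (or the Vault injector already wired up
  # in `podAnnotations`) instead — tracked by the TODO under `initdb`.
  - name: DATABASE_URL
    value: postgresql://db_user:pass@edh-elo-postgresql/postgres
  # Quoted so an all-digit spreadsheet id can never be parsed as a number.
  - name: SPREADSHEET_ID
    value: "1ITgXXfq7KaNP8JTQMvoZJSbu7zPpCcfNio_aooULRfc"
  # Path the Vault Agent sidecar writes the injected secret to; the file name
  # must match the `agent-inject-secret-<name>` annotation below.
  - name: PATH_TO_GOOGLE_SHEETS_CREDENTIALS
    value: /vault/secrets/google-credentials.json

postgresql:
  auth:
    # NOTE(review): `existing-secret` does not look like a key this subchart
    # reads (the Bitnami postgresql chart uses `auth.existingSecret`); if so it
    # is silently ignored and the chart generates its own password — verify
    # against the subchart's values before relying on it.
    existing-secret: edh-elo-postgresql
  primary:
    persistence:
      enabled: true
    initdb:
      # TODO - switch to using a secret (and update `extraEnv`, above)
      # SECURITY: plain-text credentials; see the note on `extraEnv`.
      scripts:
        psql.sql: |
          CREATE USER db_user WITH PASSWORD 'pass';
          GRANT ALL PRIVILEGES ON DATABASE postgres TO db_user;
          GRANT ALL ON SCHEMA public TO db_user;

############
# Defaults #
############
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations:
  # Vault Agent injector: authenticates as Vault role `edh-elo` and renders the
  # secret at `edh-elo/data/google-credentials` into
  # /vault/secrets/google-credentials.json.
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/role: "edh-elo"
  vault.hashicorp.com/agent-inject-secret-google-credentials.json: "edh-elo/data/google-credentials"
  # Custom render template for the file — still to be finished; left disabled.
  # vault.hashicorp.com/agent-inject-template-google-credentials.json: |
  #   {{- with secret "edh-elo/data/google-credentials" -}}
  #   {{- .Data | b64enc -}}
  #   {{- end -}}

# Both security contexts are empty, so none of the hardening shown in the
# commented examples (non-root, dropped capabilities, read-only root FS) is
# applied to the Pod.
podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  # LoadBalancer exposes port 8000 directly outside the cluster; the ingress
  # below is disabled, so no TLS termination or path routing sits in front.
  type: LoadBalancer
  port: 8000

ingress:
  enabled: false
  className: "traefik"
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  # hosts:
  #   - host: edh-elo.avril
  #     paths:
  #       - path: /
  #         pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}
  # architecture: x86

# Pod tolerations are a list in the PodSpec (see the commented example), so the
# empty default is `[]` rather than the `{}` map that was here before.
tolerations: []
  # - key: architecture
  #   operator: Equal
  #   value: x86

affinity: {}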