zuul-operator/zuul_operator/templates/zuul.yaml
James E. Blair fe827fbeb0 Add support for imagePullSecrets
Since we support custom image prefixes, we should also support
imagePullSecrets since they are likely to be in a private registry.

This also updates some nearby documentation which was out of date.

Change-Id: Id43382284a9adde877e2383644a31bda24030b2b
2021-10-01 16:38:36 -07:00

520 lines
15 KiB
YAML

{%- if manage_zk %}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: zookeeper-client
labels:
app.kubernetes.io/name: zookeeper-client-certificate
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zookeeper-client-certificate
spec:
keyEncoding: pkcs8
secretName: zookeeper-client-tls
commonName: client
usages:
- digital signature
- key encipherment
- server auth
- client auth
issuerRef:
name: ca-issuer
kind: Issuer
{%- endif %}
---
apiVersion: v1
kind: Service
metadata:
name: zuul-executor
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-executor
spec:
type: ClusterIP
clusterIP: None
ports:
- name: logs
port: 7900
protocol: TCP
targetPort: logs
selector:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-executor
---
apiVersion: v1
kind: Service
metadata:
name: zuul-gearman
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-scheduler
spec:
type: ClusterIP
ports:
- name: gearman
port: 4730
protocol: TCP
targetPort: gearman
selector:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-scheduler
---
apiVersion: v1
kind: Service
metadata:
name: zuul-web
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-web
spec:
type: NodePort
ports:
- name: zuul-web
port: 9000
protocol: TCP
targetPort: zuul-web
selector:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-web
---
apiVersion: v1
kind: Service
metadata:
name: zuul-fingergw
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-fingergw
spec:
type: NodePort
ports:
- name: zuul-fingergw
port: 9079
protocol: TCP
targetPort: zuul-web
selector:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-fingergw
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: zuul-scheduler
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-scheduler
spec:
replicas: 1
serviceName: zuul-scheduler
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-scheduler
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-scheduler
annotations:
zuulConfSha: "{{ zuul_conf_sha }}"
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
containers:
- name: scheduler
image: {{ spec.imagePrefix }}/zuul-scheduler:{{ spec.zuulImageVersion }}
args: ["/usr/local/bin/zuul-scheduler", "-f", "-d"]
ports:
- name: gearman
containerPort: 4730
volumeMounts:
- name: zuul-config
mountPath: /etc/zuul
readOnly: true
- name: zuul-tenant-config
mountPath: /etc/zuul/tenant
readOnly: true
- name: zuul-scheduler
mountPath: /var/lib/zuul
- name: zookeeper-client-tls
mountPath: /tls/client
readOnly: true
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
mountPath: /etc/zuul/connections/{{ connection_name }}
readOnly: true
{%- endif %}
{%- endfor %}
env: {{ spec.env | zuul_to_json }}
volumes:
- name: zuul-config
secret:
secretName: zuul-config
- name: zuul-tenant-config
secret:
secretName: {{ zuul_tenant_secret }}
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
secret:
secretName: {{ connection['secretName'] }}
{%- endif %}
{%- endfor %}
volumeClaimTemplates:
- metadata:
name: zuul-scheduler
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 80Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zuul-web
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-web
spec:
replicas: {{ spec.web.count }}
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-web
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-web
annotations:
zuulConfSha: "{{ zuul_conf_sha }}"
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
containers:
- name: web
image: {{ spec.imagePrefix }}/zuul-web:{{ spec.zuulImageVersion }}
ports:
- name: zuul-web
containerPort: 9000
volumeMounts:
- name: zuul-config
mountPath: /etc/zuul
- name: zookeeper-client-tls
mountPath: /tls/client
readOnly: true
env: {{ spec.env | zuul_to_json }}
volumes:
- name: zuul-config
secret:
secretName: zuul-config
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zuul-fingergw
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-fingergw
spec:
replicas: {{ spec.fingergw.count }}
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-fingergw
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-fingergw
annotations:
zuulConfSha: "{{ zuul_conf_sha }}"
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
containers:
- name: fingergw
image: {{ spec.imagePrefix }}/zuul-fingergw:{{ spec.zuulImageVersion }}
ports:
- name: zuul-fingergw
containerPort: 9079
volumeMounts:
- name: zuul-config
mountPath: /etc/zuul
- name: zookeeper-client-tls
mountPath: /tls/client
readOnly: true
volumes:
- name: zuul-config
secret:
secretName: zuul-config
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: zuul-executor
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-executor
spec:
serviceName: zuul-executor
replicas: {{ spec.executor.count }}
podManagementPolicy: Parallel
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-executor
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-executor
annotations:
zuulConfSha: "{{ zuul_conf_sha }}"
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
securityContext:
runAsUser: 10001
runAsGroup: 10001
containers:
- name: executor
image: {{ spec.imagePrefix }}/zuul-executor:{{ spec.zuulImageVersion }}
args: ["/usr/local/bin/zuul-executor", "-f", "-d"]
ports:
- name: logs
containerPort: 7900
volumeMounts:
- name: zuul-config
mountPath: /etc/zuul
- name: zuul-var
mountPath: /var/lib/zuul
{%- if executor_ssh_secret %}
- name: nodepool-private-key
mountPath: /etc/zuul/sshkey
{%- endif %}
- name: zookeeper-client-tls
mountPath: /tls/client
readOnly: true
{%- for volume in spec.get('jobVolumes', []) %}
- name: {{ volume.volume.name }}
mountPath: {{ volume.path }}
{%- if volume.access == 'ro' %}readOnly: true{% endif %}
{%- endfor %}
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
mountPath: /etc/zuul/connections/{{ connection_name }}
readOnly: true
{%- endif %}
{%- endfor %}
securityContext:
privileged: true
terminationGracePeriodSeconds: {{ spec.executor.terminationGracePeriodSeconds }}
lifecycle:
preStop:
exec:
command: [
"/usr/local/bin/zuul-executor", "graceful"
]
volumes:
- name: zuul-var
emptyDir: {}
- name: zuul-config
secret:
secretName: zuul-config
- name: zookeeper-client-tls
secret:
secretName: {{ spec.zookeeper.secretName }}
{%- if executor_ssh_secret %}
- name: nodepool-private-key
secret:
secretName: {{ executor_ssh_secret }}
{%- endif %}
{%- for volume in spec.get('jobVolumes', []) %}
- {{ volume.volume | zuul_to_json }}
{%- endfor %}
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
secret:
secretName: {{ connection['secretName'] }}
{%- endif %}
{%- endfor %}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: zuul-merger
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-merger
spec:
serviceName: zuul-merger
replicas: {{ spec.merger.count }}
podManagementPolicy: Parallel
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-merger
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-merger
annotations:
zuulConfSha: "{{ zuul_conf_sha }}"
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
securityContext:
runAsUser: 10001
runAsGroup: 10001
containers:
- name: merger
image: {{ spec.imagePrefix }}/zuul-merger:{{ spec.zuulImageVersion }}
args: ["/usr/local/bin/zuul-merger", "-f", "-d"]
volumeMounts:
- name: zuul-config
mountPath: /etc/zuul
- name: zuul-var
mountPath: /var/lib/zuul
- name: zookeeper-client-tls
mountPath: /tls/client
readOnly: true
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
mountPath: /etc/zuul/connections/{{ connection_name }}
readOnly: true
{%- endif %}
{%- endfor %}
terminationGracePeriodSeconds: 3600
volumes:
- name: zuul-var
emptyDir: {}
- name: zuul-config
secret:
secretName: zuul-config
- name: zookeeper-client-tls
secret:
secretName: {{ spec.zookeeper.secretName }}
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
secret:
secretName: {{ connection['secretName'] }}
{%- endif %}
{%- endfor %}
---
apiVersion: v1
kind: Service
metadata:
name: zuul-preview
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-preview
spec:
type: NodePort
ports:
- name: zuul-preview
port: 80
protocol: TCP
targetPort: zuul-preview
selector:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-preview
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zuul-preview
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-preview
spec:
replicas: {{ spec.preview.count }}
selector:
matchLabels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-preview
template:
metadata:
labels:
app.kubernetes.io/name: zuul
app.kubernetes.io/instance: {{ instance_name }}
app.kubernetes.io/part-of: zuul
app.kubernetes.io/component: zuul-preview
spec:
imagePullSecrets: {{ spec.imagePullSecrets }}
containers:
- name: preview
image: {{ spec.imagePrefix }}/zuul-preview:{{ spec.zuulPreviewImageVersion }}
ports:
- name: zuul-preview
containerPort: 80
env:
- name: ZUUL_API_URL
value: http://zuul-web/