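{{- /*
  Renders the Kubernetes resources for one autoroller backend:
    * a ServiceAccount (only on old clusters that use Workload Identity), and
    * the StatefulSet that runs the autoroll-be binary behind luci-auth.

  Template inputs used here:
    .serviceAccount         GCP service account e-mail; the part before "@"
                            ($svcAcct) names the k8s ServiceAccount, secret
                            and (on new clusters) the namespace.
    .useWorkloadIdentity    string "true"/"false".
    .oldCluster             truthy on old clusters.
    .rollerName, .ownerPrimary, .ownerSecondary, .configBase64
    .kubernetes.{image,memory,cpu,disk,readiness*}
*/ -}}
{{- $svcAcctSplit := .serviceAccount | split "@" -}}
{{- $svcAcct := $svcAcctSplit._0 -}}
{{- if and (eq .useWorkloadIdentity "true") (.oldCluster) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Quoted so the rendered value is always a string.
    iam.gke.io/gcp-service-account: "{{.serviceAccount}}"
  name: {{$svcAcct}}
  namespace: default
---
{{- end}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: autoroll-be-{{.rollerName}}
  {{- if not .oldCluster}}
  namespace: {{$svcAcct}}
  {{- end}}
spec:
  serviceName: "autoroll-be-{{.rollerName}}"
  replicas: 1
  selector:
    matchLabels:
      app: autoroll-be-{{.rollerName}}
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: autoroll-be-{{.rollerName}}  # must match spec.selector.matchLabels
        appgroup: autoroll
        # Label values must be strings; quoting protects owners whose
        # value would otherwise be parsed as a number or boolean.
        owner-primary: "{{.ownerPrimary}}"
        owner-secondary: "{{.ownerSecondary}}"
      annotations:
        prometheus.io.scrape: "true"
        prometheus.io.port: "20000"
    spec:
      # The process authenticates via luci-auth (Workload Identity / GCE
      # metadata or a mounted key), never via the k8s API token.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 2000  # aka skia
        fsGroup: 2000  # aka skia
        runAsNonRoot: true  # reject images that would fall back to uid 0
      {{- if and (eq .useWorkloadIdentity "true") (.oldCluster)}}
      serviceAccountName: {{$svcAcct}}
      {{- end}}
      {{- if .kubernetes.disk}}
      # With a persistent disk, TMPDIR lives on it and must exist before the
      # main container starts.
      initContainers:
        - name: init-autoroll-be-{{.rollerName}}
          image: "{{.kubernetes.image}}"
          command: ['mkdir', '-p', '$(TMPDIR)']
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: TMPDIR
              value: "/data/tmp"  # always under /data inside this block
          volumeMounts:
            - name: autoroll-be-{{.rollerName}}-storage
              mountPath: /data
      {{- end}}
      containers:
        - name: autoroll-be-{{.rollerName}}
          image: "{{.kubernetes.image}}"
          command: ["luci-auth"]
          args:
            - "context"
            - "-service-account-json"
            {{- if or (eq .useWorkloadIdentity "true") (not .oldCluster)}}
            - ":gce"
            {{- else}}
            # NOTE(review): this branch fires for any value other than "true",
            # but the key volume/env below render only for exactly "false";
            # confirm .useWorkloadIdentity is normalized upstream.
            - "/var/secrets/google/key.json"
            {{- end}}
            - "--"
            - "/usr/local/bin/autoroll-be"
            - "--config={{.configBase64}}"
            - "--firestore_instance=production"
            - "--port=:8000"
            - "--prom_port=:20000"
            - "--recipes_cfg=/usr/local/share/autoroll/recipes.cfg"
            - "--workdir={{if .kubernetes.disk}}/data{{else}}/tmp{{end}}"
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 8000
            - containerPort: 20000
              name: prom
          volumeMounts:
            {{- if .kubernetes.disk}}
            - name: autoroll-be-{{.rollerName}}-storage
              mountPath: /data
            {{- end}}
            {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
            - name: autoroll-be-{{$svcAcct}}-sa
              mountPath: /var/secrets/google
            {{- end}}
          env:
            {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
            {{- end}}
            - name: TMPDIR
              value: "{{if .kubernetes.disk}}/data{{end}}/tmp"
          resources:
            requests:
              memory: "{{.kubernetes.memory}}"
              cpu: "{{.kubernetes.cpu}}"
              {{- if not .kubernetes.disk}}
              ephemeral-storage: '32M'
              {{- end}}
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8000
            initialDelaySeconds: {{.kubernetes.readinessInitialDelaySeconds}}
            periodSeconds: {{.kubernetes.readinessPeriodSeconds}}
            failureThreshold: {{.kubernetes.readinessFailureThreshold}}
      volumes:
        {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
        - name: autoroll-be-{{$svcAcct}}-sa
          secret:
            secretName: {{$svcAcct}}
        {{- end}}
  {{- if .kubernetes.disk}}
  volumeClaimTemplates:
    - metadata:
        name: autoroll-be-{{.rollerName}}-storage
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: "{{.kubernetes.disk}}"
  {{- end}}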