| {{$svcAcctSplit := .serviceAccount | split "@"}}{{$svcAcct := $svcAcctSplit._0}} |
| apiVersion: apps/v1 |
| kind: StatefulSet |
| metadata: |
| name: autoroll-be-{{.rollerName}} |
| spec: |
| serviceName: "autoroll-be-{{.rollerName}}" |
| replicas: 1 |
| selector: |
| matchLabels: |
| app: autoroll-be-{{.rollerName}} |
| updateStrategy: |
| type: RollingUpdate |
| template: |
| metadata: |
| labels: |
| app: autoroll-be-{{.rollerName}} # Pod template's label selector |
| annotations: |
| prometheus.io.scrape: "true" |
| prometheus.io.port: "20000" |
| spec: |
| automountServiceAccountToken: false |
| securityContext: |
| runAsUser: 2000 # aka skia |
| fsGroup: 2000 # aka skia |
| containers: |
| - name: autoroll-be-{{.rollerName}} |
| image: gcr.io/skia-public/autoroll-be:TODO |
| args: |
| - "--logtostderr" |
| - "--config_file=/usr/local/share/autoroll/config/{{.configFile}}" |
| - "--email_creds=/var/secrets/autoroll-email-creds" |
| - "--firestore_instance=production" |
| - "--port=:8000" |
| - "--prom_port=:20000" |
| - "--recipes_cfg=/usr/local/share/autoroll/recipes.cfg" |
| - "--workdir=/data" |
| - "--chat_webhooks_file=/etc/notifier-chat-config/chat_config.txt" |
| ports: |
| - containerPort: 8000 |
| - containerPort: 20000 |
| volumeMounts: |
| - name: autoroll-be-{{.rollerName}}-storage |
| mountPath: /data |
| - name: autoroll-be-{{$svcAcct}}-sa |
| mountPath: /var/secrets/google |
| - name: autoroll-email-creds |
| mountPath: /var/secrets/autoroll-email-creds |
| - name: notifier-chat-config |
| mountPath: /etc/notifier-chat-config/ |
| {{- range $index, $secret := .kubernetes.secrets}} |
| - name: {{$secret.name}} |
| mountPath: {{$secret.mountPath}} |
| {{- end}} |
| env: |
| - name: GOOGLE_APPLICATION_CREDENTIALS |
| value: /var/secrets/google/key.json |
| - name: TMPDIR |
| value: /data/tmp |
| resources: |
| limits: |
| memory: "{{.kubernetes.memory}}" |
| cpu: {{.kubernetes.cpu}} |
| readinessProbe: |
| httpGet: |
| path: /healthz |
| port: 8000 |
| initialDelaySeconds: {{.kubernetes.readinessInitialDelaySeconds}} |
| periodSeconds: {{.kubernetes.readinessPeriodSeconds}} |
| failureThreshold: {{.kubernetes.readinessFailureThreshold}} |
| volumes: |
| - name: autoroll-be-{{$svcAcct}}-sa |
| secret: |
| secretName: {{$svcAcct}} |
| - name: autoroll-email-creds |
| secret: |
| secretName: autoroll-email-creds |
| - name: notifier-chat-config |
| secret: |
| secretName: notifier-chat-config |
| {{- range $index, $secret := .kubernetes.secrets}} |
| - name: {{$secret.name}} |
| secret: |
| secretName: {{$secret.name}} |
| {{- end}} |
| volumeClaimTemplates: |
| - metadata: |
| name: autoroll-be-{{.rollerName}}-storage |
| spec: |
| accessModes: [ "ReadWriteOnce" ] |
| resources: |
| requests: |
| storage: {{.kubernetes.disk}} |