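# Role "fiddle": namespaced permissions on pods. The RoleBinding of the same
# name in this file grants it to the "fiddle" ServiceAccount.
#
# rbac.authorization.k8s.io/v1beta1 is deprecated and is no longer served as
# of Kubernetes 1.22; the Role schema is the same in v1.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: fiddle
rules:
  # "" is the core API group, which is where pods are defined.
  - apiGroups:
      - ""
    resources:
      - pods
    # NOTE(review): no resourceNames are set, so every verb here, including
    # "delete", applies to all pods in the "default" namespace. Which pods
    # the application is meant to manage is not visible in this manifest;
    # confirm nothing unrelated shares the namespace, or move the managed
    # pods to a dedicated one.
    verbs: ["get", "list", "watch", "delete"]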
---
# Identity for the fiddle pods: the Deployment in this file selects it with
# serviceAccountName, and the RoleBinding in this file names it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: fiddle
---
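# Grants the namespaced "fiddle" Role to the "fiddle" ServiceAccount, both in
# the "default" namespace.
#
# rbac.authorization.k8s.io/v1beta1 is deprecated and is no longer served as
# of Kubernetes 1.22; the RoleBinding schema is the same in v1.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fiddle
  namespace: default
# roleRef cannot be edited once the binding exists; pointing it at a different
# Role means deleting and recreating the RoleBinding.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fiddle
subjects:
  # The only subject: anything running as this ServiceAccount receives the
  # Role's permissions on pods.
  - kind: ServiceAccount
    name: fiddle
    namespace: default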
---
# Service in front of the pods labelled app=fiddle, exposing the http port
# (8000) and the metrics port (20000).
apiVersion: v1
kind: Service
metadata:
  name: fiddle
  labels:
    app: fiddle
  annotations:
    # Maps port 8000 to the BackendConfig named skia-default-backendconfig.
    beta.cloud.google.com/backend-config: '{"ports": {"8000":"skia-default-backendconfig"}}'
spec:
  # NOTE(review): NodePort allocates a node port for every entry under
  # "ports", so the metrics port gets one as well as http. Whether those node
  # ports are reachable from outside the cluster depends on firewall rules
  # that are not part of this file.
  type: NodePort
  selector:
    app: fiddle
  ports:
    - name: metrics
      port: 20000
    - name: http
      port: 8000
---
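# Deployment for the fiddle server: two replicas, rolled out with
# RollingUpdate, running as the "fiddle" ServiceAccount.
#
# apps/v1beta1 is no longer served as of Kubernetes 1.16. apps/v1 requires an
# explicit spec.selector; the one below lists both template labels, which is
# what apps/v1beta1 defaulted the selector to when it was omitted.
apiVersion: apps/v1
kind: Deployment
metadata:
  # NOTE(review): no namespace is set here, while the ServiceAccount, Role and
  # RoleBinding in this file are pinned to "default". serviceAccountName only
  # resolves within the pod's own namespace, so this must be applied to
  # "default" as well.
  name: fiddle
spec:
  replicas: 2
  selector:
    matchLabels:
      app: fiddle
      appgroup: fiddle
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: fiddle
        appgroup: fiddle
      annotations:
        prometheus.io.scrape: "true"
        prometheus.io.port: "20000"
    spec:
      serviceAccountName: fiddle
      # The API token is mounted explicitly. The Role bound to this
      # ServiceAccount allows get/list/watch/delete on pods, so the process
      # presumably calls the Kubernetes API from inside the pod (confirm).
      # Anything that can read files in the container can use that token.
      automountServiceAccountToken: true
      securityContext:
        runAsUser: 2000 # aka skia
        fsGroup: 2000 # aka skia
        # Makes the kubelet refuse to start the container as UID 0, e.g. if
        # runAsUser is later dropped and the image defaults to root.
        runAsNonRoot: true
      containers:
        - name: fiddle
          # NOTE(review): the image is referenced by tag. A tag can be moved to
          # different content; pinning by digest (@sha256:<digest>) fixes what
          # actually runs.
          image: gcr.io/skia-public/fiddle:2019-02-11T15_35_15Z-jcgregorio-a297194-clean
          # NOTE(review): there is no container-level securityContext.
          # allowPrivilegeEscalation: false, readOnlyRootFilesystem: true and
          # dropping capabilities would tighten this, but whether the binary
          # tolerates them cannot be told from this file. TODO confirm.
          args:
            - "--logtostderr"
            - "--port=:8000"
            - "--prom_port=:20000"
            - "--resources_dir=/usr/local/share/fiddle/"
            - "--source_image_dir=/etc/fiddle/source"
          ports:
            - containerPort: 8000
            - containerPort: 20000
          volumeMounts:
            - name: skia-fiddle-sa
              mountPath: /var/secrets/google
              # The credential file is only read, never written.
              readOnly: true
          env:
            # Points Google client libraries at the key file from the
            # skia-fiddle Secret.
            # NOTE(review): if key.json is an exported service-account key, it
            # does not expire on its own; on GKE, Workload Identity avoids
            # storing a key at all. Confirm what the Secret holds.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
          resources:
            # NOTE(review): only requests are set. Without limits the
            # container's memory and CPU use is not capped by this manifest.
            requests:
              memory: "100M"
              cpu: "1"
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8000
            initialDelaySeconds: 1
            periodSeconds: 10
      volumes:
        - name: skia-fiddle-sa
          secret:
            secretName: skia-fiddle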