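---
# ACME issuer referenced by the API Ingress below through its
# cert-manager.io/cluster-issuer annotation. Certificates are obtained from
# Let's Encrypt with an HTTP-01 challenge answered through the traefik
# ingress class.
# ClusterIssuer is cluster-scoped, so it carries no metadata.namespace. The
# ACME account key named in privateKeySecretRef lives in cert-manager's
# cluster resource namespace (the cert-manager namespace unless overridden),
# not in the application namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-carrramba
spec:
  acme:
    email: me@adrien.run
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-carrramba
    solvers:
      - http01:
          ingress:
            class: traefik
---
# Frontend: a single replica serving the web UI on container port 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: carrramba-encore-rate-frontend
  labels:
    app: carrramba-encore-rate-frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: carrramba-encore-rate-frontend
  template:
    metadata:
      labels:
        app: carrramba-encore-rate-frontend
    spec:
      containers:
        - name: carrramba-encore-rate-frontend
          # NOTE(review): `latest` is a mutable tag, so the running image
          # cannot be traced back to a specific build from this manifest.
          # Pinning a version tag or digest makes rollouts reproducible.
          # NOTE(review): no securityContext or resource limits are set for
          # this container; confirm the defaults are acceptable.
          image: rg.fr-par.scw.cloud/asr-projects/carrramba-encore-rate-frontend:latest
          ports:
            - name: web
              containerPort: 80
      imagePullSecrets:
        - name: registry-secret
---
# Cluster-internal Service in front of the frontend pods.
apiVersion: v1
kind: Service
metadata:
  name: carrramba-encore-rate-frontend
  labels:
    app: carrramba-encore-rate-frontend
spec:
  ports:
    - name: web
      port: 80
      targetPort: web
  selector:
    app: carrramba-encore-rate-frontend
---
# Routes every path on the Traefik `web` entrypoint to the frontend Service.
# NOTE(review): this Ingress has no `tls` section and no `host` in its rule,
# so the frontend is exposed only on the `web` entrypoint and for any Host
# header. If `web` is the plain-HTTP listener, confirm that serving the UI
# without TLS is intended while the API is on `websecure`.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: carrramba-encore-rate-frontend-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: carrramba-encore-rate-frontend
                port:
                  name: web
---
# Traefik middleware that removes the /api prefix before the request reaches
# the API Service. The API Ingress refers to it as
# `default-strip-api-prefix@kubernetescrd`, i.e. it must be created in the
# `default` namespace for that reference to resolve.
# NOTE(review): newer Traefik releases serve this CRD under the traefik.io
# API group; confirm which group the installed Traefik version expects.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: strip-api-prefix
spec:
  stripPrefix:
    prefixes:
      - /api
---
# Routes /api/ on the `websecure` entrypoint to the API Service, with a
# certificate issued by the letsencrypt-carrramba ClusterIssuer.
# NOTE(review): the certificate is requested for carrramba.adrien.run, but
# the rule itself has no `host`, so the route matches any Host header on
# this entrypoint. Adding `host: carrramba.adrien.run` to the rule would
# restrict it to the name the certificate covers.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: carrramba-encore-rate-api-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-carrramba
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: default-strip-api-prefix@kubernetescrd
spec:
  tls:
    - hosts:
        - carrramba.adrien.run
      secretName: tls-carrramba-encore-rate-ingress
  rules:
    - http:
        paths:
          - path: /api/
            pathType: Prefix
            backend:
              service:
                name: carrramba-encore-rate-api
                port:
                  name: web
---
# Service account to allow pod access to Vault via K8s auth.
# The token is mounted into the pod on purpose: the Vault agent presents it
# to Vault's Kubernetes auth method to log in as the role named in the
# Deployment's vault.hashicorp.com/role annotation.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: carrramba-encore-rate-api
automountServiceAccountToken: true
---
# API server. Database credentials and the IDFM API key are not stored in
# this manifest: the Vault agent injector renders them into a shell snippet
# at /vault/secrets/carrramba-encore-rate-api, which the container sources
# before starting Python.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: carrramba-encore-rate-api
  labels:
    app: carrramba-encore-rate-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: carrramba-encore-rate-api
  template:
    metadata:
      labels:
        app: carrramba-encore-rate-api
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-carrramba-encore-rate-api: "database/creds/carrramba-encore-rate-api"
        # The rendered file is executed by bash (`source`), so every value
        # taken from Vault is wrapped in single quotes: an unquoted value
        # containing spaces or shell metacharacters would be interpreted by
        # the shell instead of being assigned verbatim.
        vault.hashicorp.com/agent-inject-template-carrramba-encore-rate-api: |
          {{ with secret "database/creds/carrramba-encore-rate-api" -}}
          export CER__DB__NAME=carrramba_encore_rate
          export CER__DB__HOST=postgres
          export CER__DB__PORT=5432
          export CER__DB__USER='{{ .Data.username }}'
          export CER__DB__PASSWORD='{{ .Data.password }}'
          {{- end }}
          {{ with secret "carrramba-encore-rate-api/idfm-api-key" -}}
          export CER__IDFM_API_KEY='{{ .Data.key }}'
          {{- end}}
        vault.hashicorp.com/role: "carrramba-encore-rate-api"
    spec:
      containers:
        - name: carrramba-encore-rate-api
          # NOTE(review): mutable `latest` tag; see the frontend Deployment.
          image: rg.fr-par.scw.cloud/asr-projects/carrramba-encore-rate-api:latest
          command: ["/bin/bash"]
          # ${BASH_ENV} is expanded by bash, not by Kubernetes (which only
          # expands the $(VAR) form). A non-interactive bash also reads
          # $BASH_ENV by itself, so this is presumably a second read of the
          # same file, and any child bash inherits the variable as well.
          args: ["-c", "source ${BASH_ENV} ; python ./api_server.py "]
          # args: ["-c", "while true; do echo hello; sleep 10;done"]
          ports:
            - name: web
              containerPort: 8080
          env:
            # Path of the file rendered by the Vault agent template above.
            - name: BASH_ENV
              value: /vault/secrets/carrramba-encore-rate-api
            # NOTE(review): points at a file named config.sample.yaml;
            # confirm it is the intended runtime configuration.
            - name: CONFIG_PATH
              value: ./config.sample.yaml
            - name: CER__TRACING__ENABLE
              value: "true"
            # NOTE(review): $(...) is resolved from earlier env entries and
            # from service variables, and Kubernetes injects service
            # variables only for Services in the pod's own namespace. The
            # collector is addressed in `observability`, so confirm this
            # reference resolves; an unresolved reference is left as the
            # literal text. Traces are sent over plain HTTP.
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: "http://jaeger-all-in-one-collector.observability.svc.cluster.local:$(JAEGER_ALL_IN_ONE_COLLECTOR_SERVICE_PORT_HTTP_OTLP)"
          imagePullPolicy: Always
      imagePullSecrets:
        - name: registry-secret
      serviceAccountName: carrramba-encore-rate-api
---
# Cluster-internal Service in front of the API pods (target of the API
# Ingress above).
apiVersion: v1
kind: Service
metadata:
  name: carrramba-encore-rate-api
  labels:
    app: carrramba-encore-rate-api
spec:
  ports:
    - name: web
      port: 8080
      targetPort: web
  selector:
    app: carrramba-encore-rate-api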
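---
# Weekly database refresh. Runs with the separate
# carrramba-encore-rate-admin Vault role and service account, so the admin
# database credentials are only issued to this job and not to the API pods.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: db-update
spec:
  schedule: "0 1 * * 5"  # At 01:00 on Friday
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-inject-secret-carrramba-encore-rate-admin: "database/creds/carrramba-encore-rate-admin"
            # The rendered file is executed by bash (`source`), so every
            # value taken from Vault is wrapped in single quotes: an
            # unquoted value containing spaces or shell metacharacters would
            # be interpreted by the shell instead of being assigned verbatim.
            vault.hashicorp.com/agent-inject-template-carrramba-encore-rate-admin: |
              {{ with secret "database/creds/carrramba-encore-rate-admin" -}}
              export CER__DB__NAME=carrramba_encore_rate
              export CER__DB__HOST=postgres
              export CER__DB__PORT=5432
              export CER__DB__USER='{{ .Data.username }}'
              export CER__DB__PASSWORD='{{ .Data.password }}'
              {{- end }}
              {{ with secret "carrramba-encore-rate-api/idfm-api-key" -}}
              export CER__IDFM_API_KEY='{{ .Data.key }}'
              {{- end}}
            vault.hashicorp.com/role: "carrramba-encore-rate-admin"
        spec:
          containers:
            - name: db-update
              # NOTE(review): `latest` is a mutable tag; pinning a version
              # tag or digest makes each weekly run reproducible.
              image: rg.fr-par.scw.cloud/asr-projects/carrramba-encore-rate-db-updater:latest
              command: ["/bin/bash"]
              # ${BASH_ENV} is expanded by bash, not by Kubernetes (which
              # only expands the $(VAR) form).
              args: ["-c", "source ${BASH_ENV} ; python ./db_updater.py"]
              # Always pull: with the mutable `latest` tag, IfNotPresent
              # would keep running whatever copy a node has cached, and a
              # cached private image is reused without checking the pull
              # secret again.
              imagePullPolicy: Always
              env:
                # Path of the file rendered by the Vault agent template above.
                - name: BASH_ENV
                  value: /vault/secrets/carrramba-encore-rate-admin
                # NOTE(review): points at a file named config.sample.yaml;
                # confirm it is the intended runtime configuration.
                - name: CONFIG_PATH
                  value: ./config.sample.yaml
          restartPolicy: Never
          imagePullSecrets:
            - name: registry-secret
          serviceAccountName: carrramba-encore-rate-admin
---
# Service account to allow pod access to Vault via K8s auth.
# The token is mounted into the pod on purpose: the Vault agent presents it
# to Vault's Kubernetes auth method to log in as the admin role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: carrramba-encore-rate-admin
automountServiceAccountToken: true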