-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathflux-deployment.yaml
97 lines (89 loc) · 3.31 KB
/
flux-deployment.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: flux
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
name: flux
spec:
serviceAccount: flux
volumes:
- name: git-key
secret:
secretName: flux-git-deploy
defaultMode: 0400 # when mounted read-only, we won't be able to chmod
# This is a tmpfs used for generating SSH keys. In K8s >= 1.10,
# mounted secrets are read-only, so we need a separate volume we
# can write to.
- name: git-keygen
emptyDir:
medium: Memory
# This is to share docker creds from a sidecar into flux since we use ECR
- name: shared-data
emptyDir: {}
initContainers:
- name: init-ecr-creds
image: struz/ecr-creds:v0.2.9
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- "make_docker_config_json.sh ap-southeast-2"
volumeMounts:
- name: shared-data
mountPath: /docker-creds
containers:
- name: flux
# There are no ":latest" images for flux. Find the most recent
# release or image version at https://quay.io/weaveworks/flux
# and replace the tag here.
image: quay.io/weaveworks/flux:1.3.1
#image: struz/flux:1.3.1-test
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3030 # informational
volumeMounts:
- name: git-key
mountPath: /etc/fluxd/ssh # to match image's ~/.ssh/config
readOnly: true # this will be the case perforce in K8s >=1.10
- name: git-keygen
mountPath: /var/fluxd/keygen # to match image's ~/.ssh/config
- name: shared-data
mountPath: /docker-creds
args:
# if you deployed memcached in a different namespace to flux,
# or with a different service name, you can supply these
# following two arguments to tell fluxd how to connect to it.
# - --memcached-hostname=memcached.default.svc.cluster.local
# - --memcached-service=memcached
# this must be supplied, and be in the tmpfs (emptyDir)
# mounted above, for K8s >= 1.10
- --ssh-keygen-dir=/var/fluxd/keygen
# replace (at least) the following URL
- [email protected]:weaveworks/flux-example
- --git-branch=master
# include these next two to connect to an "upstream" service
# (e.g., Weave Cloud). The token is particular to the service.
# - --connect=wss://cloud.weave.works/api/flux
# - --token=abc123abc123abc123abc123
# We specify our own docker creds that are refreshed by the sidecar
# so that we can pull from ECR, which is otherwise unsupported at flux
# version v1.3.1. See: https://github.com/weaveworks/flux/pull/1065
- --docker-config=/docker-creds/config.json
- name: ecr-creds
image: struz/ecr-creds:v0.2.9
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
# Sleep for 8 hours then update the creds, repeat. Far from ideal but
# does the job.
- "while true; do sleep 28800; make_docker_config_json.sh ap-southeast-2; done"
volumeMounts:
- name: shared-data
mountPath: /docker-creds