Last active
September 26, 2017 21:41
-
-
Save LorbusChris/865dd59b715cc5a0cad8d17c519615ce to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
kind: Template | |
apiVersion: v1 | |
metadata: | |
name: freeipa-server | |
labels: | |
app: "${IPA_SERVER_SERVICE}" | |
annotations: | |
openshift.io/display-name: FreeIPA Server | |
description: FreeIPA Server | |
tags: quickstart,freeipa,idm,identity management | |
objects: | |
- kind: ImageStream | |
apiVersion: v1 | |
metadata: | |
name: freeipa-server | |
annotations: | |
openshift.io/display-name: FreeIPA Server | |
spec: | |
tags: | |
- name: latest | |
annotations: | |
openshift.io/display-name: FreeIPA Server on Fedora 25 | |
tags: freeipa, identity management | |
from: | |
kind: DockerImage | |
name: freeipa/freeipa-server:latest | |
- name: centos-7 | |
annotations: | |
openshift.io/display-name: FreeIPA Server on CentOS 7 | |
tags: freeipa, identity management | |
from: | |
kind: DockerImage | |
name: freeipa/freeipa-server:centos-7 | |
- kind: Route | |
apiVersion: v1 | |
metadata: | |
name: "${IPA_SERVER_SERVICE}-https" | |
annotations: | |
description: Route for FreeIPA server's HTTPS | |
kubernetes.io/tls-acme: 'true' | |
kubernetes.io/tls-acme-secretname: "${IPA_SERVER_SERVICE}-acme-cert" | |
kubernetes.io/tls-acme-secretnamespace: acme-example | |
spec: | |
to: | |
kind: Service | |
name: "${IPA_SERVER_SERVICE}" | |
port: | |
targetPort: https | |
tls: | |
termination: passthrough | |
- kind: Secret | |
apiVersion: v1 | |
metadata: | |
name: "${IPA_SERVER_SERVICE}-password" | |
stringData: | |
admin.password: "${IPA_ADMIN_PASSWORD}" | |
- kind: Service | |
apiVersion: v1 | |
metadata: | |
name: "${IPA_SERVER_SERVICE}" | |
spec: | |
ports: | |
- name: dns-tcp | |
protocol: TCP | |
port: 53 | |
targetPort: 53 | |
- name: dns-udp | |
protocol: UDP | |
port: 53 | |
targetPort: 53 | |
- name: http | |
protocol: TCP | |
port: 80 | |
targetPort: 80 | |
- name: kerberos-tcp | |
protocol: TCP | |
port: 88 | |
targetPort: 88 | |
- name: kerberos-udp | |
protocol: UDP | |
port: 88 | |
targetPort: 88 | |
- name: ntp | |
protocol: UDP | |
port: 123 | |
targetPort: 123 | |
- name: ldap | |
protocol: TCP | |
port: 389 | |
targetPort: 389 | |
- name: https | |
protocol: TCP | |
port: 443 | |
targetPort: 443 | |
- name: kpasswd-tcp | |
protocol: TCP | |
port: 464 | |
targetPort: 464 | |
- name: kpasswd-udp | |
protocol: UDP | |
port: 464 | |
targetPort: 464 | |
- name: ldaps | |
protocol: TCP | |
port: 636 | |
targetPort: 636 | |
- name: ldap-replication | |
protocol: TCP | |
port: 7389 | |
targetPort: 7389 | |
- name: ca-webui | |
protocol: TCP | |
port: 9443 | |
targetPort: 9443 | |
- name: ca-https | |
protocol: TCP | |
port: 9444 | |
targetPort: 9444 | |
- name: ca-admin | |
protocol: TCP | |
port: 9445 | |
targetPort: 9445 | |
clusterIP: "${IPA_SERVER_IP}" | |
selector: | |
app: "${IPA_SERVER_SERVICE}" | |
- kind: DeploymentConfig | |
apiVersion: v1 | |
metadata: | |
name: "${IPA_SERVER_SERVICE}" | |
spec: | |
strategy: | |
type: Recreate | |
recreateParams: | |
timeoutSeconds: "${TIMEOUT}" | |
triggers: | |
- type: ConfigChange | |
- type: ImageChange | |
imageChangeParams: | |
automatic: true | |
containerNames: | |
- "${IPA_SERVER_SERVICE}" | |
from: | |
kind: ImageStreamTag | |
name: "${IPA_SERVER_IMAGE}" | |
replicas: 1 | |
test: false | |
selector: | |
app: "${IPA_SERVER_SERVICE}" | |
template: | |
metadata: | |
name: "${IPA_SERVER_SERVICE}" | |
labels: | |
app: "${IPA_SERVER_SERVICE}" | |
spec: | |
volumes: | |
- name: "${IPA_SERVER_SERVICE}-data" | |
persistentVolumeClaim: | |
claimName: "${IPA_SERVER_SERVICE}" | |
- name: "${IPA_SERVER_SERVICE}-run" | |
emptyDir: {} | |
- name: "${IPA_SERVER_SERVICE}-tmp" | |
emptyDir: {} | |
- name: "${IPA_SERVER_SERVICE}-journal" | |
emptyDir: {} | |
- name: "${IPA_SERVER_SERVICE}-acme-cert" | |
secret: | |
secretName: "${IPA_SERVER_SERVICE}-acme-cert" | |
containers: | |
- name: "${IPA_SERVER_SERVICE}" | |
image: " " | |
ports: | |
- containerPort: 53 | |
protocol: TCP | |
- containerPort: 53 | |
protocol: UDP | |
- containerPort: 80 | |
protocol: TCP | |
- containerPort: 88 | |
protocol: TCP | |
- containerPort: 88 | |
protocol: UDP | |
- containerPort: 123 | |
protocol: UDP | |
- containerPort: 389 | |
protocol: TCP | |
- containerPort: 443 | |
protocol: TCP | |
- containerPort: 464 | |
protocol: TCP | |
- containerPort: 464 | |
protocol: UDP | |
- containerPort: 636 | |
protocol: TCP | |
- containerPort: 7389 | |
protocol: TCP | |
- containerPort: 9443 | |
protocol: TCP | |
- containerPort: 9444 | |
protocol: TCP | |
- containerPort: 9445 | |
protocol: TCP | |
env: | |
- name: IPA_SERVER_IP | |
value: "${IPA_SERVER_IP}" | |
- name: IPA_SERVER_INSTALL_OPTS | |
value: "${IPA_SERVER_INSTALL_OPTS}" | |
- name: PASSWORD | |
valueFrom: | |
secretKeyRef: | |
name: "${IPA_SERVER_SERVICE}-password" | |
key: admin.password | |
resources: {} | |
volumeMounts: | |
- name: "${IPA_SERVER_SERVICE}-data" | |
mountPath: "/data" | |
- name: "${IPA_SERVER_SERVICE}-run" | |
mountPath: "/run" | |
- name: "${IPA_SERVER_SERVICE}-tmp" | |
mountPath: "/tmp" | |
- name: "${IPA_SERVER_SERVICE}-journal" | |
mountPath: "/var/log/journal" | |
- name: "${IPA_SERVER_SERVICE}-acme-cert" | |
mountPath: "/etc/ssl/ipa" | |
readOnly: true | |
readinessProbe: | |
exec: | |
command: | |
- "/usr/bin/systemctl" | |
- status | |
- ipa | |
initialDelaySeconds: 60 | |
timeoutSeconds: 10 | |
periodSeconds: 10 | |
successThreshold: 1 | |
failureThreshold: 3 | |
restartPolicy: Always | |
serviceAccountName: "${SERVICE_ACCOUNT_USEROOT}" | |
securityContext: {} | |
- kind: PersistentVolumeClaim | |
apiVersion: v1 | |
metadata: | |
name: "${IPA_SERVER_SERVICE}" | |
spec: | |
accessModes: | |
- ReadWriteOnce | |
resources: | |
requests: | |
storage: "${VOLUME_CAPACITY}" | |
parameters: | |
- name: IPA_SERVER_SERVICE | |
displayName: Service and deployment config name | |
required: true | |
value: freeipa-server | |
- name: IPA_SERVER_IMAGE | |
displayName: Image to use for the service | |
required: true | |
value: freeipa-server:latest | |
- name: IPA_SERVER_IP | |
displayName: FreeIPA server service IP address | |
required: false | |
- name: IPA_SERVER_INSTALL_OPTS | |
displayName: Options to ipa-server-install command | |
required: true | |
value: "-U -r EXAMPLE.TEST --setup-dns --no-forwarders --no-ntp" | |
- name: IPA_ADMIN_PASSWORD | |
displayName: Admin's password | |
required: false | |
from: "[a-zA-Z0-9]{32}" | |
generate: expression | |
- name: SERVICE_ACCOUNT_USEROOT | |
displayName: Service account to use for running the pods | |
description: 'It has to allow running containers as root, for example: oc create | |
serviceaccount useroot ; oc adm policy add-scc-to-user anyuid -z useroot' | |
required: false | |
value: default | |
- name: VOLUME_CAPACITY | |
displayName: Volume capacity | |
required: true | |
value: 1Gi | |
- name: TIMEOUT | |
displayName: Timeout for pods to become ready (in seconds) | |
required: true | |
value: '600' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment