Created
December 22, 2023 03:09
-
-
Save lachlan-ibm/1e2cc5e8f96fba1a80a4083c96973384 to your computer and use it in GitHub Desktop.
Kubernetes / OpenShift deployment descriptor for Verify Access. This include a configuration, reverse proxy and runtime contaienr
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### ISVA Config ### | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: isamconfig | |
| labels: | |
| app: isamconfig | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: isamconfig | |
| replicas: 1 | |
| template: | |
| metadata: | |
| labels: | |
| app: isamconfig | |
| annotations: | |
| openshift.io/required-scc: "isva-scc" | |
| productName: "IBM Security Verify Access Virtual Edition" | |
| productId: "e2ba21cf5df245bb8524be1957857d9f" | |
| productMetric: "PROCESSOR_VALUE_UNIT" | |
| productChargedContainers: "All" | |
| spec: | |
| volumes: | |
| - name: isamconfigvol | |
| emptyDir: {} | |
| containers: | |
| - name: isamconfig | |
| image: icr.io/isva/verify-access:10.0.7.0 | |
| imagePullPolicy: IfNotPresent | |
| ports: | |
| - containerPort: 9443 | |
| volumeMounts: | |
| - mountPath: /var/shared | |
| name: isamconfigvol | |
| env: | |
| - name: SERVICE | |
| value: config | |
| - name: CONTAINER_TIMEZONE | |
| value: Australia/Brisbane | |
| --- | |
| # for external service access, see https://console.bluemix.net/docs/containers/cs_apps.html#cs_apps_public_nodeport | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: isamconfig | |
| labels: | |
| app: isamconfig | |
| spec: | |
| ports: | |
| - port: 9443 | |
| name: isamconfig | |
| protocol: TCP | |
| nodePort: 30543 | |
| # make this one statically allocated and exposed to internet - comment this line out if you don't want to expose the LMI externally. | |
| selector: | |
| app: isamconfig | |
| type: NodePort | |
| --- | |
| # This secret is created for the runtime and webseal containers to automatically retrieve the configuration snapshot via web service | |
| # These are the Base64 encoded versions of username: cfgsvc password: Passw0rd | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: configreader | |
| type: Opaque | |
| data: | |
| username: Y2Znc3Zj | |
| password: UGFzc3cwcmQ= | |
| --- | |
| ### ISVA WRP ### | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: isamwebseal | |
| labels: | |
| app: isamwebseal | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: isamwebseal | |
| replicas: 1 | |
| revisionHistoryLimit: 1 | |
| template: | |
| metadata: | |
| labels: | |
| app: isamwebseal | |
| annotations: | |
| productName: "IBM Security Verify Access Virtual Edition" | |
| productId: "e2ba21cf5df245bb8524be1957857d9f" | |
| productMetric: "PROCESSOR_VALUE_UNIT" | |
| productChargedContainers: "All" | |
| spec: | |
| volumes: | |
| - name: isamconfigvol | |
| emptyDir: {} | |
| containers: | |
| - name: isamwebseal | |
| image: icr.io/isva/verify-access-wrp:10.0.7.0 | |
| imagePullPolicy: IfNotPresent | |
| ports: | |
| - containerPort: 9443 | |
| volumeMounts: | |
| - mountPath: /var/shared | |
| name: isamconfigvol | |
| env: | |
| - name: SERVICE | |
| value: webseal | |
| - name: INSTANCE | |
| value: default | |
| - name: CONTAINER_TIMEZONE | |
| value: Australia/Brisbane | |
| - name: CONFIG_SERVICE_URL | |
| value: https://isamconfig:9443/shared_volume | |
| - name: CONFIG_SERVICE_TLS_CACERT | |
| value: disabled | |
| - name: CONFIG_SERVICE_USER_NAME | |
| valueFrom: | |
| secretKeyRef: | |
| name: configreader | |
| key: username | |
| - name: CONFIG_SERVICE_USER_PWD | |
| valueFrom: | |
| secretKeyRef: | |
| name: configreader | |
| key: password | |
| --- | |
| # for external service access, see https://console.bluemix.net/docs/containers/cs_apps.html#cs_apps_public_nodeport | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: isamwebseal | |
| labels: | |
| app: isamwebseal | |
| spec: | |
| ports: | |
| - port: 9443 | |
| name: isamwebseal | |
| protocol: TCP | |
| nodePort: 30443 | |
| selector: | |
| app: isamwebseal | |
| type: NodePort | |
| --- | |
| ### ISVA Runtime ### | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: isamruntime | |
| labels: | |
| app: isamruntime | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: isamruntime | |
| replicas: 1 | |
| revisionHistoryLimit: 1 | |
| template: | |
| metadata: | |
| labels: | |
| app: isamruntime | |
| annotations: | |
| productName: "IBM Security Verify Access Virtual Edition" | |
| productId: "e2ba21cf5df245bb8524be1957857d9f" | |
| productMetric: "PROCESSOR_VALUE_UNIT" | |
| productChargedContainers: "All" | |
| spec: | |
| volumes: | |
| - name: isamconfigvol | |
| emptyDir: {} | |
| containers: | |
| - name: isamruntime | |
| image: icr.io/isva/verify-access-runtime:10.0.7.0 | |
| imagePullPolicy: IfNotPresent | |
| ports: | |
| - containerPort: 9443 | |
| volumeMounts: | |
| - mountPath: /var/shared | |
| name: isamconfigvol | |
| env: | |
| - name: SERVICE | |
| value: runtime | |
| - name: WLP_LOGGING_CONSOLE_FORMAT | |
| value: simple | |
| - name: CONTAINER_TIMEZONE | |
| value: Australia/Brisbane | |
| - name: CONFIG_SERVICE_URL | |
| value: https://isamconfig:9443/shared_volume | |
| - name: CONFIG_SERVICE_TLS_CACERT | |
| value: disabled | |
| - name: CONFIG_SERVICE_USER_NAME | |
| valueFrom: | |
| secretKeyRef: | |
| name: configreader | |
| key: username | |
| - name: CONFIG_SERVICE_USER_PWD | |
| valueFrom: | |
| secretKeyRef: | |
| name: configreader | |
| key: password | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: isamruntime | |
| labels: | |
| app: isamruntime | |
| spec: | |
| ports: | |
| - port: 9443 | |
| name: isamruntime | |
| protocol: TCP | |
| selector: | |
| app: isamruntime | |
| type: ClusterIP |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### OpenLDAP ### | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: openldap | |
| labels: | |
| app: openldap | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: openldap | |
| replicas: 1 | |
| template: | |
| metadata: | |
| labels: | |
| app: openldap | |
| spec: | |
| volumes: | |
| - name: keys | |
| secret: | |
| secretName: openldap-keys | |
| imagePullSecrets: | |
| #- name: isva-login | |
| #- name: jenkins-login | |
| #serviceAccountName: openldap | |
| containers: | |
| - name: openldap | |
| image: icr.io/isva/verify-access-openldap:10.0.6.0 | |
| #image: docker-na.artifactory.swg-devops.com/sec-isam-docker-local/verify-access-openldap:development | |
| imagePullPolicy: IfNotPresent | |
| ports: | |
| - containerPort: 636 | |
| env: | |
| - name: LDAP_DOMAIN | |
| value: ibm.com | |
| - name: LDAP_ADMIN_PASSWORD | |
| value: Passw0rd | |
| - name: LDAP_CONFIG_PASSWORD | |
| value: Passw0rd | |
| volumeMounts: | |
| - mountPath: /container/service/slapd/assets/certs | |
| name: keys | |
| args: ["--copy-service"] | |
| --- | |
| # The service to connect to OpenLDAP. For external service access, see https://console.bluemix.net/docs/containers/cs_apps.html#cs_apps_public_nodeport | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: openldap | |
| labels: | |
| app: openldap | |
| spec: | |
| ports: | |
| - port: 636 | |
| name: ldaps | |
| protocol: TCP | |
| nodePort: 30636 | |
| selector: | |
| app: openldap | |
| type: NodePort | |
| --- | |
| ### PostgreSQL ### | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: postgresql | |
| labels: | |
| app: postgresql | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: postgresql | |
| replicas: 1 | |
| template: | |
| metadata: | |
| labels: | |
| app: postgresql | |
| spec: | |
| volumes: | |
| - name: postgresqldata | |
| emptyDir: {} | |
| - name: keys | |
| secret: | |
| secretName: postgresql-keys | |
| imagePullSecrets: | |
| #- name: isva-login | |
| #- name: jenkins-login | |
| containers: | |
| - name: postgresql | |
| image: icr.io/isva/verify-access-postgresql:10.0.7.0 | |
| #image: docker-na.artifactory.swg-devops.com/sec-isam-docker-local/verify-access-postgresql:development | |
| imagePullPolicy: IfNotPresent | |
| ports: | |
| - containerPort: 5432 | |
| env: | |
| - name: POSTGRES_USER | |
| value: postgres | |
| - name: POSTGRES_PASSWORD | |
| value: Passw0rd | |
| - name: POSTGRES_DB | |
| value: isam | |
| - name: POSTGRES_SSL_KEYDB | |
| value: /var/local/server.crt | |
| volumeMounts: | |
| - mountPath: /var/lib/postgresql/data | |
| name: postgresqldata | |
| - mountPath: /var/local | |
| name: keys | |
| --- | |
| # The service to connect to Postgresql. Note this is a cluster ip service only. | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: postgresql | |
| spec: | |
| ports: | |
| - port: 5432 | |
| name: postgresql | |
| protocol: TCP | |
| selector: | |
| app: postgresql |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment