3scale API Management v2.3 template with Security Context
# Environment shared by every container and hook that references *base_env.
# Review notes:
# - Credentials (the MySQL root password inside DATABASE_URL, master and admin
#   passwords, access tokens, SECRET_KEY_BASE, shared secrets) are expanded
#   from template parameters into literal env values, so they are stored in
#   clear text in each object that uses this anchor. Only
#   ZYNC_AUTHENTICATION_TOKEN is read from a Secret.
# - SMTP_PASSWORD is read from the `smtp` ConfigMap rather than from a Secret.
# - THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE is VERIFY_NONE, which by its
#   name switches certificate verification off for that connection; confirm
#   this is intended outside test clusters.
base_env: &base_env
- name: RAILS_ENV
  value: 'production'
# NOTE(review): the application connects to MySQL as root.
- name: DATABASE_URL
  value: 'mysql2://root:${MYSQL_ROOT_PASSWORD}@system-mysql/${MYSQL_DATABASE}'
- name: FORCE_SSL
  value: 'true'
- name: THREESCALE_SUPERDOMAIN
  value: '${WILDCARD_DOMAIN}'
- name: MASTER_DOMAIN
  value: '${MASTER_NAME}'
- name: MASTER_USER
  value: '${MASTER_USER}'
- name: MASTER_PASSWORD
  value: '${MASTER_PASSWORD}'
- name: TENANT_NAME
  value: '${TENANT_NAME}'
- name: APICAST_ACCESS_TOKEN
  value: '${APICAST_ACCESS_TOKEN}'
- name: ADMIN_ACCESS_TOKEN
  value: '${ADMIN_ACCESS_TOKEN}'
- name: PROVIDER_PLAN
  value: 'enterprise'
- name: USER_LOGIN
  value: '${ADMIN_USERNAME}'
- name: USER_PASSWORD
  value: '${ADMIN_PASSWORD}'
- name: RAILS_LOG_TO_STDOUT
  value: 'true'
- name: RAILS_LOG_LEVEL
  value: 'info'
- name: THINKING_SPHINX_ADDRESS
  value: 'system-sphinx'
- name: THINKING_SPHINX_PORT
  value: '9306'
- name: THINKING_SPHINX_CONFIGURATION_FILE
  value: '/tmp/sphinx.conf'
- name: EVENTS_SHARED_SECRET
  value: '${SYSTEM_BACKEND_SHARED_SECRET}'
- name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE
  value: 'VERIFY_NONE'
- name: APICAST_BACKEND_ROOT_ENDPOINT
  value: 'https://backend-${TENANT_NAME}.${WILDCARD_DOMAIN}'
- name: CONFIG_INTERNAL_API_USER
  value: '${SYSTEM_BACKEND_USERNAME}'
- name: CONFIG_INTERNAL_API_PASSWORD
  value: '${SYSTEM_BACKEND_PASSWORD}'
- name: SECRET_KEY_BASE
  value: '${SYSTEM_APP_SECRET_KEY_BASE}'
- name: AMP_RELEASE
  value: '${AMP_RELEASE}'
- name: ZYNC_AUTHENTICATION_TOKEN
  valueFrom:
    secretKeyRef:
      name: zync
      key: ZYNC_AUTHENTICATION_TOKEN
- name: SMTP_ADDRESS
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: address
- name: SMTP_USER_NAME
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: username
- name: SMTP_PASSWORD
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: password
- name: SMTP_DOMAIN
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: domain
- name: SMTP_PORT
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: port
- name: SMTP_AUTHENTICATION
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: authentication
- name: SMTP_OPENSSL_VERIFY_MODE
  valueFrom:
    configMapKeyRef:
      name: smtp
      key: openssl.verify.mode
- name: BACKEND_ROUTE
  value: 'https://backend-${TENANT_NAME}.${WILDCARD_DOMAIN}'
- name: SSL_CERT_DIR
  value: '/etc/pki/tls/certs'
- name: APICAST_REGISTRY_URL
  value: '${APICAST_REGISTRY_URL}'
# OpenShift Template header. Every object listed under `objects` is created
# when the template is instantiated.
kind: Template
apiVersion: v1
metadata:
  name: '3scale-api-management'
  annotations:
    openshift.io/display-name: '3scale API Management'
    openshift.io/provider-display-name: 'Red Hat, Inc.'
    iconClass: 'icon-3scale'
    description: '3scale API Management main system'
    tags: 'integration, api management, 3scale'
# NOTE(review): the post-instantiation message contains ${ADMIN_PASSWORD} in
# clear text, so the admin password ends up wherever that message is shown or
# captured (console, CLI output, CI logs).
message: 'Login on https://${TENANT_NAME}-admin.${WILDCARD_DOMAIN} as ${ADMIN_USERNAME}/${ADMIN_PASSWORD}'
objects:
# ImageStream for the system image. The `latest` tag follows the
# ${AMP_RELEASE} tag, which imports ${AMP_SYSTEM_IMAGE}.
# NOTE(review): importPolicy.insecure comes from a template parameter; when it
# resolves to true the import accepts a registry without a verifiable TLS
# certificate, so the pulled image is no longer authenticated by transport.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: amp-system
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
    annotations:
      openshift.io/display-name: 'AMP System'
  spec:
    tags:
    - name: 'latest'
      annotations:
        openshift.io/display-name: 'AMP System (latest)'
      from:
        kind: ImageStreamTag
        name: '${AMP_RELEASE}'
    - name: '${AMP_RELEASE}'
      annotations:
        openshift.io/display-name: 'AMP system ${AMP_RELEASE}'
      from:
        kind: DockerImage
        name: '${AMP_SYSTEM_IMAGE}'
      importPolicy:
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# ImageStream for the backend image. The `latest` tag follows the
# ${AMP_RELEASE} tag, which imports ${AMP_BACKEND_IMAGE}.
# NOTE(review): importPolicy.insecure is parameter-driven; true disables TLS
# verification of the source registry for this import.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: amp-backend
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
    annotations:
      openshift.io/display-name: 'AMP backend'
  spec:
    tags:
    - name: 'latest'
      annotations:
        openshift.io/display-name: 'amp-backend (latest)'
      from:
        kind: ImageStreamTag
        name: '${AMP_RELEASE}'
    - name: '${AMP_RELEASE}'
      annotations:
        openshift.io/display-name: 'amp-backend ${AMP_RELEASE}'
      from:
        kind: DockerImage
        name: '${AMP_BACKEND_IMAGE}'
      importPolicy:
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# ImageStream for the APIcast gateway image. The `latest` tag follows the
# ${AMP_RELEASE} tag, which imports ${AMP_APICAST_IMAGE}.
# NOTE(review): importPolicy.insecure is parameter-driven; true disables TLS
# verification of the source registry for this import.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: amp-apicast
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
    annotations:
      openshift.io/display-name: 'AMP APIcast'
  spec:
    tags:
    - name: 'latest'
      annotations:
        openshift.io/display-name: 'AMP APIcast (latest)'
      from:
        kind: ImageStreamTag
        name: '${AMP_RELEASE}'
    - name: '${AMP_RELEASE}'
      annotations:
        openshift.io/display-name: 'AMP APIcast ${AMP_RELEASE}'
      from:
        kind: DockerImage
        name: '${AMP_APICAST_IMAGE}'
      importPolicy:
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# ImageStream for the wildcard router image. The `latest` tag follows the
# ${AMP_RELEASE} tag, which imports ${AMP_ROUTER_IMAGE}.
# NOTE(review): importPolicy.insecure is parameter-driven; true disables TLS
# verification of the source registry for this import.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: amp-wildcard-router
    labels:
      app: '${APP_LABEL}'
      3scale.component: wildcard-router
    annotations:
      openshift.io/display-name: 'AMP APIcast Wildcard Router'
  spec:
    tags:
    - name: 'latest'
      annotations:
        openshift.io/display-name: 'AMP APIcast Wildcard Router (latest)'
      from:
        kind: ImageStreamTag
        name: '${AMP_RELEASE}'
    - name: '${AMP_RELEASE}'
      annotations:
        openshift.io/display-name: 'AMP APIcast Wildcard Router ${AMP_RELEASE}'
      from:
        kind: DockerImage
        name: '${AMP_ROUTER_IMAGE}'
      importPolicy:
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# Shared storage for the system containers (mounted by system-app and
# system-resque in this template). ReadWriteMany lets several pods mount it.
- kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: system-storage
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: app
  spec:
    accessModes:
    - 'ReadWriteMany'
    resources:
      requests:
        storage: 100Mi
# 1Gi single-writer claim labelled for the system MySQL component.
- kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: mysql-storage
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: mysql
  spec:
    accessModes:
    - 'ReadWriteOnce'
    resources:
      requests:
        storage: 1Gi
# 1Gi single-writer claim mounted by the system-redis DeploymentConfig.
- kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: system-redis-storage
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: redis
  spec:
    accessModes:
    - 'ReadWriteOnce'
    resources:
      requests:
        storage: 1Gi
# 1Gi single-writer claim mounted by the backend-redis DeploymentConfig.
- kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: backend-redis-storage
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: redis
  spec:
    accessModes:
    - 'ReadWriteOnce'
    resources:
      requests:
        storage: 1Gi
# Backend cron worker. An init container blocks pod start until a TCP
# connection to backend-redis:6379 succeeds.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: backend-cron
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: cron
  spec:
    replicas: 1
    selector:
      deploymentConfig: backend-cron
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1200
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: backend-cron
          app: '${APP_LABEL}'
          3scale.component: backend
          3scale.component-element: cron
      spec:
        initContainers:
        - name: backend-redis-svc
          image: 'amp-backend:latest'
          command:
          - 'sh'
          - '-c'
          - 'until $(echo -n > /dev/tcp/backend-redis/6379); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field in the
          # Kubernetes API; set on a container it is probably ignored, leaving
          # the wait loop without a deadline - confirm.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: backend-cron
          image: 'amp-backend:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'backend-cron'
          env:
          # Redis is addressed without credentials or TLS in these URLs.
          - name: CONFIG_REDIS_PROXY
            value: 'redis://backend-redis:6379/0'
          - name: CONFIG_REDIS_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_REDIS_SENTINEL_ROLE
            value: ''
          - name: CONFIG_QUEUES_MASTER_NAME
            value: 'redis://backend-redis:6379/1'
          - name: CONFIG_QUEUES_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_QUEUES_SENTINEL_ROLE
            value: ''
          - name: RACK_ENV
            value: 'production'
          resources:
            requests:
              cpu: 50m
              memory: 40Mi
            limits:
              cpu: 150m
              memory: 80Mi
    triggers:
    - type: ConfigChange
    # Redeploy both containers whenever amp-backend:latest moves.
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - backend-redis-svc
        - backend-cron
        from:
          kind: ImageStreamTag
          name: 'amp-backend:latest'
# Redis instance for the backend component, persisted on the
# backend-redis-storage claim and configured from the redis-config ConfigMap
# (not visible in this part of the template).
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: backend-redis
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: redis
  spec:
    replicas: 1
    selector:
      deploymentConfig: backend-redis
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          deploymentConfig: backend-redis
          app: '${APP_LABEL}'
          3scale.component: backend
          3scale.component-element: redis
      spec:
        containers:
        - name: backend-redis
          image: '${REDIS_IMAGE}'
          imagePullPolicy: IfNotPresent
          command:
          - '/opt/rh/rh-redis32/root/usr/bin/redis-server'
          args:
          - '/etc/redis.d/redis.conf'
          - '--daemonize'
          - 'no'
          resources:
            requests:
              cpu: 1000m
              memory: 1024Mi
            limits:
              cpu: 2000m
              memory: 32Gi
          # The readiness check writes a key, so it also proves the instance
          # accepts writes; redis-cli is called without a password here.
          readinessProbe:
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 1
            exec:
              command:
              - 'container-entrypoint'
              - 'bash'
              - '-c'
              - 'redis-cli set liveness-probe "`date`" | grep OK'
          livenessProbe:
            initialDelaySeconds: 10
            periodSeconds: 10
            tcpSocket:
              port: 6379
          volumeMounts:
          - name: backend-redis-storage
            mountPath: '/var/lib/redis/data'
          - name: redis-config
            mountPath: '/etc/redis.d/'
        volumes:
        - name: backend-redis-storage
          persistentVolumeClaim:
            claimName: backend-redis-storage
        - name: redis-config
          configMap:
            name: redis-config
            items:
            - key: redis.conf
              path: redis.conf
        # Pod-level security context: adds GID 65534 to the container
        # processes. Presumably this matches the group owning the backing
        # volume (65534 is conventionally nobody/nfsnobody) - verify against
        # the storage in use, since the GID grants access to anything else
        # that group can read or write.
        securityContext:
          supplementalGroups:
          - 65534
    triggers:
    - type: ConfigChange
# Backend listener: serves the backend API on port 3000 and is published by
# the backend-listener Service and the `backend` Route.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: backend-listener
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: listener
  spec:
    replicas: 1
    selector:
      deploymentConfig: backend-listener
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 600
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: backend-listener
          app: '${APP_LABEL}'
          3scale.component: backend
          3scale.component-element: listener
      spec:
        containers:
        - name: backend-listener
          image: 'amp-backend:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'bin/3scale_backend'
          - 'start'
          - '-e'
          - 'production'
          - '-p'
          - '3000'
          - '-x'
          - '/dev/stdout'
          env:
          - name: CONFIG_REDIS_PROXY
            value: 'redis://backend-redis:6379/0'
          - name: CONFIG_REDIS_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_REDIS_SENTINEL_ROLE
            value: ''
          - name: CONFIG_QUEUES_MASTER_NAME
            value: 'redis://backend-redis:6379/1'
          - name: CONFIG_QUEUES_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_QUEUES_SENTINEL_ROLE
            value: ''
          - name: RACK_ENV
            value: 'production'
          # NOTE(review): internal API credentials are literal env values
          # taken from template parameters, so they are readable in the
          # DeploymentConfig; a secretKeyRef would keep them out of the spec.
          - name: CONFIG_INTERNAL_API_USER
            value: '${SYSTEM_BACKEND_USERNAME}'
          - name: CONFIG_INTERNAL_API_PASSWORD
            value: '${SYSTEM_BACKEND_PASSWORD}'
          - name: PUMA_WORKERS
            value: '16'
          ports:
          - containerPort: 3000
            protocol: TCP
          resources:
            requests:
              cpu: 500m
              memory: 550Mi
            limits:
              cpu: 1000m
              memory: 700Mi
          livenessProbe:
            tcpSocket:
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: '/status'
              port: 3000
            initialDelaySeconds: 30
            timeoutSeconds: 5
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - backend-listener
        from:
          kind: ImageStreamTag
          name: 'amp-backend:latest'
# Exposes port 6379 of the pods labelled deploymentConfig=backend-redis.
- kind: Service
  apiVersion: v1
  metadata:
    name: backend-redis
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: redis
  spec:
    selector:
      deploymentConfig: backend-redis
    ports:
    - protocol: TCP
      port: 6379
      targetPort: 6379
# Exposes port 3000 of the backend-listener pods under the port name `http`.
- kind: Service
  apiVersion: v1
  metadata:
    name: backend-listener
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: listener
  spec:
    selector:
      deploymentConfig: backend-listener
    ports:
    - name: http
      protocol: TCP
      port: 3000
      targetPort: 3000
# Maps service port 3000 to the container port named `provider` on the
# system-app pods.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-provider
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: provider-ui
  spec:
    selector:
      deploymentConfig: system-app
    ports:
    - name: http
      protocol: TCP
      port: 3000
      targetPort: provider
# Maps service port 3000 to the container port named `master` on the
# system-app pods.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-master
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: master-ui
  spec:
    selector:
      deploymentConfig: system-app
    ports:
    - name: http
      protocol: TCP
      port: 3000
      targetPort: master
# Maps service port 3000 to the container port named `developer` on the
# system-app pods.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-developer
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: developer-ui
  spec:
    selector:
      deploymentConfig: system-app
    ports:
    - name: http
      protocol: TCP
      port: 3000
      targetPort: developer
# Backend worker. An init container blocks pod start until a TCP connection
# to backend-redis:6379 succeeds.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: backend-worker
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
      3scale.component-element: worker
  spec:
    replicas: 1
    selector:
      deploymentConfig: backend-worker
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1200
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: backend-worker
          app: '${APP_LABEL}'
          3scale.component: backend
          3scale.component-element: worker
      spec:
        initContainers:
        - name: backend-redis-svc
          image: 'amp-backend:latest'
          command:
          - 'sh'
          - '-c'
          - 'until $(echo -n > /dev/tcp/backend-redis/6379); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field in the
          # Kubernetes API; set on a container it is probably ignored - confirm.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: backend-worker
          image: 'amp-backend:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'bin/3scale_backend_worker'
          - 'run'
          env:
          - name: CONFIG_REDIS_PROXY
            value: 'redis://backend-redis:6379/0'
          - name: CONFIG_REDIS_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_REDIS_SENTINEL_ROLE
            value: ''
          - name: CONFIG_QUEUES_MASTER_NAME
            value: 'redis://backend-redis:6379/1'
          - name: CONFIG_QUEUES_SENTINEL_HOSTS
            value: ''
          - name: CONFIG_QUEUES_SENTINEL_ROLE
            value: ''
          - name: RACK_ENV
            value: 'production'
          # Events are posted to system-master over plain HTTP inside the
          # cluster; the shared secret below is a literal env value taken
          # from a template parameter.
          - name: CONFIG_EVENTS_HOOK
            value: 'http://system-master:3000/master/events/import'
          - name: CONFIG_EVENTS_HOOK_SHARED_SECRET
            value: '${SYSTEM_BACKEND_SHARED_SECRET}'
          resources:
            requests:
              cpu: 150m
              memory: 50Mi
            limits:
              cpu: 1000m
              memory: 300Mi
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - backend-redis-svc
        - backend-worker
        from:
          kind: ImageStreamTag
          name: 'amp-backend:latest'
# Exposes port 3306 of the pods labelled deploymentConfig=system-mysql.
- apiVersion: v1
  kind: Service
  metadata:
    name: system-mysql
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: mysql
  spec:
    selector:
      deploymentConfig: system-mysql
    ports:
    - name: system-mysql
      port: 3306
      targetPort: 3306
      protocol: TCP
      nodePort: 0
# Exposes port 6379 of the pods labelled deploymentConfig=system-redis.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-redis
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: redis
  spec:
    selector:
      deploymentConfig: system-redis
    ports:
    - name: redis
      protocol: TCP
      port: 6379
      targetPort: 6379
# Redis instance for the system component, persisted on the
# system-redis-storage claim and configured from the redis-config ConfigMap
# (not visible in this part of the template).
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: system-redis
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: redis
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-redis
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          deploymentConfig: system-redis
          app: '${APP_LABEL}'
          3scale.component: system
          3scale.component-element: redis
      spec:
        containers:
        - name: system-redis
          image: '${REDIS_IMAGE}'
          imagePullPolicy: IfNotPresent
          command:
          - '/opt/rh/rh-redis32/root/usr/bin/redis-server'
          args:
          - '/etc/redis.d/redis.conf'
          - '--daemonize'
          - 'no'
          resources:
            requests:
              cpu: 150m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 32Gi
          terminationMessagePath: '/dev/termination-log'
          volumeMounts:
          - name: system-redis-storage
            mountPath: '/var/lib/redis/data'
          - name: redis-config
            mountPath: '/etc/redis.d/'
          # The readiness check writes a key, so it also proves the instance
          # accepts writes; redis-cli is called without a password here.
          readinessProbe:
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            exec:
              command:
              - 'container-entrypoint'
              - 'bash'
              - '-c'
              - 'redis-cli set liveness-probe "`date`" | grep OK'
          livenessProbe:
            initialDelaySeconds: 10
            periodSeconds: 5
            tcpSocket:
              port: 6379
        volumes:
        - name: system-redis-storage
          persistentVolumeClaim:
            claimName: system-redis-storage
        - name: redis-config
          configMap:
            name: redis-config
            items:
            - key: redis.conf
              path: redis.conf
        # Pod-level security context: adds GID 65534 to the container
        # processes. Presumably this matches the group owning the backing
        # volume (65534 is conventionally nobody/nfsnobody) - verify against
        # the storage in use.
        securityContext:
          supplementalGroups:
          - 65534
    triggers:
    - type: ConfigChange
# Exposes port 9306 of the pods labelled deploymentConfig=system-sphinx.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-sphinx
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: sphinx
  spec:
    selector:
      deploymentConfig: system-sphinx
    ports:
    - name: sphinx
      protocol: TCP
      port: 9306
      targetPort: 9306
# Sphinx search daemon started through a rake task of the system image. The
# index lives in an emptyDir, so it does not survive the pod. An init
# container waits until system-master answers on /status.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: system-sphinx
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: sphinx
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-sphinx
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1200
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: system-sphinx
          app: '${APP_LABEL}'
          3scale.component: system
          3scale.component-element: sphinx
      spec:
        volumes:
        - name: system-sphinx-database
          emptyDir: {}
        initContainers:
        - name: system-master-svc
          image: 'amp-system:latest'
          command:
          - 'sh'
          - '-c'
          - 'until $(curl --output /dev/null --silent --fail --head http://system-master:3000/status); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field in the
          # Kubernetes API; set on a container it is probably ignored - confirm.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: system-sphinx
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'rake'
          - 'openshift:thinking_sphinx:start'
          volumeMounts:
          - name: system-sphinx-database
            mountPath: '/opt/system/db/sphinx'
          env:
          - name: RAILS_ENV
            value: 'production'
          # NOTE(review): the indexer connects as MySQL root and the password
          # is a literal env value taken from a template parameter.
          - name: DATABASE_URL
            value: 'mysql2://root:${MYSQL_ROOT_PASSWORD}@system-mysql/${MYSQL_DATABASE}'
          # Listens on all interfaces of the pod; reachability is decided by
          # the system-sphinx Service and the project's network policy.
          - name: THINKING_SPHINX_ADDRESS
            value: '0.0.0.0'
          - name: THINKING_SPHINX_CONFIGURATION_FILE
            value: 'db/sphinx/production.conf'
          - name: THINKING_SPHINX_PID_FILE
            value: 'db/sphinx/searchd.pid'
          - name: DELTA_INDEX_INTERVAL
            value: '5'
          - name: FULL_REINDEX_INTERVAL
            value: '60'
          resources:
            requests:
              cpu: 80m
              memory: 250Mi
            limits:
              cpu: 1000m
              memory: 512Mi
          livenessProbe:
            initialDelaySeconds: 60
            periodSeconds: 10
            tcpSocket:
              port: 9306
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - system-master-svc
        - system-sphinx
        from:
          kind: ImageStreamTag
          name: 'amp-system:latest'
# Exposes port 11211 of the pods labelled deploymentConfig=system-memcache.
- kind: Service
  apiVersion: v1
  metadata:
    name: system-memcache
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: memcache
  spec:
    selector:
      deploymentConfig: system-memcache
    ports:
    - name: memcache
      protocol: TCP
      port: 11211
      targetPort: 11211
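# Memcached instance for the system component (64 MB cache, `-m 64`).
# Changes against the original block:
# - the declared containerPort was 6379 (the Redis port) although both probes
#   and the system-memcache Service use 11211; it now reads 11211, so tooling
#   or policy derived from the pod spec sees the port that is really open;
# - the empty `args:` and `env:` keys (null values) are dropped.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: system-memcache
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: memcache
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-memcache
    strategy:
      rollingParams:
        intervalSeconds: 1
        maxSurge: 25%
        maxUnavailable: 25%
        timeoutSeconds: 600
        updatePeriodSeconds: 1
      type: Rolling
    template:
      metadata:
        labels:
          deploymentConfig: system-memcache
          app: ${APP_LABEL}
          3scale.component: system
          3scale.component-element: memcache
      spec:
        containers:
        - name: memcache
          image: ${MEMCACHED_IMAGE}
          imagePullPolicy: IfNotPresent
          command:
          - "memcached"
          - "-m"
          - "64"
          ports:
          - containerPort: 11211
            protocol: TCP
          resources:
            limits:
              cpu: 250m
              memory: 96Mi
            requests:
              cpu: 50m
              memory: 64Mi
          # Ready once the daemon answers the `version` command on 11211.
          readinessProbe:
            exec:
              command:
              - "sh"
              - "-c"
              - "echo version | nc $HOSTNAME 11211 | grep VERSION"
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 11211
            initialDelaySeconds: 10
            periodSeconds: 10
    triggers:
    - type: ConfigChange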
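# Route for the tenant admin portal; TLS is terminated at the router (edge).
# insecureEdgeTerminationPolicy is Redirect instead of the original Allow:
# the admin login is reached through this host, so plain-HTTP requests are
# sent to HTTPS by the router rather than proxied to the application. The
# system containers already run with FORCE_SSL="true" (see base_env).
- apiVersion: v1
  kind: Route
  metadata:
    name: system-provider-admin
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: provider-ui
  spec:
    host: ${TENANT_NAME}-admin.${WILDCARD_DOMAIN}
    to:
      kind: Service
      name: system-provider
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect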
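# Route for the master admin portal; TLS is terminated at the router (edge).
# insecureEdgeTerminationPolicy is Redirect instead of the original Allow:
# the master login is reached through this host, so plain-HTTP requests are
# sent to HTTPS by the router rather than proxied to the application. The
# system containers already run with FORCE_SSL="true" (see base_env).
- apiVersion: v1
  kind: Route
  metadata:
    name: system-master-admin
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: master-ui
  spec:
    host: ${MASTER_NAME}-admin.${WILDCARD_DOMAIN}
    to:
      kind: Service
      name: system-master
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect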
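# Route for the developer portal; TLS is terminated at the router (edge).
# insecureEdgeTerminationPolicy is Redirect instead of the original Allow, so
# plain-HTTP requests to the portal are sent to HTTPS by the router rather
# than proxied to the application. The system containers already run with
# FORCE_SSL="true" (see base_env).
- apiVersion: v1
  kind: Route
  metadata:
    name: system-developer
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: developer-ui
  spec:
    host: ${TENANT_NAME}.${WILDCARD_DOMAIN}
    to:
      kind: Service
      name: system-developer
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect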
# Public route to the backend-listener Service; TLS is terminated at the
# router (edge).
# NOTE(review): insecureEdgeTerminationPolicy Allow also serves this host
# over plain HTTP, so anything sent to the backend API that way crosses the
# network unencrypted. Redirect or None would close that; check that no
# client depends on HTTP before changing it.
- kind: Route
  apiVersion: v1
  metadata:
    name: backend
    labels:
      app: '${APP_LABEL}'
      3scale.component: backend
  spec:
    host: 'backend-${TENANT_NAME}.${WILDCARD_DOMAIN}'
    to:
      kind: Service
      name: backend-listener
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Allow
# Public route to the staging gateway (`gateway` port of apicast-staging);
# TLS is terminated at the router (edge).
# NOTE(review): insecureEdgeTerminationPolicy Allow also serves this host
# over plain HTTP, so API credentials sent that way are unencrypted. Redirect
# or None would close that; check that no API client depends on HTTP first.
- kind: Route
  apiVersion: v1
  metadata:
    name: api-apicast-staging
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: staging
  spec:
    host: 'api-${TENANT_NAME}-apicast-staging.${WILDCARD_DOMAIN}'
    to:
      kind: Service
      name: apicast-staging
    port:
      targetPort: gateway
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Allow
# Exposes the staging gateway (8080) and its management API (8090).
# NOTE(review): the management port is published on the Service, so any
# client that can reach it sees whatever APICAST_MANAGEMENT_API enables.
- kind: Service
  apiVersion: v1
  metadata:
    name: apicast-staging
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: staging
  spec:
    selector:
      deploymentConfig: apicast-staging
    ports:
    - name: gateway
      protocol: TCP
      port: 8080
      targetPort: 8080
    - name: management
      protocol: TCP
      port: 8090
      targetPort: 8090
# Staging APIcast gateway: configuration is loaded lazily and not cached
# (loader `lazy`, cache `0`), deployment environment `sandbox`.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: apicast-staging
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: staging
  spec:
    replicas: 1
    selector:
      deploymentConfig: apicast-staging
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1800
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: apicast-staging
          app: '${APP_LABEL}'
          3scale.component: apicast
          3scale.component-element: staging
        annotations:
          prometheus.io/scrape: 'true'
          prometheus.io/port: '9421'
      spec:
        containers:
        - name: apicast-staging
          image: 'amp-apicast:latest'
          imagePullPolicy: IfNotPresent
          env:
          # NOTE(review): the access token is embedded in the URL userinfo,
          # is readable in the DeploymentConfig, and is sent to system-master
          # over plain HTTP inside the cluster.
          - name: THREESCALE_PORTAL_ENDPOINT
            value: 'http://${APICAST_ACCESS_TOKEN}@system-master:3000/master/api/proxy/configs'
          - name: APICAST_CONFIGURATION_LOADER
            value: 'lazy'
          - name: APICAST_CONFIGURATION_CACHE
            value: '0'
          - name: THREESCALE_DEPLOYMENT_ENV
            value: 'sandbox'
          # Decides what the management API on 8090 exposes; the probes below
          # need its status endpoints.
          - name: APICAST_MANAGEMENT_API
            value: '${APICAST_MANAGEMENT_API}'
          - name: BACKEND_ENDPOINT_OVERRIDE
            value: 'http://backend-listener:3000'
          # Parameter-driven; presumably controls upstream certificate
          # verification - confirm the value used in production.
          - name: OPENSSL_VERIFY
            value: '${APICAST_OPENSSL_VERIFY}'
          - name: APICAST_RESPONSE_CODES
            value: '${APICAST_RESPONSE_CODES}'
          - name: REDIS_URL
            value: 'redis://system-redis:6379/2'
          ports:
          - containerPort: 8080
            protocol: TCP
          - containerPort: 8090
            protocol: TCP
          - name: metrics
            containerPort: 9421
            protocol: TCP
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 100m
              memory: 128Mi
          livenessProbe:
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            httpGet:
              path: '/status/live'
              port: 8090
          readinessProbe:
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            httpGet:
              path: '/status/ready'
              port: 8090
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - apicast-staging
        from:
          kind: ImageStreamTag
          name: 'amp-apicast:latest'
# Public route to the production gateway (`gateway` port of
# apicast-production); TLS is terminated at the router (edge).
# NOTE(review): insecureEdgeTerminationPolicy Allow also serves this host
# over plain HTTP, so API credentials sent that way are unencrypted. Redirect
# or None would close that; check that no API client depends on HTTP first.
- kind: Route
  apiVersion: v1
  metadata:
    name: api-apicast-production
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: production
  spec:
    host: 'api-${TENANT_NAME}-apicast-production.${WILDCARD_DOMAIN}'
    to:
      kind: Service
      name: apicast-production
    port:
      targetPort: gateway
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Allow
# Exposes the production gateway (8080) and its management API (8090).
# NOTE(review): the management port is published on the Service, so any
# client that can reach it sees whatever APICAST_MANAGEMENT_API enables.
- kind: Service
  apiVersion: v1
  metadata:
    name: apicast-production
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: production
  spec:
    selector:
      deploymentConfig: apicast-production
    ports:
    - name: gateway
      protocol: TCP
      port: 8080
      targetPort: 8080
    - name: management
      protocol: TCP
      port: 8090
      targetPort: 8090
# Production APIcast gateway: configuration is loaded at boot and cached for
# 300 (loader `boot`, cache `300`). An init container waits until
# system-master answers on /status.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: apicast-production
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: production
  spec:
    replicas: 1
    selector:
      deploymentConfig: apicast-production
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1800
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: apicast-production
          app: '${APP_LABEL}'
          3scale.component: apicast
          3scale.component-element: production
        annotations:
          prometheus.io/scrape: 'true'
          prometheus.io/port: '9421'
      spec:
        initContainers:
        - name: system-master-svc
          image: 'amp-apicast:latest'
          command:
          - 'sh'
          - '-c'
          - 'until $(curl --output /dev/null --silent --fail --head http://system-master:3000/status); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field in the
          # Kubernetes API; set on a container it is probably ignored - confirm.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: apicast-production
          image: 'amp-apicast:latest'
          imagePullPolicy: IfNotPresent
          env:
          # NOTE(review): the access token is embedded in the URL userinfo,
          # is readable in the DeploymentConfig, and is sent to system-master
          # over plain HTTP inside the cluster.
          - name: THREESCALE_PORTAL_ENDPOINT
            value: 'http://${APICAST_ACCESS_TOKEN}@system-master:3000/master/api/proxy/configs'
          - name: APICAST_CONFIGURATION_LOADER
            value: 'boot'
          - name: APICAST_CONFIGURATION_CACHE
            value: '300'
          - name: THREESCALE_DEPLOYMENT_ENV
            value: 'production'
          # Decides what the management API on 8090 exposes; the probes below
          # need its status endpoints.
          - name: APICAST_MANAGEMENT_API
            value: '${APICAST_MANAGEMENT_API}'
          - name: BACKEND_ENDPOINT_OVERRIDE
            value: 'http://backend-listener:3000'
          # Parameter-driven; presumably controls upstream certificate
          # verification - confirm the value used in production.
          - name: OPENSSL_VERIFY
            value: '${APICAST_OPENSSL_VERIFY}'
          - name: APICAST_RESPONSE_CODES
            value: '${APICAST_RESPONSE_CODES}'
          - name: REDIS_URL
            value: 'redis://system-redis:6379/1'
          ports:
          - containerPort: 8080
            protocol: TCP
          - containerPort: 8090
            protocol: TCP
          - name: metrics
            containerPort: 9421
            protocol: TCP
          resources:
            requests:
              cpu: 500m
              memory: 64Mi
            limits:
              cpu: 1000m
              memory: 128Mi
          livenessProbe:
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            httpGet:
              path: '/status/live'
              port: 8090
          readinessProbe:
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            httpGet:
              path: '/status/ready'
              port: 8090
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - system-master-svc
        - apicast-production
        from:
          kind: ImageStreamTag
          name: 'amp-apicast:latest'
# Wildcard router in front of the gateways; listens on the port named `http`
# (8080) and talks to system-master through API_HOST.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: apicast-wildcard-router
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: wildcard-router
  spec:
    replicas: 1
    selector:
      deploymentConfig: apicast-wildcard-router
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1800
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: apicast-wildcard-router
          app: '${APP_LABEL}'
          3scale.component: apicast
          3scale.component-element: wildcard-router
      spec:
        containers:
        - name: apicast-wildcard-router
          image: 'amp-wildcard-router:latest'
          imagePullPolicy: IfNotPresent
          env:
          # NOTE(review): the access token is embedded in the URL userinfo,
          # is readable in the DeploymentConfig, and is sent to system-master
          # over plain HTTP inside the cluster.
          - name: API_HOST
            value: 'http://${APICAST_ACCESS_TOKEN}@system-master:3000'
          ports:
          - name: http
            containerPort: 8080
            protocol: TCP
          resources:
            requests:
              cpu: 120m
              memory: 32Mi
            limits:
              cpu: 500m
              memory: 64Mi
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - apicast-wildcard-router
        from:
          kind: ImageStreamTag
          name: 'amp-wildcard-router:latest'
# Maps service port 8080 to the container port named `http` on the
# apicast-wildcard-router pods.
- kind: Service
  apiVersion: v1
  metadata:
    name: apicast-wildcard-router
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: wildcard-router
  spec:
    selector:
      deploymentConfig: apicast-wildcard-router
    ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: http
# Route for the wildcard router. wildcardPolicy comes from a template
# parameter, so depending on its value the route may claim every subdomain of
# ${WILDCARD_DOMAIN} that no other route owns.
# NOTE(review): insecureEdgeTerminationPolicy Allow also serves these hosts
# over plain HTTP; Redirect or None would close that once clients are checked.
- kind: Route
  apiVersion: v1
  metadata:
    name: apicast-wildcard-router
    labels:
      app: '${APP_LABEL}'
      3scale.component: apicast
      3scale.component-element: wildcard-router
  spec:
    host: 'apicast-wildcard.${WILDCARD_DOMAIN}'
    wildcardPolicy: '${WILDCARD_POLICY}'
    to:
      kind: Service
      name: apicast-wildcard-router
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Allow
# Extra configuration files for the system containers (mounted by system-app
# at /opt/system-extra-configs). zync.yml takes its token from the
# ZYNC_AUTHENTICATION_TOKEN environment variable, so no secret is stored in
# this ConfigMap; the zync endpoint itself is plain HTTP inside the cluster.
# NOTE(review): the nesting inside the two embedded documents was flattened
# on this page and is restored here from their key structure - compare with
# the deployed ConfigMap.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: system
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
  data:
    zync.yml: |
      production:
        endpoint: 'http://zync:8080'
        authentication:
          token: "<%= ENV.fetch('ZYNC_AUTHENTICATION_TOKEN') %>"
        connect_timeout: 5
        send_timeout: 5
        receive_timeout: 10
        root_url:
    rolling_updates.yml: |
      production:
        old_charts: false
        new_provider_documentation: false
        proxy_pro: false
        instant_bill_plan_change: false
        service_permissions: true
        async_apicast_deploy: false
        duplicate_application_id: true
        duplicate_user_key: true
        plan_changes_wizard: false
        require_cc_on_signup: false
        apicast_per_service: true
        new_notification_system: true
        cms_api: false
        apicast_v2: true
        forum: false
        published_service_plan_signup: true
        apicast_oidc: true
        policies: true
# MySQL drop-in that sets utf8 as the client and server character set and
# utf8_unicode_ci as the server collation.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: mysql-extra-conf
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: mysql
  data:
    mysql-charset.cnf: |
      [client]
      default-character-set = utf8
      [mysql]
      default-character-set = utf8
      [mysqld]
      character-set-server = utf8
      collation-server = utf8_unicode_ci
# Main MySQL configuration: includes the image's /etc/my.cnf and every file
# under /etc/my-extra.d.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: mysql-main-conf
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: mysql
  data:
    my.cnf: |
      !include /etc/my.cnf
      !includedir /etc/my-extra.d
# Main system pod: three containers from the same image serve the master
# (3002), provider (3000) and developer (3001) portals. All of them, and the
# pre-deployment hook, receive the full *base_env, including its credentials.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: system-app
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: app
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-app
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1200
        maxSurge: '25%'
        maxUnavailable: '25%'
        # Runs in a fresh pod before the rollout; retried until it succeeds.
        pre:
          failurePolicy: Retry
          execNewPod:
            containerName: system-master
            # NOTE(review): ${MASTER_ACCESS_TOKEN} is expanded into a
            # `bash -c` string, so the token is visible in the
            # DeploymentConfig and in the hook pod's command line, and a
            # value containing shell metacharacters would be interpreted by
            # bash. Passing it through env would avoid both.
            command:
            - 'bash'
            - '-c'
            - 'bundle exec rake boot openshift:deploy MASTER_ACCESS_TOKEN="${MASTER_ACCESS_TOKEN}"'
            env: *base_env
            volumes:
            - system-storage
        # Runs after the rollout; a failure aborts the deployment.
        post:
          failurePolicy: Abort
          execNewPod:
            containerName: system-master
            command:
            - 'bash'
            - '-c'
            - 'bundle exec rake boot openshift:post_deploy'
    template:
      metadata:
        labels:
          deploymentConfig: system-app
          app: '${APP_LABEL}'
          3scale.component: system
          3scale.component-element: app
      spec:
        containers:
        - name: system-master
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'env'
          - 'TENANT_MODE=master'
          - 'PORT=3002'
          - 'container-entrypoint'
          - 'bundle'
          - 'exec'
          - 'unicorn'
          - '-c'
          - 'config/unicorn.rb'
          env: *base_env
          ports:
          - name: master
            containerPort: 3002
            protocol: TCP
          resources:
            requests:
              cpu: 50m
              memory: 600Mi
            limits:
              cpu: 1000m
              memory: 800Mi
          livenessProbe:
            tcpSocket:
              port: master
            initialDelaySeconds: 40
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 40
          # The probe speaks plain HTTP to the pod but sends
          # X-Forwarded-Proto: https, presumably so that the FORCE_SSL
          # redirect does not fail the check.
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: master
              path: '/check.txt'
              httpHeaders:
              - name: X-Forwarded-Proto
                value: 'https'
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 10
          volumeMounts:
          - name: system-storage
            mountPath: '/opt/system/public/system'
          - name: system-config
            mountPath: '/opt/system-extra-configs'
        - name: system-provider
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'env'
          - 'TENANT_MODE=provider'
          - 'PORT=3000'
          - 'container-entrypoint'
          - 'bundle'
          - 'exec'
          - 'unicorn'
          - '-c'
          - 'config/unicorn.rb'
          env: *base_env
          ports:
          - name: provider
            containerPort: 3000
            protocol: TCP
          resources:
            requests:
              cpu: 50m
              memory: 600Mi
            limits:
              cpu: 1000m
              memory: 800Mi
          livenessProbe:
            tcpSocket:
              port: provider
            initialDelaySeconds: 40
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 40
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: provider
              path: '/check.txt'
              httpHeaders:
              - name: X-Forwarded-Proto
                value: 'https'
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 10
          volumeMounts:
          - name: system-storage
            mountPath: '/opt/system/public/system'
          - name: system-config
            mountPath: '/opt/system-extra-configs'
        - name: system-developer
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'env'
          - 'PORT=3001'
          - 'container-entrypoint'
          - 'bundle'
          - 'exec'
          - 'unicorn'
          - '-c'
          - 'config/unicorn.rb'
          env: *base_env
          ports:
          - name: developer
            containerPort: 3001
            protocol: TCP
          resources:
            requests:
              cpu: 50m
              memory: 600Mi
            limits:
              cpu: 1000m
              memory: 800Mi
          livenessProbe:
            tcpSocket:
              port: developer
            initialDelaySeconds: 40
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 40
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: developer
              path: '/check.txt'
              httpHeaders:
              - name: X-Forwarded-Proto
                value: 'https'
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 10
          volumeMounts:
          # The developer portal only reads the shared storage.
          - name: system-storage
            mountPath: '/opt/system/public/system'
            readOnly: true
          - name: system-config
            mountPath: '/opt/system-extra-configs'
        volumes:
        - name: system-storage
          persistentVolumeClaim:
            claimName: system-storage
        - name: system-config
          configMap:
            name: system
            items:
            - key: zync.yml
              path: zync.yml
            - key: rolling_updates.yml
              path: rolling_updates.yml
        # Pod-level security context: adds GID 65534 to the processes of all
        # three containers. Presumably this matches the group owning the
        # shared ReadWriteMany volume (65534 is conventionally
        # nobody/nfsnobody) - verify against the storage in use.
        securityContext:
          supplementalGroups:
          - 65534
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - system-provider
        - system-developer
        - system-master
        from:
          kind: ImageStreamTag
          name: 'amp-system:latest'
# Background job pod: a resque worker and a resque scheduler from the system
# image, both with the full *base_env (credentials included). An init
# container waits until system-master answers on /status.
- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: system-resque
    labels:
      app: '${APP_LABEL}'
      3scale.component: system
      3scale.component-element: resque
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-resque
    strategy:
      type: Rolling
      rollingParams:
        updatePeriodSeconds: 1
        intervalSeconds: 1
        timeoutSeconds: 1200
        maxSurge: '25%'
        maxUnavailable: '25%'
    template:
      metadata:
        labels:
          deploymentConfig: system-resque
          app: '${APP_LABEL}'
          3scale.component: system
          3scale.component-element: resque
      spec:
        initContainers:
        - name: system-master-svc
          image: 'amp-system:latest'
          command:
          - 'sh'
          - '-c'
          - 'until $(curl --output /dev/null --silent --fail --head http://system-master:3000/status); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field in the
          # Kubernetes API; set on a container it is probably ignored - confirm.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: system-resque
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'rake'
          - 'resque:work'
          - 'QUEUE=*'
          env: *base_env
          resources:
            requests:
              cpu: 100m
              memory: 300Mi
            limits:
              cpu: 150m
              memory: 450Mi
          volumeMounts:
          - name: system-storage
            mountPath: '/opt/system/public/system'
        - name: system-scheduler
          image: 'amp-system:latest'
          imagePullPolicy: IfNotPresent
          args:
          - 'rake'
          - 'resque:scheduler'
          - 'QUEUE=*'
          env: *base_env
          resources:
            requests:
              cpu: 50m
              memory: 200Mi
            limits:
              cpu: 150m
              memory: 250Mi
        volumes:
        - name: system-storage
          persistentVolumeClaim:
            claimName: system-storage
        # Pod-level security context: adds GID 65534 to the processes of both
        # containers. Presumably this matches the group owning the shared
        # volume (65534 is conventionally nobody/nfsnobody) - verify against
        # the storage in use.
        securityContext:
          supplementalGroups:
          - 65534
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - system-master-svc
        - system-scheduler
        - system-resque
        from:
          kind: ImageStreamTag
          name: 'amp-system:latest'
# DeploymentConfig system-sidekiq: a single Sidekiq worker container
# (`rake sidekiq:worker`) from amp-system:latest.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: system-sidekiq
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: sidekiq
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-sidekiq
    strategy:
      type: Rolling
      rollingParams:
        intervalSeconds: 1
        maxSurge: 25%
        maxUnavailable: 25%
        timeoutSeconds: 1200
        updatePeriodSeconds: 1
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - check-svc
        - system-sidekiq
        from:
          kind: ImageStreamTag
          name: amp-system:latest
    template:
      metadata:
        labels:
          deploymentConfig: system-sidekiq
          app: ${APP_LABEL}
          3scale.component: system
          3scale.component-element: sidekiq
      spec:
        initContainers:
        # Waits for three dependencies: a TCP connect to backend-redis:6379
        # and HTTP status checks against system-master and zync.
        - name: check-svc
          image: amp-system:latest
          command:
          - 'sh'
          - '-c'
          - 'until $(echo -n > /dev/tcp/backend-redis/6379 && curl --output /dev/null --silent --fail --head http://system-master:3000/status && curl --output /dev/null --silent --head --fail http://zync:8080/status/ready); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field; placed
          # among this container's keys it is probably ignored. Confirm. At
          # pod level it would cap the lifetime of the whole pod.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: system-sidekiq
          image: amp-system:latest
          imagePullPolicy: IfNotPresent
          args:
          - 'rake'
          - 'sidekiq:worker'
          - 'RAILS_MAX_THREADS=25'
          # Full base_env anchor, including the credentials it defines as
          # literal values.
          env: *base_env
          resources:
            requests:
              cpu: 100m
              memory: 500Mi
            limits:
              cpu: 1000m
              memory: 2Gi
          volumeMounts:
          - name: system-storage
            mountPath: /opt/system/public/system
          - name: system-tmp
            mountPath: /tmp
          - name: system-config
            mountPath: /opt/system-extra-configs
        volumes:
        # /tmp is a memory-backed emptyDir: its content lives in RAM and is
        # gone when the pod is removed.
        - name: system-tmp
          emptyDir:
            medium: Memory
        - name: system-storage
          persistentVolumeClaim:
            claimName: system-storage
        # Only these two keys of the "system" ConfigMap are projected.
        - name: system-config
          configMap:
            name: system
            items:
            - key: zync.yml
              path: zync.yml
            - key: rolling_updates.yml
              path: rolling_updates.yml
        # Supplementary GID 65534 for every container process in the pod.
        # NOTE(review): presumably for group access to system-storage;
        # confirm against the volume's ownership and the admitting SCC.
        securityContext:
          supplementalGroups:
          - 65534
# DeploymentConfig system-mysql: the MySQL server behind the system
# component, one replica, redeployed with the Recreate strategy.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: system-mysql
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: mysql
  spec:
    replicas: 1
    selector:
      deploymentConfig: system-mysql
    strategy:
      type: Recreate
    # No ImageChange trigger: the image is whatever ${MYSQL_IMAGE} resolves
    # to when the pod is scheduled.
    triggers:
    - type: ConfigChange
    template:
      metadata:
        labels:
          deploymentConfig: system-mysql
          app: ${APP_LABEL}
          3scale.component: system
          3scale.component-element: mysql
      spec:
        containers:
        - name: system-mysql
          image: ${MYSQL_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 3306
            protocol: TCP
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              memory: 2Gi
          # Template processing writes these credentials into the object as
          # literal values, so anyone allowed to read DeploymentConfigs or
          # pods in the project can read them. The zync objects in this
          # template keep theirs in a Secret and use secretKeyRef; the same
          # pattern would fit here.
          # NOTE(review): base_env builds DATABASE_URL with the root account
          # and MYSQL_ROOT_PASSWORD, so the application appears to connect as
          # root rather than as MYSQL_USER; confirm whether that is intended.
          env:
          - name: MYSQL_USER
            value: ${MYSQL_USER}
          - name: MYSQL_PASSWORD
            value: ${MYSQL_PASSWORD}
          - name: MYSQL_DATABASE
            value: ${MYSQL_DATABASE}
          - name: MYSQL_ROOT_PASSWORD
            value: ${MYSQL_ROOT_PASSWORD}
          - name: MYSQL_LOWER_CASE_TABLE_NAMES
            value: '1'
          - name: MYSQL_DEFAULTS_FILE
            value: /etc/my-extra/my.cnf
          # The probe hands the password to the client through MYSQL_PWD
          # instead of a command-line argument.
          readinessProbe:
            exec:
              command:
              - /bin/sh
              - '-i'
              - '-c'
              - >-
                MYSQL_PWD="$MYSQL_PASSWORD" mysql -h 127.0.0.1
                -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 3306
            initialDelaySeconds: 30
            periodSeconds: 10
          volumeMounts:
          - name: mysql-storage
            mountPath: /var/lib/mysql/data
          - name: mysql-extra-conf
            mountPath: /etc/my-extra.d
          - name: mysql-main-conf
            mountPath: /etc/my-extra
        volumes:
        - name: mysql-storage
          persistentVolumeClaim:
            claimName: mysql-storage
        - name: mysql-extra-conf
          configMap:
            name: mysql-extra-conf
        - name: mysql-main-conf
          configMap:
            name: mysql-main-conf
        # Supplementary GID 65534 for the MySQL process.
        # NOTE(review): presumably needed for group access to the
        # mysql-storage volume; confirm against the volume's ownership and
        # the admitting SCC.
        securityContext:
          supplementalGroups:
          - 65534
# ConfigMap redis-config: the redis.conf handed to the Redis pods.
# Security note: the file sets `protected-mode no` and contains neither
# `requirepass` nor `bind`, so Redis accepts unauthenticated commands from
# any client that can reach port 6379. Access control therefore rests
# entirely on network isolation (project SDN isolation or a NetworkPolicy
# limiting port 6379 to the pods that need it); confirm one is in place.
# Persistence uses both RDB snapshots and an append-only file under
# /var/lib/redis/data.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: redis-config
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: redis
  data:
    redis.conf: |
      protected-mode no
      port 6379
      timeout 0
      tcp-keepalive 300
      daemonize no
      supervised no
      loglevel notice
      databases 16
      save 900 1
      save 300 10
      save 60 10000
      stop-writes-on-bgsave-error yes
      rdbcompression yes
      rdbchecksum yes
      dbfilename dump.rdb
      slave-serve-stale-data yes
      slave-read-only yes
      repl-diskless-sync no
      repl-disable-tcp-nodelay no
      appendonly yes
      appendfilename "appendonly.aof"
      appendfsync everysec
      no-appendfsync-on-rewrite no
      auto-aof-rewrite-percentage 100
      auto-aof-rewrite-min-size 64mb
      aof-load-truncated yes
      lua-time-limit 5000
      activerehashing no
      aof-rewrite-incremental-fsync yes
      dir /var/lib/redis/data
# ConfigMap smtp: outbound mail settings, all empty by default; base_env
# reads them through configMapKeyRef.
# Security note: `password` sits in a ConfigMap, not a Secret. ConfigMaps
# are readable with ordinary view access and are not covered by Secret
# encryption at rest, so once a real SMTP password is filled in it is
# exposed more widely than the other credentials. Moving it to a Secret
# also requires changing the matching env reference to secretKeyRef.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: smtp
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: smtp
  data:
    address: ''
    port: ''
    domain: ''
    username: ''
    password: ''
    authentication: ''
    # NOTE(review): an empty value leaves the TLS verification mode to the
    # application's default; confirm what that default is.
    openssl.verify.mode: ''
# ImageStream postgresql: tag "9.5" tracks the external image named by
# ${POSTGRESQL_IMAGE}.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: postgresql
    labels:
      app: ${APP_LABEL}
      3scale.component: system
      3scale.component-element: postgresql
  spec:
    tags:
    # Quoted so the tag name stays the string "9.5" rather than a float.
    - name: '9.5'
      from:
        kind: DockerImage
        name: ${POSTGRESQL_IMAGE}
      importPolicy:
        # ${{...}} substitutes the parameter as a non-string value, giving
        # the boolean this field expects. Setting it to true lets the import
        # skip certificate verification or use plain HTTP, so keep the
        # default of false unless the registry really needs it.
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# ImageStream amp-zync: the ${AMP_RELEASE} tag imports ${AMP_ZYNC_IMAGE}
# and `latest` follows it, so the DeploymentConfigs can reference
# amp-zync:latest.
- apiVersion: v1
  kind: ImageStream
  metadata:
    name: amp-zync
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
    annotations:
      openshift.io/display-name: AMP Zync
  spec:
    tags:
    # `latest` is an alias of the release tag defined below.
    - name: latest
      annotations:
        openshift.io/display-name: AMP Zync (latest)
      from:
        kind: ImageStreamTag
        name: '${AMP_RELEASE}'
    - name: '${AMP_RELEASE}'
      annotations:
        openshift.io/display-name: AMP Zync ${AMP_RELEASE}
      from:
        kind: DockerImage
        name: ${AMP_ZYNC_IMAGE}
      importPolicy:
        # Boolean substituted through ${{...}}; true permits an unverified
        # or plain-HTTP registry connection during import.
        insecure: '${{IMAGESTREAM_TAG_IMPORT_INSECURE}}'
# Secret zync: credentials for the zync service and its PostgreSQL
# database, consumed through secretKeyRef by the zync and zync-database
# DeploymentConfigs.
- apiVersion: v1
  kind: Secret
  metadata:
    name: zync
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
  type: Opaque
  # stringData takes plain text; the API server stores it base64-encoded
  # under .data.
  stringData:
    SECRET_KEY_BASE: '${ZYNC_SECRET_KEY_BASE}'
    # The database password is interpolated into the URL unescaped. The
    # generator for ZYNC_DATABASE_PASSWORD emits only [a-zA-Z0-9], which is
    # URL-safe; a hand-supplied password with reserved characters (@ : / ?)
    # would have to be percent-encoded for this value and left raw for
    # ZYNC_DATABASE_PASSWORD below.
    DATABASE_URL: 'postgresql://zync:${ZYNC_DATABASE_PASSWORD}@zync-database:5432/zync_production'
    ZYNC_DATABASE_PASSWORD: '${ZYNC_DATABASE_PASSWORD}'
    ZYNC_AUTHENTICATION_TOKEN: '${ZYNC_AUTHENTICATION_TOKEN}'
# DeploymentConfig zync: the zync service, listening on 8080, with all of
# its credentials taken from the "zync" Secret.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: zync
    annotations: null
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
  spec:
    replicas: 1
    selector:
      deploymentConfig: zync
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - zync-db-svc
        - zync
        from:
          kind: ImageStreamTag
          name: amp-zync:latest
    template:
      metadata:
        labels:
          deploymentConfig: zync
          app: ${APP_LABEL}
          3scale.component: zync
      spec:
        initContainers:
        # Waits until a TCP connection to zync-database:5432 succeeds.
        - name: zync-db-svc
          image: amp-zync:latest
          command:
          - 'sh'
          - '-c'
          - 'until $(echo -n > /dev/tcp/zync-database/5432); do sleep $SLEEP_SECONDS; done'
          # NOTE(review): activeDeadlineSeconds is a pod-level field; placed
          # among this container's keys it is probably ignored. Confirm. At
          # pod level it would cap the lifetime of the whole pod.
          activeDeadlineSeconds: 1200
          env:
          - name: SLEEP_SECONDS
            value: '1'
        containers:
        - name: zync
          image: amp-zync:latest
          ports:
          - containerPort: 8080
            protocol: TCP
          resources:
            requests:
              cpu: 150m
              memory: 250M
            limits:
              cpu: 1
              memory: 512Mi
          env:
          - name: RAILS_LOG_TO_STDOUT
            value: 'true'
          - name: RAILS_ENV
            value: production
          # The three sensitive values are references into the Secret, so
          # they do not appear in this object's own definition.
          - name: DATABASE_URL
            valueFrom:
              secretKeyRef:
                name: zync
                key: DATABASE_URL
          - name: SECRET_KEY_BASE
            valueFrom:
              secretKeyRef:
                name: zync
                key: SECRET_KEY_BASE
          - name: ZYNC_AUTHENTICATION_TOKEN
            valueFrom:
              secretKeyRef:
                name: zync
                key: ZYNC_AUTHENTICATION_TOKEN
          livenessProbe:
            httpGet:
              path: /status/live
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 60
            successThreshold: 1
            failureThreshold: 10
          readinessProbe:
            httpGet:
              path: /status/ready
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 100
            periodSeconds: 10
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3
# Service zync: in-cluster endpoint for the zync pods on TCP 8080. No
# service type is set, so it is not exposed outside the cluster by this
# object.
- apiVersion: v1
  kind: Service
  metadata:
    name: zync
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
  spec:
    selector:
      deploymentConfig: zync
    ports:
    - name: 8080-tcp
      protocol: TCP
      port: 8080
      targetPort: 8080
# Service zync-database: in-cluster endpoint for the zync PostgreSQL pod on
# TCP 5432.
- apiVersion: v1
  kind: Service
  metadata:
    name: zync-database
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
      3scale.component-element: database
  spec:
    selector:
      deploymentConfig: zync-database
    ports:
    - name: postgresql
      protocol: TCP
      port: 5432
      targetPort: 5432
      # 0 requests no node port.
      nodePort: 0
# DeploymentConfig zync-database: the PostgreSQL instance used by zync, one
# replica, redeployed with the Recreate strategy.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: zync-database
    labels:
      app: ${APP_LABEL}
      3scale.component: zync
      3scale.component-element: database
  spec:
    replicas: 1
    selector:
      deploymentConfig: zync-database
    strategy:
      type: Recreate
    triggers:
    # The container image is a placeholder; this trigger fills it in from
    # the postgresql:9.5 image stream tag.
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - postgresql
        from:
          kind: ImageStreamTag
          name: postgresql:9.5
    - type: ConfigChange
    template:
      metadata:
        labels:
          deploymentConfig: zync-database
          app: ${APP_LABEL}
          3scale.component: zync
          3scale.component-element: database
      spec:
        restartPolicy: Always
        containers:
        - name: postgresql
          image: ' '
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 5432
            protocol: TCP
          env:
          - name: POSTGRESQL_USER
            value: zync
          # The password is read from the "zync" Secret, not inlined.
          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
                name: zync
                key: ZYNC_DATABASE_PASSWORD
          - name: POSTGRESQL_DATABASE
            value: zync_production
          resources:
            requests:
              cpu: 50m
              memory: 250M
            limits:
              cpu: 250m
              memory: 2G
          # The probe runs psql over 127.0.0.1 without supplying a password.
          # NOTE(review): this presumably relies on the image trusting local
          # connections; confirm that trust does not extend to remote
          # clients.
          readinessProbe:
            exec:
              command:
              - '/bin/sh'
              - '-i'
              - '-c'
              - psql -h 127.0.0.1 -U zync -q -d zync_production -c 'SELECT 1'
            initialDelaySeconds: 5
            timeoutSeconds: 1
          livenessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 30
            timeoutSeconds: 1
          volumeMounts:
          - name: zync-database-data
            mountPath: /var/lib/pgsql/data
        volumes:
        # The data directory is an emptyDir, so the database content is lost
        # whenever the pod is deleted or rescheduled. Use a
        # PersistentVolumeClaim if zync's state has to survive that.
        - name: zync-database-data
          emptyDir:
            medium: ''
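# Template parameters. A parameter with `generate: expression` gets a random
# value matching `from` when the caller supplies none.
#
# Generated passwords, tokens and shared secrets use 16 characters from
# [a-z0-9] (about 82 bits), in line with ADMIN_ACCESS_TOKEN and the ZYNC_*
# values; 8 characters from that alphabet is only about 41 bits. Several of
# these values are interpolated into connection URLs elsewhere in the
# template, so a hand-supplied value should stay URL-safe.
parameters:
- name: APP_LABEL
  description: Used for object app labels
  value: "3scale-api-management"
  required: true
- name: ZYNC_DATABASE_PASSWORD
  displayName: PostgreSQL Connection Password
  description: Password for the PostgreSQL connection user.
  generate: expression
  from: "[a-zA-Z0-9]{16}"
  required: true
- name: ZYNC_SECRET_KEY_BASE
  generate: expression
  from: "[a-zA-Z0-9]{16}"
  required: true
- name: ZYNC_AUTHENTICATION_TOKEN
  generate: expression
  from: "[a-zA-Z0-9]{16}"
  required: true
- name: AMP_RELEASE
  description: "AMP release tag."
  value: "2.3.0"
  required: true
- name: ADMIN_PASSWORD
  required: true
  generate: expression
  from: "[a-z0-9]{16}"
- name: ADMIN_USERNAME
  value: admin
  required: true
- name: APICAST_ACCESS_TOKEN
  required: true
  generate: expression
  from: "[a-z0-9]{16}"
  description: "Read Only Access Token that is APIcast going to use to download its configuration."
- name: ADMIN_ACCESS_TOKEN
  required: false
  generate: expression
  from: "[a-z0-9]{16}"
  description: "Admin Access Token with all scopes and write permissions for API access."
- name: WILDCARD_DOMAIN
  description: Root domain for the wildcard routes. Eg. example.com will generate 3scale-admin.example.com.
  required: true
- name: WILDCARD_POLICY
  description: Use "Subdomain" to create a wildcard route for apicast wildcard router
  required: true
  value: "None"
- name: TENANT_NAME
  description: "Tenant name under the root that Admin UI will be available with -admin suffix."
  required: true
  value: "3scale"
- name: MYSQL_USER
  displayName: MySQL User
  description: Username for MySQL user that will be used for accessing the database.
  value: "mysql"
  required: true
- name: MYSQL_PASSWORD
  displayName: MySQL Password
  description: Password for the MySQL user.
  generate: expression
  from: "[a-z0-9]{16}"
  required: true
- name: MYSQL_DATABASE
  displayName: MySQL Database Name
  description: Name of the MySQL database accessed.
  value: "system"
  required: true
# The root password is also embedded in DATABASE_URL in base_env.
- name: MYSQL_ROOT_PASSWORD
  displayName: MySQL Root password.
  description: Password for Root user.
  generate: expression
  from: "[a-z0-9]{16}"
  required: true
- name: SYSTEM_BACKEND_USERNAME
  description: Internal 3scale API username for internal 3scale api auth.
  value: "3scale_api_user"
  required: true
- name: SYSTEM_BACKEND_PASSWORD
  description: Internal 3scale API password for internal 3scale api auth.
  generate: expression
  from: "[a-z0-9]{16}"
  required: true
# Image defaults reference tags or bare repositories, not digests, so the
# content behind them can change between imports.
# NOTE(review): the AMP_* defaults mix 3scale-amp22 and 3scale-amp23
# repositories while AMP_RELEASE is 2.3.0; confirm that is intended.
- name: REDIS_IMAGE
  description: Redis image to use
  required: true
  value: "registry.access.redhat.com/rhscl/redis-32-rhel7:3.2"
- name: MYSQL_IMAGE
  description: Mysql image to use
  required: true
  value: "registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7"
- name: MEMCACHED_IMAGE
  description: Memcached image to use
  required: true
  value: "registry.access.redhat.com/3scale-amp20/memcached:1.4.15"
- name: POSTGRESQL_IMAGE
  description: Postgresql image to use
  required: true
  value: "registry.access.redhat.com/rhscl/postgresql-95-rhel7:9.5"
- name: AMP_SYSTEM_IMAGE
  value: "registry.access.redhat.com/3scale-amp22/system"
  required: true
- name: AMP_BACKEND_IMAGE
  value: "registry.access.redhat.com/3scale-amp22/backend"
  required: true
- name: AMP_APICAST_IMAGE
  value: "registry.access.redhat.com/3scale-amp23/apicast-gateway"
  required: true
- name: AMP_ROUTER_IMAGE
  value: "registry.access.redhat.com/3scale-amp22/wildcard-router"
  required: true
- name: AMP_ZYNC_IMAGE
  value: "registry.access.redhat.com/3scale-amp22/zync"
  required: true
- name: SYSTEM_BACKEND_SHARED_SECRET
  description: Shared secret to import events from backend to system.
  generate: expression
  from: "[a-z0-9]{16}"
  required: true
- name: SYSTEM_APP_SECRET_KEY_BASE
  description: System application secret key base
  generate: expression
  from: "[a-f0-9]{128}"
  required: true
- name: APICAST_MANAGEMENT_API
  description: "Scope of the APIcast Management API. Can be disabled, status or debug. At least status required for health checks."
  required: false
  value: "status"
# The default turns TLS peer verification off for APIcast's configuration
# download, so that connection is not authenticated. Left unchanged because
# clusters with a self-signed router certificate depend on it; set it to
# "true" wherever the certificate chain is trusted.
- name: APICAST_OPENSSL_VERIFY
  description: "Turn on/off the OpenSSL peer verification when downloading the configuration. Can be set to true/false."
  required: false
  value: "false"
- name: APICAST_RESPONSE_CODES
  description: "Enable logging response codes in APIcast."
  value: "true"
  required: false
- name: MASTER_NAME
  description: "The root name which Admin UI will be available with -admin suffix."
  value: "master"
  required: true
- name: MASTER_USER
  value: master
  required: true
- name: MASTER_PASSWORD
  required: true
  generate: expression
  from: "[a-z0-9]{16}"
- name: MASTER_ACCESS_TOKEN
  required: true
  generate: expression
  from: "[a-z0-9]{16}"
# Plain HTTP to an in-cluster service name.
- name: APICAST_REGISTRY_URL
  description: "The URL to point to APIcast policies registry management"
  value: "http://apicast-staging:8090/policies"
  required: true
# Keep this 'false' unless the registry cannot present a verifiable
# certificate: 'true' allows image imports without certificate verification
# or over plain HTTP.
- name: IMAGESTREAM_TAG_IMPORT_INSECURE
  description: "Set to true if the server may bypass certificate verification or connect directly over HTTP during image import."
  required: true
  value: 'false'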