forked from hswaw/hscloud
Serge Bazanski
b7898a8038
Permissions get mangled on container restart. This adds an init container to fix them. Change-Id: I37c44e23a75b8ec41e6aba2ed38eee223496b8b9
113 lines
4.1 KiB
Text
113 lines
4.1 KiB
Text
local mirko = import "../../kube/mirko.libsonnet";
|
|
local kube = import "../../kube/kube.libsonnet";
|
|
|
|
// Deploy SourceGraph, a code serach tool. Its configuration is fully managed
|
|
// within sourcegraph itself, including user accounts.
|
|
|
|
{
|
|
cfg:: {
|
|
image: "sourcegraph/server:3.17.1",
|
|
publicFQDN: error "public FQDN must be set",
|
|
storageClassName: "waw-hdd-redundant-3",
|
|
},
|
|
|
|
component(cfg, env):: mirko.Component(env, "sourcegraph") {
|
|
local sourcegraph = self,
|
|
cfg+: {
|
|
image: cfg.image,
|
|
volumes+: {
|
|
data: kube.PersistentVolumeClaimVolume(sourcegraph.pvc.data),
|
|
etc: kube.PersistentVolumeClaimVolume(sourcegraph.pvc.etc),
|
|
},
|
|
securityContext: {
|
|
runAsUser: 0,
|
|
fsGroup: 0,
|
|
},
|
|
// This container fixes some permissions that Kubernetes volume mounts break.
|
|
initContainer: sourcegraph.Container("fixperms") {
|
|
image: "alpine:3",
|
|
volumeMounts_+: {
|
|
data: { mountPath: "/var/opt/sourcegraph" },
|
|
},
|
|
ports_: {},
|
|
command: [
|
|
"sh", "-c",
|
|
"chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
|
|
],
|
|
},
|
|
container: sourcegraph.Container("main") {
|
|
volumeMounts_+: {
|
|
data: { mountPath: "/var/opt/sourcegraph" },
|
|
etc: { mountPath: "/etc/sourcegraph" },
|
|
},
|
|
resources: {
|
|
requests: {
|
|
cpu: "100m",
|
|
memory: "1Gi",
|
|
},
|
|
limits: {
|
|
cpu: "1",
|
|
memory: "2Gi",
|
|
},
|
|
},
|
|
},
|
|
ports+: {
|
|
publicHTTP: {
|
|
public: {
|
|
port: 7080,
|
|
dns: cfg.publicFQDN,
|
|
// Authenticate as 'Anonymous' user by default. This is done in tandem
|
|
// with Sourcegraphs authenticate-by-http-header feature, and is a
|
|
// workaround for the lack of a public view in the self-hosted free
|
|
// version of Sourcegraph.
|
|
// https://twitter.com/sqs/status/1272659451292422144
|
|
setHeaders: ["X-Forwarded-User Anonymous"],
|
|
},
|
|
},
|
|
},
|
|
extraPaths: [
|
|
{
|
|
// Redirect anonymous user settings to a service that doesn't
|
|
// have any endpoints/backends.
|
|
path: "/users/Anonymous/settings",
|
|
backend: { serviceName: sourcegraph.blocksvc.metadata.name, servicePort: 8080 },
|
|
},
|
|
],
|
|
},
|
|
|
|
blocksvc: kube.Service(sourcegraph.makeName("blocksvc")) {
|
|
metadata+: sourcegraph.metadata,
|
|
spec+: {
|
|
selector: null,
|
|
ports: [{ port: 2137, targetPort: 2137 }],
|
|
},
|
|
},
|
|
|
|
pvc: {
|
|
data: kube.PersistentVolumeClaim(sourcegraph.makeName("data")) {
|
|
metadata+: sourcegraph.metadata,
|
|
spec+: {
|
|
storageClassName: cfg.storageClassName,
|
|
accessModes: [ "ReadWriteOnce" ],
|
|
resources: {
|
|
requests: {
|
|
storage: "40Gi",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
etc: kube.PersistentVolumeClaim(sourcegraph.makeName("etc")) {
|
|
metadata+: sourcegraph.metadata,
|
|
spec+: {
|
|
storageClassName: cfg.storageClassName,
|
|
accessModes: [ "ReadWriteOnce" ],
|
|
resources: {
|
|
requests: {
|
|
storage: "4Gi",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|