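---
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
# Deployment of the cic-auth-proxy container for the USSD service. The env
# block below wires it to the USSD server, the key-server and the ACL/GPG
# material mounted from ConfigMaps and a Secret; the Service in the next
# document exposes it in-cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cic-auth-proxy-ussd
  namespace: grassroots
  labels:
    app: cic-auth-proxy-ussd
    group: cic
  annotations:
    # Keel polls the registry every 5m and redeploys on tags matching master-*.
    # NOTE(review): the image below is tagged `latest`, which this glob does
    # not match, so the poll trigger cannot roll this Deployment forward.
    keel.sh/policy: "glob:master-*"
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@every 5m"
spec:
  selector:
    matchLabels:
      app: cic-auth-proxy-ussd
  replicas: 1
  template:
    metadata:
      labels:
        app: cic-auth-proxy-ussd
        group: cic
    spec:
      # NOTE(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem)
      # is set; confirm whether uwsgi needs root before adding one.
      containers:
      - name: cic-auth-proxy-ussd
        # Previously pinned build, kept for reference together with its Flux
        # image-automation marker.
        #image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:master-c05fafbf-1627493790 # {"$imagepolicy": "flux-system:cic-auth-proxy"}
        # Unpinned tag pulled on every pod start: successive pods may run
        # different content, and a rollback cannot target a specific build.
        image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:latest
        imagePullPolicy: Always
        # uwsgi serves the proxy script over plain HTTP on the container port
        # declared under `ports` below.
        command:
        - uwsgi
        - --wsgi-file
        - meta/scripts/proxy-ussd.py
        - --http
        - ":8080"
        resources:
          requests:
            cpu: 50m
            memory: 100Mi
          limits:
            cpu: 100m
            memory: 200Mi
        # NOTE(review): no readiness/liveness probe is defined, so the pod
        # counts as Ready as soon as the container process is running.
        env:
        # Backend the proxy talks to; presumably the USSD server's Service name
        # and port — verify against that manifest.
        - name: PROXY_HOST
          value: cic-user-ussd-server
        - name: PROXY_PORT
          value: "80"
        - name: PROXY_PATH_PREFIX
          value: "/"
        - name: HTTP_AUTH_ORIGIN
          value: https://ussd-auth.dev.grassrootseconomics.net:443
        - name: HTTP_AUTH_REALM
          value: GE
        # Plain HTTP to key-server; presumably an in-cluster Service — verify.
        - name: ACL_CREDENTIALS_ENDPOINT
          value: http://key-server:8081/
        # File inside the read-only acl-config mount (/data/acls/) below.
        - name: ACL_PATH
          value: /data/acls/F3FAF668E82EF5124D5187BAEF26F4682343F692
        # Credentials come from a Secret rather than inline values.
        - name: ACL_QUERYSTRING_USERNAME
          valueFrom:
            secretKeyRef:
              name: cic-ussd-querystring-creds
              key: username
        - name: ACL_QUERYSTRING_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cic-ussd-querystring-creds
              key: password
        # Comma-and-space separated list, as the proxy is given it.
        - name: ACL_WHITELIST
          value: "37.188.113.15, 164.177.157.18, 5.79.0.242, 164.177.141.82, 164.177.141.83"
        # Key material and its detached signature are fetched from key-server
        # over plain HTTP; the signature is what is checked against the
        # trusted fingerprint below.
        - name: GPG_PUBLICKEYS_ENDPOINT
          value: http://key-server:8080/.well-known/publickeys/
        - name: GPG_SIGNATURE_ENDPOINT
          value: http://key-server:8080/.well-known/signature/
        - name: GPG_TRUSTED_PUBLICKEY_FINGERPRINT # fingerprint of trusted key
          value: CCE2E1D2D0E36ADE0405E2D0995BB21816313BD5
        # Keyring lives on the gpg-homedir emptyDir: rebuilt on every pod start.
        - name: GPG_HOMEDIR
          value: /usr/local/etc/cic-auth-proxy/.gnupg/
        # Backed by the pgp-meta-test ConfigMap mount below.
        - name: GPG_IMPORT_DIR
          value: /usr/local/etc/cic-auth-proxy/import/
        - name: GPG_PUBLICKEY_FILENAME
          value: publickeys.asc
        - name: GPG_SIGNATURE_FILENAME
          value: signature.asc
        # Trust root for signature checks. It is served from the
        # pgp-trusted-publickey ConfigMap, so anyone able to edit ConfigMaps
        # in this namespace can change which key the proxy trusts.
        - name: GPG_TRUSTED_PUBLICKEY_MATERIAL
          value: /usr/local/etc/cic-auth-proxy/trusted/trustedpublickey.asc
        ports:
        - containerPort: 8080
          name: http
        volumeMounts:
        - name: acl-config
          mountPath: /data/acls/
          readOnly: true
        # NOTE(review): nothing in this spec references /data/noop/; the mount
        # may be unused by the proxy — confirm before removing.
        - name: credentials-config
          mountPath: /data/noop/
          readOnly: true
        # ConfigMap-backed mounts are read-only regardless; stated explicitly
        # to match the mounts above and make the intent visible.
        - name: trusted-publickey
          mountPath: /usr/local/etc/cic-auth-proxy/trusted/
          readOnly: true
        - name: gpg-homedir
          mountPath: /usr/local/etc/cic-auth-proxy/.gnupg
        - name: pgp-meta-test
          mountPath: /usr/local/etc/cic-auth-proxy/import
          readOnly: true
      volumes:
      - name: pgp-meta-test
        configMap:
          name: pgp-meta-test
      - name: acl-config
        configMap:
          name: cic-auth-proxy-acl-configmap
      - name: credentials-config
        configMap:
          name: cic-auth-proxy-credentials-configmap
      - name: trusted-publickey
        configMap:
          name: pgp-trusted-publickey
      # Ephemeral GPG home; discarded whenever the pod is recreated.
      - name: gpg-homedir
        emptyDir: {}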
---
# https://kubernetes.io/docs/concepts/services-networking/service/
# In-cluster (ClusterIP) entry point for the proxy pods selected by
# app=cic-auth-proxy-ussd. Port 80 on the Service maps onto the container's
# port named "http" (8080 in the Deployment above).
apiVersion: v1
kind: Service
metadata:
  name: cic-auth-proxy-ussd
  namespace: grassroots
spec:
  type: ClusterIP
  selector:
    app: cic-auth-proxy-ussd
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: http