apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }} labels: app: {{ .Release.Name }} spec: replicas: {{ .Values.app.replicaCount }} selector: matchLabels: app: {{ .Release.Name }} template: metadata: labels: app: {{ .Release.Name }} spec: containers: - name: {{ .Release.Name }} image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} imagePullPolicy: {{ .Values.app.image.pullPolicy }} ports: - containerPort: {{ .Values.app.container.port }} env: - name: NODE_ENV value: {{ .Values.app.container.env }} - name: PORT value: "{{ .Values.app.container.port }}" - name: DOMAIN value: "bridgemanaccessible.ca" - name: ACCOUNTS_DEV_PORT value: "9010" - name: ACCOUNTS_SUBDOMAIN_PREFIX value: "account" {{- /* This injects the YAML defined in the `_oauth.tpl` file */ -}} {{- include "oauth.envVars" . | nindent 8 }} {{- /* This injects the YAML defined from the `db_deploy`, `cache_deploy` and `nosql_deploy` subcharts */ -}} {{- include "db.envVars" . | nindent 8 }} {{- include "cache.envVars" . | nindent 8 }} {{- include "nosql.envVars" . | nindent 8 }} # NoSQL Grouping Names - name: ACCESS_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: access-properties - name: LOCALE_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: locales - name: ORDER_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: order-properties - name: PRICE_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: price-properties - name: SERVICE_CATEGORY_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: service-category-properties - name: SERVICE_PROPERTIES_STORAGE_TABLE_NAME valueFrom: configMapKeyRef: name: {{ .Release.Name }}-nosql-grouping-config key: service-properties # -- Secrets Vault (Hashicorp Vault OR Azure Key Vault) -- {{- if .Values.vault.enabled }} {{- if eq .Values.vault.type "azure" }} - name: KEYVAULT_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: client-id - name: KEYVAULT_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: client-secret - name: KEYVAULT_NAME valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: name - name: KEYVAULT_TENANT_ID valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: tenant-id {{- else if eq .Values.vault.type "hashicorp" }} - name: VAULT_NAME valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: vault-name - name: VAULT_PORT valueFrom: secretKeyRef: name: {{ .Release.Name }}-vault-secret key: vault-port {{- end }} {{- end }} # Email (Azure Communication Services API credentials, etc...) {{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") }} - name: EMAIL_CONNECTION_STRING valueFrom: secretKeyRef: name: {{ .Release.Name }}-email-secret key: connection-string {{- end }} # Third-Party Integrations {{- if .Values.thirdParty.stripe.enabled }} {{- /* This injects the YAML defined in the `_thirdParty.tpl` file */ -}} {{ include "stripe.envVars" . | nindent 8 }} {{- end }} {{- if .Values.thirdParty.moneris.enabled }} {{- /* This injects the YAML defined in the `_thirdParty.tpl` file */ -}} {{ include "moneris.envVars" . | nindent 8 }} {{- end }} - name: INITIAL_USER_ID value: {{ .Values.initialUserID | quote }} {{- if .Values.loggingSidecar.enabled }} {{- include "logging.envVars" . | nindent 8 }} {{- end }} {{- if ne .Values.app.restoreFromBackup "" }} # Due to subtleties related to how the entrypoint scripts detects how/when to proceed # This environment variable indicates if the entrypoint should wait for a restore to complete - name: RESTORE_FROM_BACKUP value: {{ .Values.app.restoreFromBackup | quote }} {{- end }} {{- if .Values.vault.create.enabled }} volumeMounts: # Mount for a shared volume for app's vault credentials # Note, this is required because the credentials are created as part of the vault's setup and not known ahead of time # This seems a better approach than passing, as an example, a preset root token as an environment variable for a few reasons: # 1. This way even if the app's credentials become compromised their more limited in scope/permissions # 2. This creates a semi-unintentional wait lock for the app until the vault is ready (and the credentials are created) - name: role-vars mountPath: /role_vars readOnly: true {{- end }} resources: requests: cpu: {{ .Values.app.resources.requests.cpu }} memory: {{ .Values.app.resources.requests.memory }} ephemeral-storage: {{ .Values.app.resources.requests.ephemeralStorage }} limits: cpu: {{ .Values.app.resources.limits.cpu }} memory: {{ .Values.app.resources.limits.memory }} ephemeral-storage: {{ .Values.app.resources.limits.ephemeralStorage }} # Logging sidecar for sending logs to a log aggregator {{- if .Values.loggingSidecar.enabled }} {{ include "logging.sidecar" . | nindent 6 }} {{- end }} # Backup sidecar for backing up service data {{- if .Values.backupSidecar.enabled }} {{- /* This injects the YAML defined in the `_sidecar.tpl` file */ -}} {{ include "backupSidecar" . | nindent 6 }} {{- end }} {{- if .Values.vault.create.enabled }} volumes: - name: role-vars persistentVolumeClaim: claimName: {{ .Release.Name }}-vault-role-vars {{- if .Values.vault.create.snapshotServer.enabled }} - name: creds persistentVolumeClaim: claimName: {{ .Release.Name }}-vault-creds {{- end }} {{- end }}