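# Deployment for the release: the application container plus an optional logging sidecar
# and an optional backup sidecar. Configuration is injected as environment variables;
# sensitive values come from Secrets (secretKeyRef), the rest from ConfigMaps.
#
# NOTE(review): every credential below ends up in the process environment, so it is
# readable from /proc/<pid>/environ by any code in that container and is inherited by
# child processes. A file mount of the Secret would narrow that exposure; left as-is
# because the entrypoint appears to read env vars -- confirm before changing.
# NOTE(review): no pod/container securityContext (runAsNonRoot,
# allowPrivilegeEscalation: false, readOnlyRootFilesystem, dropped capabilities), no
# resource limits and no `automountServiceAccountToken: false` are set. Nothing visible
# in this template uses the Kubernetes API; hardening is recommended but not applied
# here because the image's runtime user is not known from this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}
  labels:
    app: {{ .Release.Name }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}
    spec:
      containers:
        # -- Application container --
        - name: {{ .Release.Name }}
          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.container.port }}
          env:
            # Quoted (as the other templated env values already are): Kubernetes env values
            # must be strings, and an unquoted templated scalar would be re-typed by YAML if
            # the value ever looked like a number or boolean.
            - name: NODE_ENV
              value: {{ .Values.container.env | quote }}
            - name: PORT
              value: "{{ .Values.container.port }}"
            - name: DOMAIN
              value: "bridgemanaccessible.ca"
            - name: ACCOUNTS_DEV_PORT
              value: "9010"
            - name: ACCOUNTS_SUBDOMAIN_PREFIX
              value: "account"
            # OAuth implementation settings (non-secret, from a ConfigMap)
            - name: BASE_APP_URL
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-oauth-credentials
                  key: base-app-url
            - name: APP_ABBRV
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-oauth-credentials
                  key: app-abbreviation
            - name: APP_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-oauth-credentials
                  key: app-name
            - name: SERVICE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-oauth-credentials
                  key: service-name
            - name: DEV_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-oauth-credentials
                  key: dev-port
            # Database credentials (only the password is a Secret; host/name/port/user are
            # connection metadata in a ConfigMap)
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-host
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-name
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-db-password
                  key: password
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-port
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-user
            # NoSQL credentials (which backend is in use is selected by .Values.nosql.type)
            {{- if eq .Values.nosql.type "mongodb" }}
            - name: STORAGE_ACCOUNT_CONNECTION_STRING
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-mongo-credentials
                  key: connection-string
            {{- else if eq .Values.nosql.type "azure" }}
            - name: STORAGE_ACCOUNT_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-azure-tables-credentials
                  key: key
            - name: STORAGE_ACCOUNT_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-azure-tables-config
                  key: name
            {{- end }}
            # NoSQL grouping (table/collection) names
            - name: ACCESS_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: access-properties
            - name: LOCALE_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: locales
            - name: ORDER_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: order-properties
            - name: PRICE_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: price-properties
            - name: SERVICE_CATEGORY_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: service-category-properties
            - name: SERVICE_PROPERTIES_STORAGE_TABLE_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-nosql-grouping
                  key: service-properties
            # -- Secrets Vault (Hashicorp Vault OR Azure Key Vault) --
            {{- if .Values.vault.enabled }}
            {{- if eq .Values.vault.type "azure" }}
            - name: KEYVAULT_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: client-id
            - name: KEYVAULT_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: client-secret
            - name: KEYVAULT_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: name
            - name: KEYVAULT_TENANT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: tenant-id
            {{- else if eq .Values.vault.type "hashicorp" }}
            - name: VAULT_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: vault-name
            - name: VAULT_PORT
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: vault-port
            {{- end }}
            {{- end }}
            # Caching server variables
            - name: CACHE_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-cache-configmap
                  key: hostname
            - name: CACHE_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-cache-configmap
                  key: port
            - name: CACHE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-cache-credentials
                  key: password
            # Email (Azure Communication Services API credentials, etc.)
            {{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") }}
            - name: EMAIL_CONNECTION_STRING
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-email-secret
                  key: connection-string
            {{- end }}
            # Third-party integrations
            # NOTE(review): live and test credentials for Stripe and Moneris are injected
            # together regardless of NODE_ENV, so a production pod carries test keys and a
            # test pod carries live keys. Consider gating the *_TEST_* entries (or the live
            # ones) on the environment so each pod only holds what it can legitimately use.
            {{- if .Values.thirdParty.stripe.enabled }}
            - name: STRIPE_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-stripe-secret
                  key: public-key
            - name: STRIPE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-stripe-secret
                  key: secret-key
            - name: STRIPE_TEST_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-stripe-secret
                  key: test-public-key
            - name: STRIPE_TEST_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-stripe-secret
                  key: test-secret-key
            {{- end }}
            {{- if .Values.thirdParty.moneris.enabled }}
            - name: MONERIS_MERCHANT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: merchant-id
            - name: MONERIS_STORE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: store-id
            - name: MONERIS_HT_PROFILE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: ht-profile-id
            - name: MONERIS_APP_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: app-id
            - name: MONERIS_APP_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: app-secret
            - name: MONERIS_TEST_MERCHANT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: test-merchant-id
            - name: MONERIS_TEST_STORE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: test-store-id
            - name: MONERIS_TEST_HT_PROFILE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: test-ht-profile-id
            - name: MONERIS_TEST_APP_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: test-app-id
            - name: MONERIS_TEST_APP_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-moneris-secret
                  key: test-app-secret
            {{- end }}
            # Logging sidecar related environment variables
            {{- if .Values.loggingSidecar.enabled }}
            - name: LOGGING_SIDE_CAR_PORT
              value: {{ .Values.loggingSidecar.port | quote }}
            {{- end }}
            # Due to subtleties in how the entrypoint script detects how/when to proceed,
            # this variable tells the entrypoint whether to wait for a restore to complete.
            {{- if ne .Values.container.restoreFromBackup "" }}
            - name: RESTORE_FROM_BACKUP
              value: {{ .Values.container.restoreFromBackup | quote }}
            {{- end }}
          {{- if .Values.vault.create.enabled }}
          volumeMounts:
            # Shared volume carrying the app's Vault credentials.
            # Required because the credentials are created during the Vault's own setup and
            # are not known ahead of time. This is preferable to passing, say, a preset root
            # token as an environment variable because:
            # 1. if the app's credentials are compromised they're limited in scope/permissions
            # 2. it creates a semi-unintentional wait lock for the app until the Vault is ready
            #    (and the credentials have been written)
            - name: role-vars
              mountPath: /role_vars
              readOnly: true
          {{- end }}
        # -- Logging sidecar: ships logs to the log aggregator --
        {{- if .Values.loggingSidecar.enabled }}
        - name: {{ .Values.loggingSidecar.name }}
          image: {{ .Values.loggingSidecar.image.repository }}:{{ .Values.loggingSidecar.image.tag }}
          imagePullPolicy: {{ .Values.loggingSidecar.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.loggingSidecar.port }}
          env:
            - name: PORT
              value: {{ .Values.loggingSidecar.port | quote }}
            # Log aggregator (OpenObserve) auth variables
            - name: LOGGER_AUTH_USERNAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-logging-sidecar-credentials
                  key: username
            - name: LOGGER_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-logging-sidecar-password
                  key: password
        {{- end }}
        # -- Backup sidecar: backs up service data --
        # NOTE(review): this container receives the DB password, the Mongo connection string,
        # the Redis password and, when the snapshot server is enabled, the Vault creds volume
        # (which per the mount comment below includes the unseal keys). It is at least as
        # sensitive as the app container and deserves the same hardening and image pinning.
        {{- if .Values.backupSidecar.enabled }}
        - name: {{ .Values.backupSidecar.name }}
          image: {{ .Values.backupSidecar.image.repository }}:{{ .Values.backupSidecar.image.tag }}
          imagePullPolicy: {{ .Values.backupSidecar.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.backupSidecar.port }}
          env:
            # Release name, used to identify which service/release the backups came from in
            # remote storage. Quoted so a numeric-looking release name stays a string.
            - name: RELEASE_NAME
              value: {{ .Release.Name | quote }}
            # Database related environment variables (same references as the app container)
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-host
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-name
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-db-password
                  key: password
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-port
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-db-credentials
                  key: db-user
            {{- if .Values.vault.create.snapshotServer.enabled }}
            - name: VAULT_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-vault-secret
                  key: vault-name
            - name: VAULT_SNAPSHOT_SERVER_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-vault-snapshot-config
                  key: port
            {{- end }}
            # NoSQL storage related environment variables.
            # Only the self-hosted option is handled here; cloud-based backends are expected
            # to have their own backups.
            {{- if eq .Values.nosql.type "mongodb" }}
            - name: STORAGE_ACCOUNT_CONNECTION_STRING
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-mongo-credentials
                  key: connection-string
            {{- end }}
            # Redis related environment variables.
            # Redis backs BullMQ, which is how backups are scheduled; it is used instead of,
            # for instance, cron jobs because it lets us deal with failures.
            - name: REDIS_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-cache-configmap
                  key: hostname
            - name: REDIS_PORT
              valueFrom:
                configMapKeyRef:
                  name: {{ .Release.Name }}-cache-configmap
                  key: port
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-cache-credentials
                  key: password
          {{- if .Values.vault.create.snapshotServer.enabled }}
          volumeMounts:
            # Shared volume holding the Vault credentials.
            # Separate from the app's `role-vars` volume because it carries other credentials,
            # in particular the unseal keys needed when/if we restore from a backup.
            # This volume is read-only, whereas `role-vars` is mounted read-write here (see below).
            - name: creds
              mountPath: /vault-creds
              readOnly: true
            # Shared volume holding the Vault's role variables for the app.
            # The backup sidecar needs write access because if the app restarts AFTER the Vault
            # has been reset (e.g. the Vault runs in a different container instance), the app
            # would receive stale credentials even though the Vault data was restored -- the
            # role vars are ONLY written during Vault setup. The sidecar mitigates this by
            # overwriting them itself once a restore has completed.
            - name: role-vars
              mountPath: /role_vars
          {{- end }}
        {{- end }}
      {{- if .Values.vault.create.enabled }}
      volumes:
        - name: role-vars
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-vault-role-vars
        {{- if .Values.vault.create.snapshotServer.enabled }}
        - name: creds
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-vault-creds
        {{- end }}
      {{- end }}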