services.bridgemanaccessible.ca-helm/templates/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}
  labels:
    app: {{ .Release.Name }}
spec:
  replicas: {{ .Values.app.replicaCount }}
  selector:
    matchLabels:
      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}
    spec:
      containers:
      - name: {{ .Release.Name }}
        image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }}
        imagePullPolicy: {{ .Values.app.image.pullPolicy }}
        ports:
        - containerPort: {{ .Values.app.container.port }}
        env:
        - name: NODE_ENV
          value: {{ .Values.app.container.env }}
        - name: PORT
          value: "{{ .Values.app.container.port }}"
        - name: DOMAIN
          value: "bridgemanaccessible.ca"
        - name: ACCOUNTS_DEV_PORT
          value: "9010"
        - name: ACCOUNTS_SUBDOMAIN_PREFIX
          value: "account"
        # OAuth Implementation Stuff
        - name: BASE_APP_URL
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-oauth-credentials
              key: base-app-url
        - name: APP_ABBRV
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-oauth-credentials
              key: app-abbreviation
        - name: APP_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-oauth-credentials
              key: app-name
        - name: SERVICE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-oauth-credentials
              key: service-name
        - name: DEV_PORT
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-oauth-credentials
              key: dev-port
        {{- include "db.envVars" . | nindent 8 }}
        {{- include "cache.envVars" . | nindent 8 }}
        {{- include "nosql.envVars" . | nindent 8 }}
        # NoSQL Grouping Names
        - name: ACCESS_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: access-properties
        - name: LOCALE_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: locales
        - name: ORDER_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: order-properties
        - name: PRICE_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: price-properties
        - name: SERVICE_CATEGORY_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: service-category-properties
        - name: SERVICE_PROPERTIES_STORAGE_TABLE_NAME
          valueFrom:
            configMapKeyRef:
              name: {{ .Release.Name }}-nosql-grouping-config
              key: service-properties
        # -- Secrets Vault (Hashicorp Vault OR Azure Key Vault) --
        {{- if .Values.vault.enabled }}
        {{- if eq .Values.vault.type "azure" }}
        - name: KEYVAULT_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: client-id
        - name: KEYVAULT_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: client-secret
        - name: KEYVAULT_NAME
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: name
        - name: KEYVAULT_TENANT_ID
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: tenant-id
        {{- else if eq .Values.vault.type "hashicorp" }}
        - name: VAULT_NAME
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: vault-name
        - name: VAULT_PORT
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-vault-secret
              key: vault-port
        {{- end }}
        {{- end }}
        # Email (Azure Communication Services API credentials, etc...)
        {{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") }}
        - name: EMAIL_CONNECTION_STRING
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-email-secret
              key: connection-string
        {{- end }}
        # Third-Party Integrations
        {{- if .Values.thirdParty.stripe.enabled }}
        {{- /* This injects the YAML defined in the `_thirdParty.tpl` file */ -}}
        {{ include "stripe.envVars" . | nindent 8 }}
        {{- end }}
        {{- if .Values.thirdParty.moneris.enabled }}
        {{- /* This injects the YAML defined in the `_thirdParty.tpl` file */ -}}
        {{ include "moneris.envVars" . | nindent 8 }}
        {{- end }}
        - name: INITIAL_USER_ID
          value: {{ .Values.initialUserID | quote }}
        {{- if .Values.loggingSidecar.enabled }}
        {{- include "logging.envVars" . | nindent 8 }}
        {{- end }}
        {{- if ne .Values.app.restoreFromBackup "" }}
        # Due to subtleties related to how the entrypoint scripts detects how/when to proceed
        # This environment variable indicates if the entrypoint should wait for a restore to complete
        - name: RESTORE_FROM_BACKUP
          value: {{ .Values.app.restoreFromBackup | quote }}
        {{- end }}
        {{- if .Values.vault.create.enabled }}
        volumeMounts:
        # Mount for a shared volume for app's vault credentials
        # Note, this is required because the credentials are created as part of the vault's setup and not known ahead of time
        # This seems a better approach than passing, as an example, a preset root token as an environment variable for a few reasons:
        # 1. This way even if the app's credentials become compromised their more limited in scope/permissions
        # 2. This creates a semi-unintentional wait lock for the app until the vault is ready (and the credentials are created)
        - name: role-vars
          mountPath: /role_vars
          readOnly: true
        {{- end }}
        resources:
          requests:
            cpu: {{ .Values.app.resources.requests.cpu }}
            memory: {{ .Values.app.resources.requests.memory }}
            ephemeral-storage: {{ .Values.app.resources.requests.ephemeralStorage }}
          limits:
            cpu: {{ .Values.app.resources.limits.cpu }}
            memory: {{ .Values.app.resources.limits.memory }}
            ephemeral-storage: {{ .Values.app.resources.limits.ephemeralStorage }}
      # Logging sidecar for sending logs to a log aggregator
      {{- if .Values.loggingSidecar.enabled }}
      {{ include "logging.sidecar" . | nindent 6 }}
      {{- end }}
      # Backup sidecar for backing up service data
      {{- if .Values.backupSidecar.enabled }}
      {{- /* This injects the YAML defined in the `_sidecar.tpl` file */ -}}
      {{ include "backupSidecar" . | nindent 6 }}
      {{- end }}
      {{- if .Values.vault.create.enabled }}
      volumes:
      - name: role-vars
        persistentVolumeClaim:
          claimName: {{ .Release.Name }}-vault-role-vars
      {{- if .Values.vault.create.snapshotServer.enabled }}
      - name: creds
        persistentVolumeClaim:
          claimName: {{ .Release.Name }}-vault-creds
      {{- end }}
      {{- end }}