Bridgeman-Accessible/services.bridgemanaccessible.ca-helm
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
services.bridgemanaccessibl.../templates/deployment.yaml
Alan Bridgeman 80fc5b4f56 Added an initial user ID environment variable
2025-06-11 17:45:40 -05:00

420 lines
16 KiB
YAML
Raw Blame History

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
containers:
- name: {{ .Release.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.container.port }}
env:
- name: NODE_ENV
value: {{ .Values.container.env }}
- name: PORT
value: "{{ .Values.container.port }}"
- name: DOMAIN
value: "bridgemanaccessible.ca"
- name: ACCOUNTS_DEV_PORT
value: "9010"
- name: ACCOUNTS_SUBDOMAIN_PREFIX
value: "account"
# OAuth Implementation Stuff
- name: BASE_APP_URL
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: base-app-url
- name: APP_ABBRV
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: app-abbreviation
- name: APP_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: app-name
- name: SERVICE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: service-name
- name: DEV_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: dev-port
# Database credentials
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-host
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-name
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-db-password
key: password
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-port
- name: DB_USER
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-user
# NoSQL Credentials
{{- if eq .Values.nosql.type "mongodb" }}
- name: STORAGE_ACCOUNT_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-mongo-credentials
key: connection-string
{{- else if eq .Values.nosql.type "azure" }}
- name: STORAGE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-azure-tables-credentials
key: key
- name: STORAGE_ACCOUNT_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-azure-tables-config
key: name
{{- end }}
# NoSQL Grouping Names
- name: ACCESS_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: access-properties
- name: LOCALE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: locales
- name: ORDER_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: order-properties
- name: PRICE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: price-properties
- name: SERVICE_CATEGORY_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: service-category-properties
- name: SERVICE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: service-properties
# -- Secrets Vault (Hashicorp Vault OR Azure Key Vault) --
{{- if .Values.vault.enabled }}
{{- if eq .Values.vault.type "azure" }}
- name: KEYVAULT_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: client-id
- name: KEYVAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: client-secret
- name: KEYVAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: name
- name: KEYVAULT_TENANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: tenant-id
{{- else if eq .Values.vault.type "hashicorp" }}
- name: VAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: vault-name
- name: VAULT_PORT
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: vault-port
{{- end }}
{{- end }}
# Caching Server Variables
- name: CACHE_HOSTNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: hostname
- name: CACHE_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: port
- name: CACHE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cache-credentials
key: password
# Email (Azure Communication Services API credentials, etc...)
{{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") }}
- name: EMAIL_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-email-secret
key: connection-string
{{- end }}
# Third-Party Integrations
{{- if .Values.thirdParty.stripe.enabled }}
- name: STRIPE_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: public-key
- name: STRIPE_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: secret-key
- name: STRIPE_TEST_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: test-public-key
- name: STRIPE_TEST_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: test-secret-key
{{- end }}
{{- if .Values.thirdParty.moneris.enabled }}
- name: MONERIS_MERCHANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: merchant-id
- name: MONERIS_STORE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: store-id
- name: MONERIS_HT_PROFILE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: ht-profile-id
- name: MONERIS_APP_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: app-id
- name: MONERIS_APP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: app-secret
- name: MONERIS_TEST_MERCHANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-merchant-id
- name: MONERIS_TEST_STORE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-store-id
- name: MONERIS_TEST_HT_PROFILE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-ht-profile-id
- name: MONERIS_TEST_APP_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-app-id
- name: MONERIS_TEST_APP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-app-secret
{{- end }}
- name: INITIAL_USER_ID
value: {{ .Values.initialUserID | quote }}
# Logging Sidecar related environment variables
{{- if .Values.loggingSidecar.enabled }}
- name: LOGGING_SIDE_CAR_PORT
value: {{ .Values.loggingSidecar.port | quote }}
{{- end }}
# Due to subtleties related to how the entrypoint scripts detects how/when to proceed
# This environment variable indicates if the entrypoint should wait for a restore to complete
{{- if ne .Values.container.restoreFromBackup "" }}
- name: RESTORE_FROM_BACKUP
value: {{ .Values.container.restoreFromBackup | quote }}
{{- end }}
{{- if .Values.vault.create.enabled }}
volumeMounts:
# Mount for a shared volume for app's vault credentials
# Note, this is required because the credentials are created as part of the vault's setup and not known ahead of time
# This seems a better approach than passing, as an example, a preset root token as an environment variable for a few reasons:
# 1. This way even if the app's credentials become compromised their more limited in scope/permissions
# 2. This creates a semi-unintentional wait lock for the app until the vault is ready (and the credentials are created)
- name: role-vars
mountPath: /role_vars
readOnly: true
{{- end }}
# Logging sidecar for sending logs to a log aggregator
{{- if .Values.loggingSidecar.enabled }}
- name: {{ .Values.loggingSidecar.name }}
image: {{ .Values.loggingSidecar.image.repository }}:{{ .Values.loggingSidecar.image.tag }}
imagePullPolicy: {{ .Values.loggingSidecar.image.pullPolicy }}
ports:
- containerPort: {{ .Values.loggingSidecar.port }}
env:
- name: PORT
value: {{ .Values.loggingSidecar.port | quote }}
# Log aggregator (OpenObserve) auth variables
- name: LOGGER_AUTH_USERNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-logging-sidecar-credentials
key: username
- name: LOGGER_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-logging-sidecar-password
key: password
{{- end }}
# Backup sidecar for backing up service data
{{- if .Values.backupSidecar.enabled }}
- name: {{ .Values.backupSidecar.name }}
image: {{ .Values.backupSidecar.image.repository }}:{{ .Values.backupSidecar.image.tag }}
imagePullPolicy: {{ .Values.backupSidecar.image.pullPolicy }}
ports:
- containerPort: {{ .Values.backupSidecar.port }}
env:
# Release name (used to identify the service/release the backups came from in remote storage)
- name: RELEASE_NAME
value: {{ .Release.Name }}
# Database related environment variables
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-host
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-name
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-db-password
key: password
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-port
- name: DB_USER
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-user
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: VAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: vault-name
- name: VAULT_SNAPSHOT_SERVER_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-vault-snapshot-config
key: port
{{- end }}
# NoSQL storage related environment variables
# Note, we only worry about self-hosted options as cloud-based should have their own backups etc...
{{- if eq .Values.nosql.type "mongodb" }}
- name: STORAGE_ACCOUNT_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-mongo-credentials
key: connection-string
{{- end }}
# Redis related environment variables
# Redis is used for BullMQ, which is how we schedule backups
# We use this instead of, for instance cron jobs, as it lets us deal with failures
- name: REDIS_HOSTNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: hostname
- name: REDIS_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: port
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cache-credentials
key: password
{{- if .Values.vault.create.snapshotServer.enabled }}
volumeMounts:
# Mount for a shared volume for Vault credentials
# This is separate from the app's `role vars` volume because it includes other credentials
# In particular, the unseal keys which we require when/if we restore from the backup
# This volume is also read-only where the `role-vars` is read-write (see description below for why)
- name: creds
mountPath: /vault-creds
readOnly: true
# Mount for a shared volume for the Vault's role variables for the app
# This is required by the backup sidecar because if a restart of the app occurs AFTER a vault has been reset (ex. vault using a different container instance),
# despite the vault data being restored the app would receive incorrect credentials (because this is ONLY written during setup of the vault)
# The backup sidecar mitigates this by doing it's own write (to overwrite) once it's done a restore
- name: role-vars
mountPath: /role_vars
{{- end }}
{{- end }}
{{- if .Values.vault.create.enabled }}
volumes:
- name: role-vars
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-role-vars
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: creds
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-creds
{{- end }}
{{- end }}
Reference in a new issue View git blame Copy permalink