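---
# Deployment for the inventory web application (single replica, port 5000).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: inventory-app
  labels:
    # NOTE(review): differs from the pod/selector label `inventory-app`; looks
    # like a copy-paste leftover. Harmless to the selector, but confirm.
    app: signs-webpage
spec:
  replicas: 1
  # 0 keeps no old ReplicaSets, so `kubectl rollout undo` has nothing to go back to.
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: inventory-app
  template:
    metadata:
      labels:
        app: inventory-app
    spec:
      containers:
        - name: inventory-app
          # Mutable tag: the pod runs whatever :latest points at in the registry
          # at pull time. Pin a version tag or digest for auditable rollouts.
          image: harbor.k-space.ee/k-space/inventory-app:latest
          imagePullPolicy: Always
          env:
            - name: ENVIRONMENT_TYPE
              value: PROD
            - name: PYTHONUNBUFFERED
              value: "1"
            - name: INVENTORY_ASSETS_BASE_URL
              value: 'https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/'
            - name: MACADDRESS_OUTLINK_BASEURL
              value: 'https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C'
            - name: OIDC_USERS_NAMESPACE
              value: passmower
            # Individual secret values are pulled by key so only the named
            # entries of each Secret reach the container environment.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: SECRET_KEY
                  name: inventory-secrets
            - name: INVENTORY_API_KEY
              valueFrom:
                secretKeyRef:
                  key: INVENTORY_API_KEY
                  name: inventory-api-key
            - name: SLACK_DOORLOG_CALLBACK
              valueFrom:
                secretKeyRef:
                  key: SLACK_DOORLOG_CALLBACK
                  name: slack-secrets
            - name: SLACK_VERIFICATION_TOKEN
              valueFrom:
                secretKeyRef:
                  key: SLACK_VERIFICATION_TOKEN
                  name: slack-secrets
          # envFrom exports every key of these Secrets as an environment variable;
          # any key later added to them is exposed to the app as well.
          envFrom:
            - secretRef:
                name: miniobucket-inventory-external-owner-secrets
            - secretRef:
                name: oidc-client-inventory-app-owner-secrets
            - secretRef:
                name: inventory-mongodb
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          resources:
            limits:
              cpu: "1"
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 200Mi
          securityContext:
            # Added: the container runs as non-root UID 1000 on an unprivileged
            # port, so it should need neither Linux capabilities nor setuid-style
            # privilege escalation.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # The pod's API token is what the RBAC objects below authorise.
      serviceAccountName: inventory-svcacc
      terminationGracePeriodSeconds: 30
      volumes:
        # Writable scratch space for /tmp, needed because the root filesystem is
        # read-only. A volume with no source is defaulted to emptyDir by the API
        # server; it is spelled out here so the intent is visible.
        - name: tmp
          emptyDir: {}
---
# Cluster-internal Service in front of the pods; targetPort defaults to `port`.
apiVersion: v1
kind: Service
metadata:
  name: inventory-app
spec:
  type: ClusterIP
  selector:
    app: inventory-app
  ports:
    - protocol: TCP
      port: 5000
---
# Public entry point through Traefik's `websecure` entrypoint.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: inventory-app
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # NOTE(review): members.k-space.ee gets a DNS record from this annotation but
    # has no rule below; confirm it is routed elsewhere or drop it.
    external-dns.alpha.kubernetes.io/hostname: inventory.k-space.ee,members.k-space.ee
spec:
  rules:
    - host: inventory.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: '/'
            backend:
              service:
                name: inventory-app
                port:
                  number: 5000
  tls:
    # No secretName: the certificate presumably comes from Traefik's default
    # TLS store (wildcard) - confirm.
    - hosts:
        - "*.k-space.ee"
---
# OIDC client registration: authorization-code flow, confidential client.
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: inventory-app
spec:
  uri: 'https://inventory.k-space.ee'
  # Single exact callback URL; keep this list as narrow as it is.
  redirectUris:
    - 'https://inventory.k-space.ee/login-callback'
  grantTypes:
    - 'authorization_code'
  responseTypes:
    - 'code'
  availableScopes:
    - 'openid'
    - 'profile'
    - 'groups'
  tokenEndpointAuthMethod: 'client_secret_basic'
  # PKCE is off, so the code exchange is protected by the client secret alone.
  # Enabling it adds a second binding between the authorization request and the
  # token request, if the app's OIDC library supports it - confirm.
  pkce: false
---
# Read-only access to OIDC user objects for the application's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: inventory-role
  # ClusterRole is cluster-scoped; this namespace field has no effect.
  namespace: hackerspace
rules:
  # NOTE(review): bound through a ClusterRoleBinding, this grants read on
  # oidcusers in every namespace. The Deployment sets
  # OIDC_USERS_NAMESPACE=passmower; if the app only reads that namespace, a
  # Role + RoleBinding there would be the narrower grant - confirm first.
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - codemowers.cloud
    resources:
      - oidcusers
      - oidcusers/status
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: inventory-roles
  # ClusterRoleBinding is cluster-scoped; this namespace field has no effect.
  namespace: hackerspace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: inventory-role
subjects:
  # The subject is matched by name AND namespace. The ServiceAccount below
  # carries no namespace of its own, so this only takes effect when the
  # manifest is applied into `hackerspace`.
  - kind: ServiceAccount
    name: inventory-svcacc
    namespace: hackerspace
---
# Identity the Deployment's pods run as (see serviceAccountName above).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory-svcacc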