# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
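# Production Deployment for relui: one pod holding the relui server and a
# Cloud SQL proxy sidecar. The nesting below is restored from a flattened
# copy of the manifest; keys and values are unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prod
  name: relui-deployment
spec:
  selector:
    matchLabels:
      app: relui
  # Recreate stops the running pod before the replacement starts, so a
  # rollout never has an old and a new relui active at the same time.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: relui
    spec:
      # Kubernetes identity of the pod; the ServiceAccount of this name maps
      # it to a GCP service account through its iam.gke.io annotation.
      serviceAccountName: relui
      containers:
        - name: relui
          # NOTE(review): `:latest` is a mutable tag and the pull policy is
          # Always, so every pod start runs whatever image is current in the
          # registry and this manifest does not record which build is live.
          # Pinning by digest (image@sha256:<digest>) would make each rollout
          # a reviewed, auditable change.
          image: gcr.io/symbolic-datum-552/relui:latest
          imagePullPolicy: Always
          # NOTE(review): this container sets no securityContext, unlike the
          # cloud-sql-proxy sidecar below. Consider runAsNonRoot and
          # allowPrivilegeEscalation: false once the image is confirmed to
          # work under them.
          command:
            - "/usr/bin/tini"
            - "--"
            - "./relui"
            # Serves TLS with a self-signed certificate on :444; the
            # readinessProbe, containerPort and Service port all use 444.
            - "--listen-https-selfsigned=:444"
            - "--base-url=https://build.golang.org/releases"
            # Define the site header and external service configuration.
            - "--site-title=Go Releases"
            - "--site-header-css=Site-header--production"
            # Credential flags carry `secret:<project>/<name>` references,
            # not secret values, so no key material is stored in this file.
            # NOTE(review): presumably relui resolves them at startup with
            # the pod's service account; confirm, and keep that account's
            # secret access limited to the names referenced here.
            - "--sendgrid-api-key=secret:symbolic-datum-552/sendgrid-sendonly-api-key"
            - "--announce-mail-from=announce@golang.org"
            - "--announce-mail-to=golang-nuts@googlegroups.com"
            - "--announce-mail-bcc=golang-announce@googlegroups.com, golang-dev@googlegroups.com"
            - "--schedule-mail-from=nobody@golang.org"
            - "--schedule-mail-to=go-builders-alerts@google.com"
            - "--gopls-announce-mail-from=announce@golang.org"
            # TODO(hxjiang): replace builder alerts with tooling gopher google group.
            - "--gopls-announce-mail-to=go-builders-alerts@google.com"
            - "--vscode-go-announce-mail-from=announce@golang.org"
            - "--vscode-go-announce-mail-to=go-builders-alerts@google.com"
            - "--twitter-api-secret=secret:symbolic-datum-552/twitter-api-secret"
            - "--mastodon-api-secret=secret:symbolic-datum-552/mastodon-api-secret"
            - "--builder-master-key=secret:symbolic-datum-552/builder-master-key"
            - "--github-token=secret:symbolic-datum-552/maintner-github-token"
            # Storage locations and publishing endpoints.
            - "--scratch-files-base=gs://golang-release-staging/relui-scratch"
            - "--signed-files-base=gs://golang-release-staging/relui-scratch/relworker-scratch"
            - "--serving-files-base=gs://golang"
            - "--edge-cache-url=https://dl.google.com/go"
            - "--website-upload-url=https://go.dev/dl/upload"
            # Build backends. --cloud-build-account names the same GCP
            # service account that the relui ServiceAccount is annotated with.
            - "--cloud-build-project=symbolic-datum-552"
            - "--cloud-build-account=projects/symbolic-datum-552/serviceAccounts/relui-prod@symbolic-datum-552.iam.gserviceaccount.com"
            - "--swarming-url=https://chrome-swarming.appspot.com"
            - "--swarming-account=relui-tasks@symbolic-datum-552.iam.gserviceaccount.com"
            - "--swarming-pool=luci.golang.security-try-workers"
            - "--swarming-realm=golang:security-try-workers"
            - "--buildbucket-host=cr-buildbucket.appspot.com"
          # The kubelet does not verify the serving certificate on HTTPS
          # probes, so the self-signed certificate is accepted here.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 444
              scheme: HTTPS
          ports:
            - containerPort: 444
          # Postgres client settings: relui connects to 127.0.0.1, where the
          # cloud-sql-proxy sidecar listens (tcp:5432). No password is
          # configured; PGUSER is an IAM principal and the proxy runs with
          # -enable_iam_login.
          env:
            - name: PGUSER
              value: relui-prod@symbolic-datum-552.iam
            - name: PGHOST
              value: 127.0.0.1
            - name: PGDATABASE
              value: relui
          # Only requests are set; there are no limits on this container.
          resources:
            requests:
              cpu: "8"
              memory: "8Gi"
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # NOTE(review): `:latest` is mutable, and with no imagePullPolicy
          # set Kubernetes defaults to Always for that tag. Pinning a version
          # or digest keeps the sidecar that carries database traffic from
          # changing without a manifest change.
          image: gcr.io/cloudsql-docker/gce-proxy:latest
          command:
            - "/cloud_sql_proxy"
            # If connecting from a VPC-native GKE cluster, you can use the
            # following flag to have the proxy connect over private IP
            - "-ip_address_types=PRIVATE"
            - "-enable_iam_login"
            # Replace DB_PORT with the port the proxy should listen on
            # Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
            - "-instances=symbolic-datum-552:us-central1:relui-prod-01=tcp:5432"
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          # Resource configuration depends on an application's requirements. You
          # should adjust the following values based on what your application
          # needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
          resources:
            requests:
              # The proxy's memory use scales linearly with the number of active
              # connections. Fewer open connections will use less memory. Adjust
              # this value based on your application's requirements.
              memory: "2Gi"
              # The proxy's CPU use scales linearly with the amount of IO between
              # the database and the application. Adjust this value based on your
              # application's requirements.
              cpu: "1"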
---
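# Kubernetes ServiceAccount used by the relui pod (nesting restored from a
# flattened copy; keys and values are unchanged).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prod
  name: relui
  annotations:
    # GKE Workload Identity annotation: pods running as this ServiceAccount
    # obtain credentials for the named GCP service account without a key
    # file. The IAM roles granted to relui-prod therefore bound what a
    # compromised relui pod can reach. The matching IAM binding that lets
    # this ServiceAccount impersonate relui-prod is not part of this file.
    iam.gke.io/gcp-service-account: relui-prod@symbolic-datum-552.iam.gserviceaccount.com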
---
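# Service in front of the relui pods, configured as a load-balancer backend
# (nesting restored from a flattened copy; keys and values are unchanged).
apiVersion: v1
kind: Service
metadata:
  namespace: prod
  name: relui-internal
  annotations:
    # Attaches the relui-iap-backend BackendConfig (IAP and health check) to
    # every port of this Service.
    cloud.google.com/backend-config: '{"default": "relui-iap-backend"}'
    cloud.google.com/neg: '{"ingress": false}'
    # The load balancer speaks HTTP/2 over TLS to the port named "https".
    cloud.google.com/app-protocols: '{"https":"HTTP2"}'
spec:
  ports:
    - port: 444
      targetPort: 444
      name: https
  selector:
    app: relui
  # NOTE(review): NodePort opens the service on a port of every node. IAP is
  # enforced at the load balancer, so traffic that reaches a node port
  # directly is not authenticated by it; confirm that firewall rules limit
  # node-port access to the load balancer and health-check ranges, and that
  # relui validates the IAP-signed header (x-goog-iap-jwt-assertion).
  type: NodePort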
---
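# Load-balancer backend settings for relui: Identity-Aware Proxy plus the
# health check (nesting restored from a flattened copy; keys and values are
# unchanged).
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  namespace: prod
  name: relui-iap-backend
spec:
  # Requests through the load balancer must pass IAP authentication before
  # they reach relui.
  iap:
    enabled: true
    oauthclientCredentials:
      # Name of a Kubernetes Secret holding the OAuth client credentials; it
      # is not defined in this file and must exist in the prod namespace.
      secretName: iap-oauth
  # Load-balancer health checks go straight to the backend and are not
  # subject to IAP, so /healthz should return nothing sensitive.
  healthCheck:
    timeoutSec: 10
    checkIntervalSec: 15
    type: HTTPS
    requestPath: /healthz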