* ci: securityContext for rabbitmq
* ci: log from rabbitmq as JSON to the console
* ci: tmp volume for rabbitmq — needed since the root filesystem is now read-only
* ci: fix permissions on the /var/lib/rabbitmq volume

RabbitMQ needs to be able to write to the filesystem at /var/lib/rabbitmq. It may be possible to drop the initContainer and use fsGroup in the pod securityContext to manage this, but that does not work for the host-path volume mounts I use for dev. The solution here moves the actual mount to the rabbitmq/ directory inside the rabbitmq-data volume and uses an initContainer to set the permissions on that directory. That should work for any volume type.
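# StatefulSet for the datatracker RabbitMQ broker.
#
# The container runs with a read-only root filesystem, so every writable
# location must be a volume. The init container below prepares the data
# directory on the rabbitmq-data volume so the (non-root) broker can write
# to it regardless of the volume type (PVC, hostPath, ...).
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "datatracker.rabbitmq.fullname" . }}
  labels:
    {{- include "datatracker.commonLabels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.rabbitmq.name }}
spec:
  {{- $podValues := .Values.rabbitmq }}
  replicas: {{ $podValues.replicaCount }}
  revisionHistoryLimit: {{ $podValues.revisionHistoryLimit }}
  selector:
    matchLabels:
      {{- include "datatracker.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/name: {{ $podValues.name }}
  template:
    metadata:
      labels:
        {{- include "datatracker.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/name: {{ $podValues.name }}
    spec:
      {{- with $podValues.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "datatracker.serviceAccountName.rabbitmq" . }}
      # Pod-level context (fsGroup, seccomp, ...) comes from values; the
      # init container below deliberately overrides the user to root.
      securityContext:
        {{- toYaml $podValues.podSecurityContext | nindent 8 }}
      initContainers:
      # Creates <rabbitmq-data>/rabbitmq (mode 0700) and hands it to the
      # broker's uid:gid. This has to run as root because the volume root
      # may be owned by an arbitrary user (e.g. hostPath in dev), which
      # fsGroup cannot fix.
      - name: init-rabbitmq
        # NOTE(review): "stable" is a mutable tag; pin to a digest
        # (busybox@sha256:...) so the init step is reproducible.
        image: busybox:stable
        command:
        - "sh"
        - "-c"
        # NOTE(review): 100:101 must match the uid:gid the rabbitmq image
        # runs as (and $podValues.securityContext.runAsUser/runAsGroup, if
        # set) — keep the three in sync when changing either.
        - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
        securityContext:
          # Root is required for chown on a foreign-owned volume; everything
          # else is stripped so uid 0 only carries the capabilities this
          # one-shot command actually needs.
          runAsNonRoot: false
          runAsUser: 0
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
            - ALL
            add:
            - CHOWN         # chown 100:101
            - FOWNER        # chmod/mkdir -m on a dir root does not own
            - DAC_OVERRIDE  # mkdir under a volume root owned by another uid
        volumeMounts:
        # The whole volume is mounted here; the broker mounts only the
        # rabbitmq/ subdirectory created above.
        - name: "rabbitmq-data"
          mountPath: "/mnt"
      containers:
      - name: {{ .Chart.Name }}
        securityContext:
          {{- toYaml $podValues.securityContext | nindent 12 }}
        # NOTE(review): falling back to "latest" is a mutable tag; set
        # image.tag (or a digest) in values for production deployments.
        image: "{{ $podValues.image.repository }}:{{ default "latest" $podValues.image.tag }}"
        imagePullPolicy: {{ default "IfNotPresent" $podValues.image.pullPolicy }}
        # The chart-wide .Values.env is injected into this pod as-is.
        # NOTE(review): confirm nothing secret or datatracker-only lands in
        # that map — every key is exposed to the broker container.
        # `with` omits the env key entirely when the map is empty instead of
        # rendering `env: null`.
        {{- with .Values.env }}
        env:
        {{- range $key, $val := . }}
        - name: {{ $key | quote }}
          value: {{ $val | quote }}
        {{- end }}
        {{- end }}
        # Must include rabbitmq-data at subPath rabbitmq/ (on /var/lib/rabbitmq)
        # and a writable tmp volume, since the root filesystem is read-only.
        {{- with $podValues.volumeMounts }}
        volumeMounts:
          {{- toYaml . | nindent 12 }}
        {{- end }}
        ports:
        - name: amqp
          containerPort: 5672
          protocol: TCP
        livenessProbe:
          {{- toYaml $podValues.livenessProbe | nindent 12 }}
        readinessProbe:
          {{- toYaml $podValues.readinessProbe | nindent 12 }}
        startupProbe:
          {{- toYaml $podValues.startupProbe | nindent 12 }}
        resources:
          {{- toYaml $podValues.resources | nindent 12 }}
      {{- with $podValues.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with $podValues.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with $podValues.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with $podValues.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}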