# OpenShift Template that deploys the Template Service Broker (TSB) API
# server: a DaemonSet, its ConfigMap, a Service, two ServiceAccounts and a
# token Secret for the broker's client. No Role/RoleBinding objects are
# defined in this template, so the permissions of both service accounts have
# to be granted elsewhere.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: template-service-broker-apiserver
parameters:
# Image run by the DaemonSet.
# NOTE(review): the default is the mutable `latest` tag and the container
# uses imagePullPolicy IfNotPresent, so a node keeps whatever build it has
# cached under that tag. Override with a fixed tag or an image digest when
# the running version has to be known and reproducible.
- name: IMAGE
  value: openshift/origin-template-service-broker:latest
# Namespace every object below is created in.
- name: NAMESPACE
  value: openshift-template-service-broker
# Passed to the broker as --v=<value>; quoted so it stays a string.
- name: LOGLEVEL
  value: "0"
# Stored verbatim in the apiserver-config ConfigMap and read by the broker
# through --config. templateNamespaces presumably lists the namespaces whose
# templates the broker exposes -- confirm against the TSB documentation.
- name: API_SERVER_CONFIG
  value: |
    kind: TemplateServiceBrokerConfig
    apiVersion: config.templateservicebroker.openshift.io/v1
    templateNamespaces:
    - openshift
# JSON object substituted into the pod's nodeSelector with the non-string
# `${{...}}` syntax; the default `{}` puts no node restriction on the
# DaemonSet.
- name: NODE_SELECTOR
  value: "{}"
objects:
# to create the tsb server
# NOTE(review): extensions/v1beta1 DaemonSet is no longer served from
# Kubernetes 1.16 on; apps/v1 is the replacement and requires an explicit
# spec.selector.
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    namespace: ${NAMESPACE}
    name: apiserver
    labels:
      apiserver: "true"
  spec:
    template:
      metadata:
        name: apiserver
        labels:
          # The Service below selects pods on this label.
          apiserver: "true"
      spec:
        serviceAccountName: apiserver
        containers:
        # NOTE(review): no securityContext and no resources are declared for
        # this container; confirm that the namespace's SCC and limits supply
        # what is intended.
        - name: c
          image: ${IMAGE}
          imagePullPolicy: IfNotPresent
          command:
          - "/usr/bin/template-service-broker"
          - "start"
          - "template-service-broker"
          # HTTPS listener; matches containerPort, the probe and the Service
          # targetPort.
          - "--secure-port=8443"
          # '-' sends the audit log to stdout by generic-apiserver
          # convention, so audit records end up in the container log --
          # confirm that log collection and retention cover it.
          - "--audit-log-path=-"
          # Certificate and key are read from the serving-cert volume
          # (secret apiserver-serving-cert).
          - "--tls-cert-file=/var/serving-cert/tls.crt"
          - "--tls-private-key-file=/var/serving-cert/tls.key"
          - "--v=${LOGLEVEL}"
          # File provided by the apiserver-config ConfigMap volume.
          - "--config=/var/apiserver-config/apiserver-config.yaml"
          ports:
          - containerPort: 8443
          volumeMounts:
          - mountPath: /var/serving-cert
            name: serving-cert
          - mountPath: /var/apiserver-config
            name: apiserver-config
          # Only a readiness probe is defined; there is no liveness probe.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
        nodeSelector: "${{NODE_SELECTOR}}"
        volumes:
        - name: serving-cert
          secret:
            # 420 decimal == 0644 octal.
            # NOTE(review): this leaves tls.key readable by every uid in the
            # container. A tighter mode such as 256 (0400) may be possible
            # if the broker's uid/fsGroup can still read the file -- confirm
            # before changing.
            defaultMode: 420
            secretName: apiserver-serving-cert
        - name: apiserver-config
          configMap:
            # 420 decimal == 0644 octal.
            defaultMode: 420
            name: apiserver-config
# to create the config for the TSB
- apiVersion: v1
  kind: ConfigMap
  metadata:
    namespace: ${NAMESPACE}
    name: apiserver-config
  data:
    apiserver-config.yaml: ${API_SERVER_CONFIG}
# to be able to assign powers to the process
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    namespace: ${NAMESPACE}
    name: apiserver
# to be able to expose TSB inside the cluster
- apiVersion: v1
  kind: Service
  metadata:
    namespace: ${NAMESPACE}
    name: apiserver
    annotations:
      # Asks OpenShift's service serving-certificate signer to issue a
      # cert/key for this Service into the named secret, which the DaemonSet
      # mounts at /var/serving-cert.
      # NOTE(review): later OpenShift releases use the
      # service.beta.openshift.io/ form of this annotation -- confirm for
      # the target version.
      service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
  spec:
    selector:
      apiserver: "true"
    ports:
    # Cluster-facing 443 is forwarded to the broker's 8443 listener.
    - port: 443
      targetPort: 8443
# This service account will be granted permission to call the TSB.
# The token for this SA will be provided to the service catalog for
# use when calling the TSB.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    namespace: ${NAMESPACE}
    name: templateservicebroker-client
# This secret will be populated with a copy of the templateservicebroker-client SA's
# auth token. Since this secret has a static name, it can be referenced more
# easily than the auto-generated secret for the service account.
# NOTE(review): a kubernetes.io/service-account-token secret holds a bearer
# token that does not expire on its own. Keep read access to secrets in this
# namespace narrow; deleting the secret is what revokes the token.
- apiVersion: v1
  kind: Secret
  metadata:
    namespace: ${NAMESPACE}
    name: templateservicebroker-client
    annotations:
      kubernetes.io/service-account.name: templateservicebroker-client
  type: kubernetes.io/service-account-token