apiVersion: template.openshift.io/v1 kind: Template metadata: name: composer annotations: openshift.io/display-name: Image-Builder composer service description: Composer component of the image-builder serivce tags: golang iconClass: icon-shadowman template.openshift.io/provider-display-name: Red Hat, Inc. labels: template: composer objects: - apiVersion: apps/v1 kind: Deployment metadata: labels: service: image-builder name: composer spec: replicas: ${{REPLICAS}} selector: matchLabels: app: composer strategy: # Update pods 1 at a time type: RollingUpdate rollingUpdate: # Create at most 0 extra pod over .spec.replicas maxSurge: 0 # At all times there should be .spec.replicas - 1 available maxUnavailable: 1 template: metadata: labels: app: composer spec: serviceAccountName: image-builder affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchLabels: app: composer topologyKey: kubernetes.io/hostname containers: - image: "${IMAGE_NAME}:${IMAGE_TAG}" name: composer livenessProbe: failureThreshold: 3 exec: command: - cat - /tmp/osbuild-composer-live periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 3 httpGet: path: ${READINESS_URI} port: ${{COMPOSER_API_PORT}} scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: "${CPU_REQUEST}" memory: "${MEMORY_REQUEST}" limits: cpu: "${CPU_LIMIT}" memory: "${MEMORY_LIMIT}" env: - name: PGHOST valueFrom: secretKeyRef: name: composer-db key: db.host - name: PGPORT valueFrom: secretKeyRef: name: composer-db key: db.port - name: PGDATABASE valueFrom: secretKeyRef: name: composer-db key: db.name - name: PGUSER valueFrom: secretKeyRef: name: composer-db key: db.user - name: PGPASSWORD valueFrom: secretKeyRef: name: composer-db key: db.password - name: PGSSLMODE value: "${PGSSLMODE}" - name: PGMAXCONNS value: "${PGMAXCONNS}" # Splunk forwarding - name: SPLUNK_HEC_TOKEN valueFrom: secretKeyRef: name: splunk key: token optional: true - name: SPLUNK_HEC_HOST valueFrom: secretKeyRef: name: splunk key: url optional: true - name: SPLUNK_HEC_PORT value: "${SPLUNK_HEC_PORT}" - name: GLITCHTIP_DSN valueFrom: secretKeyRef: key: dsn name: "${GLITCHTIP_DSN_NAME}" optional: true - name: DISTRO_ALIASES value: ${DISTRO_ALIASES} - name: CHANNEL value: ${CHANNEL} ports: - name: composer-api protocol: TCP containerPort: ${{COMPOSER_API_PORT}} - name: prometheus protocol: TCP containerPort: ${{PROMETHEUS_PORT}} - name: worker-api protocol: TCP containerPort: ${{WORKER_API_PORT}} volumeMounts: - name: composer-config mountPath: "${COMPOSER_CONFIG_DIR}" readOnly: true - name: state-directory mountPath: "/var/lib/osbuild-composer" - name: cache-directory mountPath: "/var/cache/osbuild-composer" volumes: - name: composer-config configMap: name: composer-config - name: state-directory emptyDir: {} - name: cache-directory emptyDir: {} initContainers: - name: composer-migrate image: "${IMAGE_NAME}:${IMAGE_TAG}" command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ] resources: requests: cpu: "${CPU_REQUEST}" memory: "${MEMORY_REQUEST}" limits: cpu: "${CPU_LIMIT}" memory: "${MEMORY_LIMIT}" env: - name: PGHOST valueFrom: secretKeyRef: name: composer-db key: db.host - name: PGPORT valueFrom: secretKeyRef: name: composer-db key: db.port - name: PGDATABASE valueFrom: secretKeyRef: name: composer-db key: db.name - name: PGUSER valueFrom: secretKeyRef: name: composer-db key: db.user - name: PGPASSWORD valueFrom: secretKeyRef: name: composer-db key: db.password - name: PGSSLMODE value: "${PGSSLMODE}" - apiVersion: v1 kind: ServiceAccount metadata: name: image-builder imagePullSecrets: - name: quay.io - apiVersion: v1 kind: Service metadata: name: image-builder-composer labels: app: composer port: composer-api spec: ports: - name: composer-api protocol: TCP port: 80 targetPort: ${{COMPOSER_API_PORT}} - name: prometheus protocol: TCP port: 8008 targetPort: ${{PROMETHEUS_PORT}} selector: app: composer - apiVersion: v1 kind: Service metadata: name: image-builder-worker labels: app: composer port: worker-api spec: ports: - name: worker-api protocol: TCP port: 80 targetPort: ${{WORKER_API_PORT}} selector: app: composer # This map should probably move to app-intf - apiVersion: v1 kind: ConfigMap metadata: name: composer-config data: acl.yml: | - claim: rh-org-id pattern: ^(${ACL_ORG_ID_TENANTS})$ - claim: account_id pattern: ^(${ACL_ACCOUNT_ID_TENANTS})$ osbuild-composer.toml: | ignore_missing_repos = true log_level = "info" log_format = "json" [koji] enable_tls = false enable_mtls = false enable_jwt = true jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" jwt_tenant_provider_fields = ["rh-org-id", "account_id"] [worker] request_job_timeout = "20s" base_path = "/api/image-builder-worker/v1" enable_artifacts = false enable_tls = false enable_mtls = false enable_jwt = true jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" jwt_tenant_provider_fields = ["rh-org-id", "account_id"] worker_heartbeat_timeout = "5m" parameters: - description: composer image name name: IMAGE_NAME value: quay.io/app-sre/composer required: true - description: composer image tag name: IMAGE_TAG required: true - description: postgres sslmode to use when connecting to the db name: PGSSLMODE value: "require" - description: postgres maximum connections per pod name: PGMAXCONNS value: "20" - description: number of pods to spin up name: REPLICAS value: "3" required: true - description: base sso url name: RH_SSO_BASE_URL required: true value: "https://sso.redhat.com/auth/realms/redhat-external" - description: base sso url name: COMPOSER_CONFIG_DIR required: true value: "/etc/osbuild-composer" - description: Allowed tenants based on org id name: ACL_ORG_ID_TENANTS value: "15842261|15877963|15885990|16057323" - description: Allowed tenants based on account id name: ACL_ACCOUNT_ID_TENANTS value: "15842261|16057323" - description: composer-api port name: COMPOSER_API_PORT required: true value: "8080" - description: prometheus port name: PROMETHEUS_PORT value: "8008" - description: worker-api port name: WORKER_API_PORT required: true value: "8700" - name: READINESS_URI description: URI to query for the readiness check value: "/api/image-builder-composer/v2/openapi" - name: CPU_REQUEST description: CPU request per container value: "500m" - name: CPU_LIMIT description: CPU limit per container value: "1" - name: FLUENTD_CPU_REQUEST description: CPU request per container value: "50m" - name: FLUENTD_CPU_LIMIT description: CPU limit per container value: "100m" - name: MEMORY_REQUEST description: Memory request per container value: "256Mi" - name: MEMORY_LIMIT description: Memory limit per container value: "512Mi" - description: Splunk HTTP Event Collector port name: SPLUNK_HEC_PORT value: "443" - name: GLITCHTIP_DSN_NAME value: "composer-stage-dsn" description: Name of the secret for connecting to sentry/glitchtip - description: Distro name aliases name: DISTRO_ALIASES value: "rhel-7=rhel-7.9,rhel-8=rhel-8.10,rhel-9=rhel-9.5,rhel-10=rhel-10.0" - name: CHANNEL value: "local" description: > Channel where this pod is deployed. This is appended to the logs. Usually something like "local", "staging" or "production".