apiVersion: v1 kind: Template metadata: name: composer annotations: openshift.io/display-name: Image-Builder composer service description: Composer component of the image-builder serivce tags: golang iconClass: icon-shadowman template.openshift.io/provider-display-name: Red Hat, Inc. labels: template: composer objects: - apiVersion: apps/v1 kind: Deployment metadata: labels: service: image-builder name: composer spec: replicas: 3 selector: matchLabels: app: composer strategy: # Update pods 1 at a time type: RollingUpdate rollingUpdate: # Create at most 0 extra pod over .spec.replicas maxSurge: 0 # At all times there should be .spec.replicas - 1 available maxUnavailable: 1 template: metadata: labels: app: composer spec: containers: - image: "${IMAGE_NAME}:${IMAGE_TAG}" name: composer env: - name: PGHOST valueFrom: secretKeyRef: name: composer-db key: db.host - name: PGPORT valueFrom: secretKeyRef: name: composer-db key: db.port - name: PGDATABASE valueFrom: secretKeyRef: name: composer-db key: db.name - name: PGUSER valueFrom: secretKeyRef: name: composer-db key: db.user - name: PGPASSWORD valueFrom: secretKeyRef: name: composer-db key: db.password - name: PGSSLMODE value: "${PGSSLMODE}" ports: - name: composer-api protocol: TCP containerPort: ${{COMPOSER_API_PORT}} - name: worker-api protocol: TCP containerPort: ${{WORKER_API_PORT}} volumeMounts: - name: composer-config mountPath: "${COMPOSER_CONFIG_DIR}" readOnly: true - name: state-directory mountPath: "/var/lib/osbuild-composer" - name: cache-directory mountPath: "/var/cache/osbuild-composer" volumes: - name: composer-config configMap: name: composer-config - name: db-secrets secret: secretName: db - name: state-directory emptyDir: {} - name: cache-directory emptyDir: {} initContainers: - name: composer-migrate image: "${IMAGE_NAME}:${IMAGE_TAG}" command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ] env: - name: PGHOST valueFrom: secretKeyRef: name: composer-db key: db.host - name: PGPORT valueFrom: secretKeyRef: name: composer-db key: db.port - name: PGDATABASE valueFrom: secretKeyRef: name: composer-db key: db.name - name: PGUSER valueFrom: secretKeyRef: name: composer-db key: db.user - name: PGPASSWORD valueFrom: secretKeyRef: name: composer-db key: db.password - name: PGSSLMODE value: "${PGSSLMODE}" - apiVersion: v1 kind: Service metadata: name: image-builder-composer labels: app: composer port: composer-api spec: ports: - name: composer-api protocol: TCP port: 80 targetPort: ${{COMPOSER_API_PORT}} selector: app: composer - apiVersion: v1 kind: Service metadata: name: image-builder-worker labels: app: composer port: worker-api spec: ports: - name: worker-api protocol: TCP port: 80 targetPort: ${{WORKER_API_PORT}} selector: app: composer # This map should probably move to app-intf - apiVersion: v1 kind: ConfigMap metadata: name: composer-config data: acl.yml: | - claim: user_id pattern: ^(54629121|54629180|54597799)$ osbuild-composer.toml: | log_level = "info" [koji] enable_tls = false enable_mtls = false enable_jwt = true jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs" jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" [worker] request_job_timeout = "20s" base_path = "/api/image-builder-worker/v1" enable_tls = false enable_mtls = false enable_jwt = true jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs" jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" parameters: - description: composer image name name: IMAGE_NAME value: quay.io/app-sre/composer required: true - description: composer image tag name: IMAGE_TAG required: true - description: postgres sslmode to use when connecting to the db name: PGSSLMODE value: "require" - description: base sso url name: SSO_BASE_URL required: true value: "https://sso.redhat.com/auth/realms/redhat-external" - description: base sso url name: COMPOSER_CONFIG_DIR required: true value: "/etc/osbuild-composer" - description: composer-api port name: COMPOSER_API_PORT required: true value: "8080" - description: worker-api port name: WORKER_API_PORT required: true value: "8700"