debian-forge-composer/templates/composer.yml

apiVersion: v1
kind: Template
metadata:
  name: composer
  annotations:
    openshift.io/display-name: Image-Builder composer service
    description: Composer component of the image-builder serivce
    tags: golang
    iconClass: icon-shadowman
    template.openshift.io/provider-display-name: Red Hat, Inc.
labels:
  template: composer
objects:
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      service: image-builder
    name: composer
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: composer
    strategy:
      # Update pods 1 at a time
      type: RollingUpdate
      rollingUpdate:
        # Create at most 0 extra pod over .spec.replicas
        maxSurge: 0
        # At all times there should be .spec.replicas - 1 available
        maxUnavailable: 1
    template:
      metadata:
        labels:
          app: composer
      spec:
        containers:
        - image: "${IMAGE_NAME}:${IMAGE_TAG}"
          name: composer
          env:
          - name: PGHOST
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.host
          - name: PGPORT
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.port
          - name: PGDATABASE
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.name
          - name: PGUSER
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.user
          - name: PGPASSWORD
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.password
          - name: PGSSLMODE
            value: "${PGSSLMODE}"
          ports:
          - name: composer-api
            protocol: TCP
            containerPort: "${COMPOSER_API_PORT}"
          - name: composer-worker-api
            protocol: TCP
            containerPort: "${COMPOSER_WORKER_API_PORT}"
          volumeMounts:
          - name: composer-config
            mountPath: "${COMPOSER_CONFIG_DIR}"
            readOnly: true
          - name: state-directory
            mountPath: "/var/lib/osbuild-composer"
          - name: cache-directory
            mountPath: "/var/cache/osbuild-composer"
        volumes:
        - name: composer-config
          configMap:
            name: composer-config
        - name: db-secrets
          secret:
            secretName: db
        - name: state-directory
          emptyDir: {}
        - name: cache-directory
          emptyDir: {}
        initContainers:
        - name: composer-migrate
          image: "${IMAGE_NAME}:${IMAGE_TAG}"
          command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ]
          env:
          - name: PGHOST
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.host
          - name: PGPORT
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.port
          - name: PGDATABASE
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.name
          - name: PGUSER
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.user
          - name: PGPASSWORD
            valueFrom:
              secretKeyRef:
                name: composer-db
                key: db.password
          - name: PGSSLMODE
            value: "${PGSSLMODE}"

- apiVersion: v1
  kind: Service
  metadata:
    name: composer
    labels:
      app: composer
      port: composer-api
  spec:
    ports:
      - protocol: TCP
        port: 80
        targetPort: "${COMPOSER_API_PORT}"
    selector:
      app: composer

- apiVersion: v1
  kind: Service
  metadata:
    name: composer-worker
    labels:
      app: composer
      port: composer-worker-api
  spec:
    ports:
      - protocol: TCP
        port: 80
        targetPort: "${COMPOSER_WORKER_API_PORT}"
    selector:
      app: composer

# This map should probably move to app-intf
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: composer-config
  data:
    acl.yml: |
      - claim: email
        pattern: ^osbuilders@redhat\.com$
    osbuild-composer.toml: |
      log_level = "info"
      [koji]
      enable_tls = false
      enable_mtls = false
      enable_jwt = true
      jwt_keys_url = ""
      jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
      jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
      [worker]
      enable_tls = false
      enable_mtls = false
      enable_jwt = true
      jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
      jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"

parameters:
  - description: composer image name
    name: IMAGE_NAME
    value: quay.io/app-sre/composer
    required: true
  - description: composer image tag
    name: IMAGE_TAG
    required: true
  - description: postgres sslmode to use when connecting to the db
    name: PGSSLMODE
    value: "require"
  - description: base sso url
    name: SSO_BASE_URL
    required: true
    value: "https://sso.redhat.com/auth/realms/redhat-external"
  - description: base sso url
    name: COMPOSER_CONFIG_DIR
    required: true
    value: "/etc/osbuild-composer"
  - description: composer-api port
    name: COMPOSER_API_PORT
    required: true
    value: "8080"
  - description: composer-worker-api port
    name: COMPOSER_WORKER_API_PORT
    required: true
    value: "8700"