-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathkubernetes.yml
390 lines (390 loc) · 12 KB
/
kubernetes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
# Ingress Controller LoadBalancer.
apiVersion: v1
kind: Service
metadata:
name: nginx-ingress
spec:
type: LoadBalancer
# You can select a static IP for your Ingress controller so your can use DNS.
#loadBalancerIP: 10.10.10.10
ports:
- port: 80
name: http
- port: 443
name: https
selector:
name: nginx-ingress-controller
---
# Nginx Ingress Controller
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
spec:
revisionHistoryLimit: 3
replicas: 1
template:
metadata:
labels:
name: nginx-ingress-controller
spec:
terminationGracePeriodSeconds: 60
containers:
- name: nginx-ingress-controller
image: gcr.io/google_containers/nginx-ingress-controller:0.8.3
imagePullPolicy: Always
args:
- /nginx-ingress-controller
# Ingress controller redirects here for any unknown subdomain, that service should:
# - Serve a HTTP/404 on /
# - Serve a HTTP/200 on /healthz
- --default-backend-service=default/default-http-backend
# Use downward API
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 80
- containerPort: 443
# (Optional) Expose 18080 to access Nginx stats in url /nginx-status:
#- containerPort: 18080
volumeMounts:
- name: tls-dhparam-vol
mountPath: /etc/nginx-ssl/dhparam
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
resources:
requests:
cpu: 5m
memory: "100Mi"
limits:
memory: "500Mi"
volumes:
- name: tls-dhparam-vol
secret:
secretName: ingress-tls-dhparam
---
# Retrieves and updates TLS certificates from LetsEncrypt.org (ACME provider).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kube-lego
spec:
revisionHistoryLimit: 3
replicas: 1
template:
metadata:
labels:
name: kube-lego
# Required for auto-created kube-lego-nginx service to work.
app: kube-lego
spec:
containers:
- name: kube-lego
image: jetstack/kube-lego:0.1.2
imagePullPolicy: Always
ports:
- containerPort: 8080
env:
- name: LEGO_EMAIL
# TODO: Put your e-mail here.
value: example@example.com
- name: LEGO_URL
# Use Let's Encrypt production API URL (instead of default staging environment):
value: "https://acme-v01.api.letsencrypt.org/directory"
- name: LEGO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LEGO_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 1
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 1
resources:
requests:
cpu: 5m
memory: "10Mi"
limits:
cpu: 50m
memory: "100Mi"
---
# Default web server if no Ingress rule applies.
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
selector:
name: default-http-backend
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: default-http-backend
spec:
revisionHistoryLimit: 3
replicas: 1
template:
metadata:
labels:
name: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
image: gcr.io/google_containers/defaultbackend:1.0
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
# Security hack, see https://github.com/kubernetes/kubernetes/issues/16779
- name: no-service-account
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
volumes:
- name: no-service-account
emptyDir: {}
---
# We only need this Ingress rule to generate a TLS certificate.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: che-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
spec:
tls:
- secretName: che-tls-certificate
hosts:
# TODO: Put your hostname
- che.example.com
rules:
# TODO: Put your hostname
- host: che.example.com
---
apiVersion: v1
kind: Service
metadata:
name: spdyproxy
spec:
type: LoadBalancer
# Should be the same IP as the Ingress controller.
# loadBalancerIP: 10.10.10.10
ports:
- port: 44300
selector:
app: che
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: che
spec:
revisionHistoryLimit: 3
replicas: 1
# Pod template (contains same fields as a normal Pod)
template:
metadata:
labels:
app: che
spec:
# Resolve "che" to localhost on these containers.
# This is so that trying to access http://che/ through speedy will
# let SPDY point to localhost, and that way all ports opened by
# Docker:DinD will also be accessible, e.g. http://che:32650.
hostname: che
terminationGracePeriodSeconds: 60
containers:
- name: spdyproxy
image: wernight/spdyproxy
imagePullPolicy: Always
args:
- --key=/var/run/secrets/tls/tls.key
- --cert=/var/run/secrets/tls/tls.crt
# TODO: Set authentication.
#- --user=MY_USERNAME
#- --pass=MY_PASSWORD
- --verbose
ports:
- containerPort: 44300
readinessProbe:
tcpSocket:
port: 44300
livenessProbe:
tcpSocket:
port: 44300
initialDelaySeconds: 60
resources:
requests:
cpu: 5m
memory: "10Mi"
limits:
memory: "100Mi"
volumeMounts:
- name: tls-vol
mountPath: /var/run/secrets/tls
readOnly: true
# Security hack, see https://github.com/kubernetes/kubernetes/issues/16779
- name: no-service-account
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
- name: che-server
# See documentation on https://eclipse.org/che/docs/setup/docker/index.html
# Latest tags: https://hub.docker.com/r/eclipse/che-server/tags/
image: eclipse/che-server:5.7.0
env:
- name: CHE_IP
value: che # External hostname.
- name: CHE_PORT
value: "80"
- name: DOCKER_HOST
value: tcp://che:2375
# Asks workspaces to be persisted under storage so that
# only on directory is needed to persist Che data.
- name: CHE_WORKSPACE_STORAGE
value: /projects
# Uncomment to give access to a Google Container Registry
# See http://stackoverflow.com/a/43140504/167897 to see
# we cnnot use the UI because GCE passwords are too long
# See https://github.com/codenvy/codenvy/issues/1948
#- name: CHE_DOCKER_REGISTRY_AUTH_REGISTRY1_URL
# value: gcr.io
#- name: CHE_DOCKER_REGISTRY_AUTH_REGISTRY1_USERNAME
# value: _json_key
#- name: CHE_DOCKER_REGISTRY_AUTH_REGISTRY1_PASSWORD
# valueFrom:
# secretKeyRef:
# name: container-registry-account
# key: password
ports:
- containerPort: 80
readinessProbe:
tcpSocket:
port: 80
# See also https://github.com/eclipse/che/issues/2761
# httpGet:
# path: /dashboard/
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 80
# httpGet:
# path: /dashboard/
initialDelaySeconds: 60
periodSeconds: 30
lifecycle:
preStop:
exec:
# See https://github.com/eclipse/che-dockerfiles/blob/master/che-launcher/launcher_cmds.sh
command: ["/home/user/che/bin/che.sh", "-c", "-s:uid", "stop"]
resources:
requests:
cpu: 5m
memory: "300Mi"
limits:
memory: "1.0Gi"
volumeMounts:
- name: lib-vol
mountPath: /home/user/che/lib-copy
- name: storage-vol
mountPath: /home/user/che/storage
# Security hack, see https://github.com/kubernetes/kubernetes/issues/16779
- name: no-service-account
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
- name: docker-dind
image: docker:dind
# TODO: You may add arg `--storage-driver=<DRIVER>` using the same driver as your host
# (which can be seen under `Storage Driver` in the output of `docker info`)
# for your Docker to be faster.
imagePullPolicy: Always
resources:
requests:
cpu: 5m
memory: "1.0Gi"
limits:
# TODO: Remove or adjust to whatever you feel should be max.
cpu: 700m
memory: "3.0Gi"
securityContext:
privileged: true
readinessProbe:
exec:
command: ["docker", "info"]
livenessProbe:
exec:
command: ["docker", "info"]
periodSeconds: 30
lifecycle:
preStop:
exec:
# Wait a little so that Che server can gracefully exit.
command: ["sleep", "30"]
volumeMounts:
- name: lib-vol
mountPath: /home/user/che/lib
# Mounting storage is required for SSH key to work for example.
# Mounting also workspaces is optional for Che but required if you want to mount
# workspace directories like "docker run -v $PWD:..." from within a Che workspace.
- name: storage-vol
mountPath: /home/user/che/storage
- name: docker-vol
mountPath: /var/lib/docker
# Security hack, see https://github.com/kubernetes/kubernetes/issues/16779
- name: no-service-account
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
volumes:
- name: tls-vol
secret:
secretName: che-tls-certificate
- name: lib-vol
emptyDir: {}
- name: storage-vol
# TODO: You may want to use persistent disk instead.
emptyDir: {}
- name: docker-vol
# TODO: You may want to use persistent disk instead to preserve Docker images cache.
emptyDir: {}
- name: no-service-account
emptyDir: {}