# Credentials consumed by the gollum-galore StatefulSet below
# (BASIC_AUTH_USERNAME / BASIC_AUTH_PASSWORD via secretKeyRef).
# The values are base64-encoded, not encrypted: anyone who can read this
# manifest can recover them. They look like demo placeholders — replace them
# before deploying and keep the real Secret out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: "basicauth"
type: Opaque
data:
  username: "aGFycnk="
  password: "c2FsbHk="
  # Not used by anything in this file: the StatefulSet's projected volume
  # reads key "htpasswd" from a Secret named "credentials", not from this one.
  #htpasswd: aGFycnk6JGFwcjEkdnZaV2o4TDEkSWc2dzh2djRJWjRyVVFrd0dicEtHMQo=
---
# Caddy configuration projected into the pod as /gollum/config/Caddyfile
# (see the "config" volume of the StatefulSet below).
#
# Security-relevant settings in the Caddyfile:
# - "tls self_signed": Caddy presents a self-signed certificate, so clients
#   cannot verify the server's identity and browsers will warn.
# - "allow sub demo": a token whose subject is "demo" is accepted in
#   addition to BASIC_AUTH_USERNAME — presumably intended, confirm.
# - "jwt-expiry 720h": a login stays valid for 30 days.
# - "htpasswd file=/gollum/config/.htpasswd": the file comes from the
#   "credentials" Secret referenced in the StatefulSet.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "caddyfile"
data:
  # Literal block scalar: stored verbatim, with its trailing newline.
  Caddyfile: |
    import /app/Caddyfile
    tls self_signed
    jwt {
      path /
      redirect /login
      allow sub demo
      allow sub {$BASIC_AUTH_USERNAME}
    }
    login {
      success-url /
      jwt-expiry 720h # Stay logged in 30 days
      #simple {$BASIC_AUTH_USERNAME}={$BASIC_AUTH_PASSWORD}
      htpasswd file=/gollum/config/.htpasswd
      # See https://github.com/tarent/loginsrv/blob/master/README.md#configuration-and-startup
    }
---
# Service in front of the StatefulSet pods. No spec.type is given, so the
# default (ClusterIP) applies; the two Routes below reach it by port name
# ("http" and "https"). targetPort and protocol are spelled out below but
# equal their defaults.
apiVersion: v1
kind: Service
metadata:
  name: "gollum-galore"
  labels:
    name: "gollum-galore"
spec:
  selector:
    app: "gollum-galore"
  ports:
    - name: "http"
      protocol: TCP
      port: 80
      targetPort: 80
    - name: "https"
      protocol: TCP
      port: 443
      targetPort: 443
---
# Storage for the wiki content, mounted at /gollum/wiki by the StatefulSet.
# The name is spelled "gallore" both here and in the claimName reference
# below — the two must stay identical. ReadWriteOnce matches replicas: 1.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "gollum-gallore-persistent-storage-claim"
spec:
  resources:
    requests:
      storage: "1Gi"
  accessModes: ["ReadWriteOnce"]
---
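# NOTE(review): apps/v1beta1 is deprecated (removed in Kubernetes 1.16).
# apps/v1 requires spec.selector, so it is set explicitly below, equal to the
# value apps/v1beta1 defaults it to; the manifest then migrates unchanged.
# apps/v1beta1 also defaults updateStrategy to OnDelete — presumably
# intended here, confirm.
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: "gollum-galore"
spec:
  serviceName: "gollum-galore"
  replicas: 1
  # Must keep matching template.metadata.labels (selector is immutable).
  selector:
    matchLabels:
      app: "gollum-galore"
  template:
    metadata:
      labels:
        app: "gollum-galore"
    spec:
      containers:
        - name: "gollum-galore"
          # Pinned tag (not "latest"); pinning by digest would make it
          # reproducible as well.
          image: "schnatterer/gollum-galore:0.3.2"
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            - name: "wiki"
              mountPath: "/gollum/wiki"
            - name: "config"
              mountPath: "/gollum/config"
          resources:
            requests:
              memory: "512M"
            # No limits: the container may grow past its request — confirm
            # that is acceptable for this namespace.
          readinessProbe:
            # don't use http here, because all our resources are protected
            tcpSocket:
              port: 443
            # Wait for volume to get bound
            initialDelaySeconds: 20
            periodSeconds: 1
          livenessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 120
            periodSeconds: 10
          env:
            - name: "GOLLUM_PARAMS"
              value: "--allow-uploads --live-preview"
            - name: "CADDY_PARAMS"
              value: "-conf /gollum/config/Caddyfile -log stdout"
            # Presumably must agree with spec.host of the passthrough Route.
            - name: "HOST"
              value: "yourdomain.com:443"
            # Secret values injected as environment variables are readable
            # by every process in the container and by anyone allowed to
            # exec/rsh into it.
            - name: "BASIC_AUTH_USERNAME"
              valueFrom:
                secretKeyRef:
                  name: "basicauth"
                  key: "username"
            - name: "BASIC_AUTH_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: "basicauth"
                  key: "password"
      volumes:
        - name: "wiki"
          persistentVolumeClaim:
            claimName: "gollum-gallore-persistent-storage-claim"
        - name: "config"
          projected:
            sources:
              # No Secret named "credentials" is defined in this file; it
              # must exist in the namespace with key "htpasswd" (presumably
              # created out of band), otherwise the volume cannot be set up.
              - secret:
                  name: "credentials"
                  items:
                    - key: "htpasswd"
                      path: ".htpasswd"
              - configMap:
                  name: "caddyfile"
                  items:
                    - key: "Caddyfile"
                      path: "Caddyfile"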
---
# Creates the following route: <route-name>[-<namespace>].<suffix>
# You can query it like so: oc get route gollum-galore-generated
# Create a CNAME record and point it to the URL created by this route
#
# This Route has no tls stanza: requests to the generated hostname travel in
# cleartext from the client to the router and on to the "http" service port,
# so whatever the container serves on port 80 is reachable without TLS.
# Presumably only the generated hostname is wanted from it — confirm.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: "gollum-galore-generated"
spec:
  to:
    kind: Service
    name: "gollum-galore"
  port:
    targetPort: "http"
---
# Public entry point. With termination: passthrough the router forwards the
# TLS stream to the pod untouched, so the certificate clients see is the one
# Caddy generates ("tls self_signed" in the ConfigMap above), not the
# router's — browsers will not trust it without a manual exception.
# insecureEdgeTerminationPolicy: Redirect answers plain-HTTP requests for
# this host with a redirect to HTTPS.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: "gollum-galore"
spec:
  # Insert your hostname here (presumably must agree with the HOST env var
  # of the StatefulSet).
  host: "yourdomain.com"
  to:
    kind: Service
    name: "gollum-galore"
  port:
    targetPort: "https"
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
---
# Allowing insecure HTTP only for the ACME challenge does not work: the passthrough route seems to always take precedence.
#host: yourdomain.com
#path: /.well-known