diff --git a/config/README.md b/config/README.md deleted file mode 100644 index 67c46e32c..000000000 --- a/config/README.md +++ /dev/null @@ -1,57 +0,0 @@ -# Steps - -## Cluster Setup - -* Created a GKE cluster with Workload Identity enabled -* Created a GCP Service Account (rekor-dev) -* Granted that GSA IAM permissions to be used with Workload Identity -* Paired that GSA with the KSA default in the default namespace -* Gave that GSA Cloud SQL user IAM permissions - -## SQL Setup - -* Created a Cloud SQL instance for MySQL -* Created a database with default settings -* Set a root user and password -* Used this to setup the database and app user: -https://github.com/google/trillian/blob/2053c7648b44d5de45863c3ad12550b511ad6a14/scripts/resetdb.sh -* To run the script: - * Get a Cloud Shell from the Cloud Console - * Get temporary access using "gcloud sql connect". - * This sets up an shell with access for 5 minutes - * You can just ctrl+c out of this and then access using whatever you need, in this case the above script. - -## Deployments - -Setup the SQL configmap with something like: - -``` -kubectl create configmap cloud-sql --from-literal=connection="project-rekor:us-central1:rekor-dev=tcp:3306" -``` - -Then deploy with: - -``` -ko apply -f config/ -``` - -## Ingress - -Install cert-manager with helm, using https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm - -Install nginx-ingress with: kubectl apply -f nginx.yaml - -This was taken from https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.43.0/deploy/static/provider/cloud/deploy.yaml - -Local modification was to scale replicas to 3. -Install nginx-ingress with: kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.43.0/deploy/static/provider/cloud/deploy.yaml - -## Prometheus - -Installed Prometheus Chart with: - -``` -helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -helm repo add kube-state-metrics https://kubernetes.github.io/kube-state-metrics -helm install prometheus prometheus-community/prometheus --namespace=prometheus -``` diff --git a/config/ingress.yaml b/config/ingress.yaml deleted file mode 100644 index 9fda2a70b..000000000 --- a/config/ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: rekor - annotations: - kubernetes.io/ingress.class: "nginx" - cert-manager.io/issuer: "letsencrypt-prod" - -spec: - tls: - - hosts: - - api.rekor.dev - - api.sigstore.dev - secretName: rekor-ingress-tls - rules: - - host: api.rekor.dev - http: - paths: - - path: / - backend: - serviceName: rekor-server - servicePort: 80 - - host: api.sigstore.dev - http: - paths: - - path: / - backend: - serviceName: rekor-server - servicePort: 80 diff --git a/config/letsencrypt-prod.yaml b/config/letsencrypt-prod.yaml deleted file mode 100644 index fbefe86a4..000000000 --- a/config/letsencrypt-prod.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: letsencrypt-prod -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: dlorenc@google.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-prod - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx diff --git a/config/letsencrypt-staging.yaml b/config/letsencrypt-staging.yaml deleted file mode 100644 index b5175ff09..000000000 --- a/config/letsencrypt-staging.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: dlorenc@google.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx diff --git a/config/nginx.yaml b/config/nginx.yaml deleted file mode 100644 index caf15bb27..000000000 --- a/config/nginx.yaml +++ /dev/null @@ -1,665 +0,0 @@ - -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - ---- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -data: ---- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - update - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - update - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader-nginx - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - endpoints - verbs: - - create - - get - - update - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch ---- -# Source: ingress-nginx/templates/controller-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller ---- -# Source: ingress-nginx/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - annotations: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - type: LoadBalancer - externalTrafficPolicy: Local - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller ---- -# Source: ingress-nginx/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - replicas: 3 - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - spec: - dnsPolicy: ClusterFirst - containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.43.0@sha256:9bba603b99bf25f6d117cf1235b6598c16033ad027b143c90fa5b3cc583c5713 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1beta1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ingress-nginx-admission-create - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -spec: - template: - metadata: - name: ingress-nginx-admission-create - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - spec: - containers: - - name: create - image: docker.io/jettech/kube-webhook-certgen:v1.5.0 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ingress-nginx-admission-patch - annotations: - helm.sh/hook: post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -spec: - template: - metadata: - name: ingress-nginx-admission-patch - labels: - helm.sh/chart: ingress-nginx-3.19.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.43.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - spec: - containers: - - name: patch - image: docker.io/jettech/kube-webhook-certgen:v1.5.0 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 diff --git a/config/prometheus/values.yaml b/config/prometheus/values.yaml deleted file mode 100644 index e3e5efe7e..000000000 --- a/config/prometheus/values.yaml +++ /dev/null @@ -1,17 +0,0 @@ - -server: - sidecarContainers: - sidecar: - image: gcr.io/stackdriver-prometheus/stackdriver-prometheus-sidecar:0.8.2 - imagePullPolicy: Always - args: - - "--stackdriver.project-id=project-rekor" - - "--prometheus.wal-directory=/data/wal" - - "--stackdriver.kubernetes.location=us-central1" - - "--stackdriver.kubernetes.cluster-name=rekor-dev" - ports: - - name: sidecar - containerPort: 9091 - volumeMounts: - - name: storage-volume - mountPath: /data diff --git a/config/trillian.yaml b/config/trillian.yaml deleted file mode 100644 index 5845b93b1..000000000 --- a/config/trillian.yaml +++ /dev/null @@ -1,101 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: trillian-server - labels: - app: trillian-server -spec: - replicas: 3 - selector: - matchLabels: - app: trillian-server - template: - metadata: - labels: - app: trillian-server - spec: - containers: - - name: log-server - image: gcr.io/trillian-opensource-ci/log_server - ports: - - containerPort: 8090 - - containerPort: 8091 - args: [ - "--storage_system=mysql", - "--mysql_uri=test:zaphod@tcp(localhost:3306)/test", - "--rpc_endpoint=0.0.0.0:8091", - "--http_endpoint=0.0.0.0:8090", - "--alsologtostderr", - ] - resources: - requests: - memory: "1G" - cpu: ".5" - - name: cloud-sql-proxy - image: gcr.io/cloudsql-docker/gce-proxy:1.17 - command: - - "/cloud_sql_proxy" - # TODO: move these to a configmap - - "-instances=project-rekor:us-central1:rekor-dev=tcp:3306" - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Service -metadata: - name: trillian-server -spec: - selector: - app: trillian-server - ports: - - protocol: TCP - port: 8091 - targetPort: 8091 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: trillian-signer - labels: - app: trillian-signer -spec: - replicas: 1 - selector: - matchLabels: - app: trillian-signer - template: - metadata: - labels: - app: trillian-signer - spec: - containers: - - name: log-signer - image: gcr.io/trillian-opensource-ci/log_signer - args: [ - "--storage_system=mysql", - # TODO: move these to a secret/configmap - "--mysql_uri=test:zaphod@tcp(localhost:3306)/test", - "--rpc_endpoint=0.0.0.0:8090", - "--http_endpoint=0.0.0.0:8091", - # TODO: use etcd and run multiple signers - "--force_master", - "--alsologtostderr", - ] - resources: - requests: - memory: "1G" - cpu: ".5" - - name: cloud-sql-proxy - image: gcr.io/cloudsql-docker/gce-proxy:1.17 - command: - - "/cloud_sql_proxy" - # TODO: move to a secret/configmap - - "-instances=$(CLOUD_SQL_CONNECTION)" - env: - - name: CLOUD_SQL_CONNECTION - valueFrom: - configMapKeyRef: - name: cloud-sql - key: connection - securityContext: - runAsNonRoot: true