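# Taiga "events" websocket service.
# Runs unprivileged (uid/gid 99, all capabilities dropped, RuntimeDefault
# seccomp). RabbitMQ credentials come from the rabbit user secret via
# secretKeyRef; the reloader annotation restarts the pod when either secret
# changes. Templated scalars are quoted so an empty or boolean-looking
# expansion cannot be retyped by the YAML parser.
# NOTE(review): no resources.requests/limits are declared on any container in
# this file — confirm whether the namespace has a LimitRange before relying on
# that.
resource "kubectl_manifest" "Deployment_taiga-events" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}-events"
      labels: ${jsonencode(local.event_all_labels)}
      namespace: "${var.namespace}"
      ownerReferences: ${jsonencode(var.install_owner)}
      annotations:
        secret.reloader.stakater.com/reload: "${kubectl_manifest.secret.name},${kubectl_manifest.rabbit_user_secret.name}"
    spec:
      selector:
        matchLabels: ${jsonencode(local.event_labels)}
      replicas: 1
      template:
        metadata:
          labels: ${jsonencode(local.event_labels)}
        spec:
          securityContext:
            fsGroup: 99
          containers:
            - name: taiga-events
              image: "${var.images.events.registry}/${var.images.events.repository}:${var.images.events.tag}"
              imagePullPolicy: "${var.images.events.pull_policy}"
              envFrom:
                - secretRef:
                    name: "${kubectl_manifest.secret.name}"
              env:
                - name: TAIGA_EVENTS_RABBITMQ_HOST
                  value: "${kubectl_manifest.rabbit.name}"
                - name: RABBITMQ_USER
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: username
                - name: RABBITMQ_PASS
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: password
              ports:
                - name: taiga-events
                  containerPort: 8888
                - name: health
                  containerPort: 3023
              livenessProbe:
                httpGet:
                  path: /healthz
                  port: health
                initialDelaySeconds: 20
                periodSeconds: 10
                timeoutSeconds: 5
                successThreshold: 1
                failureThreshold: 3
              readinessProbe:
                httpGet:
                  path: /healthz
                  port: health
                initialDelaySeconds: 5
                periodSeconds: 10
                timeoutSeconds: 1
                successThreshold: 1
                failureThreshold: 3
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                runAsGroup: 99
                runAsNonRoot: true
                runAsUser: 99
                seccompProfile:
                  type: RuntimeDefault
  EOF
}

# Taiga frontend (static assets served on port 80).
# The OpenID client id is injected from the oauth2 module's secret; the
# frontend env configmap is loaded via envFrom.
# NOTE(review): unlike the other Taiga workloads this container runs as root
# (runAsUser/runAsGroup 0, runAsNonRoot false) with allowPrivilegeEscalation
# true and no capability drop — presumably required by the upstream image to
# bind port 80; confirm, and prefer an unprivileged listener if the image
# supports one. The previously empty `httpHeaders:` key on the liveness
# probe parsed as null and has been dropped.
resource "kubectl_manifest" "Deployment_taiga-front" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}-front"
      labels: ${jsonencode(local.front_all_labels)}
      namespace: "${var.namespace}"
      ownerReferences: ${jsonencode(var.install_owner)}
      annotations:
        configmap.reloader.stakater.com/reload: "${kubectl_manifest.cm_env_front.name}"
        secret.reloader.stakater.com/reload: "${module.oauth2.secret_client_id_name}"
    spec:
      selector:
        matchLabels: ${jsonencode(local.front_labels)}
      replicas: 1
      template:
        metadata:
          labels: ${jsonencode(local.front_labels)}
        spec:
          securityContext:
            fsGroup: 0
          containers:
            - name: taiga-front
              image: "${var.images.front.registry}/${var.images.front.repository}:${var.images.front.tag}"
              imagePullPolicy: "${var.images.front.pull_policy}"
              env:
                - name: OPENID_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: "${module.oauth2.secret_client_id_name}"
                      key: "${module.oauth2.secret_client_id_key}"
              envFrom:
                - configMapRef:
                    name: "${kubectl_manifest.cm_env_front.name}"
              ports:
                - name: http
                  containerPort: 80
              livenessProbe:
                httpGet:
                  path: /
                  port: http
                initialDelaySeconds: 3
                periodSeconds: 3
              readinessProbe:
                httpGet:
                  path: /ready
                  port: http
                initialDelaySeconds: 3
                periodSeconds: 3
              securityContext:
                # Root container: see the NOTE(review) above this resource.
                allowPrivilegeEscalation: true
                runAsGroup: 0
                runAsNonRoot: false
                runAsUser: 0
                seccompProfile:
                  type: RuntimeDefault
  EOF
}

# Taiga "protected" media service (gunicorn on 8003).
# Runs unprivileged (uid/gid 999, all capabilities dropped). SECRET_KEY is
# read from the TAIGA_SECRET_KEY key of the shared secret; MAX_AGE is
# deliberately quoted so it stays a string in the container environment.
# NOTE(review): the liveness probe only checks that a gunicorn process
# exists, and there is no readiness probe — the Service will route to this
# pod as soon as the container starts.
resource "kubectl_manifest" "Deployment_taiga-protected" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}-protected"
      labels: ${jsonencode(local.protected_all_labels)}
      namespace: "${var.namespace}"
      ownerReferences: ${jsonencode(var.install_owner)}
      annotations:
        secret.reloader.stakater.com/reload: "${kubectl_manifest.secret.name}"
    spec:
      selector:
        matchLabels: ${jsonencode(local.protected_labels)}
      replicas: 1
      template:
        metadata:
          labels: ${jsonencode(local.protected_labels)}
        spec:
          securityContext:
            fsGroup: 999
          containers:
            - name: taiga-protected
              image: "${var.images.protected.registry}/${var.images.protected.repository}:${var.images.protected.tag}"
              imagePullPolicy: "${var.images.protected.pull_policy}"
              env:
                - name: SECRET_KEY
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.secret.name}"
                      key: TAIGA_SECRET_KEY
                - name: MAX_AGE
                  value: '360'
              ports:
                - name: taiga-protected
                  containerPort: 8003
              livenessProbe:
                initialDelaySeconds: 10
                exec:
                  command: ["/bin/sh", "-c", "pidof -x gunicorn"]
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                runAsGroup: 999
                runAsNonRoot: true
                runAsUser: 999
                seccompProfile:
                  type: RuntimeDefault
  EOF
}

# Taiga backend pod: the API (taiga-back), the async worker (taiga-async —
# same image, different entrypoint) and an nginx sidecar serving static/media
# from the shared PVC. The API and worker run unprivileged (uid/gid 999, all
# capabilities dropped); DB, RabbitMQ and OpenID credentials are all injected
# via secretKeyRef rather than plain values.
# Fix: the nginx liveness/readiness probes were written after `volumes:`,
# i.e. outside any container, where the API server either rejects or silently
# prunes them; they now sit inside the nginx container, whose `http` port
# they reference. NOTE(review): the nginx config in cm_nginx must actually
# serve `/` and `/ready`, otherwise the pod will never become ready — confirm.
# NOTE(review): the nginx sidecar runs as root with allowPrivilegeEscalation
# true; presumably required by the upstream image — confirm.
# defaultMode values are written in decimal because `0444`/`0755` are octal
# only under YAML 1.1 and would be read as decimal by a YAML 1.2 parser.
resource "kubectl_manifest" "Deployment_taiga-back" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}-back"
      labels: ${jsonencode(local.back_all_labels)}
      namespace: "${var.namespace}"
      ownerReferences: ${jsonencode(var.install_owner)}
      annotations:
        configmap.reloader.stakater.com/reload: "${kubectl_manifest.cm_env_back.name},${kubectl_manifest.cm_scripts.name},${kubectl_manifest.cm_nginx.name}"
        secret.reloader.stakater.com/reload: "${kubectl_manifest.rabbit_user_secret.name},${module.oauth2.secret_client_id_name},${module.ingress.secret_name},${var.instance}-${var.component}-pg-app,${kubectl_manifest.secret.name}"
    spec:
      selector:
        matchLabels: ${jsonencode(local.back_labels)}
      replicas: 1
      template:
        metadata:
          labels: ${jsonencode(local.back_labels)}
        spec:
          securityContext:
            fsGroup: 999
          containers:
            - name: taiga-back
              image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
              imagePullPolicy: "${var.images.back.pull_policy}"
              env:
                - name: TAIGA_EVENTS_RABBITMQ_HOST
                  value: "${kubectl_manifest.rabbit.name}"
                - name: TAIGA_ASYNC_RABBITMQ_HOST
                  value: "${kubectl_manifest.rabbit.name}"
                - name: RABBITMQ_USER
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: username
                - name: RABBITMQ_PASS
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: password
                - name: OPENID_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: "${module.oauth2.secret_client_id_name}"
                      key: "${module.oauth2.secret_client_id_key}"
                - name: OPENID_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: "${module.oauth2.secret_client_secret_name}"
                      key: "${module.oauth2.secret_client_secret_key}"
                - name: POSTGRES_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: "${var.instance}-${var.component}-pg-app"
                      key: password
              envFrom:
                - secretRef:
                    name: "${kubectl_manifest.secret.name}"
                - configMapRef:
                    name: "${kubectl_manifest.cm_env_back.name}"
              ports:
                - name: taiga-back
                  containerPort: 8000
              volumeMounts:
                - name: scripts
                  mountPath: /docker-entrypoint.d/certs.sh
                  subPath: certs.sh
                - name: data
                  mountPath: /taiga-back/static
                  subPath: static
                - name: data
                  mountPath: /taiga-back/media
                  subPath: media
                - name: certs
                  mountPath: /etc/local-ca
                  readOnly: true
              livenessProbe:
                httpGet:
                  path: /api/v1/
                  port: 8000
                initialDelaySeconds: 30
                periodSeconds: 20
                timeoutSeconds: 10
                successThreshold: 1
                failureThreshold: 5
              readinessProbe:
                httpGet:
                  path: /api/v1/
                  port: 8000
                initialDelaySeconds: 5
                periodSeconds: 20
                timeoutSeconds: 10
                successThreshold: 1
                failureThreshold: 5
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                runAsGroup: 999
                runAsNonRoot: true
                runAsUser: 999
                seccompProfile:
                  type: RuntimeDefault
            - name: taiga-async
              image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
              imagePullPolicy: "${var.images.back.pull_policy}"
              command: ["/usr/local/bin/async_entrypoint.sh"]
              env:
                - name: RABBITMQ_USER
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: username
                - name: RABBITMQ_PASS
                  valueFrom:
                    secretKeyRef:
                      name: "${kubectl_manifest.rabbit_user_secret.name}"
                      key: password
                - name: POSTGRES_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: "${var.instance}-${var.component}-pg-app"
                      key: password
              envFrom:
                - secretRef:
                    name: "${kubectl_manifest.secret.name}"
                - configMapRef:
                    name: "${kubectl_manifest.cm_env_back.name}"
              volumeMounts:
                - name: scripts
                  mountPath: /docker-entrypoint.d/certs.sh
                  subPath: certs.sh
                - name: data
                  mountPath: /taiga-back/static
                  subPath: static
                - name: data
                  mountPath: /taiga-back/media
                  subPath: media
                - name: certs
                  mountPath: /opt/certs
                  # Secret volumes are mounted read-only by the kubelet anyway;
                  # stated explicitly for consistency with the taiga-back mount.
                  readOnly: true
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                runAsGroup: 999
                runAsNonRoot: true
                runAsUser: 999
                seccompProfile:
                  type: RuntimeDefault
            - name: nginx
              image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
              imagePullPolicy: "${var.images.nginx.pull_policy}"
              ports:
                - name: http
                  containerPort: 8080
              volumeMounts:
                - name: data
                  mountPath: /taiga/static
                  subPath: static
                - name: data
                  mountPath: /taiga/media
                  subPath: media
                - name: taiga-conf
                  mountPath: /etc/nginx/conf.d/
              # Probes moved here from below `volumes:` (see resource comment).
              livenessProbe:
                httpGet:
                  path: /
                  port: http
                initialDelaySeconds: 3
                periodSeconds: 3
              readinessProbe:
                httpGet:
                  path: /ready
                  port: http
                initialDelaySeconds: 3
                periodSeconds: 3
              securityContext:
                # Root sidecar: see the NOTE(review) above this resource.
                allowPrivilegeEscalation: true
                runAsGroup: 0
                runAsNonRoot: false
                runAsUser: 0
                seccompProfile:
                  type: RuntimeDefault
          volumes:
            - name: certs
              secret:
                secretName: "${module.ingress.secret_name}"
                defaultMode: 292  # 0444 octal
            - name: scripts
              configMap:
                name: "${kubectl_manifest.cm_scripts.name}"
                defaultMode: 493  # 0755 octal
                items:
                  - key: certs.sh
                    path: certs.sh
            - name: data
              persistentVolumeClaim:
                claimName: "${kubectl_manifest.pvc.name}"
            - name: taiga-conf
              configMap:
                name: "${kubectl_manifest.cm_nginx.name}"
  EOF
}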