wip

resources/keb/templates/globalaccounts.yaml

@@ -0,0 +1,128 @@
+{{ if .Values.globalaccounts.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "kyma-environment-globalaccounts"
+  namespace: kcp-system
+  labels:
+    app.kubernetes.io/name: kyma-environment-globalaccounts
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kyma-environment-globalaccounts
+  template:
+    metadata:
+      name: kyma-environment-globalaccounts
+      labels:
+        app.kubernetes.io/name: kyma-environment-globalaccounts
+    spec:
+      serviceAccountName: kcp-kyma-environment-broker
+      securityContext:
+        runAsUser: 2000
+      restartPolicy: Always
+      containers:
+        - name: kyma-environment-globalaccounts
+          command: ["/bin/main"]
+          image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-globalaccounts:1.0.0
+          imagePullPolicy: Always
+          env:
+            - name: GLOBALACCOUNTS_DATABASE_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: kcp-storage-client-secret
+                  key: secretKey
+                  optional: true
+            - name: GLOBALACCOUNTS_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-broker-username
+                  name: kcp-postgresql
+            - name: GLOBALACCOUNTS_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-broker-password
+                  name: kcp-postgresql
+            - name: GLOBALACCOUNTS_DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-serviceName
+                  name: kcp-postgresql
+            - name: GLOBALACCOUNTS_DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-servicePort
+                  name: kcp-postgresql
+            - name: GLOBALACCOUNTS_DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-broker-db-name
+                  name: kcp-postgresql
+                      - name: GLOBALACCOUNTS_CIS_ACCOUNTS_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.cis.accounts.secretName | required "please specify .Values.cis.accounts.secretName" | quote }}
+                  key: id
+            - name: GLOBALACCOUNTS_CIS_ACCOUNTS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.cis.accounts.secretName | required "please specify .Values.cis.accounts.secretName" | quote }}
+                  key: secret
+            - name: GLOBALACCOUNTS_ACCOUNTS_AUTH_URL
+              value: {{ .Values.cis.accounts.authURL | required "please specify .Values.cis.accounts.authURL" | quote }}
+            - name: GLOBALACCOUNTS_ACCOUNTS_SERVICE_URL
+              value: {{ .Values.cis.accounts.serviceURL | required "please specify .Values.cis.accounts.serviceURL" | quote }}
+            - name: GLOBALACCOUNTS_DATABASE_SSLMODE
+              valueFrom:
+                secretKeyRef:
+                  key: postgresql-sslMode
+                  name: kcp-postgresql
+            - name: GLOBALACCOUNTS_DATABASE_SSLROOTCERT
+              value: /secrets/cloudsql-sslrootcert/server-ca.pem
+        {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false)}}
+          volumeMounts:
+              - name: cloudsql-sslrootcert
+                mountPath: /secrets/cloudsql-sslrootcert
+                readOnly: true
+        {{- end}}
+        {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true)}}
+        - name: cloudsql-proxy
+          image: {{ .Values.global.images.cloudsql_proxy.repository }}:{{ .Values.global.images.cloudsql_proxy.tag }}
+          {{- if .Values.global.database.cloudsqlproxy.workloadIdentity.enabled }}
+          command: ["/cloud-sql-proxy",
+                    "{{ .Values.global.database.managedGCP.instanceConnectionName }}",
+                    "--exit-zero-on-sigterm",
+                    "--private-ip"]
+          {{- else }}
+          command: ["/cloud-sql-proxy",
+                    "{{ .Values.global.database.managedGCP.instanceConnectionName }}",
+                    "--exit-zero-on-sigterm",
+                    "--private-ip",
+                    "--credentials-file=/secrets/cloudsql-instance-credentials/credentials.json"]
+          volumeMounts:
+            - name: cloudsql-instance-credentials
+              mountPath: /secrets/cloudsql-instance-credentials
+              readOnly: true
+          {{- end }}
+          {{- with .Values.deployment.securityContext }}
+          securityContext:
+            {{ toYaml . | nindent 16 }}
+          {{- end }}
+        {{- end}}
+      {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true) (eq .Values.global.database.cloudsqlproxy.workloadIdentity.enabled false)}}
+      volumes:
+        - name: cloudsql-instance-credentials
+          secret:
+            secretName: cloudsql-instance-credentials
+      {{- end}}
+      {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false)}}
+      volumes:
+        - name: cloudsql-sslrootcert
+          secret:
+            secretName: kcp-postgresql
+            items: 
+              - key: postgresql-sslRootCert
+                path: server-ca.pem
+            optional: true
+      {{- end}}
+{{ end }}

resources/keb/values.yaml

@@ -602,3 +602,5 @@ testConfig:
   kebDeployment:
     useAnnotations: false
     weight: "2"
+
+globalaccounts: false