# uBlue-OS forge podman deployment ## variables will be replaces with envsubst when invoked via forge.sh --- apiVersion: v1 kind: Pod metadata: name: ${FORGE_POD_NAME_REVERSE_PROXY} labels: traefik.enable: true traefik.http.routers.traefik-dashboard.entrypoints: web,websecure traefik.http.routers.traefik-dashboard.rule: Host(`traefik.${FORGE_DOMAIN_NAME}`) traefik.http.services.traefik-dashboard.loadbalancer.server.port: 8080 traefik.http.routers.traefik-dashboard.service: api@internal spec: securityContext: seLinuxOptions: type: "container_runtime_t" # needed for podman.sock access restartPolicy: OnFailure volumes: - name: podman-socket hostPath: path: ${FORGE_PODMAN_SOCKET_PATH} type: Socket - name: ublue-os_forge-certs-pvc persistentVolumeClaim: claimName: ublue-os_forge-certs containers: - name: traefik.${FORGE_DOMAIN_NAME} image: traefik # will be built on pod start volumeMounts: - mountPath: /var/run/podman.sock name: podman-socket readOnly: true - mountPath: /certs name: ublue-os_forge-certs-pvc ports: - containerPort: 80 hostPort: 80 protocol: TCP - containerPort: 443 hostPort: 443 protocol: TCP - containerPort: 8080 hostPort: 8080 protocol: TCP initContainers: - name: minica.${FORGE_DOMAIN_NAME} image: minica volumeMounts: - mountPath: /certs name: ublue-os_forge-certs-pvc --- apiVersion: v1 kind: Pod metadata: name: ${FORGE_POD_NAME_REGISTRY} labels: traefik.enable: true traefik.http.routers.registry.entryPoints: web,websecure traefik.http.services.registry.loadbalancer.server.port: 5000 traefik.http.services.registry.loadbalancer.server.scheme: https traefik.http.routers.registry.rule: Host(`registry.${FORGE_DOMAIN_NAME}`) spec: restartPolicy: OnFailure volumes: - name: ublue-os_forge-certs-pvc persistentVolumeClaim: claimName: ublue-os_forge-certs - name: ublue-os_forge-registry-pvc persistentVolumeClaim: claimName: ublue-os_forge-registry containers: - name: docker.${FORGE_DOMAIN_NAME} image: registry # will be built on pod start volumeMounts: - mountPath: /certs name: ublue-os_forge-certs-pvc subPath: _.${FORGE_DOMAIN_NAME} - mountPath: /var/lib/registry name: ublue-os_forge-registry-pvc ports: - containerPort: 5000 protocol: TCP --- apiVersion: v1 kind: Pod metadata: name: ${FORGE_POD_NAME_ANVIL} labels: traefik.enable: true traefik.http.routers.forge.entrypoints: web,websecure traefik.http.routers.forge.rule: Host(`forge.${FORGE_DOMAIN_NAME}`) traefik.http.services.forge.loadbalancer.server.port: 3000 spec: restartPolicy: OnFailure volumes: - name: ublue-os_forge-certs-pvc persistentVolumeClaim: claimName: ublue-os_forge-certs - name: ublue-os_forge-data-pvc persistentVolumeClaim: claimName: ublue-os_forge-data hostAliases: - ip: ${FORGE_HOST_IP_ADDRESS} hostnames: - registry.${FORGE_DOMAIN_NAME} containers: - name: ansible.${FORGE_DOMAIN_NAME} image: anvil # will be built on pod start volumeMounts: - mountPath: /certs name: ublue-os_forge-certs-pvc readOnly: true - mountPath: /data name: ublue-os_forge-data-pvc env: - name: ANSIBLE_HOST_USER valueFrom: secretKeyRef: name: ublue-os_forge-secure key: ANSIBLE_HOST_USER - name: ANSIBLE_HOST_BECOME_PASSWORD valueFrom: secretKeyRef: name: ublue-os_forge-secure key: ANSIBLE_HOST_BECOME_PASSWORD ports: - containerPort: 3000 protocol: TCP