---
# OpenShift Template "relations": renders one SpiceDBCluster, one ClowdApp and
# two PodDisruptionBudgets from the entries under `parameters`.
# `${NAME}` is substituted as a string; `${{NAME}}` is substituted as a
# non-string value (used in this file for the replica counts).
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: relations
objects:
# SpiceDBCluster custom resource, named `<CLOWDAPP_NAME>-spicedb`.
# Cluster settings live under spec.config; spec.secretName points at the
# `spicedb-config` Secret, which is also where the ClowdApp in this template
# reads the preshared key from.
- apiVersion: authzed.com/v1alpha1
  kind: SpiceDBCluster
  metadata:
    name: ${CLOWDAPP_NAME}-spicedb
  spec:
    secretName: spicedb-config
    config:
      # NOTE(review): debug logging is hard-coded even though ENV_NAME lists
      # prod as a target environment; consider exposing the level as a template
      # parameter so production can run at a quieter setting.
      logLevel: debug
      replicas: ${{SPICEDB_REPLICAS}}
      datastoreEngine: postgres
      # NOTE(review): no tlsSecretName is set in this config, so nothing in this
      # template enables TLS on the SpiceDB listener; confirm how the gRPC hop
      # that carries the preshared key is protected.
    patches:
    # Migration Job: mount the database CA certificate into the `migrate`
    # container as a single file.
    - kind: Job
      patch:
        spec:
          template:
            spec:
              volumes:
              # NOTE(review): the Secret name is hard-coded, while the cluster
              # name follows CLOWDAPP_NAME; confirm this is intended when
              # CLOWDAPP_NAME is overridden.
              - name: rds-tls
                secret:
                  secretName: kessel-relations-spicedb
              containers:
              - name: migrate
                volumeMounts:
                - name: rds-tls
                  mountPath: /etc/tls/rds.pem
                  subPath: db.ca_cert
    # SpiceDB Deployment: resource sizing, datastore tuning via environment
    # variables, and the same CA certificate mount as the migration Job.
    - kind: Deployment
      patch:
        spec:
          template:
            spec:
              volumes:
              - name: rds-tls
                secret:
                  secretName: kessel-relations-spicedb
              containers:
              - name: spicedb
                resources:
                  requests:
                    cpu: ${SPICEDB_REQUESTS_CPU}
                    memory: ${SPICEDB_REQUESTS_MEMORY}
                  limits:
                    cpu: ${SPICEDB_LIMITS_CPU}
                    memory: ${SPICEDB_LIMITS_MEMORY}
                env:
                - name: SPICEDB_DATASTORE_REVISION_QUANTIZATION_INTERVAL
                  value: ${SPICEDB_QUANTIZATION_INTERVAL}
                - name: SPICEDB_DATASTORE_REVISION_QUANTIZATION_MAX_STALENESS_PERCENT
                  value: ${SPICEDB_QUANTIZATION_STALENESS_PERCENT}
                # Only the READ connection pool is sized here; no
                # CONN_POOL_WRITE_* variable is set by this template.
                - name: SPICEDB_DATASTORE_CONN_POOL_READ_MAX_OPEN
                  value: ${SPICEDB_DATASTORE_MAX_CONN_OPEN}
                - name: SPICEDB_DATASTORE_CONN_POOL_READ_MIN_OPEN
                  value: ${SPICEDB_DATASTORE_MIN_CONN_OPEN}
                - name: SPICEDB_ENABLE_EXPERIMENTAL_WATCHABLE_SCHEMA_CACHE
                  value: ${SPICEDB_ENABLE_WATCHABLE_SCHEMA_CACHE}
                volumeMounts:
                # A subPath mount is not refreshed when the Secret changes, so
                # a rotated CA certificate only takes effect after the pods are
                # restarted.
                - name: rds-tls
                  mountPath: /etc/tls/rds.pem
                  subPath: db.ca_cert
# ClowdApp for the relations API: a single `api` deployment that talks to the
# SpiceDB cluster defined in this template and is published as a public web
# service under the `authz` API path.
- apiVersion: cloud.redhat.com/v1alpha1
  kind: ClowdApp
  metadata:
    name: ${CLOWDAPP_NAME}
  spec:
    envName: ${ENV_NAME}
    testing:
      iqePlugin: relations_api
    deployments:
    - name: api
      minReplicas: ${{RELATIONS_REPLICAS}}
      webServices:
        # NOTE(review): this publishes an authorization API on the public path;
        # no authentication setting is visible in this template (the
        # relations-api-config ConfigMap contents are not shown), so confirm
        # where callers are authenticated.
        public:
          enabled: true
          apiPath: authz
      podSpec:
        image: ${RELATIONS_IMAGE}:${IMAGE_TAG}
        # Liveness and readiness are both plain HTTP GETs on port 8000.
        livenessProbe:
          httpGet:
            path: /api/authz/livez
            port: 8000
        readinessProbe:
          httpGet:
            path: /api/authz/readyz
            port: 8000
        resources:
          requests:
            cpu: ${RELATIONS_REQUESTS_CPU}
            memory: ${RELATIONS_REQUESTS_MEMORY}
          limits:
            cpu: ${RELATIONS_LIMITS_CPU}
            memory: ${RELATIONS_LIMITS_MEMORY}
        env:
        # The preshared key is read from the `spicedb-config` Secret rather
        # than being written into the template.
        - name: SPICEDB_PRESHARED
          valueFrom:
            secretKeyRef:
              name: spicedb-config
              key: preshared_key
        # In-cluster address of the SpiceDB service, port 50051.
        # NOTE(review): nothing here states whether this connection uses TLS;
        # confirm, since the preshared key travels over it.
        - name: SPICEDB_ENDPOINT
          value: ${CLOWDAPP_NAME}-spicedb:50051
        # Path inside the `schema` volume mounted at /etc/schema.
        - name: SPICEDB_SCHEMA_FILE
          value: /etc/schema/schema.zed
        volumes:
        - name: schema
          configMap:
            name: spicedb-schema
        - name: relations-api-config
          configMap:
            name: relations-api-config
        volumeMounts:
        - name: schema
          mountPath: /etc/schema
        - name: relations-api-config
          mountPath: /config
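# PodDisruptionBudget for the relations API pods: keep at least one pod
# available during voluntary disruptions such as node drains.
# With the default RELATIONS_REPLICAS of '1', minAvailable: 1 means the single
# pod can never be evicted voluntarily; raise the replica count where drains
# must be able to proceed.
- kind: PodDisruptionBudget
  apiVersion: policy/v1
  metadata:
    name: kessel-relations-api-pdb
  spec:
    minAvailable: 1
    selector:
      matchLabels:
        # Follows CLOWDAPP_NAME instead of the literal default, so the budget
        # still selects the API pods when the ClowdApp name is overridden.
        # Renders to `kessel-relations` with the default parameter value.
        # NOTE(review): presumably `app` is the label derived from the
        # ClowdApp name; confirm against the deployed pod labels.
        app: ${CLOWDAPP_NAME}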
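# PodDisruptionBudget for the SpiceDB pods: keep at least one pod available
# during voluntary disruptions such as node drains.
# With the default SPICEDB_REPLICAS of '1', minAvailable: 1 means the single
# pod can never be evicted voluntarily; raise the replica count where drains
# must be able to proceed.
- kind: PodDisruptionBudget
  apiVersion: policy/v1
  metadata:
    name: kessel-spicedb-pdb
  spec:
    minAvailable: 1
    selector:
      matchLabels:
        # The SpiceDBCluster in this template is named
        # `${CLOWDAPP_NAME}-spicedb`; the selector now tracks that name rather
        # than the literal default, so it keeps matching when CLOWDAPP_NAME is
        # overridden. Renders to `kessel-relations-spicedb-spicedb` with the
        # default parameter value.
        app.kubernetes.io/instance: ${CLOWDAPP_NAME}-spicedb-spicedb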
# Template parameters. Defaults are quoted so they stay strings in YAML;
# the objects above reference them as ${NAME} or ${{NAME}}.
parameters:
- name: CLOWDAPP_NAME
  description: Name of the ClowdApp
  value: kessel-relations
# No default: the target environment must be supplied at processing time.
- name: ENV_NAME
  description: ClowdEnvironment name (ephemeral, stage, prod)
  required: true
- name: RELATIONS_IMAGE
  description: App Image
  value: quay.io/redhat-services-prod/project-kessel-tenant/kessel-relations/relations-api
# NOTE(review): `required: true` is always satisfied because a default is
# present, and that default is the mutable `latest` tag, so an unset IMAGE_TAG
# deploys whatever image was pushed most recently. Prefer supplying an
# immutable tag for each deployment.
- name: IMAGE_TAG
  description: Image Tag
  required: true
  value: latest
- name: SPICEDB_REPLICAS
  description: Number of pods for spiceDB service
  value: '1'
- name: RELATIONS_REPLICAS
  description: Number of pods for relations service
  value: '1'
- name: SPICEDB_REQUESTS_MEMORY
  description: Memory request for SpiceDB
  value: '128Mi'
- name: SPICEDB_REQUESTS_CPU
  description: CPU request for SpiceDB
  value: '25m'
- name: SPICEDB_LIMITS_MEMORY
  description: Memory limit for SpiceDB
  value: '256Mi'
- name: SPICEDB_LIMITS_CPU
  description: CPU limit for SpiceDB
  value: '100m'
- name: RELATIONS_REQUESTS_MEMORY
  description: Memory request for relations service
  value: '512Mi'
- name: RELATIONS_REQUESTS_CPU
  description: CPU request for relations service
  value: '150m'
- name: RELATIONS_LIMITS_MEMORY
  description: Memory limit for relations service
  value: '1Gi'
- name: RELATIONS_LIMITS_CPU
  description: CPU limit for relations service
  value: '300m'
# The default carries its own unit suffix.
- name: SPICEDB_QUANTIZATION_INTERVAL
  description: SpiceDB quantization interval in seconds
  value: '5s'
- name: SPICEDB_QUANTIZATION_STALENESS_PERCENT
  description: SpiceDB quantization max staleness percent (float)
  value: '0.1'
# The two connection limits below feed the SpiceDB READ pool variables in the
# Deployment patch.
- name: SPICEDB_DATASTORE_MAX_CONN_OPEN
  description: Maximum number of open connections to datastore
  value: '20'
- name: SPICEDB_DATASTORE_MIN_CONN_OPEN
  description: Minimum number of open connections to datastore
  value: '20'
- name: SPICEDB_ENABLE_WATCHABLE_SCHEMA_CACHE
  description: >-
    Enable the experimental schema cache which makes use of the Watch API
    for automatic updates
  value: 'false'