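---
# OpenShift template for the auto-heal service: a "receiver" container behind
# an oauth-proxy sidecar, plus the RBAC, Secrets and Service it needs.
#
# The RBAC subjects and the proxy's access checks hard-code the namespaces
# "openshift-autoheal" and "openshift-monitoring". No object sets
# metadata.namespace, so everything namespaced lands wherever the template is
# instantiated; that has to be "openshift-autoheal" for the bindings and the
# proxy's access reviews to line up.
apiVersion: v1
kind: Template
metadata:
  name: autoheal-template
  annotations:
    description: "Auto-heal service"
    tags: "autoheal"

# CONFIG and SECRET are substituted straight into Secret `data` fields, so
# they must already be base64 encoded. Supplying SECRET with `-p` on the
# command line leaves it in shell history; `oc process --param-file` avoids
# that.
parameters:
  # Required: an empty value would render a Deployment with no image.
  - name: IMAGE
    description: The name of the image.
    required: true
  # Left optional so existing invocations that omit it keep working; an empty
  # value renders an empty `autoheal.yml` key.
  - name: CONFIG
    description: The BASE64 encoded content of the configuration file.
  # Required: an empty value would render an empty cookie-encryption secret
  # for the proxy.
  - name: SECRET
    description: The BASE64 encoded secret used to encrypt OAuth session cookies.
    required: true

objects:
  # Identity the pod runs as; also the OAuth client identity of the proxy
  # (see --openshift-service-account below).
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: autoheal
      labels:
        app: autoheal

  # Least-privilege read: `get` on the single Secret "autoheal-config" only.
  - apiVersion: authorization.openshift.io/v1
    kind: Role
    metadata:
      name: autoheal
      labels:
        app: autoheal
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        resourceNames:
          - autoheal-config
        verbs:
          - get

  # Permission used as the access gate for the proxy: whoever may `get` the
  # Secret named "autoheal-access-key" passes the proxy's access review.
  # This template does not create a Secret with that name.
  - apiVersion: authorization.openshift.io/v1
    kind: ClusterRole
    metadata:
      name: autoheal-access
      labels:
        app: autoheal
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        resourceNames:
          - autoheal-access-key
        verbs:
          - get

  # Binds the namespaced Role above to the autoheal service account.
  - apiVersion: authorization.openshift.io/v1
    kind: RoleBinding
    metadata:
      name: autoheal
      labels:
        app: autoheal
    roleRef:
      namespace: openshift-autoheal
      name: autoheal
    subjects:
      - kind: ServiceAccount
        namespace: openshift-autoheal
        name: autoheal

  # Grants the Alertmanager service account the gate permission. Because this
  # is a RoleBinding (not a ClusterRoleBinding), the ClusterRole applies only
  # inside the namespace this binding is created in.
  - apiVersion: authorization.openshift.io/v1
    kind: RoleBinding
    metadata:
      name: alertmanager-autoheal-access
      labels:
        app: autoheal
    roleRef:
      kind: ClusterRole
      name: autoheal-access
    subjects:
      - kind: ServiceAccount
        namespace: openshift-monitoring
        name: alertmanager-main

  # Cluster-scoped grant: system:auth-delegator lets the proxy submit token
  # reviews and subject access reviews for incoming requests. Creating this
  # object needs cluster-level privileges at instantiation time.
  - apiVersion: authorization.openshift.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: autoheal-auth-delegator
      labels:
        app: autoheal
    roleRef:
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
      - kind: ServiceAccount
        namespace: openshift-autoheal
        name: autoheal

  # Receiver configuration, mounted at /etc/autoheal/config.d.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: autoheal-config
      labels:
        app: autoheal
    data:
      autoheal.yml: ${CONFIG}

  # Key the proxy uses to encrypt OAuth session cookies. Labelled like every
  # other object here so label-based selection (app=autoheal) covers it too.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: autoheal-proxy-cookie
      labels:
        app: autoheal
    data:
      session_secret: ${SECRET}

  # NOTE(review): apps/v1beta1 is a deprecated group version and is no longer
  # served from Kubernetes 1.16 on; moving to apps/v1 should be checked
  # against the target cluster version before changing it here.
  - apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: autoheal
      labels:
        app: autoheal
    spec:
      selector:
        matchLabels:
          app: autoheal
      replicas: 1
      template:
        metadata:
          labels:
            app: autoheal
        spec:
          serviceAccountName: autoheal
          volumes:
            - name: config
              secret:
                secretName: autoheal-config
            # Filled in by the serving-cert annotation on the Service below.
            - name: proxy-tls
              secret:
                secretName: autoheal-proxy-tls
            - name: proxy-cookie
              secret:
                secretName: autoheal-proxy-cookie
          containers:
            # TLS-terminating, authorizing front end; the only container with
            # a declared port.
            # NOTE(review): the image is referenced by tag and pulled with
            # IfNotPresent, so a node keeps whatever it cached under that tag;
            # pin by digest if the exact image content matters.
            - name: proxy
              image: openshift/oauth-proxy:v1.1.0
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - mountPath: /etc/tls/private
                  name: proxy-tls
                - mountPath: /etc/proxy/secrets
                  name: proxy-cookie
              ports:
                - containerPort: 8443
                  name: public
              args:
                - --https-address=:8443
                - --provider=openshift
                - --openshift-service-account=autoheal
                # Plain HTTP to the receiver over the pod's loopback.
                # NOTE(review): the receiver's listen address is not set in
                # this template; confirm it binds to loopback only, otherwise
                # peers on the pod network can reach port 9099 directly
                # without passing the proxy's checks.
                - --upstream=http://localhost:9099
                - --tls-cert=/etc/tls/private/tls.crt
                # Any e-mail domain is accepted; access is decided by the two
                # access-review settings that follow, not by e-mail.
                - -email-domain=*
                # Logged-in users must be allowed to `get` the gate Secret.
                - '-openshift-sar={ "resource": "secrets", "verb": "get", "name": "autoheal-access-key", "namespace": "openshift-autoheal" }'
                # Bearer-token requests to any path ("/") get the same check.
                - '-openshift-delegate-urls={ "/": { "resource": "secrets", "verb": "get", "name": "autoheal-access-key", "namespace": "openshift-autoheal" } }'
                - -tls-key=/etc/tls/private/tls.key
                # The service account token doubles as the OAuth client secret.
                - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
                - -cookie-secret-file=/etc/proxy/secrets/session_secret
                - -openshift-ca=/etc/pki/tls/cert.pem
                - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            # The auto-heal server itself; declares no container port and is
            # not targeted by the Service.
            - name: receiver
              image: ${IMAGE}
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - name: config
                  mountPath: /etc/autoheal/config.d
              command:
                - /usr/bin/autoheal
              args:
                - server
                - --config-file=/etc/autoheal/config.d
                - --logtostderr

  # Exposes only the proxy: port 443 forwards to the proxy's 8443. The
  # annotation requests a serving certificate, stored in the Secret
  # "autoheal-proxy-tls" that the proxy container mounts.
  - apiVersion: v1
    kind: Service
    metadata:
      name: receiver
      labels:
        app: autoheal
      annotations:
        service.alpha.openshift.io/serving-cert-secret-name: autoheal-proxy-tls
    spec:
      selector:
        app: autoheal
      ports:
        - name: autoheal
          port: 443
          targetPort: 8443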