shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198
							---

apiVersion: v1
kind: Template
metadata:
  name: autoheal-template
  annotations:
    description: "Auto-heal service"
    tags: "autoheal"

parameters:
- name: IMAGE
  description: The name of the image.
- name: CONFIG
  description: The BASE64 encoded content of the configuration file.
- name: SECRET
  description: The BASE64 encoded secret used to encrypt OAuth session cookies.

objects:

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: autoheal
    labels:
      app: autoheal

- apiVersion: authorization.openshift.io/v1
  kind: Role
  metadata:
    name: autoheal
    labels:
      app: autoheal
  rules:
  - apiGroups:
    - ""
    resources:
    - secrets
    resourceNames:
    - autoheal-config
    verbs:
    - get

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRole
  metadata:
    name: autoheal-access
    labels:
      app: autoheal
  rules:
  - apiGroups:
    - ""
    resources:
    - secrets
    resourceNames:
    - autoheal-access-key
    verbs:
    - get

- apiVersion: authorization.openshift.io/v1
  kind: RoleBinding
  metadata:
    name: autoheal
    labels:
      app: autoheal
  roleRef:
    namespace: openshift-autoheal
    name: autoheal
  subjects:
  - kind: ServiceAccount
    namespace: openshift-autoheal
    name: autoheal

- apiVersion: authorization.openshift.io/v1
  kind: RoleBinding
  metadata:
    name: alertmanager-autoheal-access
    labels:
      app: autoheal
  roleRef:
    kind: ClusterRole
    name: autoheal-access
  subjects:
  - kind: ServiceAccount
    namespace: openshift-monitoring
    name: alertmanager-main

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: autoheal-auth-delegator
    labels:
      app: autoheal
  roleRef:
    kind: ClusterRole
    name: system:auth-delegator
  subjects:
  - kind: ServiceAccount
    namespace: openshift-autoheal
    name: autoheal

- apiVersion: v1
  kind: Secret
  metadata:
    name: autoheal-config
    labels:
      app: autoheal
  data:
    autoheal.yml: ${CONFIG}

- apiVersion: v1
  kind: Secret
  metadata:
    name: autoheal-proxy-cookie
  data:
    session_secret: ${SECRET}

- apiVersion: apps/v1beta1
  kind: Deployment
  metadata:
    name: autoheal
    labels:
      app: autoheal
  spec:
    selector:
      matchLabels:
        app: autoheal
    replicas: 1
    template:
      metadata:
        labels:
          app: autoheal
      spec:
        serviceAccountName: autoheal
        volumes:
        - name: config
          secret:
            secretName: autoheal-config
        - name: proxy-tls
          secret:
            secretName: autoheal-proxy-tls
        - name: proxy-cookie
          secret:
            secretName: autoheal-proxy-cookie
        containers:
        - name: proxy
          image: openshift/oauth-proxy:v1.1.0
          imagePullPolicy: IfNotPresent
          volumeMounts:
          - mountPath: /etc/tls/private
            name: proxy-tls
          - mountPath: /etc/proxy/secrets
            name: proxy-cookie
          ports:
          - containerPort: 8443
            name: public
          args:
          - --https-address=:8443
          - --provider=openshift
          - --openshift-service-account=autoheal
          - --upstream=http://localhost:9099
          - --tls-cert=/etc/tls/private/tls.crt
          - -email-domain=*
          - '-openshift-sar={ "resource": "secrets", "verb": "get", "name": "autoheal-access-key", "namespace": "openshift-autoheal" }'
          - '-openshift-delegate-urls={ "/": { "resource": "secrets", "verb": "get", "name": "autoheal-access-key", "namespace": "openshift-autoheal" } }'
          - -tls-key=/etc/tls/private/tls.key
          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
          - -cookie-secret-file=/etc/proxy/secrets/session_secret
          - -openshift-ca=/etc/pki/tls/cert.pem
          - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        - name: receiver
          image: ${IMAGE}
          imagePullPolicy: IfNotPresent
          volumeMounts:
          - name: config
            mountPath: /etc/autoheal/config.d
          command:
          - /usr/bin/autoheal
          args:
          - server
          - --config-file=/etc/autoheal/config.d
          - --logtostderr

- apiVersion: v1
  kind: Service
  metadata:
    name: receiver
    labels:
      app: autoheal
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: autoheal-proxy-tls
  spec:
    selector:
      app: autoheal
    ports:
    - name: autoheal
      port: 443
      targetPort: 8443