# uBlue-OS forge podman deployment
## ${VAR} placeholders are replaced by envsubst when this file is applied via forge.sh
## (substitution is plain text, so the values must themselves be YAML-safe)
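---
# Reverse-proxy pod: Traefik (edge router) plus a minica init container
# that presumably populates the shared /certs volume before Traefik starts.
apiVersion: v1
kind: Pod
metadata:
  name: ${FORGE_POD_NAME_REVERSE_PROXY}
  # Traefik discovers these labels through the podman socket. Values are
  # quoted so the YAML parser does not type them as bool/int; Kubernetes
  # label values must be strings.
  labels:
    traefik.enable: "true"
    # NOTE(review): the dashboard router answers on the plaintext `web`
    # entrypoint as well as `websecure`, and no auth middleware is attached
    # anywhere in this file. api@internal exposes the full routing config
    # (hosts, backends, middlewares); put a basicAuth/forwardAuth or
    # ipAllowList middleware in front of it and prefer `websecure` only.
    traefik.http.routers.traefik-dashboard.entrypoints: web,websecure
    traefik.http.routers.traefik-dashboard.rule: Host(`traefik.${FORGE_DOMAIN_NAME}`)
    # The router is bound to api@internal, so this server port is not what
    # serves the dashboard — presumably a leftover; confirm with forge.sh
    # before dropping it.
    traefik.http.services.traefik-dashboard.loadbalancer.server.port: "8080"
    traefik.http.routers.traefik-dashboard.service: api@internal
spec:
  securityContext:
    seLinuxOptions:
      # container_runtime_t is the container engine's own SELinux domain;
      # running Traefik in it effectively lifts SELinux confinement for this
      # pod (needed to connect to podman.sock). Together with the socket
      # mount below, a compromised Traefik is root-equivalent on the host.
      type: "container_runtime_t"
  restartPolicy: OnFailure
  volumes:
    - name: podman-socket
      hostPath:
        path: ${FORGE_PODMAN_SOCKET_PATH}
        type: Socket
    - name: ublue-os_forge-certs-pvc
      persistentVolumeClaim:
        claimName: ublue-os_forge-certs
  containers:
    - name: traefik.${FORGE_DOMAIN_NAME}
      image: traefik # will be built on pod start
      volumeMounts:
        # readOnly applies to the bind mount, not to the API behind the
        # socket: connect() and POST still work, so Traefik holds the full
        # podman API (create privileged containers, mount host paths, ...).
        # A socket proxy that only forwards GET would limit the blast radius.
        - mountPath: /var/run/podman.sock
          name: podman-socket
          readOnly: true
        # Writable because the minica init container shares this volume;
        # could be readOnly here if Traefik never writes into /certs
        # (its config is built on pod start and is not visible in this file).
        - mountPath: /certs
          name: ublue-os_forge-certs-pvc
      ports:
        - containerPort: 80
          hostPort: 80
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          protocol: TCP
        # NOTE(review): publishing 8080 on the host exposes Traefik's API
        # port directly, bypassing the routers and TLS above. If forge.sh
        # builds the image with api.insecure enabled this is the
        # unauthenticated dashboard on plain HTTP; drop this hostPort (the
        # router on 443 already serves the dashboard) or bind it to loopback.
        - containerPort: 8080
          hostPort: 8080
          protocol: TCP
  initContainers:
    - name: minica.${FORGE_DOMAIN_NAME}
      image: minica
      volumeMounts:
        - mountPath: /certs
          name: ublue-os_forge-certs-pvc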
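---
# Container registry pod. No hostPort: it is reachable only through the
# Traefik pod, which talks to it over HTTPS on 5000.
apiVersion: v1
kind: Pod
metadata:
  name: ${FORGE_POD_NAME_REGISTRY}
  # Quoted so label values stay strings rather than YAML bool/int.
  labels:
    traefik.enable: "true"
    # Lower-cased `entrypoints` to match the other routers in this file;
    # Traefik is understood to match label keys case-insensitively, so this
    # should be cosmetic — verify against the Traefik version in use.
    traefik.http.routers.registry.entrypoints: web,websecure
    traefik.http.services.registry.loadbalancer.server.port: "5000"
    traefik.http.services.registry.loadbalancer.server.scheme: https
    traefik.http.routers.registry.rule: Host(`registry.${FORGE_DOMAIN_NAME}`)
    # NOTE(review): the router also answers on the plaintext `web`
    # entrypoint and no auth middleware is attached here. Unless the registry
    # image built by forge.sh enforces its own authentication, anyone who can
    # reach host ports 80/443 can pull from and push to this registry.
spec:
  restartPolicy: OnFailure
  volumes:
    - name: ublue-os_forge-certs-pvc
      persistentVolumeClaim:
        claimName: ublue-os_forge-certs
    - name: ublue-os_forge-registry-pvc
      persistentVolumeClaim:
        claimName: ublue-os_forge-registry
  containers:
    - name: docker.${FORGE_DOMAIN_NAME}
      image: registry # will be built on pod start
      volumeMounts:
        # Only the `_.<domain>` subdirectory (presumably minica's wildcard
        # cert) is exposed, and read-only: the registry needs the key/cert to
        # serve TLS but has no reason to write into the shared cert volume.
        # Matches the readOnly mount the anvil pod already uses.
        - mountPath: /certs
          name: ublue-os_forge-certs-pvc
          subPath: _.${FORGE_DOMAIN_NAME}
          readOnly: true
        - mountPath: /var/lib/registry
          name: ublue-os_forge-registry-pvc
      ports:
        - containerPort: 5000
          protocol: TCP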
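---
# "anvil" pod: the service behind forge.<domain>, listening on 3000 and
# routed by Traefik. Judging by the container name it runs Ansible.
apiVersion: v1
kind: Pod
metadata:
  name: ${FORGE_POD_NAME_ANVIL}
  # Quoted so label values stay strings rather than YAML bool/int.
  labels:
    traefik.enable: "true"
    traefik.http.routers.forge.entrypoints: web,websecure
    traefik.http.routers.forge.rule: Host(`forge.${FORGE_DOMAIN_NAME}`)
    traefik.http.services.forge.loadbalancer.server.port: "3000"
spec:
  restartPolicy: OnFailure
  volumes:
    - name: ublue-os_forge-certs-pvc
      persistentVolumeClaim:
        claimName: ublue-os_forge-certs
    - name: ublue-os_forge-data-pvc
      persistentVolumeClaim:
        claimName: ublue-os_forge-data
  # Pin registry.<domain> to the host address from inside the pod —
  # presumably so image pulls reach the registry through Traefik's hostPort
  # instead of depending on external DNS.
  hostAliases:
    - ip: ${FORGE_HOST_IP_ADDRESS}
      hostnames:
        - registry.${FORGE_DOMAIN_NAME}
  containers:
    - name: ansible.${FORGE_DOMAIN_NAME}
      image: anvil # will be built on pod start
      volumeMounts:
        - mountPath: /certs
          name: ublue-os_forge-certs-pvc
          readOnly: true
        - mountPath: /data
          name: ublue-os_forge-data-pvc
      # Credentials are pulled from the ublue-os_forge-secure secret, never
      # written into this file. NOTE(review): env-var secrets are visible to
      # `podman inspect` and to every process in the container via
      # /proc/<pid>/environ; mounting the secret as a file would be the
      # tighter option if the anvil image can read it that way.
      env:
        - name: ANSIBLE_HOST_USER
          valueFrom:
            secretKeyRef:
              name: ublue-os_forge-secure
              key: ANSIBLE_HOST_USER
        # The become password grants privilege escalation on every managed
        # host — treat this pod as holding root for the fleet.
        - name: ANSIBLE_HOST_BECOME_PASSWORD
          valueFrom:
            secretKeyRef:
              name: ublue-os_forge-secure
              key: ANSIBLE_HOST_BECOME_PASSWORD
      ports:
        - containerPort: 3000
          protocol: TCP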