mgmt/chart/osa-suite/templates/backend-deployment.yaml
scott 81b898246f fix CA cert bundle init container to handle all cert extensions and newlines
Ensures each cert file ends with a newline before concatenation so PEM
markers never run together, and strips blank lines for libpq/OpenSSL
compatibility. Supports .crt, .pem, and .cert file extensions from the
configmap.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 14:27:28 -07:00


apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "osa-suite.backendName" . }}
labels:
app.kubernetes.io/component: backend
{{- include "osa-suite.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.backend.replicas }}
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/component: backend
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/component: backend
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.caCert.enabled }}
- name: bundle-ca-certs
image: busybox:1.37
command: ["sh", "-c", "for f in /certs/*.crt /certs/*.pem /certs/*.cert; do [ -f \"$f\" ] && cat \"$f\" && echo; done | sed '/^$/d' > /bundle/ca-bundle.crt"]
volumeMounts:
- name: ca-certs
mountPath: /certs
readOnly: true
- name: ca-bundle
mountPath: /bundle
{{- end }}
- name: migrate
image: {{ include "osa-suite.backendImage" . }}
imagePullPolicy: {{ eq .Values.backend.tag "latest" | ternary "Always" "IfNotPresent" }}
command: ["python", "migrate.py"]
env:
{{- if .Values.caCert.enabled }}
- name: REQUESTS_CA_BUNDLE
value: /etc/ssl/certs/custom-ca-bundle/ca-bundle.crt
- name: SSL_CERT_FILE
value: /etc/ssl/certs/custom-ca-bundle/ca-bundle.crt
{{- end }}
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret | default (printf "%s-secrets" (include "osa-suite.fullname" .)) }}
key: DATABASE_PASSWORD
- name: DATABASE_URL
value: {{ include "osa-suite.databaseURL" . | quote }}
envFrom:
- configMapRef:
name: {{ include "osa-suite.backendName" . }}-config
- secretRef:
name: {{ .Values.existingSecret | default (printf "%s-secrets" (include "osa-suite.fullname" .)) }}
{{- if .Values.caCert.enabled }}
volumeMounts:
- name: ca-bundle
mountPath: /etc/ssl/certs/custom-ca-bundle
readOnly: true
{{- end }}
containers:
- name: backend
image: {{ include "osa-suite.backendImage" . }}
imagePullPolicy: {{ eq .Values.backend.tag "latest" | ternary "Always" "IfNotPresent" }}
ports:
- containerPort: {{ .Values.backend.port }}
protocol: TCP
env:
{{- if .Values.caCert.enabled }}
- name: REQUESTS_CA_BUNDLE
value: /etc/ssl/certs/custom-ca-bundle/ca-bundle.crt
- name: SSL_CERT_FILE
value: /etc/ssl/certs/custom-ca-bundle/ca-bundle.crt
{{- end }}
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret | default (printf "%s-secrets" (include "osa-suite.fullname" .)) }}
key: DATABASE_PASSWORD
- name: DATABASE_URL
value: {{ include "osa-suite.databaseURL" . | quote }}
envFrom:
- configMapRef:
name: {{ include "osa-suite.backendName" . }}-config
- secretRef:
name: {{ .Values.existingSecret | default (printf "%s-secrets" (include "osa-suite.fullname" .)) }}
{{- if .Values.caCert.enabled }}
volumeMounts:
- name: ca-bundle
mountPath: /etc/ssl/certs/custom-ca-bundle
readOnly: true
{{- end }}
livenessProbe:
httpGet:
path: /api/auth/health
port: {{ .Values.backend.port }}
initialDelaySeconds: 10
periodSeconds: 30
failureThreshold: 3
readinessProbe:
httpGet:
path: /api/auth/ready
port: {{ .Values.backend.port }}
initialDelaySeconds: 5
periodSeconds: 10
resources:
{{- toYaml .Values.backend.resources | nindent 12 }}
{{- if .Values.caCert.enabled }}
volumes:
- name: ca-certs
configMap:
name: {{ .Values.caCert.configMapName }}
- name: ca-bundle
emptyDir: {}
{{- end }}
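Review bot: The bundle-ca-certs command on the `command:` line of the bundle-ca-certs init container never fails when nothing matches the globs, so a configmap whose keys do not end in .crt/.pem/.cert (or an empty configmap) yields an empty /bundle/ca-bundle.crt and the init container still reports success. The migrate and backend containers then set REQUESTS_CA_BUNDLE and SSL_CERT_FILE to that empty file, which replaces the trust store the backend would otherwise use, so every TLS connection fails with an opaque verification error instead of a clear deployment-time failure. Appending a non-empty check to the pipeline makes the misconfiguration fail fast in the init container: `command: ["sh", "-c", "for f in /certs/*.crt /certs/*.pem /certs/*.cert; do [ -f \"$f\" ] && cat \"$f\" && echo; done | sed '/^$/d' > /bundle/ca-bundle.crt && [ -s /bundle/ca-bundle.crt ]"]`. A follow-up worth considering, since this container runs whatever busybox:1.37 resolves to at pull time, is pinning the image by digest and giving the init container the same securityContext the project applies elsewhere, if any; neither is visible in this template.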