operator/k8s/operator.yaml - k8s-gerrit - Git at Google

 apiVersion: v1
 kind: Namespace
 metadata:
   name: gerrit-operator

 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: gerrit-operator
   namespace: gerrit-operator

 ## Required to use an external/persistent keystore, otherwise a keystore using
 ## self-signed certificates will be generated
 # ---
 # apiVersion: v1
 # kind: Secret
 # metadata:
 #   name:  gerrit-operator-ssl
 #   namespace: gerrit-operator
 # data:
 #   keystore.jks: # base64-encoded Java keystore
 #   keystore.password: # base64-encoded Java keystore password
 # type: Opaque

 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: gerrit-operator
   namespace: gerrit-operator
 spec:
   selector:
     matchLabels:
       app: gerrit-operator
   template:
     metadata:
       labels:
         app: gerrit-operator
     spec:
       serviceAccountName: gerrit-operator
       containers:
       - name: operator
         image: k8sgerrit/gerrit-operator
         imagePullPolicy: Always
         env:
         - name: NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
         ports:
         - containerPort: 80
         readinessProbe:
           httpGet:
             path: /health
             port: 8080
             scheme: HTTPS
           initialDelaySeconds: 1
         livenessProbe:
           httpGet:
             path: /health
             port: 8080
             scheme: HTTPS
           initialDelaySeconds: 30
       ## Only required, if an external/persistent keystore is being used.
       #   volumeMounts:
       #   - name: ssl
       #     readOnly: true
       #     mountPath: /operator
       # volumes:
       # - name: ssl
       #   secret:
       #     secretName: gerrit-operator-ssl

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: gerrit-operator-admin
 subjects:
 - kind: ServiceAccount
   name: gerrit-operator
   namespace: gerrit-operator
 roleRef:
   kind: ClusterRole
   name: gerrit-operator
   apiGroup: ""

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: gerrit-operator
 rules:
 - apiGroups:
   - "batch"
   resources:
   - cronjobs
   verbs:
   - '*'
 - apiGroups:
   - "apps"
   resources:
   - statefulsets
   - deployments
   verbs:
   - '*'
 - apiGroups:
   - ""
   resources:
   - configmaps
   - persistentvolumeclaims
   - secrets
   - services
   verbs:
   - '*'
 - apiGroups:
   - "storage.k8s.io"
   resources:
   - storageclasses
   verbs:
   - 'get'
   - 'list'
 - apiGroups:
   - "apiextensions.k8s.io"
   resources:
   - customresourcedefinitions
   verbs:
   - '*'
 - apiGroups:
   - "networking.k8s.io"
   resources:
   - ingresses
   verbs:
   - '*'
 - apiGroups:
   - "gerritoperator.google.com"
   resources:
   - '*'
   verbs:
   - '*'
 - apiGroups:
   - "networking.istio.io"
   resources:
   - "gateways"
   - "virtualservices"
   - "destinationrules"
   verbs:
   - '*'
	apiVersion: v1
	kind: Namespace
	metadata:
	name: gerrit-operator

	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: gerrit-operator
	namespace: gerrit-operator

	## Required to use an external/persistent keystore, otherwise a keystore using
	## self-signed certificates will be generated
	# ---
	# apiVersion: v1
	# kind: Secret
	# metadata:
	# name: gerrit-operator-ssl
	# namespace: gerrit-operator
	# data:
	# keystore.jks: # base64-encoded Java keystore
	# keystore.password: # base64-encoded Java keystore password
	# type: Opaque

	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: gerrit-operator
	namespace: gerrit-operator
	spec:
	selector:
	matchLabels:
	app: gerrit-operator
	template:
	metadata:
	labels:
	app: gerrit-operator
	spec:
	serviceAccountName: gerrit-operator
	containers:
	- name: operator
	image: k8sgerrit/gerrit-operator
	imagePullPolicy: Always
	env:
	- name: NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	ports:
	- containerPort: 80
	readinessProbe:
	httpGet:
	path: /health
	port: 8080
	scheme: HTTPS
	initialDelaySeconds: 1
	livenessProbe:
	httpGet:
	path: /health
	port: 8080
	scheme: HTTPS
	initialDelaySeconds: 30
	## Only required, if an external/persistent keystore is being used.
	# volumeMounts:
	# - name: ssl
	# readOnly: true
	# mountPath: /operator
	# volumes:
	# - name: ssl
	# secret:
	# secretName: gerrit-operator-ssl

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: gerrit-operator-admin
	subjects:
	- kind: ServiceAccount
	name: gerrit-operator
	namespace: gerrit-operator
	roleRef:
	kind: ClusterRole
	name: gerrit-operator
	apiGroup: ""

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: gerrit-operator
	rules:
	- apiGroups:
	- "batch"
	resources:
	- cronjobs
	verbs:
	- '*'
	- apiGroups:
	- "apps"
	resources:
	- statefulsets
	- deployments
	verbs:
	- '*'
	- apiGroups:
	- ""
	resources:
	- configmaps
	- persistentvolumeclaims
	- secrets
	- services
	verbs:
	- '*'
	- apiGroups:
	- "storage.k8s.io"
	resources:
	- storageclasses
	verbs:
	- 'get'
	- 'list'
	- apiGroups:
	- "apiextensions.k8s.io"
	resources:
	- customresourcedefinitions
	verbs:
	- '*'
	- apiGroups:
	- "networking.k8s.io"
	resources:
	- ingresses
	verbs:
	- '*'
	- apiGroups:
	- "gerritoperator.google.com"
	resources:
	- '*'
	verbs:
	- '*'
	- apiGroups:
	- "networking.istio.io"
	resources:
	- "gateways"
	- "virtualservices"
	- "destinationrules"
	verbs:
	- '*'