-
Notifications
You must be signed in to change notification settings - Fork 11
/
broker.yaml
109 lines (109 loc) · 7.02 KB
/
broker.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# Broker runs under a service account to inherit roles.
apiVersion: v1
kind: ServiceAccount
metadata:
name: couchbase-service-broker
---
# Broker requires its role to be bound to its service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: couchbase-service-broker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: couchbase-service-broker
subjects:
- kind: ServiceAccount
name: couchbase-service-broker
namespace: default
---
# Broker requires TLS support to enable end-to-end encryption.
# This protects any sensitive parameters communicated to and from
# the API. It also uses bearer tokens or basic auth to protect
# the API from malicious use.
apiVersion: v1
kind: Secret
metadata:
name: couchbase-service-broker
data:
username: dXNlcm5hbWU=
password: cGFzc3dvcmQ=
token: VDBwNWVDcjNU
tls-certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURyVENDQXBXZ0F3SUJBZ0lSQUtseDNybHN1KzA2bzZtbGxWSkV5NWN3RFFZSktvWklodmNOQVFFTEJRQXcKSmpFa01DSUdBMVVFQXd3YlEyOTFZMmhpWVhObElGTmxjblpwWTJVZ1FuSnZhMlZ5SUVOQk1CNFhEVEU1TURNeApPREV3TlRNMU1Gb1hEVEl5TURNd01qRXdOVE0xTUZvd0l6RWhNQjhHQTFVRUF3d1lZMjkxWTJoaVlYTmxMWE5sCmNuWnBZMlV0WW5KdmEyVnlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTFpbTgKZmNqY1cvb3dTMDdyRmVOVFhHYUxXRFhnMzdkYXA5L0RQcjk4M1J1V0k5SE5XbmVFSnk4VE9NNElab1N4YmVsSgprbTVleGF6eGt1RHpjTW8ranFyZFRFdzNEcFNzR3QzN3Voc2ErWVM2TUNjM28rV0xvQXhhSnNwdCtTdGFkNjU3CjIwTnB5bTY3RXBzUC9EdzhJZ1RVTzlJcXRKdjM5ekl2dWhBZ3RQSHY2SVp6enF0aVdPNDg1N2lrQVdLMkVwQlgKZXR5Qnh0TEZ2Y2FGWW13RjJtVXZsbnhJditHekdBaTVDT3JwZmM4S1hDT0V2TVlVMTVmZUNkdkhjMG84RitzcQpzdkU2SUxKeFBsVGp1YnZPanNhNkgxbzh0NXYxUXVqeDRML3pqc0laZ2JDNXJCT1UyeEdKT1ZGWnBhU2NZb21GCmN3RU0xRFA0MjVpQ3IzOW05d0lEQVFBQm80SFlNSUhWTUFrR0ExVWRFd1FDTUFBd0hRWURWUjBPQkJZRUZOUEYKMkYrY2Q3NjNUMTNSclAza2paQTlLSUw4TUZZR0ExVWRJd1JQTUUyQUZQL2ZtQTV0MnNGVW90OEpjRjY1RGRrZwpGbHJob1Nxa0tEQW1NU1F3SWdZRFZRUUREQnREYjNWamFHSmhjMlVnVTJWeWRtbGpaU0JDY205clpYSWdRMEdDCkNRQ0l2UXNmcHhKb2hqQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBVEFMQmdOVkhROEVCQU1DQmFBd0x3WUQKVlIwUkJDZ3dKb0lrWTI5MVkyaGlZWE5sTFhObGNuWnBZMlV0WW5KdmEyVnlMbVJsWm1GMWJIUXVjM1pqTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQkFRQXNVU3lNWldYcjJHOURBY2tseUdqZFBLTm8yM1B5cHFnTzVSTjcxeWdHCmREOVRVRzdFaTM5WFVDajU4aWI2anVRZGthNzBKVU9zTWtLU2N3bS9mU2NVUG1zMEJKRTBKbjBOZ3E3RDhrbC8KYWRwdE8wVk0xQzNKR3cvQ3orRGtqeHQ2MndUMjNXako5TkNObEJTcjdOZFNyMXdYZGtsTEhkZTNSTS9EM3FQYwpFM3ZuSWJQZzlScy8veXNZWFBXYzRtSU11eUNrUjMvSnpxNGZnQmZ6cW8vRmxEdGJDZm1uUlNDbVdjaXZTSVVPCmRvcy92M3R6RTlsMVptMDUyUXVBTmxReFJocHFRQzRNajkzQXVMVWxSR2ZwcC9PRTVoR0FFUkptcGVZdTRtNSsKQXdZeW85M1VqM1paSVBWZEpjSXY3Mi9OUXpQeFUyM2paL1lpd1VzSTNiNmkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls-private-key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRFdLYng5eU54YitqQkwKVHVzVjQxTmNab3RZTmVEZnQxcW4zOE0rdjN6ZEc1WWowYzFhZDRRbkx4TTR6Z2htaExGdDZVbVNibDdGclBHUwo0UE53eWo2T3F0MU1URGNPbEt3YTNmdTZHeHI1aExvd0p6ZWo1WXVnREZvbXltMzVLMXAzcm52YlEybkticnNTCm13LzhQRHdpQk5RNzBpcTBtL2YzTWkrNkVDQzA4ZS9vaG5QT3EySlk3anpudUtRQllyWVNrRmQ2M0lIRzBzVzkKeG9WaWJBWGFaUytXZkVpLzRiTVlDTGtJNnVsOXp3cGNJNFM4eGhUWGw5NEoyOGR6U2p3WDZ5cXk4VG9nc25FKwpWT081dTg2T3hyb2ZXankzbS9WQzZQSGd2L09Pd2htQnNMbXNFNVRiRVlrNVVWbWxwSnhpaVlWekFRelVNL2piCm1JS3ZmMmIzQWdNQkFBRUNnZ0VBUEg5RHVNQ1J4d1d3dU1WTlVUeUxJdEh3MFBVL1ZkTUVyK0ZjMVEvZ3BORVQKSTRFem9qZWF4RHJmRWkvWlhhUmtQcWtrMkZHSFFnM3RtOUVoMDUyOStDMDZJRUJ6V1JJVVgrNlBHbTVudTA2TQpEZWcySm4xRWFPeTBWcnJlUUFISUo0REppaEhNQTV3dUNqNTFVSXB2YmlpeEQwajZPVlRKd2pHU0c5eE1jUEJXClQ1UEN1TkFXZzVpa3dKU0tPcXYxTXkvVnByOFdOZU5GN3drTmZCMzZlLzUrMlBBcURLdGlXZXh2dzJrOTg2Z2gKMjFRUlBET01vK0d3cmFkNElZK3J0ZzhvQko0TUxOWm9tVWdPanNTRDdxMGlrQ25IeHZDZ3hMcGVBNGxHUHdFOApUU1dsckQ2NGxMZVg4WkRzOHoyNzhJUnZkYnp4bTVHdzQvcmE5cjlqWVFLQmdRRC9JU0pJdWVpbVZLQXVxMnMyCndRTVFWSk1XVi9SS0JUdEdOMVdyMEpyYUQxRUhrUjd4MFpyODdVLzA1NXg5VVNzbEYyWkg5ZWVmc3BCTDloU0sKSktaMzNMQloxV2htQUY3Qk9wSUVJRWFFeG9QZ1lKUTVqWWM1UDR2THNYZGdubmZYbWdFSStLWm5EVzBHV1VQTwpQcjg4L0lsa1kxSUZseEs4QnNXMGxKOGprUUtCZ1FEVzVORUlid2lGTy9KMERJV3lMb1RZeXljMkVObm9Bb0lVCnN0dGY0VG0rclF0Wm1rUUJzays5dG5pL0N5QSsxVmVWdkpNakJuQ1lhZ3FKTWVGTGJON24xNjdWTHRDMXhtK2cKenR3T2djRjRzc3lJcXJSQ0JGMjVLTjBsVkNVdzJoYmFwU2p3RElzVDVheHBhbG1KYUl2QUJwOXQ3ZXgyT3VLegpWRDFCTnp1T0J3S0JnQm8wQWZ4c002dlpwellEM3hnWmpNSUJuYlcreE5WUllqd2M5TXlYdVQvS01PMVJCMWVZCnlvMU5wbGVsN2htazI0U011YkdNWFFTMjUwRVYvaGdPR1piWDhMalpSVWFzcFE2OWdEK3lQT3ZvSTZWSTVoQmYKSzlOQ1pvNCtKTitraHZSNjJiNWRJMklVSysxcC81L1FLLzRNaGVQc200RDllaXdibWZTcEN3c3hBb0dCQUl0SQp1Q3dOTzZxUDFuQmRoWEtlTUVFTVBCZ1JDQXdYUkJVQ2NLcE9vMHp4Z0QvTmUzTFdEbFZhcGh5OXEyTE9pUHhtCnc3K1o5dlR6Rm0waVJYTEwyQmJSZDJKNSs1RTJVemdabkF4VEVnR1hjbmJLbmhlRUdQTmdoeVlneWhKRjZUWkMKZ3F4RWxRaUtmeHU4Y05oZFNPZG40NEl2Q21yL2M5emtKdWZVVXVlVkFvR0JBTmVUdUdPbkM5dXc0RnZYOE1NOQpjejQyUHlkQTFWQjM0QWpFTVpKejMzeTZQb25KZGJUdmNQT2xBZ2Nzd3NXWVdXSE51UjRwSWNLcVBuVDVuR0RXCkxJb2FoYk13WDgyK1VFMVBCUk1tL09rNkxBQ0x2SjYxU3BLM3l6dzhxUGNla09ZaGJpTXBNWk1PVkhXbVVCVXcKOUFrOFlhdUlhb0MrcGErMnBBSnlEQ2FUCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
---
# Main Broker deployment. This is reentrant so should be able to be scaled
# horizontally for HA.
apiVersion: apps/v1
kind: Deployment
metadata:
name: couchbase-service-broker
spec:
replicas: 1
selector:
matchLabels:
app: couchbase-service-broker
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: couchbase-service-broker
spec:
containers:
- args:
- -logtostderr
- -v
- "0"
# This may be either 'basic' (for username/password), or token (for bearer token)
# If you change this, then you also need to update the authentication type defined
# in clusterservicebroker.yaml
- -authentication=basic
- -token=/var/run/secrets/couchbase-service-broker/token
- -username=/var/run/secrets/couchbase-service-broker/username
- -password=/var/run/secrets/couchbase-service-broker/password
- -tls-certificate=/var/run/secrets/couchbase-service-broker/tls-certificate
- -tls-private-key=/var/run/secrets/couchbase-service-broker/tls-private-key
env:
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: couchbase/service-broker:latest
imagePullPolicy: IfNotPresent
name: couchbase-service-broker
ports:
- containerPort: 8443
name: https
readinessProbe:
failureThreshold: 20
httpGet:
path: /readyz
scheme: HTTPS
port: https
initialDelaySeconds: 3
periodSeconds: 10
volumeMounts:
- mountPath: /var/run/secrets/couchbase-service-broker
name: couchbase-service-broker
readOnly: true
serviceAccountName: couchbase-service-broker
volumes:
- name: couchbase-service-broker
secret:
secretName: couchbase-service-broker
---
# The Broker is exposed to the Service Catalog with a Service.
apiVersion: v1
kind: Service
metadata:
name: couchbase-service-broker
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
app: couchbase-service-broker