{{- /*
Deployment for the oCIS "storage-users" service (the container runs
"ocis storage-users server").

Resources: the "set" below stores the container resources on the scope so
"toYaml .resources" can be used further down. Precedence is
services.storageusers.resources, then the chart-wide .Values.resources, then
an empty dict.

All credentials (S3 keys, machine-auth API key, JWT secret, transfer secret)
are referenced from Kubernetes Secrets via secretKeyRef; none are rendered
into this manifest as plain values.
*/ -}}
{{- include "ocis.appNames" (dict "scope" . "appName" "appNameStorageUsers" "appNameSuffix" "") -}}
{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.storageusers.resources) -}}
apiVersion: apps/v1
kind: Deployment
{{ include "ocis.metadata" . }}
spec:
  {{- include "ocis.selector" . | nindent 2 }}
  # a fixed replica count is only rendered when autoscaling is disabled and
  # replicas is set; otherwise the field is left out of this manifest
  {{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }}
  replicas: {{ .Values.replicas }}
  {{- end }}
  {{- include "ocis.deploymentStrategy" . | nindent 2 }}
  template:
    {{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" false) | nindent 4 }}
    spec:
      {{- include "ocis.serviceAccount" . | nindent 6 }}
      {{- include "ocis.affinity" .Values.services.storageusers | nindent 6 }}
      {{- include "ocis.securityContextAndtopologySpreadConstraints" . | nindent 6 }}
      # Optional one-shot chown of the data volume. Rendered only when
      # persistence.enabled AND persistence.chownInitContainer are both set.
      # It deliberately runs as root (runAsNonRoot: false, runAsUser: 0)
      # because a recursive chown of the volume needs it; nothing else in the
      # pod runs this way.
      # NOTE(review): the busybox image has no tag or digest, so it floats
      # with upstream - pinning it (tag or sha256 digest) is worth considering.
      {{- if and $.Values.services.storageusers.persistence.enabled $.Values.services.storageusers.persistence.chownInitContainer }}
      initContainers:
        - name: init-chown-data
          image: busybox
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
          # re-own the data path to the uid:gid the ocis container runs as
          command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/ocis"]
          volumeMounts:
            - name: storage-users-data
              mountPath: /var/lib/ocis
      {{ end }}
      containers:
        - name: {{ .appName }}
          image: {{ template "ocis.image" $ }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["ocis"]
          args: ["storage-users", "server"]
          {{- include "ocis.containerSecurityContext" . | nindent 10 }}
          env:
            # service registry backed by the Kubernetes API
            - name: MICRO_REGISTRY
              value: kubernetes
            # logging
            - name: STORAGE_USERS_LOG_COLOR
              value: {{ .Values.logging.color | quote }}
            - name: STORAGE_USERS_LOG_LEVEL
              value: {{ .Values.logging.level | quote }}
            - name: STORAGE_USERS_LOG_PRETTY
              value: {{ .Values.logging.pretty | quote }}
            # tracing; endpoint and collector are passed through from values as-is
            - name: STORAGE_USERS_TRACING_ENABLED
              value: "{{ .Values.tracing.enabled }}"
            - name: STORAGE_USERS_TRACING_TYPE
              value: {{ .Values.tracing.type | quote }}
            - name: STORAGE_USERS_TRACING_ENDPOINT
              value: {{ .Values.tracing.endpoint | quote }}
            - name: STORAGE_USERS_TRACING_COLLECTOR
              value: {{ .Values.tracing.collector | quote }}
            # pprof profiling, toggled by debug.profiling in values; keep it off
            # in production unless you are actively profiling
            - name: STORAGE_USERS_DEBUG_PPROF
              value: {{ .Values.debug.profiling | quote }}
            # bind config
            # every listener binds 0.0.0.0 (all pod interfaces); who can reach
            # these ports is decided by the Service and any NetworkPolicy, not here
            - name: STORAGE_USERS_GRPC_ADDR
              value: 0.0.0.0:9157
            - name: STORAGE_USERS_DEBUG_ADDR
              value: 0.0.0.0:9159
            # external availability data gateway
            - name: STORAGE_USERS_HTTP_ADDR
              value: 0.0.0.0:9158
            # plain http to the in-cluster service name; confidentiality relies
            # on the cluster network
            - name: STORAGE_USERS_DATA_SERVER_URL
              value: "http://{{ .appName }}:9158/data"
            - name: STORAGE_USERS_PERMISSION_ENDPOINT
              value: {{ .appNameSettings }}:9191
            # oCIS storage driver (decomposed filesystem)
            {{- if eq .Values.services.storageusers.storageBackend.driver "ocis" }}
            - name: STORAGE_USERS_DRIVER
              value: ocis
            - name: STORAGE_USERS_OCIS_METADATA_BACKEND
              value: {{ .Values.services.storageusers.storageBackend.driverConfig.ocis.metadataBackend | quote }}
            {{- end }}
            # S3ng storage driver (decomposed filesystem)
            # access key and secret key come from the Secret named by
            # secretRefs.s3CredentialsSecretRef (keys accessKey / secretKey),
            # never from values
            {{- if eq .Values.services.storageusers.storageBackend.driver "s3ng" }}
            - name: STORAGE_USERS_DRIVER
              value: s3ng
            - name: STORAGE_USERS_S3NG_METADATA_BACKEND
              value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.metadataBackend | quote }}
            - name: STORAGE_USERS_S3NG_ENDPOINT
              value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.endpoint | quote }}
            - name: STORAGE_USERS_S3NG_REGION
              value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.region | quote }}
            - name: STORAGE_USERS_S3NG_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secretRefs.s3CredentialsSecretRef }}
                  key: accessKey
            - name: STORAGE_USERS_S3NG_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secretRefs.s3CredentialsSecretRef }}
                  key: secretKey
            - name: STORAGE_USERS_S3NG_BUCKET
              value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.bucket | quote }}
            {{- end }}
            # events
            # the chart's own nats service by default; with
            # messagingSystem.external.enabled the external endpoint, cluster and
            # TLS settings are rendered instead
            - name: STORAGE_USERS_EVENTS_ENDPOINT
              {{- if not .Values.messagingSystem.external.enabled }}
              value: {{ .appNameNats }}:9233
              {{- else }}
              value: {{ .Values.messagingSystem.external.endpoint | quote }}
            - name: STORAGE_USERS_EVENTS_CLUSTER
              value: {{ .Values.messagingSystem.external.cluster | quote }}
            - name: STORAGE_USERS_EVENTS_ENABLE_TLS
              value: {{ .Values.messagingSystem.external.tls.enabled | quote }}
            # NOTE(review): TLS_INSECURE presumably relaxes certificate
            # verification towards the messaging system - confirm against the
            # ocis docs and keep it false outside test setups
            - name: STORAGE_USERS_EVENTS_TLS_INSECURE
              value: {{ .Values.messagingSystem.external.tls.insecure | quote }}
            - name: STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE
              {{- if not .Values.messagingSystem.external.tls.certTrusted }}
              # CA file from the messaging-system-ca Secret volume mounted read-only below
              value: /etc/ocis/messaging-system-ca/messaging-system-ca.crt
              {{- else }}
              value: "" # no cert needed
              {{- end }}
            {{- end }}
            # Duration in seconds after which uploads will expire.
            - name: STORAGE_USERS_UPLOAD_EXPIRATION
              value: {{ .Values.services.storageusers.maintenance.cleanUpExpiredUploads.uploadExpiration | quote }}
            # Settings for how old trash bin items should be deleted
            - name: STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE
              value: {{ .Values.services.storageusers.maintenance.purgeExpiredTrashBinItems.personalDeleteBefore | quote}}
            - name: STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE
              value: {{ .Values.services.storageusers.maintenance.purgeExpiredTrashBinItems.projectDeleteBefore | quote }}
            # User ID to use for purging trash bin items
            - name: STORAGE_USERS_PURGE_TRASH_BIN_USER_ID
              value: {{ .Values.services.storageusers.maintenance.purgeExpiredTrashBinItems.purgeTrashBinUserID | quote}}
            # machine-auth key (and, below, JWT secret and transfer secret) are
            # read from Secrets via secretKeyRef, so they never appear in the manifest
            - name: OCIS_MACHINE_AUTH_API_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
                  key: machine-auth-api-key
            - name: OCIS_REVA_GATEWAY
              value: {{ .appNameGateway }}:9142
            # cache
            - name: STORAGE_USERS_FILEMETADATA_CACHE_STORE
              value: {{ .Values.cache.type | quote }}
            # cache nodes are only meaningful for a real (non-noop) store
            {{- if ne .Values.cache.type "noop" }}
            - name: STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES
              value: {{ join "," .Values.cache.nodes | quote }}
            {{- end }}
            # the stat cache is disabled for now for performance reasons, see https://github.com/owncloud/ocis-charts/issues/214
            - name: STORAGE_USERS_STAT_CACHE_STORE
              value: noop
            # storage provider id, read from the storage-users ConfigMap (key storage-uuid)
            - name: STORAGE_USERS_MOUNT_ID
              valueFrom:
                configMapKeyRef:
                  name: {{ include "config.storageUsers" . }}
                  key: storage-uuid
            - name: STORAGE_USERS_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "secrets.jwtSecret" . }}
                  key: jwt-secret
            - name: OCIS_TRANSFER_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "secrets.transferSecret" . }}
                  key: transfer-secret
            # optional quota cap; omitted entirely when features.quotas.max is unset or zero
            {{- if .Values.features.quotas.max }}
            - name: STORAGE_USERS_OCIS_MAX_QUOTA
              value: {{ .Values.features.quotas.max | quote }}
            {{- end }}
            # hard-coded on; not exposed through values
            - name: OCIS_ASYNC_UPLOADS
              value: "true"
            # plain http to the frontend's in-cluster service name
            - name: STORAGE_USERS_DATA_GATEWAY_URL
              value: "http://{{ .appNameFrontend }}:9140/data/"
          {{- include "ocis.livenessProbe" . | nindent 10 }}
          resources: {{ toYaml .resources | nindent 12 }}
          # container ports must match the *_ADDR bind ports in env above
          ports:
            - name: grpc
              containerPort: 9157
            - name: http
              containerPort: 9158
            - name: metrics-debug
              containerPort: 9159
          volumeMounts:
            - name: tmp-volume
              mountPath: /tmp
            - name: ocis-config-tmp
              mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path
            # CA for the external messaging system; read-only, and only backed by
            # a Secret when one is actually needed (see volumes below)
            - name: messaging-system-ca
              mountPath: /etc/ocis/messaging-system-ca
              readOnly: true
            - name: storage-users-data
              mountPath: /var/lib/ocis
      {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
      volumes:
        - name: tmp-volume
          emptyDir: {}
        - name: ocis-config-tmp
          emptyDir: {}
        # a Secret only when external messaging is enabled and its certificate is
        # not already trusted; otherwise an emptyDir so the mount still resolves
        - name: messaging-system-ca
          {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }}
          secret:
            secretName: {{ include "secrets.messagingSystemCASecret" . }}
          {{ else }}
          emptyDir: {}
          {{ end }}
        # PVC when persistence is enabled; otherwise an emptyDir, so the data
        # is lost when the pod goes away
        - name: storage-users-data
          {{ if .Values.services.storageusers.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ .appName }}-data
          {{ else }}
          emptyDir: {}
          {{ end }}