From 1fd5003b61966454f39f0744bcf38dd66135384a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 25 Feb 2018 23:23:32 +0100
Subject: TLS hack
---
 templates/default/kubernetes/sfive-deploy.yml.j2 | 32 +++++++++++++++++++-----
 1 file changed, 26 insertions(+), 6 deletions(-)
(limited to 'templates/default/kubernetes/sfive-deploy.yml.j2')
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 68d907f..5b02eb0 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -40,6 +40,16 @@ spec:
 volumeMounts:
 - name: hub-data
 mountPath: /srv/data
+ - name: copy-certificates
+ image: busybox
+ command: ['sh', '-c', 'chmod 0750 /srv/acme && cp /var/lib/acme/live/{{ deploy.worker.flags['stream-hostname'] }}/* /srv/acme && chown -R 998 /srv/acme']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: proxy-cert
+ mountPath: /srv/acme
+ - name: acme-lib
+ mountPath: /var/lib/acme
 {% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
 - name: prepare-onion-lib
 image: busybox
@@ -76,6 +86,8 @@ spec:
 mountPath: /srv
 - name: proxy-config
 mountPath: /srv/config
+ - name: proxy-cert
+ mountPath: /srv/acme
 {% if 'stream-onion' in deploy.worker.flags %}
 - name: proxy-onion
 image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
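Review bot: In the copy-certificates init container (first hunk), `{{ deploy.worker.flags['stream-hostname'] }}` is rendered straight into the `sh -c` string, so a value containing whitespace, a quote or a shell metacharacter changes the command that runs as uid 0 with the host's /var/lib/acme mounted. Passing the hostname through the container's `env` and expanding it inside double quotes keeps it a single path argument, as sketched below; the variable name is only an example. The image is also the untagged `busybox`, so the root step runs whatever that tag resolves to at pull time, and pinning a tag or digest would make it reproducible. The initContainers list this entry belongs to starts outside the hunk.

```yaml
- name: copy-certificates
  image: busybox
  env:
    - name: STREAM_HOSTNAME
      value: "{{ deploy.worker.flags['stream-hostname'] }}"
  command: ['sh', '-c', 'chmod 0750 /srv/acme && cp "/var/lib/acme/live/${STREAM_HOSTNAME}"/* /srv/acme && chown -R 998 /srv/acme']
  # … unchanged: securityContext, volumeMounts …
```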
@@ -118,18 +130,26 @@ spec:
 - name: home
 emptyDir:
 medium: Memory
+ - name: hub-data
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/lib/sfive/{{ desc.globals.name }}
 {% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
- - name: onion-lib
- emptyDir:
- medium: Memory
 - name: onion-config
 configMap:
 name: onion-service-{{ deploy.worker.flags.stream }}
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
 {% endif %}
 - name: proxy-config
 configMap:
 name: sfive-{{ deploy.worker.name }}
- - name: hub-data
+ - name: proxy-cert
+ emptyDir:
+ medium: Memory
+ - name: acme-lib
 hostPath:
- type: DirectoryOrCreate
- path: /var/lib/sfive/{{ desc.globals.name }}
+ type: Directory
+ path: /var/lib/acme
+ readOnly: yes
--
cgit v1.2.3
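Review bot: `readOnly: yes` at the end of the acme-lib volume most likely has no effect where it sits: a Kubernetes hostPath volume source takes only `path` and `type`, so the key is either rejected by validation or dropped, and the host's /var/lib/acme stays writable from the root init container added in the first hunk. Read-only is set per mount, so it belongs on that container's volumeMounts entry, i.e. `readOnly: true` next to `mountPath: /var/lib/acme`. The proxy-cert mount in the proxy container (second hunk) can probably take the same flag, assuming the proxy only reads the copied files, which is not visible here. `true` is also preferable to `yes`, which only YAML 1.1 parsers read as a boolean. The original indentation is lost in this view and the volumes list starts outside the hunk, so the exact nesting of the key should be checked against the file.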