Ops: Adjust deployment manifests for environment

k8s/api/deployment.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       initContainers:
         - name: migrate
-          image: reactbin-api:latest
+          image: git.juggalol.com/juggalol/reactbin-api:v1.0.0
           command: ["alembic", "upgrade", "head"]
           workingDir: /app
           envFrom:

k8s/ingress.yaml

@@ -1,4 +1,3 @@
-# Replace <your-domain> with the real domain before applying
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -11,10 +10,10 @@ spec:
   ingressClassName: nginx
   tls:
     - hosts:
-        - <your-domain>
+        - reactbin.juggalol.com
       secretName: reactbin-tls
   rules:
-    - host: <your-domain>
+    - host: reactbin.juggalol.com
       http:
         paths:
           # /api/ must appear before / — nginx evaluates paths in declaration order

k8s/minio/statefulset.yaml

@@ -1,4 +1,3 @@
-# Replace 'latest' with the real image tag before applying
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:

k8s/vault/api-secret.yaml

@@ -4,8 +4,8 @@ metadata:
   name: api-secret
   namespace: reactbin
 spec:
-  vaultAuthRef: reactbin-auth
+  vaultAuthRef: reactbin-vault-auth
-  mount: secret
+  mount: kv
   type: kv-v2
   # Required Vault keys at this path:
   #   DATABASE_URL, JWT_SECRET_KEY, OWNER_USERNAME, OWNER_PASSWORD,

k8s/vault/minio-secret.yaml

@@ -4,8 +4,8 @@ metadata:
   name: minio-secret
   namespace: reactbin
 spec:
-  vaultAuthRef: reactbin-auth
+  vaultAuthRef: reactbin-vault-auth
-  mount: secret
+  mount: kv
   type: kv-v2
   # Required Vault keys at this path:
   #   MINIO_ROOT_USER, MINIO_ROOT_PASSWORD

k8s/vault/vault-auth.yaml

@@ -1,7 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vso-reactbin
+  namespace: reactbin
+---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
-  name: reactbin-auth
+  name: reactbin-vault-auth
   namespace: reactbin
 spec:
   method: kubernetes
@@ -10,7 +16,7 @@ spec:
     # The operator must create this role in Vault and bind it to the
     # default service account in the reactbin namespace with read access
     # to both reactbin/api/config and reactbin/minio/credentials.
-    role: reactbin
+    role: vso-reactbin
-    serviceAccount: default
+    serviceAccount: vso-reactbin
     audiences:
-      - https://kubernetes.default.svc
+      - vault