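{{- if .Values.backend.enabled -}}
# Tower backend Deployment. Rendered only when backend.enabled is true.
#
# Every platform credential is read from the single Secret named by
# config.existingSecret so they can be rotated together. Entries without
# `optional: true` (GitLab, Gitea, ArgoCD) are required: if the key is
# missing the pod will not start. Entries marked `optional: true` may be
# absent and the backend degrades as described next to each one.
#
# Templated scalars are passed through `quote` so an empty, numeric-looking
# or otherwise ambiguous value never renders as a bare YAML scalar of the
# wrong type.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tower-backend
  labels:
    {{- include "tower.labels" . | nindent 4 }}
    odoosky.io/role: backend
spec:
  # NOTE(review): with persistence enabled the pod writes a single file under
  # /var/lib/tower on one PVC. Whether more than one replica can safely share
  # that claim depends on its access mode and on the backend's file handling,
  # neither of which is visible here — confirm before setting replicas > 1.
  replicas: {{ .Values.backend.replicas }}
  selector:
    matchLabels:
      app.kubernetes.io/name: tower
      odoosky.io/role: backend
  template:
    metadata:
      labels:
        {{- include "tower.labels" . | nindent 8 }}
        odoosky.io/role: backend
    spec:
      serviceAccountName: tower
      {{- with .Values.backend.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # NOTE(review): no pod- or container-level securityContext is set, so the
      # container runs with whatever user and capabilities the image defaults
      # to. Consider runAsNonRoot, allowPrivilegeEscalation: false and dropping
      # all capabilities once it is confirmed the image does not need them.
      containers:
        - name: tower
          image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
          imagePullPolicy: {{ .Values.backend.image.pullPolicy | quote }}
          ports:
            - name: http
              containerPort: 8080
          env:
            # Listen address must match containerPort and the probe port below.
            - name: TOWER_LISTEN_ADDR
              value: ":8080"
            - name: TOWER_VERSION
              value: {{ .Values.backend.image.tag | quote }}
            # Gitea / Git hosting.
            - name: TOWER_GITEA_URL
              value: {{ .Values.config.giteaURL | quote }}
            - name: TOWER_GITEA_ORG
              value: {{ .Values.config.giteaOrg | quote }}
            - name: TOWER_CHART_REPO
              value: {{ .Values.config.chartRepo | quote }}
            - name: TOWER_GIT_HOST
              value: {{ .Values.config.gitHost | quote }}
            # GitLab.
            - name: TOWER_GITLAB_URL
              value: {{ .Values.config.gitLabURL | quote }}
            - name: TOWER_GITLAB_GROUP
              value: {{ .Values.config.gitLabGroup | quote }}
            # Required: the pod fails to start if this key is missing.
            - name: TOWER_GITLAB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: GITLAB_TOKEN
            # ArgoCD.
            - name: TOWER_ARGOCD_URL
              value: {{ .Values.config.argoCDURL | quote }}
            - name: TOWER_ARGOCD_USERNAME
              value: {{ .Values.config.argoCDUsername | quote }}
            - name: TOWER_ARGOCD_DESTINATION
              value: {{ .Values.config.argoCDDestination | quote }}
            - name: TOWER_ARGOCD_PROJECT
              value: {{ .Values.config.argoCDProject | quote }}
            - name: TOWER_ARGOCD_NAMESPACE
              value: {{ .Values.config.argoCDNamespace | quote }}
            - name: TOWER_TENANT_NAMESPACE
              value: {{ .Values.config.tenantNamespace | quote }}
            # Required: the pod fails to start if this key is missing.
            - name: TOWER_GITEA_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: GITEA_TOKEN
            # Required: the pod fails to start if this key is missing.
            - name: TOWER_ARGOCD_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: ARGOCD_PASSWORD
            # Cloudflare creds for per-tenant DNS automation. Optional —
            # if absent, deploys to the in-cluster destination still
            # work (wildcard A handles them); deploys to non-default
            # servers fail fast with a clear error.
            - name: TOWER_CLOUDFLARE_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: CLOUDFLARE_TOKEN
                  optional: true
            - name: TOWER_CLOUDFLARE_ZONE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: CLOUDFLARE_ZONE_ID
                  optional: true
            # OpenBao token — scoped read-only on v3/data/*. Used to
            # fetch S3 creds at request time for the backup list +
            # restore-by-key endpoints. Optional: missing token =
            # backup-list endpoint returns runs without S3 file
            # listings (degrades gracefully).
            #
            # The address is overridable via the optional chart value
            # config.vaultAddr; when it is unset the previous hard-coded
            # address is used, so existing deployments render unchanged.
            - name: TOWER_VAULT_ADDR
              value: {{ .Values.config.vaultAddr | default "https://vault.odoosky.org" | quote }}
            - name: TOWER_VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: VAULT_TOKEN
                  optional: true
            # OpStore persistence — when the PVC is mounted, point
            # the backend at a JSON file inside it. With this set, the
            # bell + Activity history survive Tower-backend rollouts.
            # When persistence is disabled, this stays empty and the
            # store runs purely in-memory.
            {{- if .Values.backend.persistence.enabled }}
            - name: TOWER_OPS_PERSIST_PATH
              value: "/var/lib/tower/operations.db"
            {{- end }}
            # Docker-mirror credentials threaded into Connect's
            # ApplyConnectSecrets so every customer cluster gets a
            # docker-mirror-pull Secret automatically. Phase H —
            # without these, every connected cluster wedged on
            # addon-build with "secret docker-mirror-pull not found".
            #
            # Read from the same existingSecret as the rest of the
            # platform credentials so they're rotated together.
            - name: TOWER_DOCKER_MIRROR_REGISTRY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: DOCKER_MIRROR_REGISTRY
                  optional: true
            - name: TOWER_DOCKER_MIRROR_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: DOCKER_MIRROR_USERNAME
                  optional: true
            - name: TOWER_DOCKER_MIRROR_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret | quote }}
                  key: DOCKER_MIRROR_PASSWORD
                  optional: true
          # Both probes hit the same endpoint on the listen port.
          # NOTE(review): if /healthz also checks downstream dependencies
          # (Gitea, GitLab, ArgoCD, OpenBao), an outage there will fail the
          # liveness probe and restart the pod — confirm what /healthz checks.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
          resources:
            {{- toYaml .Values.backend.resources | nindent 12 }}
          {{- if .Values.backend.persistence.enabled }}
          # Mount point for the OpStore file referenced by TOWER_OPS_PERSIST_PATH.
          volumeMounts:
            - name: tower-data
              mountPath: /var/lib/tower
          {{- end }}
      {{- if .Values.backend.persistence.enabled }}
      # The PVC itself is expected to be defined elsewhere in the chart under
      # the fixed name tower-data.
      volumes:
        - name: tower-data
          persistentVolumeClaim:
            claimName: tower-data
      {{- end }}
{{- end }}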