fdo/rendezvous-server.yml at main · suse-edge/fdo · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: fdo
    fdo-service: rendezvous
  name: rendezvous-server-svc
spec:
  ports:
    - protocol: TCP
      port: 9002
      targetPort: 9002
  selector:
    app: fdo
    fdo-service: rendezvous
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rendezvous-server-ingress
  labels:
    app: fdo
    fdo-service: rendezvous
spec:
  ingressClassName: nginx
  rules:
    - host: rendezvous-192.168.122.70.sslip.io
      http:
        paths:
          - backend:
              service:
                name: rendezvous-server-svc
                port:
                  number: 9002
            path: /
            pathType: Prefix
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rendezvous-server
  labels:
    app: fdo
    fdo-service: rendezvous
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fdo
      fdo-service: rendezvous
  template:
    metadata:
      annotations:
      labels:
        app: fdo
        fdo-service: rendezvous
      name: rendezvous-server
    spec:
      containers:
        - image: quay.io/fido-fdo/rendezvous-server:latest
          name: rendezvous-server
          ports:
            - containerPort: 9002
          volumeMounts:
            - name: rendezvous-server-config
              mountPath: /etc/fdo/rendezvous-server.conf.d/
              readOnly: true
            - name: manufacturer-cert
              mountPath: /etc/fdo/keys/manufacturer_cert.pem
              subPath: manufacturer_cert.pem
              readOnly: true
            - name: registered
              mountPath: /etc/fdo/registered
            - name: sessions
              mountPath: /etc/fdo/sessions
          # securityContext:
          #   allowPrivilegeEscalation: false
          #   capabilities:
          #     drop: ["ALL"]
      volumes:
        - name: rendezvous-server-config
          configMap:
            name: rendezvous-server-config
        - name: manufacturer-cert
          secret:
            secretName: manufacturer-cert-pem
        - name: sessions
          emptyDir: {}
        - name: registered
          emptyDir: {}
      # securityContext:
      #   runAsNonRoot: true
      #   seccompProfile:
      #     type: RuntimeDefault
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rendezvous-server-config
  labels:
    app: fdo
    fdo-service: rendezvous
data:
  rendezvous-server.yml: |+
    ---
    storage_driver:
      Directory:
        path: /etc/fdo/registered
    session_store_driver:
      Directory:
        path: /etc/fdo/sessions
    trusted_manufacturer_keys_path: /etc/fdo/keys/manufacturer_cert.pem
    # trusted_device_keys_path: /etc/fdo/keys/device_ca_cert.pem
    max_wait_seconds: ~
    bind: "0.0.0.0:9002"