apiVersion: v1 kind: Namespace metadata: annotations: description: | The namespace under which {{name}} stuff runs. name: {{name}} --- apiVersion: v1 kind: ServiceAccount metadata: annotations: description: | This defines the service account as which legion pods run. name: {{name}} namespace: {{name}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: description: | A role that has pod management permissions, allowing the {{name}} service to self-manage itself. namespace: {{name}} name: peer-discovery rules: - apiGroups: [""] resources: ["pods"] verbs: ["list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: description: | Bind legion pods to peer-discovery roles. name: {{name}} namespace: {{name}} subjects: - kind: ServiceAccount name: {{name}} roleRef: kind: Role name: peer-discovery apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: Service metadata: annotations: description: | This is a headless service required by the {{name}} StatefulSet that causes pods to be exposed via DNS records. name: {{name}} namespace: {{name}} spec: selector: app: {{name}} type: ClusterIP clusterIP: None --- apiVersion: apps/v1 kind: StatefulSet metadata: annotations: description: | {{name}} deployment. name: {{name}} namespace: {{name}} labels: app: {{name}} spec: replicas: 1 selector: matchLabels: app: {{name}} updateStrategy: type: RollingUpdate serviceName: {{name}} template: metadata: annotations: description: | Pod of the {{name}} service. name: {{name}} namespace: {{name}} labels: app: {{name}} spec: containers: - name: {{name}}-container image: {{image}} imagePullPolicy: Always readinessProbe: tcpSocket: port: 5289 livenessProbe: tcpSocket: port: 5289 env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: LOG_LEVEL value: DEBUG - name: DOMAIN value: {{name}}.{{name}}.svc.cluster.local serviceAccountName: {{name}} terminationGracePeriodSeconds: 1200