apiVersion: v1 kind: Namespace metadata: annotations: app.broker/app: xfce-desktop cnrm.cloud.google.com/project-id: code-server-gcp-solutions labels: app.kubernetes.io/managed-by: pod-broker name: xfce-desktop --- apiVersion: v1 kind: ServiceAccount metadata: annotations: app.broker/app: xfce-desktop iam.gke.io/gcp-service-account: broker-user@code-server-gcp-solutions.iam.gserviceaccount.com labels: app.kubernetes.io/managed-by: pod-broker name: xfce-desktop namespace: xfce-desktop --- apiVersion: v1 kind: Service metadata: annotations: app.broker/app: xfce-desktop labels: app.kubernetes.io/managed-by: pod-broker name: xfce-desktop namespace: xfce-desktop spec: clusterIP: None --- apiVersion: apps/v1 kind: Deployment metadata: annotations: app.broker/app: xfce-desktop labels: app.kubernetes.io/managed-by: pod-broker name: xfce-desktop namespace: xfce-desktop spec: replicas: 2 selector: matchLabels: app: xfce-desktop app.kubernetes.io/managed-by: pod-broker template: metadata: annotations: app.broker/app: xfce-desktop labels: app: xfce-desktop app.kubernetes.io/managed-by: pod-broker spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: app.broker/initialized operator: In values: - "true" weight: 100 automountServiceAccountToken: false containers: - env: - name: VDI_USER value: xfce-desktop - name: LD_LIBRARY_PATH value: /usr/local/nvidia/lib64:/usr/local/nvidia/lib32 - name: PULSE_SERVER value: 127.0.0.1:4713 image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-desktop:latest name: desktop resources: limits: {} requests: cpu: 500m securityContext: privileged: false runAsGroup: 1000 runAsUser: 1000 volumeMounts: - mountPath: /tmp/.X11-unix name: x11 - mountPath: /var/run/appconfig name: config - mountPath: /dev/shm name: dshm - args: - -ec - | echo "Waiting for host X server at ${DISPLAY}" until [[ -e /var/run/appconfig/xserver_ready ]]; do sleep 1; done echo "Host X server is ready" exec /usr/bin/python3 /opt/app/xserver_watchdog.py --on_timeout=/opt/app/watchdog.sh command: - /bin/bash env: - name: DISPLAY value: :0 - name: BROKER_COOKIE value: broker_xfce-desktop= - name: BROKER_ENDPOINT value: https://test.domain/broker - name: BROKER_HOST value: test.domain - name: IN_CLUSTER value: "true" - name: CLIENT_ID value: test.clientid - name: POD_USER value: xfce-desktop - name: APP_NAME value: xfce-desktop - name: WATCHDOG_TIMEOUT value: "3600" image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-gst-webrtc-app:latest imagePullPolicy: IfNotPresent name: watchdog volumeMounts: - mountPath: /tmp/.X11-unix name: x11 - mountPath: /var/run/appconfig name: config - image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-pulseaudio:latest imagePullPolicy: IfNotPresent name: pulseaudio ports: - containerPort: 4713 name: pulseaudio protocol: TCP - env: - name: VDI_USER value: xfce-desktop - name: X11_DRIVER value: xdummy - name: X11_DRIVER value: xdummy image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-xserver:latest imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - sh - -c - kill $(pidof Xorg tail bash) name: xserver resources: limits: {} requests: {} securityContext: privileged: false volumeMounts: - mountPath: /tmp/.X11-unix name: x11 - mountPath: /var/run/appconfig name: config - env: - name: GST_DEBUG value: '*:2' - name: LD_LIBRARY_PATH value: /usr/local/nvidia/lib64:/usr/local/nvidia/cuda/lib64:/usr/local/nvidia/lib32 - name: DISPLAY value: :0 - name: PULSE_SERVER value: 127.0.0.1:4713 - name: SIGNALLING_SERVER value: ws://127.0.0.1:8080 - name: COTURN_AUTH_HEADER_NAME value: x-goog-authenticated-user-email - name: COTURN_WEB_URI value: http://turn.pod-broker-system.svc.cluster.local/ - name: APP_AUTO_INIT value: "true" - name: ENABLE_AUDIO value: "false" - name: WEBRTC_ENCODER value: vp8enc image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-gst-webrtc-app:latest imagePullPolicy: IfNotPresent name: webrtc resources: limits: {} requests: {} securityContext: privileged: false tty: true volumeMounts: - mountPath: /tmp/.X11-unix name: x11 - mountPath: /var/run/appconfig name: config - image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-signaling:latest imagePullPolicy: IfNotPresent name: signalling ports: - containerPort: 8080 name: signalling readinessProbe: tcpSocket: port: signalling - args: - -exc - | sed -i \ -e 's/listen.*80;/listen 8082;/g' \ /etc/nginx/conf.d/default.conf exec nginx -g 'daemon off;' command: - /bin/sh image: gcr.io/disla-goog-dev/webrtc-gpu-streaming-gst-web:latest imagePullPolicy: IfNotPresent name: web ports: - containerPort: 8082 name: web readinessProbe: httpGet: path: / port: web enableServiceLinks: false initContainers: [] nodeSelector: app.broker/tier: tier1 cloud.google.com/gke-nodepool: tier1 serviceAccount: xfce-desktop terminationGracePeriodSeconds: 5 tolerations: - effect: NoSchedule key: app.broker/tier operator: Exists - effect: NoSchedule key: app.broker/node-init operator: Exists volumes: - emptyDir: medium: Memory sizeLimit: 10Mi name: x11 - emptyDir: medium: Memory sizeLimit: 10Mi name: config - emptyDir: medium: Memory sizeLimit: 1Gi name: dshm --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: annotations: app.broker/app: xfce-desktop cnrm.cloud.google.com/deletion-policy: abandon labels: app.kubernetes.io/managed-by: pod-broker name: xfce-desktop-wi namespace: xfce-desktop spec: member: serviceAccount:code-server-gcp-solutions.svc.id.goog[xfce-desktop/xfce-desktop] resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 external: projects/code-server-gcp-solutions/serviceAccounts/broker-user@code-server-gcp-solutions.iam.gserviceaccount.com kind: IAMServiceAccount role: roles/iam.workloadIdentityUser --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: annotations: app.broker/app: xfce-desktop labels: app.kubernetes.io/managed-by: pod-broker name: deny-all namespace: xfce-desktop spec: ingress: - from: - namespaceSelector: matchLabels: install.operator.istio.io/owner-kind: IstioControlPlane podSelector: {} policyTypes: - Ingress