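---
# Pixelfed web tier (Deployment, 2 replicas).
#
# NOTE(review): maxUnavailable: 0 + maxSurge: 1 with two replicas means both
# pods (and the surge pod) mount app-storage, cache-storage and env-storage at
# the same time, possibly on different nodes. Those PVCs therefore need an RWX
# (ReadWriteMany) access mode — confirm against the StorageClass; an RWO volume
# would leave the second replica stuck in ContainerCreating.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pixelfed-web
  namespace: pixelfed-application
  labels:
    app: pixelfed
    component: web
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  selector:
    matchLabels:
      app: pixelfed
      component: web
  template:
    metadata:
      labels:
        app: pixelfed
        component: web
    spec:
      # Nothing in this pod talks to the Kubernetes API, so do not project a
      # service-account token into it; a leaked token is a common pivot from a
      # compromised web container to the cluster.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 1000  # pixelfed user in Docker image
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
        # Pod-level default; the containers below repeat it so per-container
        # policy checkers see it as well.
        seccompProfile:
          type: RuntimeDefault
      imagePullSecrets:
        - name: harbor-pull-secret
      initContainers:
        # Seeds .env on the env PVC from the ConfigMap exactly once. Because an
        # existing file is preserved, later edits to the ConfigMap are NOT
        # propagated — delete the file on the PVC (or the PVC) to re-seed.
        - name: setup-env
          # NOTE(review): the reference has no registry host ("/library/…"),
          # which looks like a stripped templating placeholder — restore it.
          # Prefer pinning by digest (…@sha256:…) over a mutable tag: with
          # imagePullPolicy: Always a re-pushed v0.12.6 would be pulled silently.
          image: /library/pixelfed-web:v0.12.6
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # The PVC is mounted as a directory here (no subPath) on purpose:
              # a subPath that does not yet exist on an empty PVC is created by
              # the kubelet as a *directory*, so the old "-f" check would pass
              # and cp would write .env/config instead of .env.
              ENV_DIR=/env-store
              if [ -d "$ENV_DIR/.env" ]; then
                echo "ERROR: $ENV_DIR/.env is a directory (stale subPath mount?); remove it and retry" >&2
                exit 1
              fi
              if [ ! -f "$ENV_DIR/.env" ]; then
                echo "No .env file found, copying ConfigMap content..."
                cp /tmp/env-config/config "$ENV_DIR/.env"
                # .env carries application configuration; keep it owner/group
                # readable only (uid/gid 1000 via runAsUser/fsGroup).
                chmod 0640 "$ENV_DIR/.env"
                echo "Environment file created successfully"
              else
                echo "Found existing .env file, preserving it"
              fi
              echo "Init container completed successfully"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Only what the script touches is mounted; the storage and cache PVCs
          # are not needed here and are left out to shrink the writable surface.
          volumeMounts:
            - name: env-config-source
              mountPath: /tmp/env-config
              readOnly: true
            - name: pixelfed-env-writable
              mountPath: /env-store
      containers:
        - name: pixelfed-web
          # NOTE(review): same missing-registry-host / digest-pinning remark as
          # the init container; keep both references identical.
          image: /library/pixelfed-web:v0.12.6
          imagePullPolicy: Always
          ports:
            # NOTE(review): binding 80/443 as uid 1000 with every capability
            # dropped only works if the kernel allows unprivileged low ports
            # (net.ipv4.ip_unprivileged_port_start) or the image actually
            # listens higher — otherwise add NET_BIND_SERVICE or move to
            # 8080/8443 and let the Service map the ports.
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          # All three probes hit the public instance endpoint on the plain
          # HTTP port; the startup probe allows 12 x 5 s = 60 s for boot before
          # liveness failures count.
          livenessProbe:
            httpGet:
              path: /api/v1/instance
              port: http
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/v1/instance
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          startupProbe:
            httpGet:
              path: /api/v1/instance
              port: http
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 12
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): readOnlyRootFilesystem: true is the next hardening
            # step; it needs emptyDir mounts for whatever the web server/PHP
            # write at runtime (/tmp, /var/run, session dir) — verify with the
            # image before enabling.
          volumeMounts:
            # NOTE(review): could be readOnly: true unless the image entrypoint
            # rewrites .env (e.g. artisan key:generate) — confirm, then tighten.
            - name: pixelfed-env-writable
              mountPath: /var/www/pixelfed/.env
              subPath: .env
            - name: app-storage
              mountPath: /var/www/pixelfed/storage
            - name: cache-storage
              mountPath: /var/www/pixelfed/bootstrap/cache
            - name: php-config
              mountPath: /usr/local/etc/php/conf.d/99-pixelfed-uploads.ini
              subPath: php.ini
              readOnly: true
            # subPath mounts of a Secret are NOT refreshed when the Secret is
            # rotated; pods must be restarted to pick up a renewed cert/key.
            - name: tls
              mountPath: /etc/ssl/certs/tls.crt
              subPath: tls.crt
              readOnly: true
            - name: tls
              mountPath: /etc/ssl/private/tls.key
              subPath: tls.key
              readOnly: true
          resources:
            requests:
              cpu: 500m  # 0.5 CPU core
              memory: 1Gi  # 1GB RAM
            limits:
              cpu: 2000m  # 2 CPU cores (medium+ requirement)
              memory: 4Gi  # 4GB RAM (medium+ requirement)
      volumes:
        - name: app-storage
          persistentVolumeClaim:
            claimName: pixelfed-app-storage
        - name: cache-storage
          persistentVolumeClaim:
            claimName: pixelfed-cache-storage
        # NOTE(review): a Pixelfed/Laravel .env normally carries APP_KEY and the
        # DB/Redis/SMTP credentials. If this ConfigMap does, it belongs in a
        # Secret (ConfigMaps are readable by anyone with namespace read), and
        # the copy persisted on the PVC inherits the PVC's access controls.
        - name: env-config-source
          configMap:
            name: pixelfed-config
            items:
              - key: config
                path: config
        - name: pixelfed-env-writable
          persistentVolumeClaim:
            claimName: pixelfed-env-storage
        - name: php-config
          configMap:
            name: pixelfed-php-config
        # One Secret volume for both TLS items; 0440 (with fsGroup 1000) keeps
        # the private key readable only by the pixelfed uid/gid instead of the
        # world-readable 0644 default.
        - name: tls
          secret:
            secretName: pixelfed-internal-tls-secret
            defaultMode: 0440
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
      # Node affinity to distribute across nodes
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            # Prefer different nodes for web pods (spread web across nodes)
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values: ["pixelfed"]
                    - key: component
                      operator: In
                      values: ["web"]
                topologyKey: kubernetes.io/hostname
            # Prefer to avoid worker pods (existing rule)
            - weight: 50
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values: ["pixelfed"]
                    - key: component
                      operator: In
                      values: ["worker"]
                topologyKey: kubernetes.io/hostname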