Michael DiLeo
7327d77dcd
Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
195 lines
5.6 KiB
YAML
195 lines
5.6 KiB
YAML
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: pixelfed-web
|
|
namespace: pixelfed-application
|
|
labels:
|
|
app: pixelfed
|
|
component: web
|
|
spec:
|
|
replicas: 2
|
|
strategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxUnavailable: 0
|
|
maxSurge: 1
|
|
selector:
|
|
matchLabels:
|
|
app: pixelfed
|
|
component: web
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: pixelfed
|
|
component: web
|
|
spec:
|
|
securityContext:
|
|
runAsUser: 1000 # pixelfed user in Docker image
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
runAsNonRoot: true
|
|
imagePullSecrets:
|
|
- name: harbor-pull-secret
|
|
initContainers:
|
|
- name: setup-env
|
|
image: <YOUR_REGISTRY_URL>/library/pixelfed-web:v0.12.6
|
|
imagePullPolicy: Always
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -e
|
|
|
|
# Simple approach: only copy .env if it doesn't exist
|
|
if [ ! -f /var/www/pixelfed/.env ]; then
|
|
echo "No .env file found, copying ConfigMap content..."
|
|
cp /tmp/env-config/config /var/www/pixelfed/.env
|
|
echo "Environment file created successfully"
|
|
else
|
|
echo "Found existing .env file, preserving it"
|
|
fi
|
|
|
|
echo "Init container completed successfully"
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
volumeMounts:
|
|
- name: env-config-source
|
|
mountPath: /tmp/env-config
|
|
- name: pixelfed-env-writable
|
|
mountPath: /var/www/pixelfed/.env
|
|
subPath: .env
|
|
- name: app-storage
|
|
mountPath: /var/www/pixelfed/storage
|
|
- name: cache-storage
|
|
mountPath: /var/www/pixelfed/bootstrap/cache
|
|
|
|
containers:
|
|
- name: pixelfed-web
|
|
image: <YOUR_REGISTRY_URL>/library/pixelfed-web:v0.12.6
|
|
imagePullPolicy: Always
|
|
ports:
|
|
- name: http
|
|
containerPort: 80
|
|
protocol: TCP
|
|
- name: https
|
|
containerPort: 443
|
|
protocol: TCP
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /api/v1/instance
|
|
port: http
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 30
|
|
timeoutSeconds: 10
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /api/v1/instance
|
|
port: http
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
startupProbe:
|
|
httpGet:
|
|
path: /api/v1/instance
|
|
port: http
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 5
|
|
timeoutSeconds: 5
|
|
failureThreshold: 12
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
volumeMounts:
|
|
- name: pixelfed-env-writable
|
|
mountPath: /var/www/pixelfed/.env
|
|
subPath: .env
|
|
- name: app-storage
|
|
mountPath: /var/www/pixelfed/storage
|
|
- name: cache-storage
|
|
mountPath: /var/www/pixelfed/bootstrap/cache
|
|
- name: php-config
|
|
mountPath: /usr/local/etc/php/conf.d/99-pixelfed-uploads.ini
|
|
subPath: php.ini
|
|
- name: tls-cert
|
|
mountPath: /etc/ssl/certs/tls.crt
|
|
subPath: tls.crt
|
|
readOnly: true
|
|
- name: tls-key
|
|
mountPath: /etc/ssl/private/tls.key
|
|
subPath: tls.key
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
cpu: 500m # 0.5 CPU core
|
|
memory: 1Gi # 1GB RAM
|
|
limits:
|
|
cpu: 2000m # 2 CPU cores (medium+ requirement)
|
|
memory: 4Gi # 4GB RAM (medium+ requirement)
|
|
volumes:
|
|
- name: app-storage
|
|
persistentVolumeClaim:
|
|
claimName: pixelfed-app-storage
|
|
- name: cache-storage
|
|
persistentVolumeClaim:
|
|
claimName: pixelfed-cache-storage
|
|
- name: env-config-source
|
|
configMap:
|
|
name: pixelfed-config
|
|
items:
|
|
- key: config
|
|
path: config
|
|
- name: pixelfed-env-writable
|
|
persistentVolumeClaim:
|
|
claimName: pixelfed-env-storage
|
|
- name: php-config
|
|
configMap:
|
|
name: pixelfed-php-config
|
|
- name: tls-cert
|
|
secret:
|
|
secretName: pixelfed-internal-tls-secret
|
|
items:
|
|
- key: tls.crt
|
|
path: tls.crt
|
|
- name: tls-key
|
|
secret:
|
|
secretName: pixelfed-internal-tls-secret
|
|
items:
|
|
- key: tls.key
|
|
path: tls.key
|
|
# Node affinity to distribute across nodes
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
# Prefer different nodes for web pods (spread web across nodes)
|
|
- weight: 100
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values: ["pixelfed"]
|
|
- key: component
|
|
operator: In
|
|
values: ["web"]
|
|
topologyKey: kubernetes.io/hostname
|
|
# Prefer to avoid worker pods (existing rule)
|
|
- weight: 50
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values: ["pixelfed"]
|
|
- key: component
|
|
operator: In
|
|
values: ["worker"]
|
|
topologyKey: kubernetes.io/hostname |