Align fc-ttsreader with hardened runtime
This commit is contained in:
Andrew Stoltz
@@ -5,7 +5,7 @@ kind: Namespace
|
|||||||
metadata:
|
metadata:
|
||||||
name: fc-ttsreader
|
name: fc-ttsreader
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/part-of: bluejay-infra
|
app.kubernetes.io/part-of: flowercore
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@@ -13,48 +13,91 @@ metadata:
|
|||||||
name: ttsreader-web
|
name: ttsreader-web
|
||||||
namespace: fc-ttsreader
|
namespace: fc-ttsreader
|
||||||
labels:
|
labels:
|
||||||
app: ttsreader-web
|
app.kubernetes.io/name: ttsreader-web
|
||||||
|
app.kubernetes.io/part-of: flowercore
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: ttsreader-web
|
app.kubernetes.io/name: ttsreader-web
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: ttsreader-web
|
app.kubernetes.io/name: ttsreader-web
|
||||||
|
app.kubernetes.io/part-of: flowercore
|
||||||
|
annotations:
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/port: "5217"
|
||||||
|
prometheus.io/path: "/metrics"
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1654
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
containers:
|
containers:
|
||||||
- name: ttsreader-web
|
- name: web
|
||||||
image: localhost/fc-ttsreader-web:v202604132015
|
image: localhost/fc-ttsreader-web:v202604162001
|
||||||
imagePullPolicy: Never
|
imagePullPolicy: Never
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8080
|
- containerPort: 5217
|
||||||
name: http
|
name: http
|
||||||
env:
|
env:
|
||||||
- name: ASPNETCORE_ENVIRONMENT
|
|
||||||
value: Production
|
|
||||||
- name: ASPNETCORE_URLS
|
- name: ASPNETCORE_URLS
|
||||||
value: "http://+:8080"
|
value: "http://+:5217"
|
||||||
|
- name: ASPNETCORE_ENVIRONMENT
|
||||||
|
value: "Production"
|
||||||
|
- name: FlowerCore__Database__ConnectionStrings__Sqlite
|
||||||
|
value: "Data Source=/data/ttsreader.db"
|
||||||
|
- name: TtsReader__Audio__OutputRoot
|
||||||
|
value: "/data/audio"
|
||||||
|
- name: TtsReader__Jobs__Root
|
||||||
|
value: "/data/jobs"
|
||||||
|
- name: TtsReader__Runtime__LogsRoot
|
||||||
|
value: "/data/logs"
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: ttsreader-secrets
|
||||||
|
optional: true
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
memory: "128Mi"
|
cpu: 100m
|
||||||
cpu: "100m"
|
memory: 256Mi
|
||||||
limits:
|
limits:
|
||||||
memory: "512Mi"
|
cpu: 500m
|
||||||
cpu: "500m"
|
memory: 512Mi
|
||||||
livenessProbe:
|
volumeMounts:
|
||||||
httpGet:
|
- name: data
|
||||||
path: /metrics/prometheus
|
mountPath: /data
|
||||||
port: 8080
|
- name: tmp
|
||||||
initialDelaySeconds: 10
|
mountPath: /tmp
|
||||||
periodSeconds: 30
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1654
|
||||||
|
runAsGroup: 1654
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /metrics/prometheus
|
path: /health
|
||||||
port: 8080
|
port: 5217
|
||||||
initialDelaySeconds: 5
|
initialDelaySeconds: 5
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: 5217
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 30
|
||||||
|
volumes:
|
||||||
|
- name: data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: ttsreader-data
|
||||||
|
- name: tmp
|
||||||
|
emptyDir: {}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
@@ -63,19 +106,32 @@ metadata:
|
|||||||
namespace: fc-ttsreader
|
namespace: fc-ttsreader
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: ttsreader-web
|
app.kubernetes.io/name: ttsreader-web
|
||||||
ports:
|
ports:
|
||||||
- port: 80
|
- port: 5217
|
||||||
targetPort: 8080
|
targetPort: 5217
|
||||||
name: http
|
name: http
|
||||||
---
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: ttsreader-data
|
||||||
|
namespace: fc-ttsreader
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
storageClassName: longhorn
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 5Gi
|
||||||
|
---
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: ttsreader-web-tls
|
name: ttsreader-cert
|
||||||
namespace: fc-ttsreader
|
namespace: fc-ttsreader
|
||||||
spec:
|
spec:
|
||||||
secretName: ttsreader-web-tls
|
secretName: ttsreader-tls
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: step-ca-acme
|
name: step-ca-acme
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
@@ -95,6 +151,6 @@ spec:
|
|||||||
kind: Rule
|
kind: Rule
|
||||||
services:
|
services:
|
||||||
- name: ttsreader-web
|
- name: ttsreader-web
|
||||||
port: 80
|
port: 5217
|
||||||
tls:
|
tls:
|
||||||
secretName: ttsreader-web-tls
|
secretName: ttsreader-tls
|
||||||
|
|||||||
Reference in New Issue
Block a user