fc-apple-mdm: add NanoHUB GitOps workload
This commit is contained in:
Robot
127
apps/fc-apple-mdm/deployment.yaml
Normal file
127
apps/fc-apple-mdm/deployment.yaml
Normal file
@@ -0,0 +1,127 @@
|
||||
# Self-hosted NanoHUB lane for FlowerCore Apple device management.
|
||||
#
|
||||
# Image contract:
|
||||
# Mirror/import localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 from
|
||||
# ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
|
||||
# or rebuild from nanohub-linux-arm64-v0.2.0.zip with SHA-256
|
||||
# b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd.
|
||||
# Keep imagePullPolicy: Never so the RKE2 nodes do not depend on GHCR at
|
||||
# runtime.
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: fc-apple-mdm
|
||||
namespace: fc-apple-mdm
|
||||
labels:
|
||||
app: fc-apple-mdm
|
||||
app.kubernetes.io/name: fc-apple-mdm
|
||||
app.kubernetes.io/component: mdm
|
||||
app.kubernetes.io/part-of: flowercore
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
flowercore.io/tenant-id: system
|
||||
flowercore.io/created-by: bluejay-infra
|
||||
annotations:
|
||||
flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 3
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: fc-apple-mdm
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: fc-apple-mdm
|
||||
app.kubernetes.io/name: fc-apple-mdm
|
||||
app.kubernetes.io/component: mdm
|
||||
app.kubernetes.io/part-of: flowercore
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
flowercore.io/tenant-id: system
|
||||
flowercore.io/created-by: bluejay-infra
|
||||
annotations:
|
||||
fc.flowercore.io/healthz-anon: "true"
|
||||
fc.flowercore.io/probe-path: "/version"
|
||||
prometheus.io/scrape: "false"
|
||||
flowercore.io/audit-trace-id: "apple-mdm-nanohub-runtime-trace"
|
||||
spec:
|
||||
securityContext:
|
||||
fsGroup: 1654
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
containers:
|
||||
- name: nanohub
|
||||
image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
|
||||
imagePullPolicy: Never
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9004
|
||||
env:
|
||||
- name: HOME
|
||||
value: "/var/lib/nanohub"
|
||||
- name: NANOHUB_LISTEN
|
||||
value: ":9004"
|
||||
- name: NANOHUB_STORAGE
|
||||
value: "file"
|
||||
- name: NANOHUB_STORAGE_DSN
|
||||
value: "/var/lib/nanohub/db"
|
||||
- name: NANOHUB_CHECKIN
|
||||
value: "true"
|
||||
- name: NANOHUB_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: fc-apple-mdm-runtime
|
||||
key: NANOHUB_API_KEY
|
||||
- name: NANOHUB_WEBHOOK_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: fc-apple-mdm-runtime
|
||||
key: NANOHUB_WEBHOOK_URL
|
||||
optional: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /version
|
||||
port: 9004
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
failureThreshold: 30
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /version
|
||||
port: 9004
|
||||
periodSeconds: 10
|
||||
failureThreshold: 3
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /version
|
||||
port: 9004
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 30
|
||||
failureThreshold: 3
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1654
|
||||
runAsGroup: 1654
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/nanohub
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: fc-apple-mdm-data
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
Reference in New Issue
Block a user