bluejay-infra/apps/fc-apple-mdm/deployment.yaml

# Self-hosted NanoHUB lane for FlowerCore Apple device management.
#
# Image contract:
#   Mirror/import localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 from
#   ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
#   or rebuild from nanohub-linux-arm64-v0.2.0.zip with SHA-256
#   b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd.
#   Keep imagePullPolicy: Never so the RKE2 nodes do not depend on GHCR at
#   runtime.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fc-apple-mdm
  namespace: fc-apple-mdm
  labels:
    app: fc-apple-mdm
    app.kubernetes.io/name: fc-apple-mdm
    app.kubernetes.io/component: mdm
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: fc-apple-mdm
  template:
    metadata:
      labels:
        app: fc-apple-mdm
        app.kubernetes.io/name: fc-apple-mdm
        app.kubernetes.io/component: mdm
        app.kubernetes.io/part-of: flowercore
        app.kubernetes.io/managed-by: argocd
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/version"
        prometheus.io/scrape: "false"
        flowercore.io/audit-trace-id: "apple-mdm-nanohub-runtime-trace"
    spec:
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: nanohub
          image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: 9004
          env:
            - name: HOME
              value: "/var/lib/nanohub"
            - name: NANOHUB_LISTEN
              value: ":9004"
            - name: NANOHUB_STORAGE
              value: "file"
            - name: NANOHUB_STORAGE_DSN
              value: "/var/lib/nanohub/db"
            - name: NANOHUB_CHECKIN
              value: "true"
            - name: NANOHUB_API_KEY
              valueFrom:
                secretKeyRef:
                  name: fc-apple-mdm-runtime
                  key: NANOHUB_API_KEY
            - name: NANOHUB_WEBHOOK_URL
              valueFrom:
                secretKeyRef:
                  name: fc-apple-mdm-runtime
                  key: NANOHUB_WEBHOOK_URL
                  optional: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          startupProbe:
            httpGet:
              path: /version
              port: 9004
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /version
              port: 9004
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /version
              port: 9004
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 3
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /var/lib/nanohub
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fc-apple-mdm-data
        - name: tmp
          emptyDir: {}