c0547a9964
The app's ApiKeyAuthenticationMiddleware runs BEFORE /health is mapped, so unauthenticated probe requests get 404. tcpSocket probes verify the listener is up without auth, which is correct for an internal K8s probe (kubelet talks pod IP directly, not externally). Real fix is in the app: move /health before the middleware or mark it [AllowAnonymous]. Tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
126 lines
2.8 KiB
YAML
126 lines
2.8 KiB
YAML
# FlowerCore SignalControl — Signal sequencing and relay coordination
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: fc-signalcontrol
|
|
labels:
|
|
app.kubernetes.io/part-of: bluejay-infra
|
|
---
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: signalcontrol-data
|
|
namespace: fc-signalcontrol
|
|
labels:
|
|
app: signalcontrol-web
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
storageClassName: longhorn
|
|
resources:
|
|
requests:
|
|
storage: 1Gi
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: signalcontrol-web
|
|
namespace: fc-signalcontrol
|
|
labels:
|
|
app: signalcontrol-web
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: signalcontrol-web
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: signalcontrol-web
|
|
spec:
|
|
containers:
|
|
- name: signalcontrol-web
|
|
image: localhost/fc-signalcontrol-web:v202604132015
|
|
imagePullPolicy: Never
|
|
ports:
|
|
- containerPort: 8080
|
|
name: http
|
|
env:
|
|
- name: ASPNETCORE_ENVIRONMENT
|
|
value: Production
|
|
- name: ASPNETCORE_URLS
|
|
value: "http://+:8080"
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /app/data
|
|
resources:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "512Mi"
|
|
cpu: "500m"
|
|
# Note: app's ApiKeyAuthenticationMiddleware blocks /health → 404. Until
|
|
# /health is moved before that middleware (or marked anonymous), use
|
|
# tcpSocket probes that just check the listener is accepting.
|
|
livenessProbe:
|
|
tcpSocket:
|
|
port: 8080
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 30
|
|
readinessProbe:
|
|
tcpSocket:
|
|
port: 8080
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
volumes:
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: signalcontrol-data
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: signalcontrol-web
|
|
namespace: fc-signalcontrol
|
|
spec:
|
|
selector:
|
|
app: signalcontrol-web
|
|
ports:
|
|
- port: 80
|
|
targetPort: 8080
|
|
name: http
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: signalcontrol-web-tls
|
|
namespace: fc-signalcontrol
|
|
spec:
|
|
secretName: signalcontrol-web-tls
|
|
issuerRef:
|
|
name: step-ca-acme
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- signalcontrol.iamworkin.lan
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: signalcontrol-web
|
|
namespace: fc-signalcontrol
|
|
spec:
|
|
entryPoints:
|
|
- websecure
|
|
routes:
|
|
- match: Host(`signalcontrol.iamworkin.lan`)
|
|
kind: Rule
|
|
services:
|
|
- name: signalcontrol-web
|
|
port: 80
|
|
tls:
|
|
secretName: signalcontrol-web-tls
|