--- # Source: openproject/templates/web-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: openproject-web labels: openproject/process: web spec: replicas: 1 strategy: type: Recreate selector: matchLabels: component: web template: metadata: annotations: # annotate pods with env value checksums so changes trigger re-deployments checksum/env-core: f2b092f43e1c4c37ec21840d9fbca6bd40dc514094fce97e682a1ec202ba5e45 checksum/env-memcached: ff6b5c8eeeea9c2c34b0799a614f9d252c79257f7cc1a89f56d5ee0fd5664fd4 checksum/env-oidc: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b labels: component: web spec: securityContext: fsGroup: 1000 serviceAccountName: openproject volumes: - name: tmp # we can't use emptyDir due to the sticky bit issue # see: https://github.com/kubernetes/kubernetes/issues/110835 ephemeral: volumeClaimTemplate: metadata: creationTimestamp: null spec: accessModes: ["ReadWriteOnce"] resources: requests: storage: {{ .apps.openproject.tmpVolumesStorage }} - name: app-tmp # we can't use emptyDir due to the sticky bit / world writable issue # see: https://github.com/kubernetes/kubernetes/issues/110835 ephemeral: volumeClaimTemplate: metadata: creationTimestamp: null spec: accessModes: ["ReadWriteOnce"] resources: requests: storage: {{ .apps.openproject.tmpVolumesStorage }} - name: "data" persistentVolumeClaim: claimName: openproject initContainers: - name: wait-for-db securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault image: {{ .apps.openproject.serverImage }} imagePullPolicy: Always envFrom: - configMapRef: name: openproject-core - configMapRef: name: openproject-memcached env: - name: OPENPROJECT_DB_PASSWORD valueFrom: secretKeyRef: name: openproject-secrets key: apps.openproject.dbPassword - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD valueFrom: secretKeyRef: name: openproject-secrets key: apps.openproject.adminPassword args: - /app/docker/prod/wait-for-db resources: limits: memory: 1Gi requests: memory: 512Mi volumeMounts: - mountPath: /tmp name: tmp - mountPath: /app/tmp name: app-tmp containers: - name: "openproject" securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault image: {{ .apps.openproject.serverImage }} imagePullPolicy: Always envFrom: - configMapRef: name: openproject-core - configMapRef: name: openproject-memcached env: - name: OPENPROJECT_DB_PASSWORD valueFrom: secretKeyRef: name: openproject-secrets key: apps.openproject.dbPassword - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD valueFrom: secretKeyRef: name: openproject-secrets key: apps.openproject.adminPassword args: - /app/docker/prod/web volumeMounts: - mountPath: /tmp name: tmp - mountPath: /app/tmp name: app-tmp - name: "data" mountPath: "/var/openproject/assets" ports: - name: http containerPort: 8080 protocol: TCP livenessProbe: httpGet: path: "/health_checks/default" port: 8080 httpHeaders: # required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants - name: Host value: localhost initialDelaySeconds: 120 timeoutSeconds: 3 periodSeconds: 30 failureThreshold: 3 successThreshold: 1 readinessProbe: httpGet: path: "/health_checks/default" port: 8080 httpHeaders: # required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants - name: Host value: localhost initialDelaySeconds: 30 timeoutSeconds: 3 periodSeconds: 15 failureThreshold: 30 successThreshold: 1 resources: limits: cpu: "4" memory: 4Gi requests: cpu: 250m memory: 512Mi