CSTF/wild-cloud
1
1
Fork 0
Code Issues 12 Pull Requests Actions Packages Projects 1 Releases 1 Wiki Activity
Files
5ca8c010e565b52cb2f28efdd8e3bd22f1a04364
wild-cloud/apps/openproject/web-deployment.yaml
Paul Payne 5ca8c010e5 Use full secret paths.
2025-08-04 13:57:52 -07:00

182 lines
6.0 KiB
YAML
Raw Blame History

---
# Source: openproject/templates/web-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-web
labels:
openproject/process: web
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
component: web
template:
metadata:
annotations:
# annotate pods with env value checksums so changes trigger re-deployments
checksum/env-core: f2b092f43e1c4c37ec21840d9fbca6bd40dc514094fce97e682a1ec202ba5e45
checksum/env-memcached: ff6b5c8eeeea9c2c34b0799a614f9d252c79257f7cc1a89f56d5ee0fd5664fd4
checksum/env-oidc: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
component: web
spec:
securityContext:
fsGroup: 1000
serviceAccountName: openproject
volumes:
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: app-tmp
# we can't use emptyDir due to the sticky bit / world writable issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: "data"
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: wait-for-db
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: apps.openproject.dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: apps.openproject.adminPassword
args:
- /app/docker/prod/wait-for-db
resources:
limits:
memory: 1Gi
requests:
memory: 512Mi
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
containers:
- name: "openproject"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: apps.openproject.dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: apps.openproject.adminPassword
args:
- /app/docker/prod/web
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: "data"
mountPath: "/var/openproject/assets"
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: "/health_checks/default"
port: 8080
httpHeaders:
# required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
- name: Host
value: localhost
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readinessProbe:
httpGet:
path: "/health_checks/default"
port: 8080
httpHeaders:
# required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
- name: Host
value: localhost
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
resources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi
Reference in New Issue View Git Blame Copy Permalink