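# Deployment "meta": one pod with three containers built from the same
# metasrht image:
#   main     - image default entrypoint, readiness probed on port 5000
#   api      - /usr/bin/meta.sr.ht-api, readiness probed on port 5100
#   webhooks - celery worker for metasrht.webhooks
# The main container authenticates against the node's local account database
# (pam_unix), so the node's /etc/passwd, /etc/shadow and /etc/group are
# bind-mounted into it. See the notes on those mounts below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: meta
spec:
  replicas: 1
  selector:
    matchLabels:
      component: meta
  template:
    metadata:
      labels:
        component: meta
    spec:
      # NOTE(review): no serviceAccountName / automountServiceAccountToken is
      # set, so the pod gets the namespace default. If none of these
      # containers talk to the Kubernetes API, consider disabling the token
      # mount. Confirm before changing.
      containers:
        - name: main
          # NOTE(review): tag-only reference. Pinning by digest
          # (image@sha256:<digest>) would make the deployed content immutable.
          image: ghcr.io/xdavidwu/c/metasrht:3555
          volumeMounts:
            # subPath mounts do not pick up later Secret updates; the pod has
            # to be restarted after rotating anything in config.ini.
            - name: secrets
              mountPath: /etc/sr.ht/config.ini
              subPath: config.ini
              readOnly: true
            # PAM from host via pam_unix
            # XXX perhaps socket-interfaced PAM instead (sssd?)
            # or consider remote auth (is NIS or LDAP worth it?)
            #
            # Security note: these three mounts hand the node's account
            # database to a network-facing container. readOnly prevents
            # modification, not disclosure: any file-read primitive in this
            # container exposes the node's password hashes from /etc/shadow.
            # Only this container mounts them; keep it that way.
            # NOTE(review): single-file bind mounts usually keep pointing at
            # the file that existed when the container started. If host tools
            # replace these files on edit, password changes and account
            # lockouts may not be visible here until the pod restarts. Verify
            # on the node.
            - name: passwd
              mountPath: /etc/passwd
              readOnly: true
            - name: shadow
              mountPath: /etc/shadow
              readOnly: true
            - name: group
              mountPath: /etc/group
              readOnly: true
          readinessProbe:
            # No path given, so the probe requests the default path "/".
            httpGet:
              port: 5000
          securityContext:
            # Presumably gid 0 is what lets the process read the host's
            # /etc/shadow. Confirm the file's owner/mode on the node.
            # allowPrivilegeEscalation is deliberately not set to false here:
            # pam_unix can fall back to a setuid helper, which no_new_privs
            # would break. Verify before tightening.
            runAsGroup: 0
        - name: api
          image: ghcr.io/xdavidwu/c/metasrht:3555
          command:
            - /usr/bin/meta.sr.ht-api
            - metasrht.app:app
          volumeMounts:
            - name: secrets
              mountPath: /etc/sr.ht/config.ini
              subPath: config.ini
              readOnly: true
          readinessProbe:
            httpGet:
              port: 5100
              path: /query/api-meta.json
          securityContext:
            # This container does not use the host PAM files, so it has no
            # need to gain privileges through setuid binaries.
            allowPrivilegeEscalation: false
        - name: webhooks
          image: ghcr.io/xdavidwu/c/metasrht:3555
          command:
            - /usr/bin/celery
            - -A
            - metasrht.webhooks
            - worker
            - --loglevel=info
            - --concurrency=2
          volumeMounts:
            - name: secrets
              mountPath: /etc/sr.ht/config.ini
              subPath: config.ini
              readOnly: true
          securityContext:
            # Same reasoning as the api container.
            allowPrivilegeEscalation: false
      # hostPath volumes resolve on whichever node runs the pod; pinning to
      # this hostname fixes which machine's accounts are used for login.
      nodeSelector:
        kubernetes.io/hostname: parto
      volumes:
        # The whole Secret named "secrets" is the volume source; containers
        # mount only its config.ini key via subPath.
        - name: secrets
          secret:
            secretName: secrets
        # type: File makes pod startup fail unless the path already exists as
        # a regular file on the node.
        - name: passwd
          hostPath:
            path: /etc/passwd
            type: File
        # Most sensitive volume in this manifest: the node's password hashes.
        # Admission policies that restrict hostPath (for example the
        # baseline/restricted Pod Security Standards) will reject this pod.
        - name: shadow
          hostPath:
            path: /etc/shadow
            type: File
        - name: group
          hostPath:
            path: /etc/group
            type: File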