apiVersion: apps/v1 kind: Deployment metadata: name: datatracker spec: replicas: 1 revisionHistoryLimit: 2 selector: matchLabels: app: datatracker strategy: type: Recreate template: metadata: labels: app: datatracker spec: securityContext: runAsNonRoot: true containers: # ----------------------------------------------------- # Datatracker Container # ----------------------------------------------------- - name: datatracker image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" imagePullPolicy: Always volumeMounts: - name: dt-vol mountPath: /a - name: dt-tmp mountPath: /tmp - name: dt-home mountPath: /home/datatracker - name: dt-xml2rfc-cache mountPath: /var/cache/xml2rfc - name: dt-cfg mountPath: /workspace/ietf/settings_local.py subPath: settings_local.py env: - name: "CONTAINER_ROLE" value: "datatracker" # ensures the pod gets recreated on every deploy: - name: "DEPLOY_UID" value: "$DEPLOY_UID" envFrom: - secretRef: name: dt-secrets-env startupProbe: httpGet: port: 8000 path: /health/ initialDelaySeconds: 10 periodSeconds: 5 failureThreshold: 30 timeoutSeconds: 3 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 # ----------------------------------------------------- # Nginx Container # ----------------------------------------------------- - name: nginx image: "ghcr.io/nginxinc/nginx-unprivileged:1.27" imagePullPolicy: IfNotPresent ports: - containerPort: 8080 name: http protocol: TCP livenessProbe: httpGet: port: 8080 path: /health/nginx securityContext: readOnlyRootFilesystem: true volumeMounts: - name: nginx-tmp mountPath: /tmp - name: dt-cfg mountPath: /etc/nginx/conf.d/00logging.conf subPath: nginx-logging.conf - name: dt-cfg # Replaces the original default.conf mountPath: /etc/nginx/conf.d/default.conf subPath: nginx-datatracker.conf # ----------------------------------------------------- # ScoutAPM Container # ----------------------------------------------------- - name: scoutapm image: "scoutapp/scoutapm:version-1.4.0" imagePullPolicy: IfNotPresent # Replace command with one that will shut down on a TERM signal # The ./core-agent start command line is from the scoutapm docker image command: - "sh" - "-c" - >- trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & wait $! livenessProbe: exec: command: - "sh" - "-c" - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" securityContext: readOnlyRootFilesystem: true runAsUser: 65534 # "nobody" user by default runAsGroup: 65534 # "nogroup" group by default initContainers: - name: migration image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" env: - name: "CONTAINER_ROLE" value: "migrations" envFrom: - secretRef: name: dt-secrets-env securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 volumeMounts: - name: dt-vol mountPath: /a - name: dt-tmp mountPath: /tmp - name: dt-home mountPath: /home/datatracker - name: dt-xml2rfc-cache mountPath: /var/cache/xml2rfc - name: dt-cfg mountPath: /workspace/ietf/settings_local.py subPath: settings_local.py volumes: # To be overriden with the actual shared volume - name: dt-vol - name: dt-tmp emptyDir: sizeLimit: "2Gi" - name: dt-xml2rfc-cache emptyDir: sizeLimit: "2Gi" - name: dt-home emptyDir: sizeLimit: "2Gi" - name: dt-cfg configMap: name: files-cfgmap - name: nginx-tmp emptyDir: sizeLimit: "500Mi" dnsPolicy: ClusterFirst restartPolicy: Always terminationGracePeriodSeconds: 60 --- apiVersion: v1 kind: Service metadata: name: datatracker spec: type: ClusterIP ports: - port: 80 targetPort: http protocol: TCP name: http selector: app: datatracker