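---
# wifi-densepose API: 3 replicas behind a zero-downtime rolling update.
# All pods in this file run as a non-root uid, drop every capability,
# use a read-only root filesystem and the runtime-default seccomp profile.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wifi-densepose
  namespace: wifi-densepose
  labels:
    app: wifi-densepose
    component: api
    version: v1
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: wifi-densepose
      component: api
  template:
    metadata:
      labels:
        app: wifi-densepose
        component: api
        version: v1
      annotations:
        # Values are strings on purpose: annotations must be strings.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: wifi-densepose-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Required by the "restricted" Pod Security Standard; the other
        # hardening fields in this pod already target that profile.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: wifi-densepose
          # NOTE(review): a mutable tag with imagePullPolicy Always means every
          # pod restart may run a different image. Pin a version or digest
          # (none is given in this file, so left as is).
          image: wifi-densepose:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8000
              name: http
              protocol: TCP
            - containerPort: 8080
              name: metrics
              protocol: TCP
          # Explicit entries below take precedence over the envFrom block;
          # the ConfigMap keys are repeated here only to make them visible.
          env:
            - name: ENVIRONMENT
              valueFrom:
                configMapKeyRef:
                  name: wifi-densepose-config
                  key: ENVIRONMENT
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: wifi-densepose-config
                  key: LOG_LEVEL
            - name: WORKERS
              valueFrom:
                configMapKeyRef:
                  name: wifi-densepose-config
                  key: WORKERS
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: wifi-densepose-secrets
                  key: DATABASE_URL
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: wifi-densepose-secrets
                  key: REDIS_URL
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: wifi-densepose-secrets
                  key: SECRET_KEY
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: wifi-densepose-secrets
                  key: JWT_SECRET
          envFrom:
            - configMapRef:
                name: wifi-densepose-config
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: 2
              memory: 4Gi
          livenessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          # Up to 30 * 10 s = 5 min for the app to come up before liveness
          # checks start counting failures.
          startupProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 30
          # NOTE(review): the root filesystem is read-only; anything the app
          # writes outside these mounts (e.g. /tmp) needs its own emptyDir.
          # Confirm against the application's write paths.
          volumeMounts:
            - name: logs
              mountPath: /app/logs
            - name: data
              mountPath: /app/data
            - name: models
              mountPath: /app/models
            - name: config
              mountPath: /app/config
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      volumes:
        - name: logs
          emptyDir: {}
        # NOTE(review): these two PVCs are shared by 3 replicas spread across
        # nodes by the anti-affinity below, so they need a ReadWriteMany
        # access mode; with ReadWriteOnce only the first pod can mount them.
        # The PVC definitions are not in this file — verify there.
        - name: data
          persistentVolumeClaim:
            claimName: wifi-densepose-data-pvc
        - name: models
          persistentVolumeClaim:
            claimName: wifi-densepose-models-pvc
        - name: config
          configMap:
            name: wifi-densepose-config
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        - key: "node.kubernetes.io/not-ready"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300
        - key: "node.kubernetes.io/unreachable"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - wifi-densepose
                topologyKey: kubernetes.io/hostname
---
# PostgreSQL: single replica on a PVC; Recreate so two servers never share
# the data directory.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: wifi-densepose
  labels:
    app: wifi-densepose
    component: postgres
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: wifi-densepose
      component: postgres
  template:
    metadata:
      labels:
        app: wifi-densepose
        component: postgres
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          # NOTE(review): floating tag; pin to a digest for reproducible rollouts.
          image: postgres:15-alpine
          ports:
            - containerPort: 5432
              name: postgres
          env:
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: POSTGRES_DB
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: POSTGRES_PASSWORD
            # Subdirectory of the mount so the volume's lost+found does not
            # make initdb refuse a non-empty data directory.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: 1
              memory: 2Gi
          # Probes go over TCP to loopback; credentials come from the env above.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: postgres-init
              mountPath: /docker-entrypoint-initdb.d
              readOnly: true
            # The server writes its unix socket and lock file here at startup;
            # with readOnlyRootFilesystem that needs a writable mount.
            - name: postgres-run
              mountPath: /var/run/postgresql
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-data-pvc
        - name: postgres-init
          configMap:
            name: postgres-init
        - name: postgres-run
          emptyDir: {}
---
# Redis: single replica, AOF persistence on a PVC, password required.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: wifi-densepose
  labels:
    app: wifi-densepose
    component: redis
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: wifi-densepose
      component: redis
  template:
    metadata:
      labels:
        app: wifi-densepose
        component: redis
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          # NOTE(review): floating tag; pin to a digest for reproducible rollouts.
          image: redis:7-alpine
          # "yes" must stay quoted: unquoted it parses as boolean true.
          # $(REDIS_PASSWORD) is expanded by Kubernetes from the env below.
          # NOTE(review): the resolved password is then readable in the
          # container's process list; mounting a redis.conf from the Secret
          # would keep it out of argv. Left as is.
          command:
            - redis-server
            - --appendonly
            - "yes"
            - --requirepass
            - "$(REDIS_PASSWORD)"
          ports:
            - containerPort: 6379
              name: redis
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-secret
                  key: REDIS_PASSWORD
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 1Gi
          # NOTE(review): these probes send PING without authenticating, so
          # the server answers NOAUTH; whether that counts as healthy depends
          # on redis-cli's exit status for error replies — confirm on the
          # deployed version before relying on them.
          livenessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          volumeMounts:
            - name: redis-data
              mountPath: /data
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      volumes:
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data-pvc
---
# nginx front end: 2 replicas, TLS material from a Secret, config from a ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: wifi-densepose
  labels:
    app: wifi-densepose
    component: nginx
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: wifi-densepose
      component: nginx
  template:
    metadata:
      labels:
        app: wifi-densepose
        component: nginx
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 101
        runAsGroup: 101
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # NOTE(review): floating tag; pin to a digest for reproducible rollouts.
          image: nginx:alpine
          ports:
            - containerPort: 80
              name: http
            - containerPort: 443
              name: https
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          volumeMounts:
            # subPath mounts are not refreshed when the ConfigMap changes;
            # a rollout is needed to pick up a new nginx.conf.
            - name: nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: tls-certs
              mountPath: /etc/nginx/ssl
              readOnly: true
            # Writable scratch space nginx needs under a read-only root fs.
            - name: nginx-cache
              mountPath: /var/cache/nginx
            - name: nginx-run
              mountPath: /var/run
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
              # NOTE(review): a capability added here is not necessarily
              # effective for a non-root uid (101) unless the binary carries
              # file capabilities or the runtime grants it as ambient. Confirm
              # nginx actually binds 80/443 under this user, or listen on
              # ports >= 1024 and drop the add.
              add:
                - NET_BIND_SERVICE
      volumes:
        - name: nginx-config
          configMap:
            name: nginx-config
        - name: tls-certs
          secret:
            secretName: tls-secret
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: component
                      operator: In
                      values:
                        - nginx
                topologyKey: kubernetes.io/hostname
---
# Identity for the API pods. NOTE(review): the token is mounted into every
# API pod; if the application never calls the Kubernetes API, set
# automountServiceAccountToken to false and drop the Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wifi-densepose-sa
  namespace: wifi-densepose
  labels:
    app: wifi-densepose
automountServiceAccountToken: true
---
# Namespace-scoped, read-only access for the API pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: wifi-densepose
  name: wifi-densepose-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "secrets" with list/watch lets the API pod read every
  # Secret in the namespace (postgres-secret, redis-secret, tls-secret),
  # not only its own. If it needs Secrets at all, restrict with
  # resourceNames to the ones it reads. Left unchanged pending that check.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wifi-densepose-rolebinding
  namespace: wifi-densepose
subjects:
  - kind: ServiceAccount
    name: wifi-densepose-sa
    namespace: wifi-densepose
roleRef:
  kind: Role
  name: wifi-densepose-role
  apiGroup: rbac.authorization.k8s.io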