498 lines
12 KiB
YAML
498 lines
12 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: wifi-densepose
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: api
|
|
version: v1
|
|
spec:
|
|
replicas: 3
|
|
strategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
selector:
|
|
matchLabels:
|
|
app: wifi-densepose
|
|
component: api
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: wifi-densepose
|
|
component: api
|
|
version: v1
|
|
annotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/port: "8080"
|
|
prometheus.io/path: "/metrics"
|
|
spec:
|
|
serviceAccountName: wifi-densepose-sa
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
containers:
|
|
- name: wifi-densepose
|
|
image: wifi-densepose:latest
|
|
imagePullPolicy: Always
|
|
ports:
|
|
- containerPort: 8000
|
|
name: http
|
|
protocol: TCP
|
|
- containerPort: 8080
|
|
name: metrics
|
|
protocol: TCP
|
|
env:
|
|
- name: ENVIRONMENT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: wifi-densepose-config
|
|
key: ENVIRONMENT
|
|
- name: LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: wifi-densepose-config
|
|
key: LOG_LEVEL
|
|
- name: WORKERS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: wifi-densepose-config
|
|
key: WORKERS
|
|
- name: DATABASE_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: wifi-densepose-secrets
|
|
key: DATABASE_URL
|
|
- name: REDIS_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: wifi-densepose-secrets
|
|
key: REDIS_URL
|
|
- name: SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: wifi-densepose-secrets
|
|
key: SECRET_KEY
|
|
- name: JWT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: wifi-densepose-secrets
|
|
key: JWT_SECRET
|
|
envFrom:
|
|
- configMapRef:
|
|
name: wifi-densepose-config
|
|
resources:
|
|
requests:
|
|
cpu: 500m
|
|
memory: 1Gi
|
|
limits:
|
|
cpu: 2
|
|
memory: 4Gi
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 8000
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 30
|
|
timeoutSeconds: 10
|
|
failureThreshold: 3
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 8000
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
startupProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 8000
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 30
|
|
volumeMounts:
|
|
- name: logs
|
|
mountPath: /app/logs
|
|
- name: data
|
|
mountPath: /app/data
|
|
- name: models
|
|
mountPath: /app/models
|
|
- name: config
|
|
mountPath: /app/config
|
|
readOnly: true
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumes:
|
|
- name: logs
|
|
emptyDir: {}
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: wifi-densepose-data-pvc
|
|
- name: models
|
|
persistentVolumeClaim:
|
|
claimName: wifi-densepose-models-pvc
|
|
- name: config
|
|
configMap:
|
|
name: wifi-densepose-config
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
tolerations:
|
|
- key: "node.kubernetes.io/not-ready"
|
|
operator: "Exists"
|
|
effect: "NoExecute"
|
|
tolerationSeconds: 300
|
|
- key: "node.kubernetes.io/unreachable"
|
|
operator: "Exists"
|
|
effect: "NoExecute"
|
|
tolerationSeconds: 300
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 100
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- wifi-densepose
|
|
topologyKey: kubernetes.io/hostname
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: postgres
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: postgres
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: wifi-densepose
|
|
component: postgres
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: wifi-densepose
|
|
component: postgres
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 999
|
|
runAsGroup: 999
|
|
fsGroup: 999
|
|
containers:
|
|
- name: postgres
|
|
image: postgres:15-alpine
|
|
ports:
|
|
- containerPort: 5432
|
|
name: postgres
|
|
env:
|
|
- name: POSTGRES_DB
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-secret
|
|
key: POSTGRES_DB
|
|
- name: POSTGRES_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-secret
|
|
key: POSTGRES_USER
|
|
- name: POSTGRES_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-secret
|
|
key: POSTGRES_PASSWORD
|
|
- name: PGDATA
|
|
value: /var/lib/postgresql/data/pgdata
|
|
resources:
|
|
requests:
|
|
cpu: 250m
|
|
memory: 512Mi
|
|
limits:
|
|
cpu: 1
|
|
memory: 2Gi
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
volumeMounts:
|
|
- name: postgres-data
|
|
mountPath: /var/lib/postgresql/data
|
|
- name: postgres-init
|
|
mountPath: /docker-entrypoint-initdb.d
|
|
readOnly: true
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumes:
|
|
- name: postgres-data
|
|
persistentVolumeClaim:
|
|
claimName: postgres-data-pvc
|
|
- name: postgres-init
|
|
configMap:
|
|
name: postgres-init
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: redis
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: redis
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: wifi-densepose
|
|
component: redis
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: wifi-densepose
|
|
component: redis
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 999
|
|
runAsGroup: 999
|
|
fsGroup: 999
|
|
containers:
|
|
- name: redis
|
|
image: redis:7-alpine
|
|
command:
|
|
- redis-server
|
|
- --appendonly
|
|
- "yes"
|
|
- --requirepass
|
|
- "$(REDIS_PASSWORD)"
|
|
ports:
|
|
- containerPort: 6379
|
|
name: redis
|
|
env:
|
|
- name: REDIS_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: redis-secret
|
|
key: REDIS_PASSWORD
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 1Gi
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- redis-cli
|
|
- ping
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- redis-cli
|
|
- ping
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
volumeMounts:
|
|
- name: redis-data
|
|
mountPath: /data
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumes:
|
|
- name: redis-data
|
|
persistentVolumeClaim:
|
|
claimName: redis-data-pvc
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: nginx
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: nginx
|
|
spec:
|
|
replicas: 2
|
|
strategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
selector:
|
|
matchLabels:
|
|
app: wifi-densepose
|
|
component: nginx
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: wifi-densepose
|
|
component: nginx
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 101
|
|
runAsGroup: 101
|
|
fsGroup: 101
|
|
containers:
|
|
- name: nginx
|
|
image: nginx:alpine
|
|
ports:
|
|
- containerPort: 80
|
|
name: http
|
|
- containerPort: 443
|
|
name: https
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 80
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 80
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
volumeMounts:
|
|
- name: nginx-config
|
|
mountPath: /etc/nginx/nginx.conf
|
|
subPath: nginx.conf
|
|
readOnly: true
|
|
- name: tls-certs
|
|
mountPath: /etc/nginx/ssl
|
|
readOnly: true
|
|
- name: nginx-cache
|
|
mountPath: /var/cache/nginx
|
|
- name: nginx-run
|
|
mountPath: /var/run
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
add:
|
|
- NET_BIND_SERVICE
|
|
volumes:
|
|
- name: nginx-config
|
|
configMap:
|
|
name: nginx-config
|
|
- name: tls-certs
|
|
secret:
|
|
secretName: tls-secret
|
|
- name: nginx-cache
|
|
emptyDir: {}
|
|
- name: nginx-run
|
|
emptyDir: {}
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 100
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: component
|
|
operator: In
|
|
values:
|
|
- nginx
|
|
topologyKey: kubernetes.io/hostname
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: wifi-densepose-sa
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
automountServiceAccountToken: true
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
namespace: wifi-densepose
|
|
name: wifi-densepose-role
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "services", "endpoints"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps", "secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: wifi-densepose-rolebinding
|
|
namespace: wifi-densepose
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: wifi-densepose-sa
|
|
namespace: wifi-densepose
|
|
roleRef:
|
|
kind: Role
|
|
name: wifi-densepose-role
|
|
apiGroup: rbac.authorization.k8s.io |