titan-iac/services/bstein-dev-home/backend-deployment.yaml

# services/bstein-dev-home/backend-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bstein-dev-home-backend
  namespace: bstein-dev-home
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: bstein-dev-home-backend
  template:
    metadata:
      labels:
        app: bstein-dev-home-backend
    spec:
      automountServiceAccountToken: true
      serviceAccountName: bstein-dev-home
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      imagePullSecrets:
        - name: harbor-regcred
      containers:
        - name: backend
          image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/scripts/bstein_dev_home_vault_env.sh
              && exec gunicorn -b 0.0.0.0:8080 --workers 2 --timeout 180 app:app
          env:
            - name: AI_CHAT_API
              value: http://ollama.ai.svc.cluster.local:11434
            - name: AI_CHAT_MODEL
              value: qwen2.5-coder:7b-instruct-q4_0
            - name: AI_CHAT_TIMEOUT_SEC
              value: "60"
            - name: AI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: AI_NODE_GPU_MAP
              value: |
                {"titan-20": "Jetson Xavier (edge GPU)", "titan-21": "Jetson Xavier (edge GPU)", "titan-22": "RTX 3050 8GB (local GPU)", "titan-24": "RTX 3080 8GB (local GPU)"}
            - name: KEYCLOAK_ENABLED
              value: "true"
            - name: KEYCLOAK_URL
              value: https://sso.bstein.dev
            - name: KEYCLOAK_REALM
              value: atlas
            - name: KEYCLOAK_CLIENT_ID
              value: bstein-dev-home
            - name: KEYCLOAK_ISSUER
              value: https://sso.bstein.dev/realms/atlas
            - name: KEYCLOAK_JWKS_URL
              value: http://keycloak.sso.svc.cluster.local/realms/atlas/protocol/openid-connect/certs
            - name: KEYCLOAK_ADMIN_URL
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_ADMIN_REALM
              value: atlas
            - name: KEYCLOAK_ADMIN_CLIENT_ID
              value: bstein-dev-home-admin
            - name: ACCOUNT_ALLOWED_GROUPS
              value: ""
            - name: HTTP_CHECK_TIMEOUT_SEC
              value: "2"
            - name: ACCESS_REQUEST_SUBMIT_RATE_LIMIT
              value: "30"
            - name: ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC
              value: "3600"
            - name: ACCESS_REQUEST_STATUS_RATE_LIMIT
              value: "120"
            - name: ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC
              value: "60"
            - name: ACCESS_REQUEST_INTERNAL_EMAIL_ALLOWLIST
              value: robotuser@bstein.dev
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /api/healthz
              port: http
            initialDelaySeconds: 2
            periodSeconds: 5
            timeoutSeconds: 3
          livenessProbe:
            httpGet:
              path: /api/healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: bstein-dev-home-vault
        - name: vault-scripts
          configMap:
            name: bstein-dev-home-vault-env
            defaultMode: 0555
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`# services/bstein-dev-home/backend-deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: bstein-dev-home-backend`
			`namespace: bstein-dev-home`
			`spec:`
chore(bstein-dev-home): scale to 1 replica and pass ai meta env 2025-12-21 00:17:08 -03:00			`replicas: 1`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`revisionHistoryLimit: 3`
			`selector:`
			`matchLabels:`
			`app: bstein-dev-home-backend`
			`template:`
			`metadata:`
			`labels:`
			`app: bstein-dev-home-backend`
			`spec:`
fix(ai): ensure backend token mount and annotate ollama pods 2025-12-21 01:13:35 -03:00			`automountServiceAccountToken: true`
feat(bstein-dev-home): add SA/RBAC for ai pod discovery 2025-12-21 00:46:09 -03:00			`serviceAccountName: bstein-dev-home`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
			`imagePullSecrets:`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`- name: harbor-regcred`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`containers:`
			`- name: backend`
chore(bstein-dev-home): automated image update 2026-01-13 12:48:56 +00:00			`image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`imagePullPolicy: Always`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`command: ["/bin/sh", "-c"]`
fix(bstein-dev-home): harden backend gunicorn 2026-01-04 02:25:40 -03:00			`args:`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`- >-`
			`. /vault/scripts/bstein_dev_home_vault_env.sh`
			`&& exec gunicorn -b 0.0.0.0:8080 --workers 2 --timeout 180 app:app`
ai: add ollama service and wire chat backend 2025-12-20 14:10:34 -03:00			`env:`
			`- name: AI_CHAT_API`
			`value: http://ollama.ai.svc.cluster.local:11434`
			`- name: AI_CHAT_MODEL`
bstein-dev-home: default chat model to qwen2.5-coder 2025-12-20 15:22:05 -03:00			`value: qwen2.5-coder:7b-instruct-q4_0`
ai: add ollama service and wire chat backend 2025-12-20 14:10:34 -03:00			`- name: AI_CHAT_TIMEOUT_SEC`
fix(ai): increase chat timeout to 60s 2025-12-21 01:31:03 -03:00			`value: "60"`
chore(bstein-dev-home): scale to 1 replica and pass ai meta env 2025-12-21 00:17:08 -03:00			`- name: AI_NODE_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: spec.nodeName`
			`- name: AI_NODE_GPU_MAP`
			`value: \|`
gpu: enable time-slicing and refresh dashboards 2026-01-01 14:16:08 -03:00			`{"titan-20": "Jetson Xavier (edge GPU)", "titan-21": "Jetson Xavier (edge GPU)", "titan-22": "RTX 3050 8GB (local GPU)", "titan-24": "RTX 3080 8GB (local GPU)"}`
bstein-dev-home: enable Keycloak portal 2026-01-01 21:45:33 -03:00			`- name: KEYCLOAK_ENABLED`
			`value: "true"`
			`- name: KEYCLOAK_URL`
			`value: https://sso.bstein.dev`
			`- name: KEYCLOAK_REALM`
			`value: atlas`
			`- name: KEYCLOAK_CLIENT_ID`
			`value: bstein-dev-home`
			`- name: KEYCLOAK_ISSUER`
			`value: https://sso.bstein.dev/realms/atlas`
			`- name: KEYCLOAK_JWKS_URL`
			`value: http://keycloak.sso.svc.cluster.local/realms/atlas/protocol/openid-connect/certs`
			`- name: KEYCLOAK_ADMIN_URL`
			`value: http://keycloak.sso.svc.cluster.local`
			`- name: KEYCLOAK_ADMIN_REALM`
			`value: atlas`
			`- name: KEYCLOAK_ADMIN_CLIENT_ID`
			`value: bstein-dev-home-admin`
bstein-dev-home: add portal db + relax account gating 2026-01-02 00:42:02 -03:00			`- name: ACCOUNT_ALLOWED_GROUPS`
			`value: ""`
mailu: add wait-mode sync endpoint Also bump portal timeouts and relax access request rate limits. 2026-01-02 02:53:55 -03:00			`- name: HTTP_CHECK_TIMEOUT_SEC`
bstein-dev-home: reduce lab status probe timeout 2026-01-03 20:02:53 -03:00			`value: "2"`
mailu: add wait-mode sync endpoint Also bump portal timeouts and relax access request rate limits. 2026-01-02 02:53:55 -03:00			`- name: ACCESS_REQUEST_SUBMIT_RATE_LIMIT`
			`value: "30"`
			`- name: ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC`
			`value: "3600"`
			`- name: ACCESS_REQUEST_STATUS_RATE_LIMIT`
			`value: "120"`
			`- name: ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC`
			`value: "60"`
tests(portal): verify access requests via email 2026-01-04 01:48:46 -03:00			`- name: ACCESS_REQUEST_INTERNAL_EMAIL_ALLOWLIST`
			`value: robotuser@bstein.dev`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`ports:`
			`- name: http`
			`containerPort: 8080`
			`readinessProbe:`
			`httpGet:`
			`path: /api/healthz`
			`port: http`
			`initialDelaySeconds: 2`
			`periodSeconds: 5`
bstein-dev-home: relax health probe timeouts 2026-01-03 22:34:39 -03:00			`timeoutSeconds: 3`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`livenessProbe:`
			`httpGet:`
			`path: /api/healthz`
			`port: http`
			`initialDelaySeconds: 10`
			`periodSeconds: 10`
bstein-dev-home: relax health probe timeouts 2026-01-03 22:34:39 -03:00			`timeoutSeconds: 3`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`volumeMounts:`
			`- name: vault-secrets`
			`mountPath: /vault/secrets`
			`readOnly: true`
			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`resources:`
			`requests:`
fix(bstein-dev-home): harden backend gunicorn 2026-01-04 02:25:40 -03:00			`cpu: 100m`
			`memory: 128Mi`
Add bstein-dev-home deployment and Jenkins job 2025-12-18 01:14:09 -03:00			`limits:`
fix(bstein-dev-home): harden backend gunicorn 2026-01-04 02:25:40 -03:00			`cpu: 500m`
			`memory: 512Mi`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`volumes:`
			`- name: vault-secrets`
			`csi:`
			`driver: secrets-store.csi.k8s.io`
			`readOnly: true`
			`volumeAttributes:`
			`secretProviderClass: bstein-dev-home-vault`
			`- name: vault-scripts`
			`configMap:`
			`name: bstein-dev-home-vault-env`
			`defaultMode: 0555`