titan-iac/services/maintenance/soteria-deployment.yaml

# services/maintenance/soteria-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: soteria
  namespace: maintenance
  labels:
    app: soteria
spec:
  replicas: 0
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: soteria
  template:
    metadata:
      labels:
        app: soteria
      annotations:
        soteria.bstein.dev/config-revision: "2026-04-13-restic-v1"
    spec:
      serviceAccountName: soteria
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: NotIn
                    values: ["titan-10"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: atlas.bstein.dev/spillover
                    operator: DoesNotExist
            - weight: 95
              preference:
                matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: NotIn
                    values:
                      - titan-13
                      - titan-15
                      - titan-17
                      - titan-19
            - weight: 90
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      containers:
        - name: soteria
          image: registry.bstein.dev/bstein/soteria:0.1.0-21
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: soteria
          ports:
            - name: http
              containerPort: 8080
          startupProbe:
            httpGet:
              path: /healthz
              port: http
            periodSeconds: 5
            failureThreshold: 24
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 2
          readinessProbe:
            httpGet:
              path: /readyz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 2
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            runAsNonRoot: true
            runAsUser: 65532
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`# services/maintenance/soteria-deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: soteria`
			`namespace: maintenance`
			`labels:`
			`app: soteria`
			`spec:`
maintenance(soteria): pause backup scheduler during backlog incident 2026-04-16 21:29:14 -03:00			`replicas: 0`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`revisionHistoryLimit: 3`
			`selector:`
			`matchLabels:`
			`app: soteria`
			`template:`
			`metadata:`
			`labels:`
			`app: soteria`
maintenance(soteria): roll pods after restic config switch 2026-04-13 02:24:05 -03:00			`annotations:`
			`soteria.bstein.dev/config-revision: "2026-04-13-restic-v1"`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`spec:`
			`serviceAccountName: soteria`
			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
			`affinity:`
			`nodeAffinity:`
maintenance(soteria): avoid titan-10 scheduling 2026-04-13 01:16:59 -03:00			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: kubernetes.io/hostname`
			`operator: NotIn`
			`values: ["titan-10"]`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`preferredDuringSchedulingIgnoredDuringExecution:`
scheduling: de-prefer spillover nodes for non-longhorn services 2026-04-21 21:00:56 -03:00			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: atlas.bstein.dev/spillover`
			`operator: DoesNotExist`
			`- weight: 95`
			`preference:`
			`matchExpressions:`
			`- key: kubernetes.io/hostname`
			`operator: NotIn`
			`values:`
			`- titan-13`
			`- titan-15`
			`- titan-17`
			`- titan-19`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`- weight: 90`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5"]`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
			`containers:`
			`- name: soteria`
			`image: registry.bstein.dev/bstein/soteria:0.1.0-21`
			`imagePullPolicy: Always`
			`envFrom:`
			`- configMapRef:`
			`name: soteria`
			`ports:`
			`- name: http`
			`containerPort: 8080`
maintenance(soteria): add startup probe and relax liveness 2026-04-16 19:54:07 -03:00			`startupProbe:`
			`httpGet:`
			`path: /healthz`
			`port: http`
			`periodSeconds: 5`
			`failureThreshold: 24`
			`timeoutSeconds: 2`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`livenessProbe:`
			`httpGet:`
			`path: /healthz`
			`port: http`
maintenance(soteria): add startup probe and relax liveness 2026-04-16 19:54:07 -03:00			`initialDelaySeconds: 30`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`periodSeconds: 10`
			`timeoutSeconds: 2`
			`readinessProbe:`
			`httpGet:`
			`path: /readyz`
			`port: http`
maintenance(soteria): add startup probe and relax liveness 2026-04-16 19:54:07 -03:00			`initialDelaySeconds: 5`
maintenance(soteria): add protected UI, OIDC bootstrap, and backup health panel wiring 2026-04-12 11:16:29 -03:00			`periodSeconds: 5`
			`timeoutSeconds: 2`
			`resources:`
			`requests:`
			`cpu: 50m`
			`memory: 64Mi`
			`limits:`
			`cpu: 200m`
			`memory: 256Mi`
			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop: ["ALL"]`
			`runAsNonRoot: true`
			`runAsUser: 65532`