titan-iac/services/monero/monerod/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: monerod
  namespace: monero
  labels: { app: monerod }
spec:
  replicas: 1
  strategy: { type: Recreate }
  selector: { matchLabels: { app: monerod } }
  template:
    metadata:
      labels: { app: monerod }
    spec:
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
      - name: fetch-monero-cli
        image: debian:bookworm-slim
        command: ["/bin/sh","-lc"]
        args:
          - |
            set -euo pipefail
            apt-get update
            apt-get install -y --no-install-recommends ca-certificates curl gnupg tar bzip2
            mkdir -p /opt/monero/bin /tmp/gnupg
            gpg --homedir /tmp/gnupg --import /keys/binaryfate.asc
            curl -fL https://downloads.getmonero.org/cli/linux64 -o /tmp/monero-cli.tar.bz2
            curl -fL https://downloads.getmonero.org/cli/linux64.sig -o /tmp/monero-cli.tar.bz2.asc
            gpg --homedir /tmp/gnupg --verify /tmp/monero-cli.tar.bz2.asc /tmp/monero-cli.tar.bz2
            tar -xjf /tmp/monero-cli.tar.bz2 -C /opt/monero
            MONEROD=$(find /opt/monero -type f -name monerod | head -n1)
            install -m 0755 "$MONEROD" /opt/monero/bin/monerod
        volumeMounts:
        - { name: monero-bin, mountPath: /opt/monero }
        - { name: release-keys, mountPath: /keys, readOnly: true }

      containers:
      - name: monerod
        image: debian:bookworm-slim
        command: ["/bin/sh","-lc"]
        args:
          - |
            exec /opt/monero/bin/monerod \
              --data-dir /chain \
              --prune-blockchain \
              --rpc-bind-ip 0.0.0.0 --rpc-bind-port 18081 \
              --confirm-external-bind \
              --non-interactive \
              --max-concurrency 2
        ports:
        - { containerPort: 18081, name: rpc }
        volumeMounts:
        - { name: chain, mountPath: /chain }
        - { name: monero-bin, mountPath: /opt/monero/bin }
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          capabilities: { drop: ["ALL"] }
        readinessProbe:
          httpGet: { path: /get_info, port: 18081 }
          initialDelaySeconds: 20
          periodSeconds: 10
        livenessProbe:
          httpGet: { path: /get_info, port: 18081 }
          initialDelaySeconds: 60
          periodSeconds: 20
      volumes:
      - name: chain
        persistentVolumeClaim: { claimName: monerod-chain }
      - name: monero-bin
        emptyDir: {}
      - name: release-keys
        configMap: { name: monero-release-keys }
added monerod 2025-08-10 20:41:01 -05:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: monerod`
			`namespace: monero`
			`labels: { app: monerod }`
			`spec:`
			`replicas: 1`
			`strategy: { type: Recreate }`
			`selector: { matchLabels: { app: monerod } }`
			`template:`
			`metadata:`
			`labels: { app: monerod }`
			`spec:`
			`securityContext:`
			`fsGroup: 1000`
			`fsGroupChangePolicy: OnRootMismatch`
			`initContainers:`
			`- name: fetch-monero-cli`
			`image: debian:bookworm-slim`
			`command: ["/bin/sh","-lc"]`
			`args:`
			`- \|`
			`set -euo pipefail`
			`apt-get update`
			`apt-get install -y --no-install-recommends ca-certificates curl gnupg tar bzip2`
			`mkdir -p /opt/monero/bin /tmp/gnupg`
			`gpg --homedir /tmp/gnupg --import /keys/binaryfate.asc`
			`curl -fL https://downloads.getmonero.org/cli/linux64 -o /tmp/monero-cli.tar.bz2`
			`curl -fL https://downloads.getmonero.org/cli/linux64.sig -o /tmp/monero-cli.tar.bz2.asc`
			`gpg --homedir /tmp/gnupg --verify /tmp/monero-cli.tar.bz2.asc /tmp/monero-cli.tar.bz2`
			`tar -xjf /tmp/monero-cli.tar.bz2 -C /opt/monero`
			`MONEROD=$(find /opt/monero -type f -name monerod \| head -n1)`
			`install -m 0755 "$MONEROD" /opt/monero/bin/monerod`
			`volumeMounts:`
			`- { name: monero-bin, mountPath: /opt/monero }`
			`- { name: release-keys, mountPath: /keys, readOnly: true }`

			`containers:`
			`- name: monerod`
			`image: debian:bookworm-slim`
			`command: ["/bin/sh","-lc"]`
			`args:`
			`- \|`
			`exec /opt/monero/bin/monerod \`
			`--data-dir /chain \`
			`--prune-blockchain \`
			`--rpc-bind-ip 0.0.0.0 --rpc-bind-port 18081 \`
			`--confirm-external-bind \`
			`--non-interactive \`
			`--max-concurrency 2`
			`ports:`
			`- { containerPort: 18081, name: rpc }`
			`volumeMounts:`
			`- { name: chain, mountPath: /chain }`
			`- { name: monero-bin, mountPath: /opt/monero/bin }`
			`securityContext:`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`runAsNonRoot: true`
			`runAsUser: 1000`
			`capabilities: { drop: ["ALL"] }`
			`readinessProbe:`
			`httpGet: { path: /get_info, port: 18081 }`
			`initialDelaySeconds: 20`
			`periodSeconds: 10`
			`livenessProbe:`
			`httpGet: { path: /get_info, port: 18081 }`
			`initialDelaySeconds: 60`
			`periodSeconds: 20`
			`volumes:`
			`- name: chain`
			`persistentVolumeClaim: { claimName: monerod-chain }`
			`- name: monero-bin`
			`emptyDir: {}`
			`- name: release-keys`
			`configMap: { name: monero-release-keys }`