pegasus: pin image digest + command + probes + tls

services/pegasus/deployment.yaml

@@ -6,13 +6,20 @@ metadata:
   namespace: jellyfin
 spec:
   replicas: 1
+  revisionHistoryLimit: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
   selector: { matchLabels: { app: pegasus } }
   template:
     metadata: { labels: { app: pegasus } }
     spec:
       nodeSelector:
-        kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
+      imagePullSecrets:
+        - name: zot-regcred
       securityContext:
         runAsNonRoot: true
         runAsUser: 10001
@@ -21,24 +28,42 @@ spec:
         fsGroupChangePolicy: "OnRootMismatch"
       containers:
       - name: pegasus
-        image: registry.bstein.dev/pegasus:1.1.0
-        imagePullPolicy: IfNotPresent
+        image: registry.bstein.dev/pegasus@sha256:fb3ae0577c0d48ebee857123467186526d2ba0fbb982b8f2fdf94b09b62b5ce9
+        imagePullPolicy: Always
+        command: ["/pegasus"]
         env:
-        - name: PEGASUS_MEDIA_ROOT
-          valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
-        - name: PEGASUS_BIND
-          valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
-        - name: PEGASUS_USER_MAP_FILE
-          value: "/config/user-map.yaml"
-        - name: PEGASUS_SESSION_KEY
-          valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
-        - name: JELLYFIN_URL
-          valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
-        - name: PEGASUS_DEBUG
-          value: "1"
-        - name: PEGASUS_DRY_RUN
-          value: "1"
+          - name: PEGASUS_MEDIA_ROOT
+            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
+          - name: PEGASUS_BIND
+            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
+          - name: PEGASUS_USER_MAP_FILE
+            value: "/config/user-map.yaml"
+          - name: PEGASUS_SESSION_KEY
+            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
+          - name: JELLYFIN_URL
+            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
+          - name: PEGASUS_DEBUG
+            value: "1"
+          - name: PEGASUS_DRY_RUN
+            value: "1"
         ports: [{ name: http, containerPort: 8080 }]
+        readinessProbe:
+          httpGet: { path: /metrics, port: http }
+          initialDelaySeconds: 2
+          periodSeconds: 5
+          timeoutSeconds: 1
+        livenessProbe:
+          httpGet: { path: /metrics, port: http }
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 2
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities: { drop: ["ALL"] }
+        resources:
+          requests: { cpu: 100m, memory: 256Mi }
+          limits:   { cpu: 1000m, memory: 1Gi }
         volumeMounts:
           - name: media
             mountPath: /media
@@ -47,15 +72,6 @@ spec:
             readOnly: true
           - name: tmp
             mountPath: /tmp
-        readinessProbe: { httpGet: { path: "/", port: http } }
-        livenessProbe:  { httpGet: { path: "/metrics", port: http } }
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities: { drop: ["ALL"] }
-        resources:
-          requests: { cpu: 100m, memory: 256Mi }
-          limits:   { cpu: 1000m, memory: 1Gi }
       volumes:
         - name: media
           persistentVolumeClaim:
@@ -64,4 +80,3 @@ spec:
           configMap: { name: pegasus-user-map }
         - name: tmp
           emptyDir: {}
-      imagePullSecrects: [{"name":"zot-regcred"}]