From 65de7602c92de00cf95a19024d14fd56de18545f Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Mon, 15 Sep 2025 13:00:39 -0500
Subject: [PATCH] pegasus: pin image digest + command + probes + tls

---
 services/pegasus/deployment.yaml | 69 +++++++++++++++++++-------------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/services/pegasus/deployment.yaml b/services/pegasus/deployment.yaml
index 887fcf1..1a4b7eb 100644
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@@ -6,13 +6,20 @@ metadata:
   namespace: jellyfin
 spec:
   replicas: 1
+  revisionHistoryLimit: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
   selector: { matchLabels: { app: pegasus } }
   template:
     metadata: { labels: { app: pegasus } }
     spec:
       nodeSelector:
-        kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
+      imagePullSecrets:
+        - name: zot-regcred
       securityContext:
         runAsNonRoot: true
         runAsUser: 10001
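Review bot: With `replicas: 1`, the new `maxSurge: 0` / `maxUnavailable: 1` pair means every rollout terminates the only pod before its replacement is scheduled, so each image change is a short outage. If that is deliberate (for example because the media PVC declared later in the file can only be attached by one pod at a time), a comment on the strategy block such as `# maxSurge 0: old pod must release its volumes before the new one starts — TODO confirm` would keep the next reader from "fixing" it. Dropping the `kubernetes.io/hostname` pin is fine only if that PVC can follow the pod to any amd64 node; that cannot be seen from this hunk. The pod-level securityContext still lacks a seccomp profile; `seccompProfile: { type: RuntimeDefault }` next to `runAsNonRoot` would complete the hardening the container-level block starts. Nothing in this single-file diff corresponds to the `tls` in the subject line.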
@@ -21,24 +28,42 @@ spec:
       fsGroupChangePolicy: "OnRootMismatch"
       containers:
         - name: pegasus
-          image: registry.bstein.dev/pegasus:1.1.0
-          imagePullPolicy: IfNotPresent
+          image: registry.bstein.dev/pegasus@sha256:fb3ae0577c0d48ebee857123467186526d2ba0fbb982b8f2fdf94b09b62b5ce9
+          imagePullPolicy: Always
+          command: ["/pegasus"]
           env:
-          - name: PEGASUS_MEDIA_ROOT
-            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
-          - name: PEGASUS_BIND
-            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
-          - name: PEGASUS_USER_MAP_FILE
-            value: "/config/user-map.yaml"
-          - name: PEGASUS_SESSION_KEY
-            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
-          - name: JELLYFIN_URL
-            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
-          - name: PEGASUS_DEBUG
-            value: "1"
-          - name: PEGASUS_DRY_RUN
-            value: "1"
+            - name: PEGASUS_MEDIA_ROOT
+              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
+            - name: PEGASUS_BIND
+              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
+            - name: PEGASUS_USER_MAP_FILE
+              value: "/config/user-map.yaml"
+            - name: PEGASUS_SESSION_KEY
+              valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
+            - name: JELLYFIN_URL
+              valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
+            - name: PEGASUS_DEBUG
+              value: "1"
+            - name: PEGASUS_DRY_RUN
+              value: "1"
           ports: [{ name: http, containerPort: 8080 }]
+          readinessProbe:
+            httpGet: { path: /metrics, port: http }
+            initialDelaySeconds: 2
+            periodSeconds: 5
+            timeoutSeconds: 1
+          livenessProbe:
+            httpGet: { path: /metrics, port: http }
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities: { drop: ["ALL"] }
+          resources:
+            requests: { cpu: 100m, memory: 256Mi }
+            limits: { cpu: 1000m, memory: 1Gi }
           volumeMounts:
             - name: media
               mountPath: /media
@@ -47,15 +72,6 @@ spec:
               readOnly: true
             - name: tmp
               mountPath: /tmp
-          readinessProbe: { httpGet: { path: "/", port: http } }
-          livenessProbe: { httpGet: { path: "/metrics", port: http } }
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities: { drop: ["ALL"] }
-          resources:
-            requests: { cpu: 100m, memory: 256Mi }
-            limits: { cpu: 1000m, memory: 1Gi }
       volumes:
         - name: media
           persistentVolumeClaim:
@@ -64,4 +80,3 @@ spec:
           configMap: { name: pegasus-user-map }
         - name: tmp
           emptyDir: {}
-      imagePullSecrects: [{"name":"zot-regcred"}]
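Review bot: Both new probes target `/metrics`, so readiness adds no signal over liveness: the pod is marked Ready as soon as the metrics handler answers, which says little about whether the service can actually serve or reach Jellyfin (the removed readiness probe checked `/`). If pegasus exposes a dedicated health endpoint, readiness should point at it; if `/metrics` is the only safe unauthenticated path, a comment on the probe saying so would explain the choice, e.g. `# /metrics is the only endpoint that needs no session — TODO confirm`. The readiness `timeoutSeconds: 1` is also tight for a cold container on a 100m CPU request and is likely to flap under load. `PEGASUS_DEBUG: "1"` and `PEGASUS_DRY_RUN: "1"` are carried onto the new side unchanged — worth confirming both are meant to stay on now that the image is pinned for deployment. Since the digest is content-addressed, `imagePullPolicy: Always` only adds a registry round-trip on every restart, and the line loses its human-readable version; `# source tag: <TAG> — keep in step with the digest below` above the image line would preserve that.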