bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pegasus: pin image digest + command + probes + tls

Browse Source
This commit is contained in:
Brad Stein 2025-09-15 13:00:39 -05:00
parent 9b77a89b0d
commit 65de7602c9
1 changed files with 42 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
services/pegasus/deployment.yaml
View File

@ -6,13 +6,20 @@ metadata:
namespace: jellyfin namespace: jellyfin
spec: spec:
replicas: 1 replicas: 1
revisionHistoryLimit: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
selector: { matchLabels: { app: pegasus } } selector: { matchLabels: { app: pegasus } }
template: template:
metadata: { labels: { app: pegasus } } metadata: { labels: { app: pegasus } }
spec: spec:
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-22
kubernetes.io/arch: amd64 kubernetes.io/arch: amd64
imagePullSecrets:
- name: zot-regcred
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsUser: 10001 runAsUser: 10001
@ -21,24 +28,42 @@ spec:
fsGroupChangePolicy: "OnRootMismatch" fsGroupChangePolicy: "OnRootMismatch"
containers: containers:
- name: pegasus - name: pegasus
image: registry.bstein.dev/pegasus:1.1.0 image: registry.bstein.dev/pegasus@sha256:fb3ae0577c0d48ebee857123467186526d2ba0fbb982b8f2fdf94b09b62b5ce9
imagePullPolicy: IfNotPresent imagePullPolicy: Always
command: ["/pegasus"]
env: env:
- name: PEGASUS_MEDIA_ROOT - name: PEGASUS_MEDIA_ROOT
valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } } valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
- name: PEGASUS_BIND - name: PEGASUS_BIND
valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } } valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
- name: PEGASUS_USER_MAP_FILE - name: PEGASUS_USER_MAP_FILE
value: "/config/user-map.yaml" value: "/config/user-map.yaml"
- name: PEGASUS_SESSION_KEY - name: PEGASUS_SESSION_KEY
valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } } valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
- name: JELLYFIN_URL - name: JELLYFIN_URL
valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } } valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
- name: PEGASUS_DEBUG - name: PEGASUS_DEBUG
value: "1" value: "1"
- name: PEGASUS_DRY_RUN - name: PEGASUS_DRY_RUN
value: "1" value: "1"
ports: [{ name: http, containerPort: 8080 }] ports: [{ name: http, containerPort: 8080 }]
readinessProbe:
httpGet: { path: /metrics, port: http }
initialDelaySeconds: 2
periodSeconds: 5
timeoutSeconds: 1
livenessProbe:
httpGet: { path: /metrics, port: http }
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 1000m, memory: 1Gi }
volumeMounts: volumeMounts:
- name: media - name: media
mountPath: /media mountPath: /media
@ -47,15 +72,6 @@ spec:
readOnly: true readOnly: true
- name: tmp - name: tmp
mountPath: /tmp mountPath: /tmp
readinessProbe: { httpGet: { path: "/", port: http } }
livenessProbe: { httpGet: { path: "/metrics", port: http } }
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 1000m, memory: 1Gi }
volumes: volumes:
- name: media - name: media
persistentVolumeClaim: persistentVolumeClaim:
@ -64,4 +80,3 @@ spec:
configMap: { name: pegasus-user-map } configMap: { name: pegasus-user-map }
- name: tmp - name: tmp
emptyDir: {} emptyDir: {}
imagePullSecrects: [{"name":"zot-regcred"}]