pegasus: pin image digest + command + probes + tls

2025-09-15 13:00:39 -05:00 · 2025-09-15 13:00:39 -05:00 · 65de7602c9
commit 65de7602c9
parent 9b77a89b0d
1 changed files with 42 additions and 27 deletions
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@ -6,13 +6,20 @@ metadata:
  namespace: jellyfin
 spec:
  replicas: 1
+  revisionHistoryLimit: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
  selector: { matchLabels: { app: pegasus } }
  template:
    metadata: { labels: { app: pegasus } }
    spec:
      nodeSelector:
-        kubernetes.io/hostname: titan-22
        kubernetes.io/arch: amd64
+      imagePullSecrets:
+        - name: zot-regcred
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
@ -21,8 +28,9 @@ spec:
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
      - name: pegasus
-        image: registry.bstein.dev/pegasus:1.1.0
-        imagePullPolicy: IfNotPresent
+        image: registry.bstein.dev/pegasus@sha256:fb3ae0577c0d48ebee857123467186526d2ba0fbb982b8f2fdf94b09b62b5ce9
+        imagePullPolicy: Always
+        command: ["/pegasus"]
        env:
          - name: PEGASUS_MEDIA_ROOT
            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
@ -39,6 +47,23 @@ spec:
          - name: PEGASUS_DRY_RUN
            value: "1"
        ports: [{ name: http, containerPort: 8080 }]
+        readinessProbe:
+          httpGet: { path: /metrics, port: http }
+          initialDelaySeconds: 2
+          periodSeconds: 5
+          timeoutSeconds: 1
+        livenessProbe:
+          httpGet: { path: /metrics, port: http }
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 2
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities: { drop: ["ALL"] }
+        resources:
+          requests: { cpu: 100m, memory: 256Mi }
+          limits:   { cpu: 1000m, memory: 1Gi }
        volumeMounts:
          - name: media
            mountPath: /media
@ -47,15 +72,6 @@ spec:
            readOnly: true
          - name: tmp
            mountPath: /tmp
-        readinessProbe: { httpGet: { path: "/", port: http } }
-        livenessProbe:  { httpGet: { path: "/metrics", port: http } }
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities: { drop: ["ALL"] }
-        resources:
-          requests: { cpu: 100m, memory: 256Mi }
-          limits:   { cpu: 1000m, memory: 1Gi }
      volumes:
        - name: media
          persistentVolumeClaim:
@ -64,4 +80,3 @@ spec:
          configMap: { name: pegasus-user-map }
        - name: tmp
          emptyDir: {}
-      imagePullSecrects: [{"name":"zot-regcred"}]