added monerod

services/monero/monerod/cm-release-keys.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: monero-release-keys
+  namespace: monero
+data:
+  binaryfate.asc: |
+    81AC 591F E9C4 B65C 5806  AFC3  F0AF 4D46 2A0B DF92

services/monero/monerod/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: monerod
+  namespace: monero
+  labels: { app: monerod }
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector: { matchLabels: { app: monerod } }
+  template:
+    metadata:
+      labels: { app: monerod }
+    spec:
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+      initContainers:
+      - name: fetch-monero-cli
+        image: debian:bookworm-slim
+        command: ["/bin/sh","-lc"]
+        args:
+          - |
+            set -euo pipefail
+            apt-get update
+            apt-get install -y --no-install-recommends ca-certificates curl gnupg tar bzip2
+            mkdir -p /opt/monero/bin /tmp/gnupg
+            gpg --homedir /tmp/gnupg --import /keys/binaryfate.asc
+            curl -fL https://downloads.getmonero.org/cli/linux64 -o /tmp/monero-cli.tar.bz2
+            curl -fL https://downloads.getmonero.org/cli/linux64.sig -o /tmp/monero-cli.tar.bz2.asc
+            gpg --homedir /tmp/gnupg --verify /tmp/monero-cli.tar.bz2.asc /tmp/monero-cli.tar.bz2
+            tar -xjf /tmp/monero-cli.tar.bz2 -C /opt/monero
+            MONEROD=$(find /opt/monero -type f -name monerod | head -n1)
+            install -m 0755 "$MONEROD" /opt/monero/bin/monerod
+        volumeMounts:
+        - { name: monero-bin, mountPath: /opt/monero }
+        - { name: release-keys, mountPath: /keys, readOnly: true }
+
+      containers:
+      - name: monerod
+        image: debian:bookworm-slim
+        command: ["/bin/sh","-lc"]
+        args:
+          - |
+            exec /opt/monero/bin/monerod \
+              --data-dir /chain \
+              --prune-blockchain \
+              --rpc-bind-ip 0.0.0.0 --rpc-bind-port 18081 \
+              --confirm-external-bind \
+              --non-interactive \
+              --max-concurrency 2
+        ports:
+        - { containerPort: 18081, name: rpc }
+        volumeMounts:
+        - { name: chain, mountPath: /chain }
+        - { name: monero-bin, mountPath: /opt/monero/bin }
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+          capabilities: { drop: ["ALL"] }
+        readinessProbe:
+          httpGet: { path: /get_info, port: 18081 }
+          initialDelaySeconds: 20
+          periodSeconds: 10
+        livenessProbe:
+          httpGet: { path: /get_info, port: 18081 }
+          initialDelaySeconds: 60
+          periodSeconds: 20
+      volumes:
+      - name: chain
+        persistentVolumeClaim: { claimName: monerod-chain }
+      - name: monero-bin
+        emptyDir: {}
+      - name: release-keys
+        configMap: { name: monero-release-keys }

services/monero/monerod/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - pvc.yaml
+  - cm-release-keys.yaml
+  - deploy.yaml
+  - svc.yaml

services/monero/monerod/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: monerod-chain
+  namespace: monero
+spec:
+  accessModes: ["ReadWriteOnce"]
+  storageClassName: astreae
+  resources:
+    requests:
+      storage: 120Gi

services/monero/monerod/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: monerod
+  namespace: monero
+  labels: { app: monerod }
+spec:
+  type: ClusterIP
+  selector: { app: monerod }
+  ports:
+  - { name: rpc, port: 18081, targetPort: 18081 }