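# services/maintenance/metis-deployment.yaml
#
# Deployment for the "metis" maintenance service. The pod runs privileged as
# root with the node's /dev, /sys and /run/udev mounted, so scheduling is
# pinned to a small set of arm64 nodes (see nodeAffinity) and the workload
# should be treated as node-root-equivalent when reviewing access to it.
# Runtime credentials are rendered by the Vault agent injector into
# /vault/secrets/*.sh and sourced by the container entrypoint.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metis
  namespace: maintenance
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metis
  template:
    metadata:
      labels:
        app: metis
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        # Pod-template annotation; presumably bumped to force a rollout when
        # the referenced ConfigMaps change (confirm with the release process).
        metis.bstein.dev/config-rev: "2026-04-24-01"
        # Vault agent injector: pre-populate-only renders the templates below
        # once in an init container and runs no sidecar, so a secret rotated in
        # Vault only reaches the pod after a restart.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "maintenance"
        # Rendered to /vault/secrets/metis-runtime-env.sh (k3s API token).
        vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime"
        vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/metis-runtime" }}
          export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}"
          {{ end }}
        # Rendered to /vault/secrets/metis-harbor-env.sh. Note this hands the
        # pod the Harbor *admin* password rather than a scoped robot account.
        vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core"
        vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: |
          {{ with secret "kv/data/atlas/harbor/harbor-core" }}
          export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}"
          {{ end }}
        # Rendered to /vault/secrets/metis-ssh-env.sh. Values are public keys;
        # the `or` fallbacks keep older key names working and yield "" when
        # neither is present, so the consumer must tolerate an empty variable.
        vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
        vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
          export METIS_SSH_KEY_BASTION="{{ or .Data.data.bastion_pub .Data.data.brad_pub "" }}"
          export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
          export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub "" }}"
          export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub "" }}"
          {{ end }}
    spec:
      serviceAccountName: metis
      terminationGracePeriodSeconds: 30
      affinity:
        nodeAffinity:
          # Hard requirement: arm64 nodes carrying the accelerator=nvidia label.
          # Together with the hostPath mounts below this bounds which hosts
          # the privileged pod can land on.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - arm64
                  - key: accelerator
                    operator: In
                    values:
                      - nvidia
          # Soft preference: titan-20 first, then titan-21.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - titan-20
            - weight: 80
              preference:
                matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - titan-21
      containers:
        - name: metis
          # TODO(review): ":latest" with imagePullPolicy Always means every
          # restart pulls whatever the tag points at; for a privileged pod pin
          # an immutable digest (image@sha256:<digest>) and bump it on release.
          image: registry.bstein.dev/bstein/metis:latest
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          # Folded scalar: rendered as a single shell line. Sources the three
          # Vault-rendered env files, then exec's the service so it is PID 1.
          args:
            - >-
              . /vault/secrets/metis-runtime-env.sh &&
              . /vault/secrets/metis-harbor-env.sh &&
              . /vault/secrets/metis-ssh-env.sh &&
              exec metis serve
          envFrom:
            - configMapRef:
                name: metis
          ports:
            - name: http
              containerPort: 8080
          # Liveness and readiness share /healthz; liveness is deliberately
          # slower so a briefly unready pod is not also restarted.
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 2
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 2
          volumeMounts:
            - name: metis-inventory
              mountPath: /etc/metis
              readOnly: true
            - name: metis-data
              mountPath: /var/lib/metis
            # Host device tree is mounted read-write; /sys and /run/udev
            # read-only. Only /dev needs write access from what is visible here.
            - name: host-dev
              mountPath: /dev
            - name: host-sys
              mountPath: /sys
              readOnly: true
            - name: host-udev
              mountPath: /run/udev
              readOnly: true
          resources:
            requests:
              cpu: 150m
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 1Gi
          # privileged + root + hostPath /dev is equivalent to root on the
          # node: anyone who can exec into or modify this pod controls the
          # host. Keep RBAC on the maintenance namespace correspondingly tight.
          securityContext:
            privileged: true
            runAsUser: 0
      volumes:
        - name: metis-inventory
          configMap:
            name: metis-inventory
            # 292 == 0o444 (world-readable, read-only). Written in decimal
            # because a leading-zero literal is octal under YAML 1.1 parsers
            # but decimal 444 under YAML 1.2 ones.
            defaultMode: 292
        - name: metis-data
          persistentVolumeClaim:
            claimName: metis-data
        # hostPath volumes have no `type`, so no existence/kind check is done
        # at mount time; consider `type: Directory` if a missing path on a
        # node should fail the pod rather than mount an empty directory.
        - name: host-dev
          hostPath:
            path: /dev
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-udev
          hostPath:
            path: /run/udev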