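---
# Deployment running a single pruned monerod node.
# An init container downloads the pinned Monero CLI release onto the data
# volume, verifies it, and unpacks it; the main container then runs
# /data/monerod as an unprivileged user with a read-only root filesystem.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: monerod
  namespace: monero
  labels:
    app: monerod
spec:
  replicas: 1
  # Recreate: the old pod must release the chain volume before a new one starts.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: monerod
  template:
    metadata:
      labels:
        app: monerod
    spec:
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Runs with the image's default user because apt-get is used here.
        # NOTE(review): debian:bookworm-slim is a mutable tag; pin it by digest,
        # or ship a prebuilt image that already contains the verified binaries.
        - name: fetch-monero-cli
          image: debian:bookworm-slim
          # bash, not /bin/sh: Debian's /bin/sh is dash, and the script relies
          # on `set -o pipefail`.
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euxo pipefail
              apt-get update
              apt-get install -y --no-install-recommends ca-certificates curl bzip2
              update-ca-certificates

              VER="v0.18.4.1"

              # Expected SHA-256 per artifact. Take the values from the
              # GPG-signed hashes file published by the Monero project and
              # verify that signature out of band. Until the placeholders are
              # replaced the checksum step below fails and the pod does not
              # start, so an unverified binary is never executed.
              ARCH="$(uname -m)"
              case "$ARCH" in
                x86_64)
                  F="monero-linux-x64"
                  SHA256="REPLACE_WITH_SHA256_OF_monero-linux-x64-v0.18.4.1.tar.bz2"
                  ;;
                aarch64|arm64)
                  F="monero-linux-armv8"
                  SHA256="REPLACE_WITH_SHA256_OF_monero-linux-armv8-v0.18.4.1.tar.bz2"
                  ;;
                armv7l)
                  F="monero-linux-armv7"
                  SHA256="REPLACE_WITH_SHA256_OF_monero-linux-armv7-v0.18.4.1.tar.bz2"
                  ;;
                *)
                  echo "Unsupported arch: $ARCH" >&2
                  exit 1
                  ;;
              esac

              # Prefer GitHub release URL (stable + explicit version):
              URL="https://github.com/monero-project/monero/releases/download/${VER}/${F}-${VER}.tar.bz2"
              echo "Downloading $URL"
              cd /data
              # HTTPS only, including across the release-asset redirect.
              curl -fL --proto '=https' --proto-redir '=https' "$URL" -o monero.tar.bz2

              # TLS only authenticates the host; the checksum authenticates
              # the artifact. Verify before anything is unpacked.
              echo "${SHA256}  monero.tar.bz2" | sha256sum -c -

              # --no-same-owner: do not apply the uid/gid recorded in the archive.
              tar -xjf monero.tar.bz2 --strip-components=1 --no-same-owner
              rm -f monero.tar.bz2
          volumeMounts:
            - name: data
              mountPath: /data
      containers:
        - name: monerod
          image: debian:bookworm-slim
          # Exec form: no shell in between, so each flag reaches monerod as
          # exactly one argument.
          command: ["/data/monerod"]
          args:
            - "--data-dir=/data"
            - "--non-interactive"
            - "--prune-blockchain"
            - "--rpc-bind-ip=0.0.0.0"
            - "--rpc-bind-port=18081"
            # monerod refuses a non-loopback --rpc-bind-ip without this flag.
            - "--confirm-external-bind"
            # The RPC listens on the pod IP without authentication, so expose
            # only the restricted call set; /get_info, used by the probes, is
            # part of it. Keep 18081 reachable only from intended clients
            # (NetworkPolicy, ClusterIP-only Service).
            - "--restricted-rpc"
            - "--p2p-bind-ip=0.0.0.0"
            - "--p2p-bind-port=18080"
          ports:
            - name: rpc
              containerPort: 18081
            - name: p2p
              containerPort: 18080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 90
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 180
            periodSeconds: 20
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: data
              mountPath: /data
            # Writable scratch space, since the root filesystem is read-only.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: monerod-chain
        - name: tmp
          emptyDir: {}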