
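# services/veles/backend-deployment.yaml
#
# veles backend Deployment. Database, OIDC and application secrets are not
# stored in this manifest: the Vault Agent injector renders them into
# /vault/secrets/veles-env.sh (annotations below), which the container
# sources before exec'ing the backend binary.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: veles-backend
  namespace: veles
  labels:
    app: veles-backend
spec:
  # NOTE(review): replicas is pinned to 0 here — presumably scaled up by an
  # overlay or controller elsewhere; confirm this is intentional.
  replicas: 0
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: veles-backend
  template:
    metadata:
      labels:
        app: veles-backend
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Init container only, no sidecar: secrets are rendered once at pod
        # start, so a rotated secret is only picked up after a pod restart.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "veles"
        vault.hashicorp.com/agent-inject-secret-veles-env.sh: "kv/data/atlas/veles/veles-db"
        # Rendered as /vault/secrets/veles-env.sh and sourced by the container
        # command. Each value is single-quoted so that $, backticks, " and \
        # inside a secret are passed through verbatim instead of being
        # interpreted by sh; a value containing a literal ' would still break
        # the line and needs escaping at the source.
        vault.hashicorp.com/agent-inject-template-veles-env.sh: |
          {{- with secret "kv/data/atlas/veles/veles-db" }}
          export DATABASE_URL='{{ .Data.data.DATABASE_URL }}'
          export VELES_DATABASE_USER='{{ .Data.data.POSTGRES_USER }}'
          export VELES_DATABASE_PASSWORD='{{ .Data.data.POSTGRES_PASSWORD }}'
          {{- end }}
          {{- with secret "kv/data/atlas/veles/veles-oidc" }}
          export VELES_OIDC_CLIENT_SECRET='{{ .Data.data.client_secret }}'
          {{- end }}
          {{- with secret "kv/data/atlas/veles/app-secrets" }}
          export VELES_SESSION_SECRET='{{ .Data.data.VELES_SESSION_SECRET }}'
          export VELES_BYOK_ENCRYPTION_KEY='{{ .Data.data.VELES_BYOK_ENCRYPTION_KEY }}'
          {{- end }}
    spec:
      # Presumably also the identity the Vault agent authenticates with for
      # role "veles" above, so its token needs to stay mounted — verify.
      serviceAccountName: veles-backend
      priorityClassName: veles-core
      nodeSelector:
        veles.bstein.dev/node-pool: oceanus
      tolerations:
        - key: veles.bstein.dev/simulation
          operator: Equal
          value: "true"
          effect: NoSchedule
      securityContext:
        # Same gid as the container's runAsGroup, so files on the artifacts
        # PVC are owned by the group the backend runs as.
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: backend
          image: registry.bstein.dev/veles/veles-backend:0.1.0-0 # {"$imagepolicy": "veles:veles-backend"}
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          # Sources the Vault-rendered env file if present, then replaces the
          # shell with the backend so it is PID 1 and receives signals directly.
          # NOTE(review): if the file is absent the backend still starts without
          # DATABASE_URL and the other secrets; consider failing here instead
          # if running without the injector is never expected.
          args:
            - |
              if [ -f /vault/secrets/veles-env.sh ]; then
                . /vault/secrets/veles-env.sh
              fi
              exec /app/veles-backend
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          # NOTE(review): no readiness/liveness probe is defined; add one once
          # the backend's health endpoint is known.
          envFrom:
            - configMapRef:
                name: veles-app-config
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "2"
              memory: 4Gi
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # NOTE(review): readOnlyRootFilesystem is not set; enable it if the
            # binary only writes under /data/veles-artifacts (plus an emptyDir
            # for /tmp if it needs one).
          volumeMounts:
            - name: artifacts
              mountPath: /data/veles-artifacts
      volumes:
        - name: artifacts
          persistentVolumeClaim:
            claimName: veles-artifacts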