titan-iac/services/finance/firefly-deployment.yaml

# services/finance/firefly-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firefly
  namespace: finance
  labels:
    app: firefly
spec:
  replicas: 1
  selector:
    matchLabels:
      app: firefly
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: firefly
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "finance"
        vault.hashicorp.com/agent-inject-secret-firefly-env.sh: "kv/data/atlas/finance/firefly-db"
        vault.hashicorp.com/agent-inject-template-firefly-env.sh: |
          {{ with secret "kv/data/atlas/finance/firefly-db" }}
          export DB_CONNECTION="pgsql"
          export DB_HOST="{{ .Data.data.DB_HOST }}"
          export DB_PORT="{{ .Data.data.DB_PORT }}"
          export DB_DATABASE="{{ .Data.data.DB_DATABASE }}"
          export DB_USERNAME="{{ .Data.data.DB_USERNAME }}"
          export DB_PASSWORD="$(cat /vault/secrets/firefly-db-password)"
          {{ end }}
          {{ with secret "kv/data/atlas/finance/firefly-secrets" }}
          export APP_KEY="$(cat /vault/secrets/firefly-app-key)"
          export STATIC_CRON_TOKEN="$(cat /vault/secrets/firefly-cron-token)"
          {{ end }}
          {{ with secret "kv/data/atlas/shared/postmark-relay" }}
          export MAIL_USERNAME="{{ index .Data.data "relay-username" }}"
          export MAIL_PASSWORD="{{ index .Data.data "relay-password" }}"
          {{ end }}
        vault.hashicorp.com/agent-inject-secret-firefly-db-password: "kv/data/atlas/finance/firefly-db"
        vault.hashicorp.com/agent-inject-template-firefly-db-password: |
          {{- with secret "kv/data/atlas/finance/firefly-db" -}}
          {{ .Data.data.DB_PASSWORD }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-firefly-app-key: "kv/data/atlas/finance/firefly-secrets"
        vault.hashicorp.com/agent-inject-template-firefly-app-key: |
          {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
          {{ .Data.data.APP_KEY }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-firefly-cron-token: "kv/data/atlas/finance/firefly-secrets"
        vault.hashicorp.com/agent-inject-template-firefly-cron-token: |
          {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
          {{ .Data.data.STATIC_CRON_TOKEN }}
          {{- end -}}
        firefly.bstein.dev/restart-rev: "2"
    spec:
      serviceAccountName: finance-vault
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      securityContext:
        fsGroup: 33
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
        - name: init-storage-permissions
          image: docker.io/alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              mkdir -p /var/www/html/storage
              chown -R 33:33 /var/www/html/storage
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: firefly-storage
              mountPath: /var/www/html/storage
      containers:
        - name: firefly
          image: fireflyiii/core:version-6.4.15
          command: ["/bin/sh", "-c"]
          args: [". /vault/secrets/firefly-env.sh && exec /init"]
          env:
            - name: APP_ENV
              value: production
            - name: APP_DEBUG
              value: "false"
            - name: APP_URL
              value: https://money.bstein.dev
            - name: SITE_OWNER
              value: brad@bstein.dev
            - name: TZ
              value: Etc/UTC
            - name: TRUSTED_PROXIES
              value: "**"
            - name: AUTHENTICATION_GUARD
              value: web
            - name: MAIL_MAILER
              value: smtp
            - name: MAIL_HOST
              value: mail.bstein.dev
            - name: MAIL_PORT
              value: "587"
            - name: MAIL_ENCRYPTION
              value: tls
            - name: MAIL_FROM_ADDRESS
              value: no-reply-firefly@bstein.dev
            - name: MAIL_FROM_NAME
              value: Firefly III
            - name: CACHE_DRIVER
              value: file
            - name: SESSION_DRIVER
              value: file
          ports:
            - name: http
              containerPort: 8080
          volumeMounts:
            - name: firefly-storage
              mountPath: /var/www/html/storage
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 6
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
            limits:
              cpu: "1"
              memory: 1Gi
      volumes:
        - name: firefly-storage
          persistentVolumeClaim:
            claimName: firefly-storage