titan-iac/services/typhon/deployment.yaml


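# services/typhon/deployment.yaml
#
# Deployment for typhon in the climate namespace: one replica that serves
# /metrics and /healthz on port 9108. The ACI_* settings are read from Vault
# (kv/data/atlas/climate/typhon/ac-infinity), rendered by the Vault Agent
# injector into /vault/secrets/aci-env.sh, and sourced by the container's
# start-up shell before node is exec'd.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: typhon
  namespace: climate
  labels:
    app: typhon
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: typhon
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With replicas: 1, maxSurge: 0 / maxUnavailable: 1 stops the old pod
      # before the new one starts, so a rollout never runs two pods at once
      # but always leaves a short gap with no pod serving.
      maxSurge: 0
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: typhon
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9108"
        prometheus.io/path: "/metrics"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "typhon"
        vault.hashicorp.com/agent-inject-secret-aci-env.sh: "kv/data/atlas/climate/typhon/ac-infinity"
        # The rendered file is sourced by /bin/sh (see args below), so every
        # secret value is emitted inside single quotes, with embedded single
        # quotes rewritten to '\''. Inside double quotes the shell would still
        # expand $, backticks and backslashes in the value, which would corrupt
        # a password containing them, run any command substitution it holds,
        # or abort start-up under `set -u`.
        # replaceAll expects strings; this assumes the KV fields are stored as
        # strings - confirm against the secret.
        vault.hashicorp.com/agent-inject-template-aci-env.sh: |
          {{- with secret "kv/data/atlas/climate/typhon/ac-infinity" -}}
          export ACI_EMAIL='{{ .Data.data.ACI_EMAIL | replaceAll "'" "'\\''" }}'
          export ACI_PASSWORD='{{ .Data.data.ACI_PASSWORD | replaceAll "'" "'\\''" }}'
          {{- if index .Data.data "ACI_HOST" }}
          export ACI_HOST='{{ index .Data.data "ACI_HOST" | replaceAll "'" "'\\''" }}'
          {{- end }}
          {{- end -}}
        # Changing any pod-template annotation triggers a new rollout;
        # presumably this value is bumped by hand to force a restart.
        typhon.bstein.dev/restart-rev: "2"
    spec:
      serviceAccountName: typhon
      imagePullSecrets:
        - name: harbor-regcred
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: typhon
          # NOTE(review): `main` is a mutable tag and imagePullPolicy: Always
          # re-pulls it on every pod start, so the code that runs can change
          # without any change to this manifest. If the deploy pipeline does
          # not already rewrite this field, pin the image by digest, e.g.
          # registry.bstein.dev/bstein/typhon@sha256:<digest-placeholder>.
          image: registry.bstein.dev/bstein/typhon:main
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            # set -eu makes start-up fail if the secrets file is missing or
            # references an unset variable; exec replaces the shell with node
            # so node receives the container's signals directly.
            # The sourced ACI_* values end up in node's process environment.
            - |
              set -eu
              . /vault/secrets/aci-env.sh
              exec node dist/index.js
          env:
            - name: POLL_INTERVAL_SECONDS
              value: "30"
            - name: REQUEST_TIMEOUT_MS
              value: "10000"
            - name: LISTEN_PORT
              value: "9108"
            - name: LOG_LEVEL
              value: "info"
          ports:
            - name: metrics
              containerPort: 9108
          volumeMounts:
            # Only writable path besides injected volumes; the root
            # filesystem is read-only (see securityContext).
            - name: tmp
              mountPath: /tmp
          livenessProbe:
            httpGet:
              path: /healthz
              port: metrics
            initialDelaySeconds: 20
            periodSeconds: 20
            timeoutSeconds: 3
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: metrics
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            runAsGroup: 65532
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            # Apply the container runtime's default syscall filter instead of
            # depending on a node-level seccomp default.
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
      volumes:
        # NOTE(review): no sizeLimit is set, so /tmp usage is bounded only by
        # the node's ephemeral storage; consider a limit once real usage is
        # known.
        - name: tmp
          emptyDir: {}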