titan-iac/services/pegasus/deployment.yaml

# services/pegasus/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pegasus
  namespace: jellyfin
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector: { matchLabels: { app: pegasus } }
  template:
    metadata: { labels: { app: pegasus } }
    spec:
      nodeSelector:
        kubernetes.io/arch: amd64
      imagePullSecrets:
        - name: zot-regcred
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
      - name: pegasus
        image: registry.bstein.dev/pegasus:1.2.2 # {"$imagepolicy": "jellyfin:pegasus"}
        imagePullPolicy: Always
        command: ["/pegasus"]
        env:
          - name: PEGASUS_MEDIA_ROOT
            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
          - name: PEGASUS_BIND
            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
          - name: PEGASUS_USER_MAP_FILE
            value: "/config/user-map.yaml"
          - name: PEGASUS_SESSION_KEY
            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
          - name: JELLYFIN_URL
            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
          - name: PEGASUS_DEBUG
            value: "0"
          - name: PEGASUS_DRY_RUN
            value: "0"
        ports: [{ name: http, containerPort: 8080 }]
        readinessProbe:
          httpGet: { path: /healthz, port: http }
          initialDelaySeconds: 2
          periodSeconds: 5
          timeoutSeconds: 1
        livenessProbe:
          httpGet: { path: /healthz, port: http }
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 2
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: { drop: ["ALL"] }
        resources:
          requests: { cpu: 100m, memory: 256Mi }
          limits:   { cpu: 1000m, memory: 1Gi }
        volumeMounts:
          - name: media
            mountPath: /media
          - name: config
            mountPath: /config
            readOnly: true
          - name: tmp
            mountPath: /tmp
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: jellyfin-media-asteria
        - name: config
          configMap: { name: pegasus-user-map }
        - name: tmp
          emptyDir: {}