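---
# StatefulSet for snips: the app container serves HTTP (8080) and SSH (2222)
# and keeps its SQLite database on /data; a litestream sidecar continuously
# replicates /data/snips.db to an S3-compatible (garage) bucket, and an init
# container restores the latest replica on pod start, since /data is an
# emptyDir and is lost whenever the pod is recreated.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: snips
spec:
  replicas: 1
  serviceName: snips
  selector:
    matchLabels:
      app.kubernetes.io/name: snips
  template:
    metadata:
      labels:
        app.kubernetes.io/name: snips
    spec:
      # No container in this pod uses the Kubernetes API (all credentials
      # come from Secrets/ConfigMaps), so do not mount a service account
      # token into the containers.
      automountServiceAccountToken: false
      initContainers:
        # /data is an emptyDir, so the DB never exists on a fresh pod and
        # this always restores from the replica when one exists.
        # NOTE(review): no resources are set on this container; consider
        # adding requests/limits matching the sidecar below.
        - name: init-litestream
          # NOTE(review): untagged image; tag/digest is presumably set by
          # the overlay (e.g. kustomize images) — confirm it is pinned.
          image: litestream
          args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db']
          env:
            - name: LITESTREAM_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-access-key
            - name: LITESTREAM_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-secret-key
          volumeMounts:
            - name: data
              mountPath: /data
            # subPath mount: ConfigMap updates are not propagated into a
            # running container; a rollout is needed to pick up changes.
            - name: litestream-config
              mountPath: /etc/litestream.yml
              subPath: litestream.yml
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      containers:
        - name: snips
          # NOTE(review): untagged image; confirm the overlay pins a tag/digest.
          image: snips
          envFrom:
            - configMapRef:
                name: snips-config
          env:
            - name: SNIPS_HMACKEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: hmackey
          ports:
            - containerPort: 8080
              protocol: TCP
              name: http
            - containerPort: 2222
              protocol: TCP
              name: ssh
          # Both probes only check that the SSH port accepts connections;
          # the HTTP listener on 8080 is not probed.
          livenessProbe:
            tcpSocket:
              port: 2222
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            tcpSocket:
              port: 2222
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 50m
              memory: 50Mi
          volumeMounts:
            # Holds authorized_keys plus the `snips`/`snips.pub` pair from
            # the Secret (see the volume definition below).
            - name: snips-secrets
              readOnly: true
              mountPath: /etc/snips
            - name: data
              mountPath: /data
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        # Sidecar: streams WAL changes of /data/snips.db to the bucket
        # configured in /etc/litestream.yml.
        # NOTE(review): no resources are set on this container; consider
        # adding requests/limits so the sidecar cannot starve the app.
        - name: litestream
          # NOTE(review): untagged image; confirm the overlay pins a tag/digest.
          image: litestream
          args: ['replicate']
          volumeMounts:
            - name: data
              mountPath: /data
            # subPath mount: ConfigMap updates are not propagated into a
            # running container; a rollout is needed to pick up changes.
            - name: litestream-config
              mountPath: /etc/litestream.yml
              subPath: litestream.yml
          env:
            - name: LITESTREAM_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-access-key
            - name: LITESTREAM_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-secret-key
          # Probes hit litestream's metrics endpoint; this presumably
          # requires a metrics address on :9090 in litestream.yml — verify
          # against the litestream-config ConfigMap.
          readinessProbe:
            httpGet:
              path: /metrics
              port: 9090
            initialDelaySeconds: 5
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /metrics
              port: 9090
            initialDelaySeconds: 5
            periodSeconds: 5
          ports:
            - name: metrics
              containerPort: 9090
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
        # Restrict syscalls to the runtime's default seccomp profile; this
        # is part of the "restricted" Pod Security Standard and complements
        # the per-container capability drops above.
        seccompProfile:
          type: RuntimeDefault
      # Spread replicas across zones. With replicas: 1 this has no effect;
      # if scaled up, note that every pod would run its own litestream
      # sidecar against the same replica target — presumably not intended.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/name
                      operator: In
                      values:
                        - snips
                topologyKey: topology.kubernetes.io/zone
      volumes:
        # Ephemeral on purpose: durability comes from litestream replication
        # plus the restore in the init container, not from a PVC.
        - name: data
          emptyDir: {}
        # NOTE(review): `snips`/`snips.pub` look like a private/public key
        # pair; the default file mode is 0644, so consider a tighter
        # defaultMode (e.g. 0440, readable via fsGroup 1000) — confirm the
        # app only needs read access as uid 1000.
        - name: snips-secrets
          secret:
            secretName: snips-secrets
            items:
              - key: authorized_keys
                path: authorized_keys
              - key: snips
                path: snips
              - key: snips.pub
                path: snips.pub
        - name: litestream-config
          configMap:
            name: litestream-config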