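---
# StatefulSet for the snips service with a Litestream sidecar that streams
# the SQLite database under /data to a remote replica. The init container
# restores the database from that replica on a fresh pod, which is what lets
# the emptyDir-backed /data volume survive rescheduling.
#
# Changes from the previous revision: sequence indentation is now consistent
# file-wide, the two `args` lists use block style, and the pod-level
# securityContext sets a seccompProfile so the existing hardening
# (drop ALL, no privilege escalation, read-only root, non-root) lines up with
# the Restricted Pod Security Standard.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: snips
spec:
  # Single replica: one SQLite file, one writer, one Litestream replicator.
  replicas: 1
  serviceName: snips
  selector:
    matchLabels:
      app.kubernetes.io/name: snips
  template:
    metadata:
      labels:
        app.kubernetes.io/name: snips
    spec:
      initContainers:
        # Restores /data/snips.db from the "Garage" replica, but only when no
        # local database exists and the replica has one, so a pod that still
        # has its data is never overwritten.
        - name: init-litestream
          image: litestream
          args:
            - 'restore'
            - '-replica=Garage'
            - '-if-db-not-exists'
            - '-if-replica-exists'
            - '/data/snips.db'
          env:
            # Object-storage credentials come from the Secret, never inline.
            - name: LITESTREAM_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-access-key
            - name: LITESTREAM_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-secret-key
          volumeMounts:
            - name: data
              mountPath: /data
            # subPath exposes only litestream.yml from the ConfigMap; note
            # that subPath mounts do not pick up later ConfigMap edits.
            - name: litestream-config
              mountPath: /etc/litestream.yml
              subPath: litestream.yml
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      containers:
        - name: snips
          image: snips
          envFrom:
            - configMapRef:
                name: snips-config
          env:
            - name: SNIPS_HMACKEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: hmackey
            # Lets the Go runtime size its heap against the memory limit
            # below rather than discovering the limit at OOM-kill time.
            - name: GOMEMLIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
          ports:
            - containerPort: 8080
              protocol: TCP
              name: http
            - containerPort: 2222
              protocol: TCP
              name: ssh
          # Both probes only check that the SSH listener accepts connections;
          # a stalled HTTP listener on 8080 would not be detected by them.
          livenessProbe:
            tcpSocket:
              port: 2222
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            tcpSocket:
              port: 2222
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 50m
              memory: 50Mi
          volumeMounts:
            # Read-only mount of the SSH material from the Secret (presumably
            # host key pair plus authorized_keys, going by the item names —
            # confirm against the image's expectations).
            - name: snips-secrets
              readOnly: true
              mountPath: /etc/snips
            - name: data
              mountPath: /data
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        # Sidecar: continuously replicates /data to the remote replica.
        # NOTE(review): no resources are set on this container or on the
        # init container; consider adding requests/limits so they are bounded
        # like the snips container.
        - name: litestream
          image: litestream
          args:
            - 'replicate'
          volumeMounts:
            - name: data
              mountPath: /data
            - name: litestream-config
              mountPath: /etc/litestream.yml
              subPath: litestream.yml
          env:
            - name: LITESTREAM_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-access-key
            - name: LITESTREAM_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: snips-secrets
                  key: garage-secret-key
          # Probes assume litestream.yml enables the metrics endpoint on
          # port 9090 — confirm in the litestream-config ConfigMap.
          readinessProbe:
            httpGet:
              path: /metrics
              port: 9090
            initialDelaySeconds: 5
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /metrics
              port: 9090
            initialDelaySeconds: 5
            periodSeconds: 5
          ports:
            - name: metrics
              containerPort: 9090
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # Makes the Secret and emptyDir volumes readable by gid 1000.
        fsGroup: 1000
        runAsNonRoot: true
        # Runtime default seccomp profile for every container in the pod.
        seccompProfile:
          type: RuntimeDefault
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/name
                      operator: In
                      values:
                        - snips
                topologyKey: topology.kubernetes.io/zone
      volumes:
        # Ephemeral: lost when the pod is rescheduled. The init container
        # repopulates it from the replica, so anything written after the last
        # successful replication is lost with it.
        - name: data
          emptyDir: {}
        - name: snips-secrets
          secret:
            secretName: snips-secrets
            items:
              - key: authorized_keys
                path: authorized_keys
              - key: snips
                path: snips
              - key: snips.pub
                path: snips.pub
        - name: litestream-config
          configMap:
            name: litestream-config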