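# SPDX-License-Identifier: GPL-2.0-only

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.25"
    }
  }
  required_version = ">= 1.6.2"
}

provider "kubernetes" {
  config_path    = var.kubeconfig_path
  config_context = var.kubeconfig_context
}

# Invidious Deployment: one web-service container plus the signature-helper
# sidecar that the web service reaches over the pod's loopback interface
# (the helper is started with "--tcp 127.0.0.1:12999", so it is never
# reachable from outside the pod).
resource "kubernetes_deployment_v1" "app" {
  metadata {
    name      = var.app_name
    namespace = data.kubernetes_namespace_v1.app.metadata[0].name
    labels = merge({
      "app.kubernetes.io/name"       = var.app_name
      "app.kubernetes.io/version"    = var.app_version
      "app.kubernetes.io/managed-by" = "opentofu"
      "app.kubernetes.io/instance"   = var.app_name
    }, var.deployment_additional_labels)
    annotations = var.deployment_annotations
  }

  spec {
    # Only the name label is used for selection; the version label changes on
    # upgrades and must not be part of the (immutable) selector.
    selector {
      match_labels = {
        "app.kubernetes.io/name" = var.app_name
      }
    }

    template {
      metadata {
        annotations = var.pods_annotations
        labels = merge({
          "app.kubernetes.io/component"  = "server"
          "app.kubernetes.io/name"       = var.app_name
          "app.kubernetes.io/version"    = var.app_version
          "app.kubernetes.io/part-of"    = var.app_name
          "app.kubernetes.io/managed-by" = "opentofu"
          "app.kubernetes.io/instance"   = var.app_name
        }, var.pods_additional_labels)
      }

      spec {
        service_account_name = var.service_account_name
        # NOTE(review): automount_service_account_token is left at its default
        # here; confirm whether either container actually needs API credentials
        # and set it to false otherwise.

        # Pod-level defaults inherited by both containers: non-root UID/GID and
        # the runtime's default seccomp filter (required by the "restricted"
        # Pod Security Standard).
        security_context {
          run_as_non_root = true
          run_as_group    = 1000
          run_as_user     = 1000
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }

        ## Web service
        container {
          name              = var.app_name
          image             = var.container_invidious_image
          image_pull_policy = var.container_invidious_image_pull_policy

          port {
            name           = "http"
            container_port = 3000
            protocol       = "TCP"
          }

          # NOTE(review): read_only_root_filesystem is not set for this
          # container (it is for the sig helper); confirm whether the image
          # needs a writable root before enabling it.
          security_context {
            allow_privilege_escalation = false
            privileged                 = false
            capabilities {
              drop = ["ALL"]
            }
          }

          readiness_probe {
            initial_delay_seconds = 60
            failure_threshold     = 3
            period_seconds        = 10
            success_threshold     = 1
            timeout_seconds       = 3
            http_get {
              port   = "http"
              path   = "/"
              scheme = "HTTP"
            }
          }

          liveness_probe {
            initial_delay_seconds = 60
            failure_threshold     = 3
            period_seconds        = 10
            success_threshold     = 1
            timeout_seconds       = 5
            http_get {
              port   = "http"
              path   = "/"
              scheme = "HTTP"
            }
          }

          # Allows up to 60 + 30 * 5 seconds for the service to come up before
          # the liveness probe takes over.
          startup_probe {
            initial_delay_seconds = 60
            failure_threshold     = 30
            period_seconds        = 5
            success_threshold     = 1
            timeout_seconds       = 1
            http_get {
              port   = "http"
              path   = "/"
              scheme = "HTTP"
            }
          }

          # All application secrets come from the Secret managed in this
          # module; a missing Secret is a hard failure, not an empty env.
          env_from {
            secret_ref {
              name     = kubernetes_secret_v1.app_secrets.metadata[0].name
              optional = false
            }
          }

          # Linked to https://github.com/iv-org/invidious/issues/2970
          env {
            name  = "INVIDIOUS_PORT"
            value = "3000"
          }

          resources {
            requests = var.container_invidious_resources_requests
          }
        }

        ## IV Sig helper
        container {
          name              = "${var.app_name}-sig-helper"
          image             = var.container_iv_sig_helper_image
          image_pull_policy = var.container_iv_sig_helper_image_pull_policy
          args              = ["--tcp", "127.0.0.1:12999"]

          # Port names are documented as unique within the pod (ContainerPort
          # name), so this must not reuse "http" from the web container:
          # a Service with targetPort "http" would otherwise be ambiguous.
          # The listener is loopback-only, so this entry is informational.
          port {
            name           = "sig-helper"
            container_port = 12999
            protocol       = "TCP"
          }

          security_context {
            allow_privilege_escalation = false
            privileged                 = false
            read_only_root_filesystem  = true
            capabilities {
              drop = ["ALL"]
            }
          }

          env {
            name  = "RUST_LOG"
            value = "info"
          }

          resources {
            requests = var.container_iv_sig_helper_resources_requests
          }
        }
      }
    }
  }
}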