153 lines
4.4 KiB
HCL
153 lines
4.4 KiB
HCL
# SPDX-License-Identifier: GPL-2.0-only
|
|
terraform {
|
|
required_providers {
|
|
kubernetes = {
|
|
source = "hashicorp/kubernetes"
|
|
version = ">= 2.25"
|
|
}
|
|
}
|
|
required_version = ">= 1.6.2"
|
|
}
|
|
|
|
provider "kubernetes" {
|
|
config_path = var.kubeconfig_path
|
|
config_context = var.kubeconfig_context
|
|
}
|
|
|
|
resource "kubernetes_deployment_v1" "app" {
|
|
metadata {
|
|
name = var.app_name
|
|
namespace = data.kubernetes_namespace_v1.app.metadata[0].name
|
|
labels = merge({
|
|
"app.kubernetes.io/name" = var.app_name
|
|
"app.kubernetes.io/version" = var.app_version
|
|
"app.kubernetes.io/managed-by" = "opentofu"
|
|
"app.kubernetes.io/instance" = var.app_name
|
|
}, var.deployment_additional_labels)
|
|
annotations = var.deployment_annotations
|
|
}
|
|
spec {
|
|
selector {
|
|
match_labels = {
|
|
"app.kubernetes.io/name" = var.app_name
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
annotations = var.pods_annotations
|
|
labels = merge({
|
|
"app.kubernetes.io/component" = "server"
|
|
"app.kubernetes.io/name" = var.app_name
|
|
"app.kubernetes.io/version" = var.app_version
|
|
"app.kubernetes.io/part-of" = var.app_name
|
|
"app.kubernetes.io/managed-by" = "opentofu"
|
|
"app.kubernetes.io/instance" = var.app_name
|
|
}, var.pods_additional_labels)
|
|
}
|
|
spec {
|
|
service_account_name = var.service_account_name
|
|
security_context {
|
|
run_as_non_root = true
|
|
run_as_group = 1000
|
|
run_as_user = 1000
|
|
}
|
|
## Web service
|
|
container {
|
|
name = var.app_name
|
|
image = var.container_invidious_image
|
|
image_pull_policy = var.container_invidious_image_pull_policy
|
|
port {
|
|
name = "http"
|
|
container_port = 3000
|
|
protocol = "TCP"
|
|
}
|
|
security_context {
|
|
allow_privilege_escalation = false
|
|
privileged = false
|
|
capabilities {
|
|
drop = ["ALL"]
|
|
}
|
|
}
|
|
readiness_probe {
|
|
initial_delay_seconds = 60
|
|
failure_threshold = 3
|
|
period_seconds = 10
|
|
success_threshold = 1
|
|
timeout_seconds = 3
|
|
http_get {
|
|
port = "http"
|
|
path = "/"
|
|
scheme = "HTTP"
|
|
}
|
|
}
|
|
liveness_probe {
|
|
initial_delay_seconds = 60
|
|
failure_threshold = 3
|
|
period_seconds = 10
|
|
success_threshold = 1
|
|
timeout_seconds = 5
|
|
http_get {
|
|
port = "http"
|
|
path = "/"
|
|
scheme = "HTTP"
|
|
}
|
|
}
|
|
startup_probe {
|
|
initial_delay_seconds = 60
|
|
failure_threshold = 30
|
|
period_seconds = 5
|
|
success_threshold = 1
|
|
timeout_seconds = 1
|
|
http_get {
|
|
port = "http"
|
|
path = "/"
|
|
scheme = "HTTP"
|
|
}
|
|
}
|
|
env_from {
|
|
secret_ref {
|
|
name = kubernetes_secret_v1.app_secrets.metadata[0].name
|
|
optional = false
|
|
}
|
|
}
|
|
# Linked to https://github.com/iv-org/invidious/issues/2970
|
|
env {
|
|
name = "INVIDIOUS_PORT"
|
|
value = 3000
|
|
}
|
|
resources {
|
|
requests = var.container_invidious_resources_requests
|
|
}
|
|
}
|
|
## IV Sig helper
|
|
container {
|
|
name = "${var.app_name}-sig-helper"
|
|
image = var.container_iv_sig_helper_image
|
|
image_pull_policy = var.container_iv_sig_helper_image_pull_policy
|
|
args = ["--tcp", "127.0.0.1:12999"]
|
|
|
|
port {
|
|
name = "http"
|
|
container_port = 12999
|
|
protocol = "TCP"
|
|
}
|
|
security_context {
|
|
allow_privilege_escalation = false
|
|
privileged = false
|
|
read_only_root_filesystem = true
|
|
capabilities {
|
|
drop = ["ALL"]
|
|
}
|
|
}
|
|
env {
|
|
name = "RUST_LOG"
|
|
value = "info"
|
|
}
|
|
resources {
|
|
requests = var.container_iv_sig_helper_resources_requests
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|