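# Deployment for the "shower" web app: a single replica listening on
# port 8000, with persistent volumes for media and data.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shower
  namespace: shower
spec:
  replicas: 1
  # SQLite + RWO data PVC: only one writer at a time. Recreate ensures the
  # old pod's lock on the local-path volume is released before the new one
  # mounts it.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: shower
  template:
    metadata:
      labels:
        app: shower
    spec:
      # Pod-level identity: every container runs as UID/GID 1000 under the
      # runtime's default seccomp filter.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: shower
          # NOTE(review): "kustomized" looks like a placeholder tag that a
          # kustomize images transformer rewrites at build time; confirm the
          # rendered manifest pins a real tag or digest.
          image: registry.ops.eblu.me/blumeops/shower:kustomized
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # The process runs as non-root UID 1000 and listens on 8000, so
            # it should need no Linux capabilities. Dropping them all is the
            # remaining setting the Pod Security "restricted" profile
            # expects alongside the ones already set here.
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 8000
              name: http
          # Every key of the ConfigMap and the Secret becomes an environment
          # variable of the container, so secret values are readable by
          # anything that can inspect the process environment.
          envFrom:
            - configMapRef:
                name: shower-app-config
            - secretRef:
                name: shower-app-secrets
          volumeMounts:
            - name: media
              mountPath: /app/media
            - name: data
              mountPath: /app/data
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Both probes send the public Host name and X-Forwarded-Proto:
          # https. Presumably the app validates the Host header and would
          # redirect or reject a plain-HTTP probe; confirm against the app
          # config.
          livenessProbe:
            httpGet:
              path: /
              port: 8000
              httpHeaders:
                - name: Host
                  value: shower.ops.eblu.me
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 8000
              httpHeaders:
                - name: Host
                  value: shower.ops.eblu.me
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: shower-media
        - name: data
          persistentVolumeClaim:
            claimName: shower-data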