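---
# Deployment for the artifact-keeper backend. Two replicas; each pod runs two
# init containers that block until PostgreSQL and Meilisearch answer, then
# starts the backend container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: artifact-keeper
  labels:
    app.kubernetes.io/name: artifact-keeper
    app.kubernetes.io/instance: ak
    app.kubernetes.io/part-of: artifact-keeper
    app.kubernetes.io/component: backend
  annotations:
    # Annotation values are strings, so "true" stays quoted.
    reloader.stakater.com/auto: "true"
spec:
  # NOTE(review): both replicas mount the same three PersistentVolumeClaims
  # and anti-affinity prefers separate nodes; presumably the claims allow
  # multi-node access. Confirm against the PVC definitions.
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: artifact-keeper
      app.kubernetes.io/instance: ak
      app.kubernetes.io/component: backend
  template:
    metadata:
      labels:
        app.kubernetes.io/name: artifact-keeper
        app.kubernetes.io/instance: ak
        app.kubernetes.io/component: backend
    spec:
      serviceAccountName: backend
      # No API token is mounted into the pod, so a compromised container has
      # no service-account credential to present to the Kubernetes API.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        # Apply the container runtime's default syscall filter to every
        # container in the pod. Without this field the pod does not meet the
        # "restricted" Pod Security Standard.
        seccompProfile:
          type: RuntimeDefault
      affinity:
        podAntiAffinity:
          # Soft rule: the scheduler prefers, but does not require, that
          # backend pods land on different nodes.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values:
                        - backend
                topologyKey: kubernetes.io/hostname
      initContainers:
        # NOTE(review): both wait loops retry forever; a dependency that never
        # comes up leaves the pod in Init with no failure signal. Consider a
        # bounded retry count so the pod fails visibly.
        - name: wait-for-postgres
          # NOTE(review): tag reference, not a digest; see the backend image.
          image: postgres:16-alpine
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 100m
              memory: 64Mi
          command: ["/bin/sh", "-c"]
          args:
            - |
              echo "Waiting for PostgreSQL..."
              until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
                sleep 3
              done
              echo "PostgreSQL is ready"
        - name: wait-for-meilisearch
          image: alpine:3.20
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
              ephemeral-storage: 32Mi
            limits:
              cpu: 100m
              memory: 64Mi
              ephemeral-storage: 64Mi
          command: ["/bin/sh", "-c"]
          args:
            - |
              echo "Waiting for Meilisearch..."
              until wget -qO- http://meilisearch:7700/health >/dev/null 2>&1; do
                sleep 3
              done
              echo "Meilisearch is ready"
      containers:
        - name: backend
          # NOTE(review): ":dev" is a mutable tag and imagePullPolicy is
          # Always, so the image that runs can change on any pod restart.
          # For anything beyond a dev cluster, pin by digest
          # (image@sha256:<digest placeholder>) so rollouts are reproducible.
          image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"
          imagePullPolicy: Always
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command: ["/bin/sh", "-c"]
          # Exports DEPENDENCY_TRACK_API_KEY only when /shared/dtrack-api-key
          # exists and is non-empty, then replaces the shell with the backend
          # binary via exec.
          # NOTE(review): the key is read from the shared-config PVC rather
          # than a Secret; whoever can write to that volume controls the
          # value. Confirm which workload writes it and who can read it.
          args:
            - |
              if [ -f /shared/dtrack-api-key ] && [ -s /shared/dtrack-api-key ]; then
                export DEPENDENCY_TRACK_API_KEY="$(cat /shared/dtrack-api-key)"
              fi
              exec /usr/local/bin/artifact-keeper
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: grpc
              containerPort: 9090
              protocol: TCP
          # Every key in these ConfigMaps and Secrets becomes an environment
          # variable of the backend process.
          envFrom:
            - configMapRef:
                name: config
            - configMapRef:
                name: s3-env
            - secretRef:
                name: s3-credentials
            - secretRef:
                name: app-secrets
          resources:
            limits:
              cpu: "2"
              memory: 2Gi
            requests:
              cpu: 250m
              memory: 256Mi
          # NOTE(review): only a livenessProbe is defined, so a pod receives
          # Service traffic as soon as the container starts. Add a
          # readinessProbe if the backend exposes a readiness endpoint.
          livenessProbe:
            httpGet:
              path: /livez
              port: http
            periodSeconds: 15
            timeoutSeconds: 5
            failureThreshold: 5
          volumeMounts:
            # The root filesystem is read-only; /tmp is the size-capped
            # emptyDir declared under volumes.
            - name: tmp
              mountPath: /tmp
            # One claim, three subPaths.
            - name: storage
              mountPath: /data/storage
              subPath: storage
            - name: storage
              mountPath: /data/backups
              subPath: backups
            - name: storage
              mountPath: /data/plugins
              subPath: plugins
            - name: scan-workspace
              mountPath: /scan-workspace
            - name: shared-config
              mountPath: /shared
              readOnly: true
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 256Mi
        - name: storage
          persistentVolumeClaim:
            claimName: storage
        - name: scan-workspace
          persistentVolumeClaim:
            claimName: scan-workspace
        - name: shared-config
          persistentVolumeClaim:
            claimName: shared-config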