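---
# Deployment for the artifactapi "api" workload.
# An init container builds a CA bundle (system roots + the Vault CA) into a
# shared emptyDir; the api container mounts that bundle read-only together
# with an optional Terraform provider signing key.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: artifactapi
  annotations:
    # Stakater Reloader rolls this Deployment when a ConfigMap or Secret it
    # references changes, so rotating any referenced secret triggers a
    # rollout.
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: api
  strategy:
    # NOTE(review): replicas is not set here, so it defaults to 1 unless
    # something else manages it; with maxUnavailable: 1 a rollout may take
    # the only pod down before its replacement is Ready.
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: api
    spec:
      # NOTE(review): nothing in this manifest shows the api calling the
      # Kubernetes API. If it does not, set this to false so the pod does
      # not carry a service account token it never uses.
      automountServiceAccountToken: true
      initContainers:
        # Concatenates the image's system CA bundle with the Vault CA and
        # writes the result to the shared combined-certs volume.
        - name: combine-certs
          # NOTE(review): alpine:3 is a floating tag; pin it by digest
          # (alpine:3@sha256:<digest-placeholder>) so the bundle is always
          # built from a known image.
          image: alpine:3
          command:
            - sh
            - -c
            - cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt
          # The container only reads two files and writes one file into a
          # mounted volume, so it needs no capabilities, no privilege
          # escalation and no writable root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: vault-ca-cert
              mountPath: /custom-ca
              readOnly: true
            # Writable on purpose: this is where the bundle is produced.
            - name: combined-certs
              mountPath: /combined-certs
      containers:
        # NOTE(review): no securityContext is set for this container.
        # Confirm which user the image runs as and which paths it writes
        # to, then add runAsNonRoot, allowPrivilegeEscalation: false,
        # a capabilities drop and readOnlyRootFilesystem as far as the
        # application allows.
        - name: api
          # NOTE(review): a tag can be re-pushed and IfNotPresent keeps
          # whatever a node already cached; pinning by digest makes the
          # deployed image unambiguous.
          image: git.unkin.net/unkin/artifactapi:v3.7.3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000
              name: http
              protocol: TCP
          # Both sources are required (optional: false): the pod does not
          # start if either object is missing. Every key of the
          # "environment" Secret becomes an environment variable of the
          # process.
          envFrom:
            - configMapRef:
                name: api-env
                optional: false
            - secretRef:
                name: environment
                optional: false
          env:
            # Terraform provider registry signing. The secret is mounted
            # optional, so the pod runs before it exists; artifactapi keeps
            # the registry disabled until a readable key is present.
            #
            # The path below is a file inside the tf-signing-key mount, and
            # the volume has no `items` remapping, so the Secret has to
            # carry a key literally named private-key.asc.
            - name: TF_SIGNING_KEY_PATH
              value: /etc/artifactapi/tf-signing/private-key.asc
            # Left unset when the Secret or its passphrase key is absent.
            # As an environment variable the passphrase is inherited by
            # child processes and may appear in process dumps; keep it out
            # of logs and debug endpoints.
            - name: TF_SIGNING_KEY_PASSPHRASE
              valueFrom:
                secretKeyRef:
                  name: artifactapi-tf-signing
                  key: passphrase
                  optional: true
          volumeMounts:
            # CA bundle produced by the combine-certs init container.
            # Presumably api-env points the application at
            # /etc/ssl/combined/ca-certificates.crt; confirm.
            - name: combined-certs
              mountPath: /etc/ssl/combined
              readOnly: true
            - name: tf-signing-key
              mountPath: /etc/artifactapi/tf-signing
              readOnly: true
          # Liveness and readiness share /health; readiness polls sooner
          # and more often (10s delay, 5s period) than liveness (30s/30s).
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          resources:
            limits:
              cpu: "1"
              memory: 4Gi
            requests:
              cpu: 100m
              memory: 256Mi
      volumes:
        # Required Secret (no optional flag): the pod cannot start without
        # it. Only ca.crt is projected.
        - name: vault-ca-cert
          secret:
            secretName: vault-ca-cert
            items:
              - key: ca.crt
                path: ca.crt
        - name: combined-certs
          emptyDir: {}
        # NOTE(review): without `items`, every key of this Secret is
        # projected as a file, so the passphrase referenced in `env` above
        # also lands on disk next to the private key. If the application
        # reads only private-key.asc from this directory, restrict the
        # volume with an `items` entry for that key and consider a tighter
        # defaultMode once the container's user is known.
        - name: tf-signing-key
          secret:
            secretName: artifactapi-tf-signing
            optional: true
      restartPolicy: Always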