apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "recipya.fullname" . }} labels: {{- include "recipya.labels" . | nindent 4 }} annotations: checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} checksum/init-script: {{ include (print $.Template.BasePath "/configmap-init-script.yaml") . | sha256sum }} spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: matchLabels: {{- include "recipya.selectorLabels" . | nindent 6 }} strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 maxSurge: 1 template: metadata: labels: {{- include "recipya.selectorLabels" . | nindent 8 }} annotations: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} # Set security context for the pod securityContext: fsGroup: 1000 # Init container to configure the application initContainers: - name: init-config image: alpine:3.18 command: ["/bin/sh", "-c"] args: - | echo "Installing jq..." apk add --no-cache jq echo "Running initialization script..." /scripts/init.sh securityContext: runAsUser: 0 # Run as root to modify config files runAsGroup: 0 volumeMounts: - name: data mountPath: /home/recipya/.config/Recipya - name: init-script mountPath: /scripts resources: requests: cpu: 50m memory: 64Mi limits: cpu: 100m memory: 128Mi # Main application container containers: - name: {{ .Chart.Name }} securityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true readOnlyRootFilesystem: false capabilities: drop: - ALL image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.startupArgs }} args: {{- range .Values.startupArgs }} - {{ . | quote }} {{- end }} {{- end }} ports: - name: http containerPort: {{ .Values.service.port }} protocol: TCP {{- if .Values.probes.liveness.enabled }} livenessProbe: httpGet: path: {{ .Values.probes.liveness.path }} port: http initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.probes.liveness.periodSeconds }} timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} failureThreshold: {{ .Values.probes.liveness.failureThreshold }} successThreshold: {{ .Values.probes.liveness.successThreshold }} {{- end }} {{- if .Values.probes.readiness.enabled }} readinessProbe: httpGet: path: {{ .Values.probes.readiness.path }} port: http initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.probes.readiness.periodSeconds }} timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} failureThreshold: {{ .Values.probes.readiness.failureThreshold }} successThreshold: {{ .Values.probes.readiness.successThreshold }} {{- end }} env: # Critical environment variables for proper directory structure - name: HOME value: "/home/recipya" - name: RECIPYA_SERVER_URL value: {{ .Values.config.server.url | quote }} - name: RECIPYA_SERVER_AUTOLOGIN value: {{ .Values.config.server.autologin | quote }} - name: RECIPYA_SERVER_IS_DEMO value: {{ .Values.config.server.is_demo | quote }} - name: RECIPYA_SERVER_IS_PROD value: {{ .Values.config.server.is_prod | quote }} - name: RECIPYA_SERVER_NO_SIGNUPS value: {{ .Values.config.server.no_signups | quote }} {{- if .Values.config.email.existingSecret }} - name: RECIPYA_EMAIL valueFrom: secretKeyRef: name: {{ .Values.config.email.existingSecret }} key: {{ .Values.config.email.addressKey }} - name: RECIPYA_EMAIL_SENDGRID valueFrom: secretKeyRef: name: {{ .Values.config.email.existingSecret }} key: {{ .Values.config.email.sendgridKey }} {{- else }} {{- if .Values.config.email.address }} - name: RECIPYA_EMAIL valueFrom: secretKeyRef: name: {{ include "recipya.fullname" . }}-secrets key: {{ .Values.config.email.addressKey }} optional: true {{- end }} {{- if .Values.config.email.sendgrid }} - name: RECIPYA_EMAIL_SENDGRID valueFrom: secretKeyRef: name: {{ include "recipya.fullname" . }}-secrets key: {{ .Values.config.email.sendgridKey }} optional: true {{- end }} {{- end }} {{- if .Values.config.documentIntelligence.existingSecret }} - name: RECIPYA_DI_ENDPOINT valueFrom: secretKeyRef: name: {{ .Values.config.documentIntelligence.existingSecret }} key: {{ .Values.config.documentIntelligence.endpointKey }} - name: RECIPYA_DI_KEY valueFrom: secretKeyRef: name: {{ .Values.config.documentIntelligence.existingSecret }} key: {{ .Values.config.documentIntelligence.keyKey }} {{- else }} {{- if .Values.config.documentIntelligence.endpoint }} - name: RECIPYA_DI_ENDPOINT valueFrom: secretKeyRef: name: {{ include "recipya.fullname" . }}-secrets key: {{ .Values.config.documentIntelligence.endpointKey }} optional: true {{- end }} {{- if .Values.config.documentIntelligence.key }} - name: RECIPYA_DI_KEY valueFrom: secretKeyRef: name: {{ include "recipya.fullname" . }}-secrets key: {{ .Values.config.documentIntelligence.keyKey }} optional: true {{- end }} {{- end }} {{- range .Values.env }} - name: {{ .name }} value: {{ .value | quote }} {{- end }} {{- with .Values.extraEnv }} {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: data mountPath: /home/recipya/.config/Recipya {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} volumes: - name: data persistentVolumeClaim: claimName: {{ include "recipya.fullname" . }}-data - name: init-script configMap: name: {{ include "recipya.fullname" . }}-init-script defaultMode: 0755 {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }}