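# Jinja-templated Deployment for one sfive worker: the hub container always
# runs; the proxy, proxy-onion and onion-service containers are added
# depending on the worker's flags.
#
# NOTE(review): the whole pod uses hostNetwork, is pinned to one node via
# nodeName, and three init containers run as root against hostPath or
# key-bearing volumes. Review changes here with that in mind.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Templated scalars are quoted so a value that looks like a boolean, number
  # or null still renders as a string.
  namespace: "{{ deploy.namespace }}"
  name: sfive-{{ deploy.worker.name }}
  labels:
    app: sfive
    worker: "{{ deploy.worker.name }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sfive
      worker: "{{ deploy.worker.name }}"
  # Recreate stops the old pod before the new one starts.
  # NOTE(review): presumably needed because of hostNetwork and the hostPath
  # database; confirm.
  strategy:
    type: Recreate
  revisionHistoryLimit: 5
  template:
    metadata:
      labels:
        app: sfive
        worker: "{{ deploy.worker.name }}"
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        spreadspace.org/onion-service: "{{ deploy.worker.flags['stream-onion'] }}"
{% endif %}
    spec:
      nodeName: "{{ deploy.worker.name }}"
      serviceAccountName: sfive
      # Pod-wide default: every container runs as uid 998 unless it overrides
      # this in its own securityContext (the root init containers below do).
      securityContext:
        runAsUser: 998
        fsGroup: 998
      # The pod shares the node's network namespace, so its listeners bind
      # directly on the node and it can reach node-local services.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        # Runs as root only to hand the hostPath data directory to uid 998.
        # NOTE(review): "busybox" carries no tag, so it resolves to a mutable
        # default tag; consider pinning these root init containers to a
        # reviewed tag or digest.
        - name: prepare-hub-data
          image: busybox
          command: ['sh', '-c', 'chown 998:998 /srv/data && chmod 0750 /srv/data']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: hub-data
              mountPath: /srv/data
        # Copies this worker's certificate files from the node's ACME store
        # into a memory-backed volume readable by uid 998.
        # NOTE(review): the stream-hostname flag is interpolated into a root
        # shell command, so it must come from trusted deployment config only.
        - name: copy-certificates
          image: busybox
          command: ['sh', '-c', 'chmod 0750 /srv/acme && cp /var/lib/acme/live/{{ deploy.worker.flags['stream-hostname'] }}/* /srv/acme && chown -R 998 /srv/acme']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: proxy-cert
              mountPath: /srv/acme
            # The mount exposes the node's entire /var/lib/acme tree to a root
            # container that only reads from it. Read-only is enforced here
            # because readOnly is a volumeMount field, not a hostPath one.
            - name: acme-lib
              mountPath: /var/lib/acme
              readOnly: true
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        # Runs as root only to hand the tor state directory to uid 998.
        - name: prepare-onion-lib
          image: busybox
          command: ['sh', '-c', 'chown 998:998 /var/lib/tor && chmod 0750 /var/lib/tor']
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
        # Runs /keygen.py and then creates the onion_service_non_anonymous
        # marker file; it has no securityContext override, so it runs as 998.
        # NOTE(review): the marker presumably matches a non-anonymous (single
        # onion service) torrc, meaning the server location is not hidden;
        # confirm against the onion-config ConfigMap. What keygen.py does with
        # POD_NAME and POD_NAMESPACE is not visible here.
        - name: generate-onion-key
          image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
          command: ['sh', '-c', '/keygen.py && touch /var/lib/tor/onion_service/onion_service_non_anonymous']
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
{% endif %}
      # NOTE(review): no container below sets allowPrivilegeEscalation,
      # readOnlyRootFilesystem or dropped capabilities, and image tags are
      # re-pulled on every start (imagePullPolicy: Always), so a moved tag
      # changes what runs. Consider tightening both once the images' runtime
      # needs are confirmed.
      containers:
{% if deploy.worker.flags.sfive == 'proxy' %}
        - name: proxy
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args: ['s5proxy', '-config', '/srv/config/proxy.json']
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: proxy-config
              mountPath: /srv/config
            # Holds the certificate files copied by the copy-certificates
            # init container.
            - name: proxy-cert
              mountPath: /srv/acme
{% if 'stream-onion' in deploy.worker.flags %}
        - name: proxy-onion
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args: ['s5proxy', '-config', '/srv/config/proxy-onion.json']
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: proxy-config
              mountPath: /srv/config
        - name: onion-service
          image: spreadspace/onion-service:{{ desc.globals.deployment.parameter.onion_service_image_version }}
          imagePullPolicy: Always
          args: ['/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0']
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
            - name: onion-config
              mountPath: /srv/config
{% endif %}
{% endif %}
        # The pipe and web servers are switched off; only the pipegram server
        # is started, on a socket in the shared "home" volume.
        - name: hub
          image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
          imagePullPolicy: Always
          args:
            - sfive-hub
            - '-db'
            - /srv/data/db.bolt
            - '-start-pipe-server=false'
            - '-start-web-server=false'
            - '-start-pipegram-server'
            - '-pipegram'
            - /srv/hub.sock
          volumeMounts:
            - name: home
              mountPath: /srv
            - name: hub-data
              mountPath: /srv/data
      volumes:
        # Memory-backed scratch space shared by the containers.
        - name: home
          emptyDir:
            medium: Memory
        # Persistent hub database directory on the node.
        - name: hub-data
          hostPath:
            type: DirectoryOrCreate
            path: /var/lib/sfive/{{ desc.globals.name }}
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
        - name: onion-config
          configMap:
            name: onion-service-{{ deploy.worker.flags.stream }}
        # Memory-backed, so the onion service state does not outlive the pod.
        - name: onion-lib
          emptyDir:
            medium: Memory
{% endif %}
        - name: proxy-config
          configMap:
            name: sfive-{{ deploy.worker.name }}
        # Memory-backed, so the copied certificate files are not written to
        # the node's disk by this pod.
        - name: proxy-cert
          emptyDir:
            medium: Memory
        # The original carried "readOnly: yes" on this volume, but a hostPath
        # volume source only has path and type, so the flag protected nothing
        # there. Read-only is now set on the volumeMount in copy-certificates.
        - name: acme-lib
          hostPath:
            type: Directory
            path: /var/lib/acme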