From e3811fe66684b29e23ececde8fc478220f6b60cb Mon Sep 17 00:00:00 2001 From: cmsassot Date: Tue, 2 Apr 2024 16:07:07 +0200 Subject: [PATCH] feat(hydra-sql): non root deployment with caddy --- .../resources/hydra-sql-deployment.yaml | 140 ++++++++++-------- 1 file changed, 78 insertions(+), 62 deletions(-) diff --git a/components/hydra-sql/resources/hydra-sql-deployment.yaml b/components/hydra-sql/resources/hydra-sql-deployment.yaml index 6484b14..5403202 100644 --- a/components/hydra-sql/resources/hydra-sql-deployment.yaml +++ b/components/hydra-sql/resources/hydra-sql-deployment.yaml @@ -18,83 +18,99 @@ spec: spec: containers: - name: hydra-sql-fpm - image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756 + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 imagePullPolicy: Always args: ["/usr/sbin/php-fpm81", "-F", "-e"] readinessProbe: exec: command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf livenessProbe: exec: command: - - php - - bin/console - - -V + - php + - bin/console + - -V initialDelaySeconds: 10 periodSeconds: 30 resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 envFrom: - - configMapRef: - name: hydra-sql-env + - configMapRef: + name: hydra-sql-env env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_LOG_LEVEL - value: warning + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_LOG_LEVEL + value: warning volumeMounts: - - name: sql-login-config - mountPath: "/app/config/sql_login_configuration/sql_login.yaml" - subPath: "sql_login.yaml" + - name: sql-login-config + mountPath: "/app/config/sql_login_configuration/sql_login.yaml" + subPath: "sql_login.yaml" - - name: hydra-sql-nginx - image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756 - imagePullPolicy: Always - args: ["/usr/sbin/nginx"] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-sql-env - env: - - name: NGINX_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: NGINX_APP_ROOT - value: "/public" - - name: NGINX_APP_PHP_INDEX - value: "/index.php" - - name: NGINX_ERROR_LOG_LEVEL - value: "warn" - - name: NGINX_APP_PHP_NON_FILE_PATTERN - value: "^/index\\.php(/|$)" - resources: {} - ports: - - containerPort: 8080 - volumeMounts: - - name: sql-login-config - mountPath: "/app/config/sql_login_configuration/sql_login.yaml" - subPath: "sql_login.yaml" + - name: hydra-sql-nginx + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 + imagePullPolicy: Always + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-sql-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + ports: + - containerPort: 8080 + volumeMounts: + - name: sql-login-config + mountPath: "/app/config/sql_login_configuration/sql_login.yaml" + subPath: "sql_login.yaml" volumes: - - name: sql-login-config - configMap: - name: sql-login-config + - name: sql-login-config + configMap: + name: sql-login-config restartPolicy: Always