Thin Helm chart in charts/vergabe-teilnahme (Deployment + Service), plain values overlay in helm/vergabe-teilnahme-values.yaml, ingress + cert-manager TLS in manifests/vergabe-teilnahme-ingress.yaml. Makefile targets vergabe-dry-run|deploy|ingress-deploy|status|migrate|seed|superuser|logs. Secrets stay in K8s (vergabe-app-credentials + vergabe-teilnahme-env) — no SOPS needed. Live: pod Running 1/1, /health/ 200 ok, /ausschreibungen/dashboard/ renders Übersicht, /admin/login/ renders Django admin (German). cert-manager issued vergabe-teilnahme-tls in ~35s. Workplan T07 (migrate+seed+smoke) marked in_progress; migrate completed inline (10+ apps migrated) so the dashboard would render. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
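# Default values for the vergabe-teilnahme Helm chart (Deployment + Service).
# Per-environment overrides live in helm/vergabe-teilnahme-values.yaml.

image:
  repository: gitea.coulomb.social/coulomb/vergabe-teilnahme
  # Deliberately empty: the chart must not silently deploy :latest.
  tag: "" # required; pinned via helm/vergabe-teilnahme-values.yaml
  pullPolicy: IfNotPresent

replicaCount: 1 # v1 is single-instance; HA is deferred (RAILIANCE-WP-0002 Notes)

service:
  type: ClusterIP
  port: 80
  targetPort: 8000 # container port the app listens on; probes.port below must match

resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 1000m
    memory: 1Gi

# Env from the K8s Secret created out-of-band (vergabe-teilnahme-env).
# Holds SECRET_KEY + DATABASE_URL. Created by the operator with kubectl
# create secret generic vergabe-teilnahme-env --from-literal=...
# Never put these values in this file or in the values overlay.
envSecretName: vergabe-teilnahme-env

# Non-secret env injected directly into the Deployment.
env:
  DJANGO_SETTINGS_MODULE: vergabe_teilnahme.settings.prod
  ALLOWED_HOSTS: vergabe-teilnahme.whywhynot.de,localhost
  CSRF_TRUSTED_ORIGINS: https://vergabe-teilnahme.whywhynot.de

probes:
  enabled: true
  path: /health/
  port: 8000
  # Sent as the Host header on probe requests so Django's ALLOWED_HOSTS
  # check passes; otherwise the probe gets a 400 and the pod never becomes Ready.
  hostHeader: vergabe-teilnahme.whywhynot.de # must be in ALLOWED_HOSTS
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 3
  readiness:
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3

# PVC for media uploads is deferred — Django MEDIA is in-pod ephemeral
# for v1. Switch to true + a storageClass once media uploads land.
persistence:
  media:
    enabled: false
    storageClass: local-path
    size: 5Gi
    accessMode: ReadWriteOnce

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 999 # matches the 'app' user in the Dockerfile
  runAsGroup: 999
  fsGroup: 999
  # Required by the Pod Security Standards "restricted" level.
  # NOTE(review): only takes effect if the Deployment template renders this
  # map verbatim (e.g. via toYaml) rather than picking individual keys — confirm.
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false # whitenoise + collectstatic write to /app
  # TODO(review): could become true by mounting an emptyDir at the path(s)
  # collectstatic writes to; revisit once the write locations are pinned down.
  capabilities:
    drop:
      - ALL

nodeSelector: {}
tolerations: []
affinity: {}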