feat(pvc): Rework PVC permissions and split redis deployment

2025-05-22 23:11:41 +02:00 · 2025-05-22 23:11:41 +02:00 · 71e9378bbd
commit 71e9378bbd
parent 7fbe57fc90
3 changed files with 46 additions and 8 deletions
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@ -33,6 +33,7 @@ spec:
                runAsUser: 991
                runAsGroup: 991
                fsGroup: 991
+                fsGroupChangePolicy: "OnRootMismatch"
            containers:
              - name: mastodon-web
                image: ghcr.io/mastodon/mastodon:v4.3.7
@ -215,6 +216,48 @@ spec:
                volumeMounts:
                  - mountPath: "/mastodon/public/system"
                    name: mastodon-data
+            volumes:
+              - name: mastodon-data
+                persistentVolumeClaim:
+                  claimName: mastodon-pvc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+    name: redis
+    namespace: mastodon
+spec:
+    replicas: 1
+    selector:
+        matchLabels:
+            app: redis
+    template:
+        metadata:
+            labels:
+                app: redis
+        spec:
+            affinity:
+              podAffinity:
+                preferredDuringSchedulingIgnoredDuringExecution:
+                  - weight: 100
+                    podAffinityTerm:
+                      labelSelector:
+                        matchExpressions:
+                          - key: cnpg.io/cluster
+                            operator: In
+                            values:
+                              - mastodon-db
+                          - key: cnpg.io/instanceRole
+                            operator: In
+                            values:
+                              - primary
+                      topologyKey: "kubernetes.io/hostname"
+            securityContext:
+                runAsUser: 1000
+                runAsGroup: 1000
+                fsGroup: 1000
+                fsGroupChangePolicy: "OnRootMismatch"
+            containers:
              - name: redis
                image: redis:7.4.2
                ports:
@ -223,9 +266,6 @@ spec:
                  - mountPath: "/data"
                    name: redis-data
            volumes:
-              - name: mastodon-data
-                persistentVolumeClaim:
-                  claimName: mastodon-pvc
              - name: redis-data
                persistentVolumeClaim:
                  claimName: redis-pvc
--- a/manifests/pvc.yaml
+++ b/manifests/pvc.yaml
@ -14,14 +14,12 @@ spec:
      storage: 50Gi
  storageClassName: redundant-storage-class
 ---
+
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: redis-pvc
  namespace: mastodon
-  labels:
-    recurring-job.longhorn.io/source: enabled
-    recurring-job-group.longhorn.io/standard-pvc: enabled
 spec:
  accessModes:
    - ReadWriteOnce
--- a/manifests/redis-service.yaml
+++ b/manifests/redis-service.yaml
@ -4,7 +4,7 @@ metadata:
    name: redis-svc
    namespace: mastodon
    labels:
-      app.kubernetes.io/name: mastodon
+      app.kubernetes.io/name: redis
 spec:
    ports:
        - name: http
@ -12,4 +12,4 @@ spec:
          protocol: TCP
          targetPort: 6379
    selector:
-        app: mastodon
+        app: redis