c502a42f17
- Extract OidcProviderHelper for shared discovery + JWK source construction - Add SystemRole.normalizeScope() to centralize role normalization - Merge duplicate claim extraction in OidcTokenExchanger - Add PKCE (S256) to OIDC authorization flow (frontend + backend) - Add SecurityContext (runAsNonRoot) to all K8s deployments - Fix postgres probe to use $POSTGRES_USER instead of hardcoded username - Remove default credentials from Dockerfile - Extract sanitize_branch() to shared .gitea/sanitize-branch.sh - Fix sidebar to use /exchanges/ paths directly, remove legacy redirects - Centralize basePath computation in router.tsx via config module Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
139 lines
4.1 KiB
YAML
139 lines
4.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: cameleer3-server
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: cameleer3-server
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: cameleer3-server
|
|
spec:
|
|
imagePullSecrets:
|
|
- name: gitea-registry
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
containers:
|
|
- name: server
|
|
image: gitea.siegeln.net/cameleer/cameleer3-server:latest
|
|
ports:
|
|
- containerPort: 8081
|
|
env:
|
|
- name: CAMELEER_TENANT_ID
|
|
value: "default"
|
|
- name: SPRING_DATASOURCE_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-credentials
|
|
key: POSTGRES_USER
|
|
- name: SPRING_DATASOURCE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-credentials
|
|
key: POSTGRES_PASSWORD
|
|
- name: SPRING_FLYWAY_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-credentials
|
|
key: POSTGRES_USER
|
|
- name: SPRING_FLYWAY_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: postgres-credentials
|
|
key: POSTGRES_PASSWORD
|
|
- name: CAMELEER_AUTH_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: cameleer-auth
|
|
key: CAMELEER_AUTH_TOKEN
|
|
- name: CAMELEER_UI_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: cameleer-auth
|
|
key: CAMELEER_UI_USER
|
|
optional: true
|
|
- name: CAMELEER_UI_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: cameleer-auth
|
|
key: CAMELEER_UI_PASSWORD
|
|
optional: true
|
|
- name: CAMELEER_UI_ORIGIN
|
|
value: "http://localhost:5173"
|
|
- name: CAMELEER_JWT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: cameleer-auth
|
|
key: CAMELEER_JWT_SECRET
|
|
optional: true
|
|
- name: CLICKHOUSE_ENABLED
|
|
value: "true"
|
|
- name: CLICKHOUSE_URL
|
|
value: "jdbc:clickhouse://clickhouse.cameleer.svc.cluster.local:8123/cameleer"
|
|
- name: CLICKHOUSE_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: clickhouse-credentials
|
|
key: CLICKHOUSE_USER
|
|
- name: CLICKHOUSE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: clickhouse-credentials
|
|
key: CLICKHOUSE_PASSWORD
|
|
- name: CAMELEER_STORAGE_METRICS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_SEARCH
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_STATS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_DIAGRAMS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_EVENTS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_LOGS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_STORAGE_EXECUTIONS
|
|
value: "clickhouse"
|
|
- name: CAMELEER_TENANT_ID
|
|
value: "default"
|
|
|
|
resources:
|
|
requests:
|
|
memory: "256Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "512Mi"
|
|
cpu: "500m"
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /api/v1/health
|
|
port: 8081
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
timeoutSeconds: 3
|
|
failureThreshold: 3
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /api/v1/health
|
|
port: 8081
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 3
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: cameleer3-server
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: cameleer3-server
|
|
ports:
|
|
- port: 8081
|
|
targetPort: 8081
|