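# Helm template: Koha application Deployments (plack backend, apache frontend)
# plus optional in-cluster MariaDB, Elasticsearch and memcached Deployments,
# gated on .Values.db / .Values.elasticsearch / .Values.memcached.
#
# NOTE(review): every application container below runs as root with
# privileged: true, an Unconfined seccomp profile and CAP_SYS_ADMIN. A
# privileged container is effectively equivalent to root on the node, so a
# compromise of any of these services is a node compromise. Tightening this is
# a functional change that needs testing against the images' entrypoints, so it
# is flagged here rather than changed; the init-wait container shows the
# least-privilege shape to aim for.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: koha
  namespace: koha
  labels:
    app: koha
    component: plack
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koha
      component: plack
  template:
    metadata:
      labels:
        app: koha
        component: plack
    spec:
      containers:
        - name: koha
          # Quoted so an empty registry/tag value cannot render as a flow
          # mapping or null instead of a string.
          image: "{{ .Values.docker.registry }}:{{ .Values.docker.tag }}"
          securityContext:
            runAsUser: 0 # Set root user
            allowPrivilegeEscalation: true
            # privileged: true already grants all capabilities and host device
            # access; the capabilities.add list below is redundant while it is set.
            privileged: true
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
          env:
            - name: USE_PLACK
              value: "1"
            - name: USE_BACKEND
              value: "1"
          envFrom:
            - configMapRef:
                name: koha-map
                optional: false
          volumeMounts:
            - name: koha-pv
              mountPath: /var/lib/koha
              subPath: koha
            - name: koha-pv
              mountPath: /etc/koha/sites
              subPath: sites
            - name: koha-pv
              mountPath: /tmp/libshare
              subPath: lib
      volumes:
        - name: koha-pv
          persistentVolumeClaim:
            claimName: koha-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: koha-apache
  namespace: koha
  labels:
    app: koha
    component: apache
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koha
      component: apache
  template:
    metadata:
      labels:
        app: koha
        component: apache
    spec:
      initContainers:
        # Blocks until the plack backend answers on koha:5000 (up to ~15 min).
        - name: init-wait
          # NOTE(review): unpinned tag; pin to a version or digest so the init
          # image cannot change underneath the release.
          image: alpine
          command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 koha 5000 && exit 0 || sleep 3; done; exit 1"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000 # Set a non-root user
            seccompProfile:
              type: RuntimeDefault
      containers:
        - name: apache
          image: "{{ .Values.docker.registry }}:{{ .Values.docker.tag }}"
          securityContext:
            runAsUser: 0 # Set root user
            # fsGroup is a pod-level field (spec.securityContext), not a
            # container-level one; it would be rejected here if uncommented.
            # fsGroup: 1000 # www-data group
            allowPrivilegeEscalation: true
            privileged: true
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
          env:
            - name: USE_APACHE2
              value: "1"
            - name: USE_BACKEND
              value: "0"
          envFrom:
            - configMapRef:
                name: koha-map
          volumeMounts:
            - name: koha-pv
              mountPath: /etc/koha/sites
              subPath: sites
            - name: koha-pv
              mountPath: /tmp/libshare
              subPath: lib
          # ports:
          #   - containerPort: {{ .Values.opac.port }}
          #   - containerPort: {{ .Values.staff.port }}
      volumes:
        - name: koha-pv
          persistentVolumeClaim:
            claimName: koha-pvc
{{ if not .Values.db.external }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: koha-mysql
  namespace: koha
  labels:
    app: koha
    component: db
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koha
      component: db
  template:
    metadata:
      labels:
        app: koha
        component: db
    spec:
      securityContext:
        runAsUser: 999
        fsGroup: 999
      containers:
        - name: db
          image: mariadb:10.3
          securityContext:
            # Runs as uid 999 (the mariadb user in the official image), not
            # root; the pod-level runAsUser/fsGroup above match this.
            runAsUser: 999
            # NOTE(review): a database has no need for privileged mode or
            # SYS_ADMIN; uid 999 plus privileged is still a node-level risk.
            allowPrivilegeEscalation: true
            privileged: true
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
          # NOTE(review): koha-map is shared with the application containers;
          # database credentials belong in a Secret rather than a ConfigMap.
          envFrom:
            - configMapRef:
                name: koha-map
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: koha-mysql-pv
              mountPath: /var/lib/mysql
      volumes:
        - name: koha-mysql-pv
          persistentVolumeClaim:
            claimName: koha-mysql-pvc
{{ end }}
{{ if and .Values.elasticsearch.enabled (not .Values.elasticsearch.external) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: koha-es
  namespace: koha
  labels:
    app: koha
    component: es
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koha
      component: es
  template:
    metadata:
      labels:
        app: koha
        component: es
    spec:
      containers:
        - name: es
          # NOTE(review): unpinned image; pin to a tag or digest.
          image: koha/elasticsearch-icu
          securityContext:
            runAsUser: 0 # Set root user
            allowPrivilegeEscalation: true
            privileged: true
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
          env:
            - name: cluster.name
              value: "docker-cluster"
            - name: bootstrap.memory_lock
              value: "true"
            # Authentication/TLS on the ES API is disabled; the cluster is
            # reachable by anything that can route to this pod, so isolation
            # must come from a NetworkPolicy restricting ingress to koha.
            - name: xpack.security.enabled
              value: "false"
            - name: ES_JAVA_OPTS
              value: "-Xms1g -Xmx1g"
            - name: SET_ULIMIT
              value: "1"
      initContainers:
        # Raises node-wide kernel sysctls that Elasticsearch requires. These
        # are unsafe (node-scoped) sysctls, which is why this runs privileged;
        # the node's sysctl settings persist after the pod is gone.
        - name: set-max-map-count
          image: alpine
          securityContext:
            runAsUser: 0 # Set root user
            allowPrivilegeEscalation: true
            privileged: true
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
            # Only one seccompProfile key is valid per securityContext. The
            # original listed both Unconfined and RuntimeDefault; under the
            # usual last-wins duplicate-key handling RuntimeDefault was the
            # value applied, so it is the one kept. With privileged: true many
            # runtimes ignore the seccomp profile anyway — confirm on the
            # target runtime.
            seccompProfile:
              type: RuntimeDefault
          command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
{{ end }}
{{ if and .Values.memcached.enabled (not .Values.memcached.external) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: koha-memcached
  namespace: koha
  labels:
    app: koha
    component: memcached
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koha
      component: memcached
  template:
    metadata:
      labels:
        app: koha
        component: memcached
    spec:
      containers:
        - name: memcached
          # NOTE(review): unpinned image; pin to a tag or digest.
          image: memcached
          securityContext:
            # Runs as uid 497, not root; the previous "Set root user" comment
            # was inaccurate.
            runAsUser: 497
            # NOTE(review): memcached does not need privileged mode or
            # SYS_ADMIN; a drop-ALL profile like init-wait's should suffice.
            allowPrivilegeEscalation: true
            privileged: true
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
                - SETUID
                - SETGID
                - SYS_ADMIN
          command: ["memcached", "-m", "64m"]
{{ end }}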