apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "agentkit.fullname" . }} labels: {{- include "agentkit.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "agentkit.selectorLabels" . | nindent 6 }} template: metadata: labels: {{- include "agentkit.selectorLabels" . | nindent 8 }} annotations: # ConfigMap 变更触发 rollout checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: serviceAccountName: {{ include "agentkit.serviceAccountName" . }} {{- with .Values.image.pullSecret }} imagePullSecrets: - name: {{ . }} {{- end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: agentkit # DEPLOY-9: digest pinning 优先于 tag(政企生产防篡改) {{- if .Values.image.digest }} image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}" {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} args: - serve - --config - /etc/agentkit/agentkit.yaml - --host - 0.0.0.0 - --port - {{ .Values.service.apiPort | quote }} ports: - name: api containerPort: {{ .Values.service.apiPort }} protocol: TCP - name: gui containerPort: {{ .Values.service.guiPort }} protocol: TCP env: # --- 密钥从统一 Secret 注入(Sealed Secret / External Secret 渲染)--- - name: JWT_SIGNING_KEY valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.jwtSigningKey.key }} - name: API_KEY valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.apiKey.key }} - name: DATABASE_URL valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.dbCredentials.key }} - name: IDP_SIGNING_CERTS valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.idpSigningCerts.key }} - name: THIRD_PARTY_API_KEYS valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.thirdPartyApiKeys.key }} - name: MTLS_CLIENT_CERT valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.mtlsClientCert.key }} - name: KMS_HSM_PIN valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.kmsHsmPin.key }} - name: OTEL_EXPORTER_OTLP_HEADERS valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.otelExporterToken.key }} - name: REDIS_PASSWORD valueFrom: secretKeyRef: name: {{ include "agentkit.secretName" . }} key: {{ .Values.secrets.redisPassword.key }} # DEPLOY-4: 移除 POSTGRES_PASSWORD env — 应用通过 DATABASE_URL(Slot 3) # 消费 PG 密码(DSN 内嵌),POSTGRES_PASSWORD 仅用于 PostgreSQL StatefulSet # 初始化(由独立 PG chart / StatefulSet 引用 secrets.postgresPassword)。 # 此处注入是死 env,误导运维以为应用读 POSTGRES_PASSWORD。 # --- 非密配置(OTel endpoint、service name)--- {{- if .Values.otel.enabled }} - name: OTEL_EXPORTER_OTLP_ENDPOINT value: {{ .Values.otel.endpoint | quote }} - name: OTEL_SERVICE_NAME value: {{ .Values.otel.serviceName | quote }} {{- end }} envFrom: # agentkit.yaml 从 ConfigMap 注入(通过 AGENTKIT_CONFIG 环境变量指向挂载路径) - configMapRef: name: {{ include "agentkit.fullname" . }} volumeMounts: - name: config mountPath: /etc/agentkit readOnly: true - name: tmp mountPath: /tmp resources: {{- toYaml .Values.resources | nindent 12 }} livenessProbe: {{- toYaml .Values.probes.liveness | nindent 12 }} readinessProbe: {{- toYaml .Values.probes.readiness | nindent 12 }} volumes: - name: config configMap: name: {{ include "agentkit.fullname" . }} - name: tmp emptyDir: {}