fischer-agentkit/deploy/helm/agentkit/templates/deployment.yaml

133 lines
5.3 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "agentkit.fullname" . }}
labels:
{{- include "agentkit.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "agentkit.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "agentkit.selectorLabels" . | nindent 8 }}
annotations:
# ConfigMap 变更触发 rollout
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "agentkit.serviceAccountName" . }}
{{- with .Values.image.pullSecret }}
imagePullSecrets:
- name: {{ . }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: agentkit
# DEPLOY-9: digest pinning 优先于 tag政企生产防篡改
{{- if .Values.image.digest }}
image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}"
{{- else }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
args:
- serve
- --config
- /etc/agentkit/agentkit.yaml
- --host
- 0.0.0.0
- --port
- {{ .Values.service.apiPort | quote }}
ports:
- name: api
containerPort: {{ .Values.service.apiPort }}
protocol: TCP
- name: gui
containerPort: {{ .Values.service.guiPort }}
protocol: TCP
env:
# --- 密钥从统一 Secret 注入Sealed Secret / External Secret 渲染)---
- name: JWT_SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.jwtSigningKey.key }}
- name: API_KEY
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.apiKey.key }}
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.dbCredentials.key }}
- name: IDP_SIGNING_CERTS
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.idpSigningCerts.key }}
- name: THIRD_PARTY_API_KEYS
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.thirdPartyApiKeys.key }}
- name: MTLS_CLIENT_CERT
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.mtlsClientCert.key }}
- name: KMS_HSM_PIN
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.kmsHsmPin.key }}
- name: OTEL_EXPORTER_OTLP_HEADERS
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.otelExporterToken.key }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "agentkit.secretName" . }}
key: {{ .Values.secrets.redisPassword.key }}
# DEPLOY-4: 移除 POSTGRES_PASSWORD env — 应用通过 DATABASE_URLSlot 3
# 消费 PG 密码DSN 内嵌POSTGRES_PASSWORD 仅用于 PostgreSQL StatefulSet
# 初始化(由独立 PG chart / StatefulSet 引用 secrets.postgresPassword
# 此处注入是死 env误导运维以为应用读 POSTGRES_PASSWORD。
# --- 非密配置OTel endpoint、service name---
{{- if .Values.otel.enabled }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_SERVICE_NAME
value: {{ .Values.otel.serviceName | quote }}
{{- end }}
envFrom:
# agentkit.yaml 从 ConfigMap 注入(通过 AGENTKIT_CONFIG 环境变量指向挂载路径)
- configMapRef:
name: {{ include "agentkit.fullname" . }}
volumeMounts:
- name: config
mountPath: /etc/agentkit
readOnly: true
- name: tmp
mountPath: /tmp
resources:
{{- toYaml .Values.resources | nindent 12 }}
livenessProbe:
{{- toYaml .Values.probes.liveness | nindent 12 }}
readinessProbe:
{{- toYaml .Values.probes.readiness | nindent 12 }}
volumes:
- name: config
configMap:
name: {{ include "agentkit.fullname" . }}
- name: tmp
emptyDir: {}