diff --git a/kubernetes/app/immich/cronjob-backup.yaml b/kubernetes/app/immich/cronjob-backup.yaml
index 9de9fa2..6e14660 100644
--- a/kubernetes/app/immich/cronjob-backup.yaml
+++ b/kubernetes/app/immich/cronjob-backup.yaml
@@ -88,7 +88,7 @@ spec: restartPolicy: OnFailure containers: - name: resticprofile-backup - image: creativeprojects/resticprofile:latest + image: creativeprojects/resticprofile:0.32.0 command: - sh - -c
diff --git a/kubernetes/app/immich/database.yaml b/kubernetes/app/immich/database.yaml
index c012fa2..8f76e18 100644
--- a/kubernetes/app/immich/database.yaml
+++ b/kubernetes/app/immich/database.yaml
@@ -20,6 +20,8 @@ spec: runAsUser: 999 runAsGroup: 999 fsGroup: 999 + seccompProfile: + type: RuntimeDefault containers: - name: postgres image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
@@ -60,6 +62,12 @@ spec: port: 5432 initialDelaySeconds: 5 periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + memory: 1Gi volumeMounts: - name: data mountPath: /var/lib/postgresql/data
diff --git a/kubernetes/app/immich/networkpolicy.yaml b/kubernetes/app/immich/networkpolicy.yaml
index 65bd2c5..92de992 100644
--- a/kubernetes/app/immich/networkpolicy.yaml
+++ b/kubernetes/app/immich/networkpolicy.yaml
@@ -44,9 +44,6 @@ spec: - podSelector: matchLabels: app.kubernetes.io/name: server - - podSelector: - matchLabels: - app.kubernetes.io/name: microservices - podSelector: matchLabels: app: immich-db-backup
@@ -68,9 +65,6 @@ spec: - podSelector: matchLabels: app.kubernetes.io/name: server - - podSelector: - matchLabels: - app.kubernetes.io/name: microservices --- # Allow immich pods to reach machine-learning apiVersion: networking.k8s.io/v1
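Review bot: The seccomp profile added to the pod securityContext in the first database.yaml hunk is only half of the usual hardening pair: the visible pod-level fields are runAsUser/runAsGroup/fsGroup, and nothing in the hunk shows `runAsNonRoot: true` or a container-level securityContext for the postgres container, whose `image:` line is the last context line here. If those are not set above or below the hunk, setuid binaries in the image can still gain privileges and the kubelet never verifies the container user at start-up. Suggested additions: `runAsNonRoot: true` next to `fsGroup: 999`, and under the postgres container `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`; the container's securityContext position is outside the hunk, so confirm it is not already there.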
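Review bot: The new `limits.memory: 1Gi` in the second database.yaml hunk is applied to a Postgres container whose memory settings (shared_buffers, work_mem, maintenance_work_mem) are not visible and, if left at the image defaults, are sized independently of the limit; when the container crosses 1Gi the kernel OOM-killer terminates it and every kill forces WAL crash recovery, which is an availability risk for the primary. The 256Mi request against a 1Gi limit also leaves the pod Burstable, so on a contended node it is among the first to be evicted. A comment stating how the figure was derived would let the next reader judge it, e.g. `# 1Gi: headroom for vector index builds; Postgres memory settings assume <value, not on this page> — revisit if OOMKilled`.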
@@ -89,6 +83,35 @@ spec: - podSelector: matchLabels: app.kubernetes.io/name: server +--- +# Allow backup pods egress to Synology (rest-server), B2, DNS, and DB +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-backup-egress + namespace: immich +spec: + podSelector: + matchLabels: + app: immich-backup + policyTypes: + - Egress + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - ports: + - port: 8888 + protocol: TCP + - ports: + - port: 443 + protocol: TCP + - ports: + - port: 5432 + protocol: TCP + to: - podSelector: matchLabels: - app.kubernetes.io/name: microservices + app: immich-db
diff --git a/kubernetes/app/immich/pv-db.yaml b/kubernetes/app/immich/pv-db.yaml
index 3eb3611..3965e9e 100644
--- a/kubernetes/app/immich/pv-db.yaml
+++ b/kubernetes/app/immich/pv-db.yaml
@@ -11,7 +11,8 @@ spec: persistentVolumeReclaimPolicy: Retain mountOptions: - hard - - nointr + - timeo=30 + - retrans=3 nfs: server: synology.storage.lviv path: /volume3/k8s-storage/immich-db
diff --git a/kubernetes/app/immich/pv-library.yaml b/kubernetes/app/immich/pv-library.yaml
index 19b13dc..d6e8f7b 100644
--- a/kubernetes/app/immich/pv-library.yaml
+++ b/kubernetes/app/immich/pv-library.yaml
@@ -11,7 +11,8 @@ spec: persistentVolumeReclaimPolicy: Retain mountOptions: - hard - - nointr + - timeo=30 + - retrans=3 nfs: server: synology.storage.lviv path: ${IMMICH_UPLOAD_NFS_PATH}
diff --git a/kubernetes/app/immich/release.yaml b/kubernetes/app/immich/release.yaml
index 3e79a96..fc3d080 100644
--- a/kubernetes/app/immich/release.yaml
+++ b/kubernetes/app/immich/release.yaml
@@ -19,10 +19,21 @@ spec: values: controllers: main: + strategy: Recreate + pod: + securityContext: + seccompProfile: + type: RuntimeDefault containers: main: image: tag: v2.5.6 + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 2Gi env: DB_HOSTNAME: immich-db DB_USERNAME:
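Review bot: The 8888/TCP and 443/TCP rules of the new allow-backup-egress policy have no `to:` block, and neither does the port-53 rule, so the comment's "Synology (rest-server), B2, DNS" intent is not what the policy enforces: a backup pod may reach any cluster pod or external host on those ports, and any resolver on port 53. Only the 5432 rule is actually scoped (to `app: immich-db`). The rest-server rule can be pinned to the NAS with an ipBlock and DNS to the cluster resolver as below; 443 to B2 has no stable CIDR, but an ipBlock with `except` for the cluster and RFC1918 ranges would at least keep it off-cluster. Separately, this policy selects `app: immich-backup` while the first hunk of this file uses `app: immich-db-backup` for what looks like the same backup pods; if the CronJob carries only one of these labels, either this egress policy or that ingress rule matches nothing, which is worth confirming against cronjob-backup.yaml.
```yaml
  egress:
    # DNS: cluster resolver only, not any host on port 53
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
    # rest-server on the Synology only
    - ports:
        - port: 8888
          protocol: TCP
      to:
        - ipBlock:
            cidr: <NAS_IP>/32  # placeholder: NAS address is not on this page
    # … unchanged: 443 and 5432 rules …
```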
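Review bot: `timeo=30` in the pv-db.yaml hunk is in tenths of a second, i.e. a 3 s RPC timeout, well under the 600 (60 s) default the kernel uses for NFS over TCP, and because `hard` is kept the client never returns EIO to Postgres anyway; `retrans=3` therefore only decides how soon "server not responding, still trying" is logged and the RPC is retransmitted, it does not bound how long a write can hang. Keeping `hard` is the right call for a database volume, but the options read as if they make the mount fail faster, which they do not. The dropped `nointr` has been ignored by the kernel since 2.6.25, so that part is a no-op. A comment above `mountOptions` would capture the intent, e.g. `# hard: never surface EIO to Postgres; timeo is in 0.1 s units (30 = 3 s per RPC before retransmit)`. The pv-library.yaml hunk makes the identical change and the same comment applies there.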
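Review bot: In the release.yaml hunk the hardening stops at the pod level: `pod.securityContext` gets seccomp RuntimeDefault, but `containers.main` only receives `resources`, with no container securityContext dropping capabilities or disabling privilege escalation, so a setuid binary in the image can still escalate regardless of the seccomp profile. The `controllers.main.pod.securityContext` layout looks like the app-template chart, which passes container `securityContext` fields straight through to the container spec; if that is the chart in use, the block below fits under `containers.main`. `runAsNonRoot: true` belongs in the same block only if the immich image runs as a non-root user, which should be verified before adding it. The two following hunks (machine-learning and valkey) have the same gap.
```yaml
      containers:
        main:
          image:
            tag: v2.5.6
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: resources, env …
```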
@@ -63,6 +74,21 @@ spec: secretName: immich-tls machine-learning: enabled: true + controllers: + main: + strategy: Recreate + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + main: + resources: + requests: + cpu: 50m + memory: 512Mi + limits: + memory: 2Gi persistence: cache: enabled: true
@@ -72,6 +98,20 @@ spec: type: persistentVolumeClaim valkey: enabled: true + controllers: + main: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + main: + resources: + requests: + cpu: 25m + memory: 64Mi + limits: + memory: 256Mi persistence: data: enabled: true
diff --git a/kubernetes/app/immich/service.yaml b/kubernetes/app/immich/service.yaml
index 555ece1..8dad601 100644
--- a/kubernetes/app/immich/service.yaml
+++ b/kubernetes/app/immich/service.yaml
@@ -6,11 +6,9 @@ metadata: labels: app: immich-db spec: - type: ClusterIP ports: - - name: 5432-5432 + - name: postgres port: 5432 targetPort: 5432 - protocol: TCP selector: app: immich-db
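Review bot: The valkey hunk is the only one of the three controllers that does not get `strategy: Recreate`, while main and machine-learning do. Its `persistence.data` block follows the hunk, so I cannot see the access mode; if it is a ReadWriteOnce PVC on a Deployment, a rolling update starts the replacement pod before the old one releases the volume and the upgrade stalls in ContainerCreating, or, if both land on the same node, two valkey processes open one data directory. Adding `strategy: Recreate` under `controllers.main` keeps the three consistent; if valkey is deliberately left rolling (for example because it runs as a StatefulSet), a comment such as `# RollingUpdate is intentional: <reason>` would stop the next reader from "fixing" it.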