oleksandr/homelab
1
0
Fork 0
Code Pull Requests Activity
Files
master
homelab/kubernetes/app/cryptpad/deployment.yaml

176 lines
5.7 KiB
YAML
Raw Permalink Blame History

apiVersion: apps/v1
kind: Deployment
metadata:
name: cryptpad
namespace: cryptpad
labels:
app: cryptpad
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: cryptpad
template:
metadata:
labels:
app: cryptpad
spec:
securityContext:
runAsUser: 4001
runAsGroup: 4001
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
initContainers:
# # Create required subdirectories on NFS volumes before subPath mounts are used
# - name: init-dirs
# image: busybox:1.36
# securityContext:
# runAsUser: 0
# runAsNonRoot: false
# command:
# - sh
# - -c
# - |
# mkdir -p /data/blob /data/datastore /data/data /data/block /data/onlyoffice
# mkdir -p /config/customize
# chown -R 4001:4001 /data /config
# volumeMounts:
# - name: data
# mountPath: /data
# - name: config
# mountPath: /config
# Clone the official CryptPad SSO plugin into an emptyDir shared with the main container
- name: install-sso-plugin
image: alpine/git:v2.47.2
securityContext:
runAsUser: 0
runAsNonRoot: false
command:
- sh
- -c
- |
git clone --depth=1 https://github.com/cryptpad/sso /plugin
chown -R 4001:4001 /plugin
volumeMounts:
- name: sso-plugin
mountPath: /plugin
containers:
- name: cryptpad
image: cryptpad/cryptpad:version-2026.2.0
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 3003
name: api
protocol: TCP
env:
- name: CPAD_CONF
value: "/cryptpad/config/config.js"
- name: CPAD_MAIN_DOMAIN
value: "https://${CRYPTPAD_HOST}"
- name: CPAD_SANDBOX_DOMAIN
value: "https://${CRYPTPAD_SANDBOX_HOST}"
# Trust the Traefik pod CIDR so CryptPad sees real client IPs.
# Adjust if your pod CIDR is different.
- name: CPAD_TRUSTED_PROXY
value: "10.0.0.0/8"
- name: CPAD_REALIP_HEADER
value: "X-Forwarded-For"
- name: CPAD_REALIP_RECURSIVE
value: "on"
# Downloads and installs OnlyOffice frontend on first start (persisted via data PVC).
# First startup will be slower while OnlyOffice assets are fetched.
- name: CPAD_INSTALL_ONLYOFFICE
value: "yes"
volumeMounts:
# User data — split into subdirs on a single NFS PVC
- name: data
mountPath: /cryptpad/blob
subPath: blob
- name: data
mountPath: /cryptpad/datastore
subPath: datastore
- name: data
mountPath: /cryptpad/data
subPath: data
- name: data
mountPath: /cryptpad/block
subPath: block
# Customization (branding, themes) — persisted on NFS
- name: config
mountPath: /cryptpad/customize
subPath: customize
# OnlyOffice dist — local-path (not NFS): rdfind uses hard links which
# require a real filesystem, and scanning NFS for dedup is very slow
- name: onlyoffice
mountPath: /cryptpad/www/common/onlyoffice/dist
# SSO plugin — freshly cloned by init container on each pod start
- name: sso-plugin
mountPath: /cryptpad/lib/plugins/sso
# sso.js mounted directly from the secret — overlays the NFS config dir
# at this specific file path, no init container needed
- name: sso-secret
mountPath: /cryptpad/config/sso.js
subPath: sso.js
readOnly: true
- name: application-config
mountPath: /cryptpad/customize/application_config.js
subPath: application_config.js
readOnly: true
- name: application-config
mountPath: /cryptpad/config/config.js
subPath: config.js
readOnly: true
# npm run build runs on every start and can take several minutes.
# startupProbe absorbs that time; liveness/readiness take over once up.
startupProbe:
httpGet:
port: 3000
path: /
failureThreshold: 120
periodSeconds: 60
livenessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 30
readinessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 2Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
- name: config
persistentVolumeClaim:
claimName: cryptpad-config
- name: sso-plugin
emptyDir: {}
- name: onlyoffice
persistentVolumeClaim:
claimName: cryptpad-onlyoffice
- name: sso-secret
secret:
secretName: cryptpad-credentials
items:
- key: sso.js
path: sso.js
- name: application-config
configMap:
name: cryptpad-config
View Git Blame Copy Permalink