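---
# Single-replica Redis Deployment for the honeydue namespace, persisting
# its append-only file to the redis-data PersistentVolumeClaim.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: honeydue
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/part-of: honeydue
spec:
  replicas: 1
  strategy:
    # ReadWriteOnce PVC — can't attach to two pods
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: redis
  template:
    metadata:
      labels:
        app.kubernetes.io/name: redis
        app.kubernetes.io/part-of: honeydue
    spec:
      serviceAccountName: redis
      # Nothing in this pod calls the Kubernetes API, so keep the
      # service-account token out of the container filesystem.
      automountServiceAccountToken: false
      # No nodeSelector — single node dev cluster
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          # NOTE(review): 7-alpine is a mutable tag. Pin by digest
          # (redis:7-alpine@sha256:<DIGEST_PLACEHOLDER>) so the image
          # that runs is the image that was reviewed.
          image: redis:7-alpine
          # The argument list is built in the positional parameters so
          # a password containing whitespace or glob characters reaches
          # redis-server as a single argument (an unquoted $ARGS would
          # word-split it).
          # NOTE(review): --requirepass still places the password in
          # redis-server's argv, readable through /proc/<pid>/cmdline
          # inside the container; use a config file if that matters.
          command:
            - sh
            - -c
            - |
              set -- --appendonly yes --appendfsync everysec \
                --maxmemory 256mb --maxmemory-policy noeviction
              if [ -n "$REDIS_PASSWORD" ]; then
                set -- "$@" --requirepass "$REDIS_PASSWORD"
              fi
              exec redis-server "$@"
          ports:
            - containerPort: 6379
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: honeydue-secrets
                  key: REDIS_PASSWORD
                  # Fails open: if the Secret or key is absent the pod
                  # still starts and Redis serves port 6379 without
                  # authentication. Tolerable only on the dev cluster;
                  # set to false wherever auth must be enforced.
                  optional: true
          volumeMounts:
            - name: redis-data
              mountPath: /data
            # Writable scratch space, needed because the root
            # filesystem is read-only.
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 500m
              # Leaves headroom above the 256mb --maxmemory cap.
              memory: 512Mi
          # Both probes hand the password to redis-cli through
          # REDISCLI_AUTH instead of -a, which keeps it out of the
          # probe process's argv and avoids the -a warning on stderr.
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  if [ -n "$REDIS_PASSWORD" ]; then
                    REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli ping | grep -q PONG
                  else
                    redis-cli ping | grep -q PONG
                  fi
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  if [ -n "$REDIS_PASSWORD" ]; then
                    REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli ping | grep -q PONG
                  else
                    redis-cli ping | grep -q PONG
                  fi
            initialDelaySeconds: 15
            periodSeconds: 20
            timeoutSeconds: 5
      volumes:
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data
        # Memory-backed /tmp; usage counts against the container's
        # memory limit.
        - name: tmp
          emptyDir:
            medium: Memory
            sizeLimit: 64Mi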