Share My K8S Config.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: esm-config
  namespace: esm
data:
  config.json: |
    {
      "port": 80,
      "tlsPort": 0,
      "nsPort": 8088,
      "buildConcurrency": 0,
      "workDir": "~/.esmd",
      "cache": "memory:default",
      "database": "bolt:~/.esmd/esm.db",
      "storage": "local:~/.esmd/storage",
      "logDir": "~/.esmd/log",
      "logLevel": "debug",
      "origin": "https://esm.example.com",
      "basePath": "/",
      "npmRegistry": "https://registry.npmmirror.com/"
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: esm
  namespace: esm
  labels:
    app.kubernetes.io/instance: esm
    app.kubernetes.io/name: esm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: esm
      app.kubernetes.io/name: esm
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: esm
        app.kubernetes.io/name: esm
    spec:
      containers:
        - name: esm
          image: change to your image
          volumeMounts:
            - name: config-volume
              mountPath: /home/esm/config.json
              subPath: config.json
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          resources: {}
          livenessProbe:
            httpGet:
              path: /
              port: http
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: http
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      volumes:
        - name: config-volume
          configMap:
            name: esm-config
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: default
      serviceAccount: default
      securityContext:
        runAsUser: 0
        runAsGroup: 0
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
---
apiVersion: v1
kind: Service
metadata:
  name: esm
  namespace: esm
  labels:
    app.kubernetes.io/instance: esm
    app.kubernetes.io/name: esm
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  selector:
    app.kubernetes.io/instance: esm
    app.kubernetes.io/name: esm
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
```
That's great! Does this handle clusters?
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} |
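Review bot: `password: ${{ secrets.GITHUB_TOKEN }}` can only push to ghcr.io if the job's token has `packages: write`, and these lines do not show where that is granted. Declare it explicitly on the job (`permissions:` with `contents: read` and `packages: write`) so the push does not depend on the repository's default token permissions and the token carries nothing broader than the workflow needs.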

I need to put my own token for the CI, right?

You don't need to change it.
GitHub provides some contexts for each task.
See https://docs.github.com/en/actions/learn-github-actions/contexts
That will auto-login to your GHCR instance.

| on: | ||
| push: | ||
| branches: [ "main" ] |

Maybe just on tags like v124? Because we may put bad code on the main branch.

Yes, you can.
But it's hard to debug if I do not have the repo permission.
I have no permission to push images to your GHCR instance.
GitHub Actions has strict permissions.
I recommend you copy the action from my existing file.
It can auto-build images based on tag, branch, and pull requests.
And it will auto-comment the result to the PR if the action trigger comes from a PR.
The tags will be like that.
The PR Comments

| context: . | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ghcr.io/${{ github.repository_owner }}/esmd:latest |
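Review bot: the `tags:` line publishes only `esmd:latest`, a mutable tag, together with `push: true`, so every build overwrites the previous image and there is nothing a deployment can pin to or roll back to. Add an immutable tag next to `latest`, for example one derived from the git tag or from `${{ github.sha }}`.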

I prefer ghcr.io/owner/esm.sh instead of ghcr.io/owner/esmd, can you please change it?

Sorry, I don't want to change it anymore.
It's hard for me to debug the code because of the action permission.
You can merge it first and change it.

| RUN useradd -u 1000 -m esm | ||
| RUN mkdir /esm && chown esm:esm /esm | ||
| RUN git clone https://github.com/esm-dev/esm.sh /esm/esm.sh | ||
| RUN git checkout v124 |
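Review bot: `RUN git checkout v124` is a separate `RUN` step that executes in the image's current working directory, while the clone on the line above went to `/esm/esm.sh`; unless a `WORKDIR /esm/esm.sh` precedes these lines, the checkout does not operate on the cloned repository. Cloning the tag directly with `git clone --branch v124 --depth 1 https://github.com/esm-dev/esm.sh /esm/esm.sh` removes that dependency. If reproducible builds matter, check out a fixed commit hash instead, since a tag can be moved upstream.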

Again, let's use the latest tag instead of the main branch.

Reading the version information from git is better than manual changes each time.

| RUN apk add --no-cache libc6-compat xz | ||
| RUN addgroup -g $GROUP_ID $GROUP_NAME && \ | ||
| adduser --shell /sbin/nologin --disabled-password \ | ||
| --uid $USER_ID --ingroup $GROUP_NAME $USER_NAME | ||
| RUN mkdir -p /usr/local/lib && chown -R $USER_NAME:$GROUP_NAME /usr/local |
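Review bot: `chown -R $USER_NAME:$GROUP_NAME /usr/local` hands the runtime user ownership of the whole `/usr/local` tree, not just the `/usr/local/lib` directory created on the same line. That tree includes `/usr/local/bin`, which is on the default PATH, so a compromised server process could replace executables that it or a later process runs. Limit the `chown` to the specific directory the server has to write to.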

This code is prepared for non-root users.
Create a user and give the right permissions.
You must add the lib libc6-compat.
If not, the server will crash.

| WORKDIR /esm | ||
| RUN go build -o bin/esmd esm.sh/main.go | ||
| FROM node:18-alpine3.16 | ||
| ENV USER_ID=65535 |
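Review bot: `FROM node:18-alpine3.16` references the runtime base image by tag, which can point to different content from one build to the next. Pin it by digest (`node:18-alpine3.16@sha256:<digest>`) and update the digest deliberately, so a rebuilt image only changes when the Dockerfile does.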

Just wondering, can we remove the USER_ID and GROUP_ID perm?

If you want the script to run as root, you can.
You can pass the -u 0:0 params to docker.
That will be run as root.
That full command is: docker run --rm -it -p 8077:80 -u 0:0 ghcr.io/zsnmwy/esmd:latest.
That's a security question.
See https://docs.docker.com/engine/security/rootless/

I have to say that the k8s share code is not enough to handle large service requests. ESM should support S3 and Redis.

The original Dockerfile is not working.
linux/amd64
linux/arm64
You can try
docker run --rm -it -p 8077:80 ghcr.io/zsnmwy/esmd:latest.