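---
# Deployment of the AIRM API (namespace "airm").
#
# Start-up order, enforced by the init containers below:
#   1. wait-for-db             - block until PostgreSQL answers pg_isready
#   2. init-migration-scripts  - copy migration files into a shared emptyDir
#   3. liquibase-migrate       - apply the Liquibase changelog to the database
#   4. charts-registration     - run the app.charts.registration module
#   5. check-rabbitmq-is-ready - block until RabbitMQ accepts TCP connections
# Only then does the "airm" API container start.
#
# All credentials are read from Kubernetes Secrets via secretKeyRef; none are
# inlined in this manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: airm-api
  namespace: airm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: airm-api
  template:
    metadata:
      labels:
        app: airm-api
        auth-required: "true"
    spec:
      containers:
        - name: airm
          # NOTE(review): this image is referenced by mutable tag, while the
          # postgres, liquibase and ubuntu images in this pod are pinned by
          # digest. Pin it the same way (image@sha256:<digest>) so the
          # deployed bits cannot change under the same tag.
          image: ghcr.io/silogen/airm-api:v2025.09.001
          imagePullPolicy: IfNotPresent
          env:
            - name: OPENID_CLIENT_ID
              value: "354a0fa1-35ac-4a6d-9c4d-d661129c2cd0"
            # NOTE(review): OIDC discovery is fetched over plain http from a
            # non-cluster hostname. Whoever can tamper with that response
            # controls the issuer/JWKS endpoints the API trusts; switch to
            # https once the endpoint serves TLS (the redirect URL below
            # already uses https).
            - name: OPENID_CONFIGURATION_URL
              value: http://kc.aiplatform.combient.com/realms/airm/.well-known/openid-configuration
            - name: POST_REGISTRATION_REDIRECT_URL
              value: https://airmui.aiplatform.combient.com/
            - name: DATABASE_HOST
              value: airm-cnpg-rw.airm.svc.cluster.local
            - name: DATABASE_PORT
              value: "5432"
            - name: DATABASE_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: airm-cnpg-user
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: airm-cnpg-user
            - name: RABBITMQ_HOST
              value: airm-rabbitmq.airm.svc.cluster.local
            - name: RABBITMQ_PORT
              value: "5672"
            - name: RABBITMQ_MANAGEMENT_URL
              value: http://airm-rabbitmq.airm.svc.cluster.local:15672/api
            - name: RABBITMQ_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: airm-rabbitmq-admin
            - name: RABBITMQ_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: airm-rabbitmq-admin
            # NOTE(review): the Keycloak admin client secret, the RabbitMQ
            # admin password and the MinIO keys are all used against
            # in-cluster http:// endpoints, so they cross the pod network
            # unencrypted unless a mesh or CNI provides encryption - confirm.
            - name: KEYCLOAK_ADMIN_SERVER_URL
              value: http://keycloak.keycloak.svc.cluster.local:8080
            - name: KEYCLOAK_REALM
              value: airm
            - name: KEYCLOAK_ADMIN_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client-id
                  name: airm-keycloak-admin-client
            - name: KEYCLOAK_ADMIN_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client-secret
                  name: airm-keycloak-admin-client
            - name: MINIO_URL
              value: http://minio.minio-tenant-default.svc.cluster.local:80
            - name: MINIO_BUCKET
              value: default-bucket
            - name: MINIO_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: minio-access-key
                  name: airm-api-minio-credentials
            - name: MINIO_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: minio-secret-key
                  name: airm-api-minio-credentials
            - name: PROMETHEUS_URL
              value: http://lgtm-stack.otel-lgtm-stack.svc.cluster.local:9090
          ports:
            - containerPort: 8080
            - containerPort: 9009
          # Liveness and readiness both poll the same health endpoint.
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /v1/health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 2
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /v1/health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 2
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            # Added for parity with the init containers that run this same
            # image: a non-root process on port 8080 needs no capabilities.
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        # 1. Poll PostgreSQL every 2 s until it accepts connections.
        - name: wait-for-db
          image: postgres@sha256:5d14c08a257610d8e27c52ce0f10de5d9cce4c232e1277d44d7d6fb628b3d1a7  # Original tag: 17-alpine
          command:
            - sh
            - -c
            - |
              until pg_isready -h "airm-cnpg-rw.airm.svc.cluster.local" -p 5432 -U postgres; do
                echo "Waiting for database..."
                sleep 2
              done
              echo "Database is ready!"
          # pg_isready only opens a client connection, so none of these
          # restrictions depend on the UID the image runs as.
          # NOTE(review): runAsNonRoot/runAsUser are left unset because the
          # image's default user is not visible here - set them once known.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault

        # 2. Copy the migration files shipped in the API image into the
        #    shared volume so the Liquibase container can read them.
        - name: init-migration-scripts
          image: ghcr.io/silogen/airm-api:v2025.09.001
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -c
            - 'cp /code/migrations/* /mnt/code/migrations/'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /mnt/code/migrations
              name: airm-migration-volume

        # 3. Apply the changelog to the "airm" database.
        - name: liquibase-migrate
          image: docker.io/liquibase/liquibase@sha256:dc2e5237941efb92cc6ae0cffd40a5b6f476559d5ed20fd7ca711df4895997a3  # Original tag: 4.31
          imagePullPolicy: IfNotPresent
          # The database credentials are deliberately NOT passed as
          # --username=$(...) / --password=$(...): Kubernetes expands $(VAR)
          # into the container's argv, which is readable from the process
          # list and /proc/<pid>/cmdline on the node. Liquibase reads the
          # LIQUIBASE_COMMAND_* environment variables set below instead.
          command:
            - liquibase
            - --url=jdbc:postgresql://airm-cnpg-rw.airm.svc.cluster.local:5432/airm
            - --logLevel=INFO
            - --changeLogFile=changelog/changelog.xml
            - update
          env:
            - name: LIQUIBASE_COMMAND_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: airm-cnpg-user
            - name: LIQUIBASE_COMMAND_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: airm-cnpg-user
          # UID-independent hardening only.
          # NOTE(review): add runAsNonRoot/runAsUser after confirming the
          # numeric UID the liquibase image runs as.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /liquibase/changelog
              name: airm-migration-volume
              readOnly: true

        # 4. Run the chart registration module from the API image.
        - name: charts-registration
          image: ghcr.io/silogen/airm-api:v2025.09.001
          imagePullPolicy: IfNotPresent
          command:
            - uv
            - run
            - -m
            - app.charts.registration
          env:
            - name: DATABASE_HOST
              value: airm-cnpg-rw.airm.svc.cluster.local
            - name: DATABASE_PORT
              value: "5432"
            - name: DATABASE_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: airm-cnpg-user
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: airm-cnpg-user
            - name: RABBITMQ_HOST
              value: airm-rabbitmq.airm.svc.cluster.local
            - name: RABBITMQ_PORT
              value: "5672"
            - name: RABBITMQ_MANAGEMENT_URL
              value: http://airm-rabbitmq.airm.svc.cluster.local:15672/api
            - name: RABBITMQ_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: airm-rabbitmq-admin
            - name: RABBITMQ_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: airm-rabbitmq-admin
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault

        # 5. Poll RabbitMQ every 3 s until its port accepts a TCP connection.
        #
        # The probe uses bash's built-in /dev/tcp instead of installing ncat
        # with apt-get at start-up. The previous form
        #   apt-get update && apt-get install ncat && while ...; done; echo ...; exit 0
        # skipped the wait loop and still exited 0 whenever apt-get failed
        # (for example with no egress), and it required root plus six added
        # capabilities and pulled unpinned packages from the network on every
        # pod start. With no package installation the container runs as an
        # unprivileged user with every capability dropped.
        - name: check-rabbitmq-is-ready
          image: ubuntu@sha256:09506232a8004baa32c47d68f1e5c307d648fdd59f5e7eaa42aaf87914100db3  # Original tag: 22.04
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
            - -c
            - |
              # "timeout 3" bounds each attempt so a silently dropped SYN
              # cannot stall the loop.
              until timeout 3 bash -c 'exec 3<>"/dev/tcp/$ENDPOINT_URL_TO_CHECK/$ENDPOINT_PORT_TO_CHECK"' 2>/dev/null; do
                echo "Waiting for Airm rabbitmq at ${ENDPOINT_URL_TO_CHECK}:${ENDPOINT_PORT_TO_CHECK}..."
                sleep 3
              done
              echo "Airm rabbitmq is accepting connections at ${ENDPOINT_URL_TO_CHECK}:${ENDPOINT_PORT_TO_CHECK}."
              sleep 3
              exit 0
          env:
            - name: ENDPOINT_URL_TO_CHECK
              value: airm-rabbitmq.airm.svc.cluster.local
            - name: ENDPOINT_PORT_TO_CHECK
              value: "15672"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
      volumes:
        # Scratch space shared by init-migration-scripts (writer) and
        # liquibase-migrate (read-only reader).
        - name: airm-migration-volume
          emptyDir: {}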