From 07c5882052c1bb7dbd763e2fd79ea0e77a483a57 Mon Sep 17 00:00:00 2001 From: auricom <27022259+auricom@users.noreply.github.com> Date: Fri, 29 Aug 2025 20:50:11 +0200 Subject: [PATCH] chore: probes --- .../default/prowlarr/app/helmrelease.yaml | 30 +++++++++++++--- .../radarr-archive/app/helmrelease.yaml | 35 ++++++++++++++----- .../apps/default/radarr/app/helmrelease.yaml | 35 ++++++++++++++----- .../apps/default/sonarr/app/helmrelease.yaml | 24 +++++++------ 4 files changed, 91 insertions(+), 33 deletions(-) diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml index 745cfc25d..0cd2cb648 100644 --- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml @@ -43,12 +43,28 @@ spec: name: prowlarr-secret - secretRef: name: prowlarr-db-secret + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ping + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } resources: requests: cpu: 100m - memory: 100Mi limits: - memory: 500Mi + memory: 1Gi service: app: controller: *app @@ -67,6 +83,12 @@ spec: - name: *app port: *port persistence: - config: - enabled: true + tmpfs: type: emptyDir + advancedMounts: + prowlarr: + app: + - path: /config + subPath: config + - path: /tmp + subPath: tmp diff --git a/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml b/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml index 8ad1eca8d..2abc66097 100644 --- a/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml +++ b/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml @@ -18,12 +18,6 @@ spec: strategy: rollback retries: 3 values: - defaultPodOptions: - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch controllers: radarr-archive: annotations: @@ -53,12 +47,35 @@ spec: name: radarr-secret - secretRef: name: radarr-archive-db-secret + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ping + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: [ALL] } resources: requests: - cpu: 500m - memory: 500Mi + cpu: 100m limits: - memory: 2000Mi + memory: 2Gi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch service: app: controller: *app diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml index a5a56997d..e309241b0 100644 --- a/kubernetes/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml @@ -18,12 +18,6 @@ spec: strategy: rollback retries: 3 values: - defaultPodOptions: - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch controllers: radarr: annotations: @@ -53,12 +47,35 @@ spec: name: radarr-secret - secretRef: name: radarr-db-secret + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ping + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: [ALL] } resources: requests: - cpu: 500m - memory: 500Mi + cpu: 100m limits: - memory: 2000Mi + memory: 2Gi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch service: app: controller: *app diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml index 054e52075..a9dc4ea64 100644 --- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml @@ -19,12 +19,6 @@ spec: strategy: rollback retries: 3 values: - defaultPodOptions: - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch controllers: sonarr: annotations: @@ -64,14 +58,22 @@ spec: timeoutSeconds: 1 failureThreshold: 3 readiness: *probes - startup: - enabled: false + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: [ALL] } resources: requests: - cpu: 10m - memory: 256M + cpu: 100m limits: - memory: 4Gi + memory: 2Gi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch service: app: controller: *app