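# OpenProject background worker (command: /app/docker/prod/worker).
#
# Single replica with the Recreate strategy, so every rollout stops the old
# pod before the new one starts. An init container runs
# /app/docker/prod/wait-for-db before the worker is started.
# Both containers run as uid/gid 1000, non-root, with a read-only root
# filesystem, all capabilities dropped and the RuntimeDefault seccomp profile;
# /tmp and /app/tmp are backed by ephemeral volume claims.
#
# NOTE(review): the checksum/* annotations are literal hashes captured when
# the manifest was rendered. Nothing here recomputes them, so changing one of
# the referenced Secrets does not alter the pod template and will not restart
# the pods by itself. env-s3 and env-environment carry the same value, which
# suggests both inputs rendered to identical (probably empty) content.
# NOTE(review): the image is referenced by tag (14-slim) with IfNotPresent.
# A tag can be re-pushed upstream, so nodes may end up on different builds;
# pinning by digest (image@sha256:<digest-placeholder>) makes it reproducible.
# NOTE(review): wait-for-db receives the same three Secret sets as the app
# container; presumably only the database settings are needed - confirm
# before trimming.
resource "kubectl_manifest" "Deployment_openproject-worker-default" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: openproject-worker-default
      labels: ${jsonencode(local.common-labels)}
      namespace: ${var.namespace}
      ownerReferences: ${jsonencode(var.install_owner)}
    spec:
      replicas: 1
      strategy:
        type: Recreate
      selector:
        matchLabels:
          app.kubernetes.io/name: openproject
          app.kubernetes.io/instance: openproject
          openproject/process: worker-default
      template:
        metadata:
          annotations:
            checksum/env-core: a4294db8b065a4d77e098d233e1b73e5ad4557890fd69436ba8fc7c2daf7a181
            checksum/env-memcached: f4f558dde2e4422edc31e686317ce225beea60a136cbb9459cfca7d1f5548be6
            checksum/env-oidc: 2a3d493b7fac498a180683454c58815e0a3bc6319adaf87d6e1eb459db3a8c04
            checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
            checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
          labels:
            app.kubernetes.io/name: openproject
            helm.sh/chart: openproject-5.1.4
            app.kubernetes.io/instance: openproject
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/version: '14'
            openproject/process: worker-default
        spec:
          securityContext:
            fsGroup: 1000
          serviceAccountName: openproject
          volumes:
            - name: tmp
              ephemeral:
                volumeClaimTemplate:
                  spec:
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 5Gi
            - name: app-tmp
              ephemeral:
                volumeClaimTemplate:
                  spec:
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 5Gi
            - name: data
              persistentVolumeClaim:
                claimName: openproject
          initContainers:
            - name: wait-for-db
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsGroup: 1000
                runAsNonRoot: true
                runAsUser: 1000
                seccompProfile:
                  type: RuntimeDefault
              image: docker.io/openproject/openproject:14-slim
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: openproject-core
                - secretRef:
                    name: openproject-oidc
                - secretRef:
                    name: openproject-memcached
              env:
                - name: OPENPROJECT_DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: password
              command:
                - bash
                - /app/docker/prod/wait-for-db
          containers:
            - name: openproject
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsGroup: 1000
                runAsNonRoot: true
                runAsUser: 1000
                seccompProfile:
                  type: RuntimeDefault
              image: docker.io/openproject/openproject:14-slim
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: openproject-core
                - secretRef:
                    name: openproject-oidc
                - secretRef:
                    name: openproject-memcached
              command:
                - bash
                - /app/docker/prod/worker
              env:
                - name: OPENPROJECT_DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: password
                - name: QUEUE
                  value: ''
              volumeMounts:
                - mountPath: /tmp
                  name: tmp
                - mountPath: /app/tmp
                  name: app-tmp
                - name: data
                  mountPath: /var/openproject/assets
              resources:
                limits:
                  cpu: '4'
                  memory: 4Gi
                requests:
                  cpu: 250m
                  memory: 512Mi
  EOF
}

# OpenProject web front end (command: /app/docker/prod/web, port 8080).
#
# Same pod hardening, Secret wiring, volumes and init container as the worker
# Deployment. Liveness and readiness probes both GET /health_checks/default
# with a "Host: localhost" header; readiness tolerates up to 30 failures at a
# 15 s period before the pod is marked unready.
#
# NOTE(review): replicas is 1 with the Recreate strategy, so each rollout
# takes the web UI offline until the new pod passes readiness.
# NOTE(review): the checksum/* annotations are fixed strings and the image is
# referenced by the mutable tag 14-slim; neither tracks later changes to the
# Secrets or to the upstream image.
resource "kubectl_manifest" "Deployment_openproject-web" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: openproject-web
      labels: ${jsonencode(local.common-labels)}
      namespace: ${var.namespace}
      ownerReferences: ${jsonencode(var.install_owner)}
    spec:
      replicas: 1
      strategy:
        type: Recreate
      selector:
        matchLabels:
          app.kubernetes.io/name: openproject
          app.kubernetes.io/instance: openproject
          openproject/process: web
      template:
        metadata:
          annotations:
            checksum/env-core: a4294db8b065a4d77e098d233e1b73e5ad4557890fd69436ba8fc7c2daf7a181
            checksum/env-memcached: f4f558dde2e4422edc31e686317ce225beea60a136cbb9459cfca7d1f5548be6
            checksum/env-oidc: 2a3d493b7fac498a180683454c58815e0a3bc6319adaf87d6e1eb459db3a8c04
            checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
            checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
          labels:
            app.kubernetes.io/name: openproject
            helm.sh/chart: openproject-5.1.4
            app.kubernetes.io/instance: openproject
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/version: '14'
            openproject/process: web
        spec:
          securityContext:
            fsGroup: 1000
          serviceAccountName: openproject
          volumes:
            - name: tmp
              ephemeral:
                volumeClaimTemplate:
                  spec:
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 5Gi
            - name: app-tmp
              ephemeral:
                volumeClaimTemplate:
                  spec:
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 5Gi
            - name: data
              persistentVolumeClaim:
                claimName: openproject
          initContainers:
            - name: wait-for-db
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsGroup: 1000
                runAsNonRoot: true
                runAsUser: 1000
                seccompProfile:
                  type: RuntimeDefault
              image: docker.io/openproject/openproject:14-slim
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: openproject-core
                - secretRef:
                    name: openproject-oidc
                - secretRef:
                    name: openproject-memcached
              env:
                - name: OPENPROJECT_DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: password
              command:
                - bash
                - /app/docker/prod/wait-for-db
          containers:
            - name: openproject
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsGroup: 1000
                runAsNonRoot: true
                runAsUser: 1000
                seccompProfile:
                  type: RuntimeDefault
              image: docker.io/openproject/openproject:14-slim
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: openproject-core
                - secretRef:
                    name: openproject-oidc
                - secretRef:
                    name: openproject-memcached
              env:
                - name: OPENPROJECT_DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: password
              command:
                - bash
                - /app/docker/prod/web
              volumeMounts:
                - mountPath: /tmp
                  name: tmp
                - mountPath: /app/tmp
                  name: app-tmp
                - name: data
                  mountPath: /var/openproject/assets
              ports:
                - name: http
                  containerPort: 8080
                  protocol: TCP
              livenessProbe:
                httpGet:
                  path: /health_checks/default
                  port: 8080
                  httpHeaders:
                    - name: Host
                      value: localhost
                initialDelaySeconds: 120
                timeoutSeconds: 3
                periodSeconds: 30
                failureThreshold: 3
                successThreshold: 1
              readinessProbe:
                httpGet:
                  path: /health_checks/default
                  port: 8080
                  httpHeaders:
                    - name: Host
                      value: localhost
                initialDelaySeconds: 30
                timeoutSeconds: 3
                periodSeconds: 15
                failureThreshold: 30
                successThreshold: 1
              resources:
                limits:
                  cpu: '4'
                  memory: 4Gi
                requests:
                  cpu: 250m
                  memory: 512Mi
  EOF
}

# PostgreSQL primary for OpenProject (single-replica StatefulSet, 8Gi claim).
#
# The container runs as uid 1001, non-root, with privilege escalation
# disabled, all capabilities dropped and the RuntimeDefault seccomp profile.
# Both database passwords are read from the openproject-postgresql Secret.
#
# Fix: POSTGRESQL_ENABLE_LDAP, POSTGRESQL_ENABLE_TLS and
# POSTGRESQL_PGAUDIT_LOG_CATALOG were written as bare no / off. YAML 1.1
# loaders resolve those to booleans, while an env entry's value must be a
# string, so they are now quoted.
#
# NOTE(review): POSTGRESQL_ENABLE_TLS is "no", so client connections to the
# database are not encrypted in transit inside the cluster.
# NOTE(review): the pod uses the "default" service account and does not set
# automountServiceAccountToken: false (the memcached Deployment does), so an
# API token is presumably mounted into the database pod - confirm and disable
# if unused.
# NOTE(review): runAsGroup is 0, readOnlyRootFilesystem is not set, and
# resources.limits is empty, so the pod has no CPU or memory ceiling.
# NOTE(review): pgaudit is preloaded, but connection and disconnection
# logging are both 'false'; check that this matches the audit trail expected
# for incident response.
resource "kubectl_manifest" "StatefulSet_openproject-postgresql" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: openproject-postgresql
      namespace: ${var.namespace}
      labels: ${jsonencode(local.common-labels)}
      ownerReferences: ${jsonencode(var.install_owner)}
    spec:
      replicas: 1
      serviceName: openproject-postgresql-hl
      updateStrategy:
        rollingUpdate: {}
        type: RollingUpdate
      selector:
        matchLabels:
          app.kubernetes.io/instance: openproject
          app.kubernetes.io/name: postgresql
          app.kubernetes.io/component: primary
      template:
        metadata:
          name: openproject-postgresql
          labels:
            app.kubernetes.io/instance: openproject
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: postgresql
            app.kubernetes.io/version: 15.4.0
            helm.sh/chart: postgresql-12.12.10
            app.kubernetes.io/component: primary
        spec:
          serviceAccountName: default
          affinity:
            podAffinity: null
            podAntiAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - podAffinityTerm:
                    labelSelector:
                      matchLabels:
                        app.kubernetes.io/instance: openproject
                        app.kubernetes.io/name: postgresql
                        app.kubernetes.io/component: primary
                    topologyKey: kubernetes.io/hostname
                  weight: 1
            nodeAffinity: null
          securityContext:
            fsGroup: 1001
          hostNetwork: false
          hostIPC: false
          containers:
            - name: postgresql
              image: docker.io/bitnami/postgresql:15.4.0-debian-11-r45
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                runAsGroup: 0
                runAsNonRoot: true
                runAsUser: 1001
                seccompProfile:
                  type: RuntimeDefault
              env:
                - name: BITNAMI_DEBUG
                  value: 'false'
                - name: POSTGRESQL_PORT_NUMBER
                  value: '5432'
                - name: POSTGRESQL_VOLUME_DIR
                  value: /bitnami/postgresql
                - name: PGDATA
                  value: /bitnami/postgresql/data
                - name: POSTGRES_USER
                  value: openproject
                - name: POSTGRES_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: password
                - name: POSTGRES_POSTGRES_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: openproject-postgresql
                      key: postgres-password
                - name: POSTGRES_DATABASE
                  value: openproject
                # Quoted on purpose: a bare no/off is a boolean to YAML 1.1
                # loaders, and an env value has to be a string.
                - name: POSTGRESQL_ENABLE_LDAP
                  value: 'no'
                - name: POSTGRESQL_ENABLE_TLS
                  value: 'no'
                - name: POSTGRESQL_LOG_HOSTNAME
                  value: 'false'
                - name: POSTGRESQL_LOG_CONNECTIONS
                  value: 'false'
                - name: POSTGRESQL_LOG_DISCONNECTIONS
                  value: 'false'
                - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
                  value: 'off'
                - name: POSTGRESQL_CLIENT_MIN_MESSAGES
                  value: error
                - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
                  value: pgaudit
              ports:
                - name: tcp-postgresql
                  containerPort: 5432
              livenessProbe:
                failureThreshold: 6
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 5
                exec:
                  command:
                    - /bin/sh
                    - -c
                    - exec pg_isready -U "openproject" -d "dbname=openproject" -h 127.0.0.1 -p 5432
              readinessProbe:
                failureThreshold: 6
                initialDelaySeconds: 5
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 5
                exec:
                  command:
                    - /bin/sh
                    - -c
                    - -e
                    - |
                      exec pg_isready -U "openproject" -d "dbname=openproject" -h 127.0.0.1 -p 5432
                      [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
              resources:
                limits: {}
                requests:
                  cpu: 250m
                  memory: 256Mi
              volumeMounts:
                - name: dshm
                  mountPath: /dev/shm
                - name: data
                  mountPath: /bitnami/postgresql
          volumes:
            - name: dshm
              emptyDir:
                medium: Memory
      volumeClaimTemplates:
        - apiVersion: v1
          kind: PersistentVolumeClaim
          metadata:
            name: data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 8Gi
  EOF
}

# Memcached cache for OpenProject (single replica, port 11211).
#
# The pod does not mount a service-account token
# (automountServiceAccountToken: false) and the container runs as uid/gid
# 1001, non-root, unprivileged, with all capabilities dropped and the
# RuntimeDefault seccomp profile. One emptyDir backs both the config
# directory and /tmp through separate subPaths.
#
# NOTE(review): readOnlyRootFilesystem is false even though the writable
# paths are already provided by the emptyDir mounts; it looks like it could
# be set to true - confirm against the image before changing.
# NOTE(review): no resource requests or limits are declared for this
# container, and no authentication settings are visible in its env. Access
# to port 11211 presumably has to be restricted by a NetworkPolicy defined
# elsewhere - confirm one exists.
resource "kubectl_manifest" "Deployment_openproject-memcached" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: openproject-memcached
      namespace: ${var.namespace}
      labels: ${jsonencode(local.common-labels)}
      ownerReferences: ${jsonencode(var.install_owner)}
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/instance: openproject
          app.kubernetes.io/name: memcached
      replicas: 1
      strategy:
        rollingUpdate: {}
        type: RollingUpdate
      template:
        metadata:
          labels:
            app.kubernetes.io/instance: openproject
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: memcached
            app.kubernetes.io/version: 1.6.24
            helm.sh/chart: memcached-6.14.0
          annotations: null
        spec:
          automountServiceAccountToken: false
          affinity:
            podAffinity: null
            podAntiAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - podAffinityTerm:
                    labelSelector:
                      matchLabels:
                        app.kubernetes.io/instance: openproject
                        app.kubernetes.io/name: memcached
                    topologyKey: kubernetes.io/hostname
                  weight: 1
            nodeAffinity: null
          securityContext:
            fsGroup: 1001
            fsGroupChangePolicy: Always
            supplementalGroups: []
            sysctls: []
          serviceAccountName: openproject-memcached
          containers:
            - name: memcached
              image: docker.io/bitnami/memcached:1.6.24-debian-12-r0
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                privileged: false
                readOnlyRootFilesystem: false
                runAsGroup: 1001
                runAsNonRoot: true
                runAsUser: 1001
                seccompProfile:
                  type: RuntimeDefault
              env:
                - name: BITNAMI_DEBUG
                  value: 'false'
                - name: MEMCACHED_PORT_NUMBER
                  value: '11211'
              ports:
                - name: memcache
                  containerPort: 11211
              livenessProbe:
                failureThreshold: 6
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 5
                tcpSocket:
                  port: memcache
              readinessProbe:
                failureThreshold: 6
                initialDelaySeconds: 5
                periodSeconds: 5
                successThreshold: 1
                timeoutSeconds: 3
                tcpSocket:
                  port: memcache
              volumeMounts:
                - name: empty-dir
                  mountPath: /opt/bitnami/memcached/conf
                  subPath: app-conf-dir
                - name: empty-dir
                  mountPath: /tmp
                  subPath: tmp-dir
          volumes:
            - name: empty-dir
              emptyDir: {}
  EOF
}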