From 63d47c87a9fa55116680719faff6441aa60795ec Mon Sep 17 00:00:00 2001
From: Farrah Amador-Mughal
Date: Tue, 25 Nov 2025 11:38:23 -0500
Subject: [PATCH] This PR makes a few minor changes to help with debugging and developer experience: expose the service temporarily for testing loosen some security to unblock investigations bump logging to debug to get more signal simplify image management Once verified, we can circle back and harden things.
---
deployment.yaml | 64 +++++++++++++++++++++----------------------------
service.yaml | 5 ++--
2 files changed, 30 insertions(+), 39 deletions(-)
diff --git a/deployment.yaml b/deployment.yaml
index c0cdbe5..001b747 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -1,13 +1,14 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: wallet namespace: wallet labels: - app: wallet + app: wallet-svc app.kubernetes.io/name: wallet spec: - replicas: 2 + serviceName: wallet + replicas: 1 selector: matchLabels: app: wallet
@@ -23,8 +24,8 @@ spec: spec: serviceAccountName: wallet securityContext: - runAsNonRoot: true - fsGroup: 2000 + runAsNonRoot: false + fsGroup: 0 initContainers: - name: rename-heap-dump image: ubuntu:20.04
@@ -41,8 +42,8 @@ spec: mountPath: /dumps containers: - name: wallet - image: registry.example.com/dnastack/wallet@sha256:1111111111111111111111111111111111111111111111111111111111111111 - imagePullPolicy: IfNotPresent + image: registry.example.com/dnastack/wallet:latest + imagePullPolicy: Always ports: - name: http containerPort: 8080
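Review bot: The metadata label is changed to `app: wallet-svc` while `selector.matchLabels` still reads `app: wallet`, and service.yaml's selector is changed to `app: wallet-svc` in the same commit; because the pod template labels must satisfy `matchLabels`, the pods will presumably keep `app: wallet` and the NodePort Service will select no endpoints. Keep `app: wallet` here, or change matchLabels, the template labels and the Service selector together. Changing `kind` from Deployment to StatefulSet is not an in-place update of the existing object (the old Deployment keeps running until it is deleted separately), and `serviceName: wallet` is expected to name the governing, normally headless, Service, which the NodePort service in service.yaml does not look like; the pod template labels and the Service's `metadata.name` are outside this hunk, so confirm against the full files. Dropping `replicas` from 2 to 1 also removes the redundancy the anti-affinity rule at the end of the file exists for.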
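Review bot: `runAsNonRoot: false` with `fsGroup: 0` removes the pod-level guarantee that no container, including the `rename-heap-dump` init container on `ubuntu:20.04`, runs as root; the same regression appears at container level in the `@@ -57,58 +58,47 @@` hunk, where `privileged: true`, `allowPrivilegeEscalation: true` and `runAsUser: 0` replace the hardened context. A privileged root container runs with all capabilities and host device access, so a compromise of the wallet service (which holds the DB credential and the master key in its environment) would no longer be contained by the pod boundary, and a namespace enforcing the Pod Security `baseline` or `restricted` profile would reject the pod outright. Keep `runAsNonRoot: true` and `fsGroup: 2000`; for interactive debugging an ephemeral container via `kubectl debug` gives a shell without weakening the running workload's security context.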
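Review bot: Replacing the `@sha256:` digest with `registry.example.com/dnastack/wallet:latest` plus `imagePullPolicy: Always` means the image content is no longer fixed by the manifest: every pod restart pulls whatever the registry currently serves as `latest`, so successive pods (or a rollback) can run different builds, the deployed version cannot be recovered from git history, and any admission policy requiring digest-pinned images would reject this spec. Keep the digest pin; if a development build is needed, push it under an immutable tag or digest and reference that, e.g. `image: registry.example.com/dnastack/wallet@sha256:<DEV_BUILD_DIGEST>` with `imagePullPolicy: IfNotPresent` restored. The digest is a supply-chain control rather than an image-management convenience, so the description's "simplify image management" does not account for removing it.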
@@ -57,58 +58,47 @@ spec: name: wallet-db-credentials key: username - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: wallet-db-credentials - key: password + value: "supersecret" - name: APP_JDBI_ENCRYPTION_KEYS_WALLET_MASTER_KEY valueFrom: secretKeyRef: name: wallet-master-key key: key - name: LOGGING_LEVEL_COM_DNASTACK_WALLET - value: "INFO" + value: "DEBUG" resources: - requests: - cpu: "250m" - memory: "512Mi" limits: - cpu: "1" - memory: "1Gi" + cpu: "2" + memory: "2Gi" securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1000 - capabilities: - drop: ["ALL"] + privileged: true + allowPrivilegeEscalation: true + readOnlyRootFilesystem: false + runAsUser: 0 startupProbe: httpGet: path: /actuator/health - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 3 - failureThreshold: 60 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - periodSeconds: 10 - failureThreshold: 2 + port: 80 + initialDelaySeconds: 5 + periodSeconds: 2 + failureThreshold: 10 livenessProbe: - httpGet: + httpGet: path: /actuator/health port: 8080 - periodSeconds: 20 - failureThreshold: 5 + periodSeconds: 5 + failureThreshold: 2 volumeMounts: - name: heap-dumps mountPath: /dumps volumes: - name: heap-dumps - emptyDir: {} + hostPath: + path: /tmp + type: DirectoryOrCreate affinity: podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: + requiredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: topologyKey: kubernetes.io/hostname
diff --git a/service.yaml b/service.yaml
index c43581d..980f8bd 100644
--- a/service.yaml
+++ b/service.yaml
@@ -6,10 +6,11 @@ metadata: labels: app: wallet spec: - type: ClusterIP + type: NodePort selector: - app: wallet + app: wallet-svc ports: - name: http port: 8080 targetPort: 8080 + nodePort: 30080
\ No newline at end of file
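Review bot: `SPRING_DATASOURCE_PASSWORD` is changed from a `secretKeyRef` into the literal `value: "supersecret"`, which puts a database credential into version control and into the pod spec (readable by anyone who can `get` pods in the namespace); if this is a real credential it is now in git history and must be rotated, and the `secretKeyRef` to `wallet-db-credentials` / `password` should be restored. The container `securityContext` becomes `privileged: true`, `allowPrivilegeEscalation: true`, `readOnlyRootFilesystem: false`, `runAsUser: 0` with `capabilities.drop: ["ALL"]` dropped, and `heap-dumps` moves from `emptyDir: {}` to `hostPath` `/tmp` with `DirectoryOrCreate`, so JVM heap dumps — which can contain the master key and DB password held in memory — are written by a root container to a node directory shared with every other workload on that node; both should go back to the previous values. Separately, `startupProbe.httpGet.port: 80` does not match the `containerPort: 8080` that the liveness probe still uses, so the startup probe can never pass and the kubelet restarts the container after `failureThreshold: 10` × `periodSeconds: 2` seconds, while the removed `readinessProbe` and `resources.requests` leave the pod marked Ready as soon as it starts and scheduled without any guaranteed allocation. The switch to `requiredDuringSchedulingIgnoredDuringExecution` keeps the `weight: 100` / `podAffinityTerm:` shape of the preferred form, which the required form does not accept (it takes the affinity terms directly), so the manifest is likely to fail API validation; the `livenessProbe` `httpGet:` line appears to change only in indentation as far as the collapsed diff shows, so confirm it still nests under `livenessProbe`.

```yaml
        - name: SPRING_DATASOURCE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: wallet-db-credentials
              key: password
        # … unchanged: master-key env, logging level, resources …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 1000
          capabilities:
            drop: ["ALL"]
        startupProbe:
          httpGet:
            path: /actuator/health
            port: 8080
        # … unchanged: startupProbe timing, livenessProbe, volumeMounts …
      volumes:
        - name: heap-dumps
          emptyDir: {}
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              # … unchanged: labelSelector from the existing podAffinityTerm …
```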
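Review bot: `type: NodePort` with `nodePort: 30080` exposes the wallet API on port 30080 of every node's address, reachable from anything that can route to a node, where the previous `ClusterIP` kept it cluster-internal; for a temporary test, `kubectl port-forward svc/<SERVICE_NAME> 8080:8080` gives the same access without changing the committed manifest (the Service's `metadata.name` is outside this hunk). If a NodePort is genuinely required, pair it with a NetworkPolicy or node firewall rule limiting 30080 to the testers' source ranges and record a removal date in the manifest. The selector change to `app: wallet-svc` will match no pods unless the pod template labels change with it (deployment.yaml's `matchLabels` still reads `app: wallet`), leaving the Service with no endpoints, so keep `app: wallet`. The file also loses its trailing newline (`\ No newline at end of file`).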