socktop-webterm/kubernetes/03-deployment.yaml
jasonwitty 634e28113b
Update deployment to use version 0.3.5 from Cargo.toml
2025-11-30 09:09:15 -08:00


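# Deployment for socktop-webterm: three replicas, each made of an init
# container that stages configuration into a shared emptyDir and a `webterm`
# container that runs webterm-server on port 8082 with
# /usr/local/bin/restricted-shell.sh as the command it hands to clients.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: socktop-webterm
  labels:
    app: socktop-webterm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: socktop-webterm
  template:
    metadata:
      labels:
        app: socktop-webterm
    spec:
      # Use standard pod networking
      hostNetwork: false
      dnsPolicy: ClusterFirst
      # NOTE(review): neither serviceAccountName nor
      # automountServiceAccountToken is set, so the namespace's default
      # service-account token is mounted into a pod that serves a shell.
      # If nothing in the image talks to the Kubernetes API, add
      # `automountServiceAccountToken: false` here - confirm before enabling.
      # Security context for the pod
      securityContext:
        # Have the kubelet refuse to start a container as UID 0 even if a
        # later edit drops runAsUser or the image's default user changes.
        runAsNonRoot: true
        runAsUser: 100
        runAsGroup: 101
        # fsGroup makes the emptyDir below group-writable for GID 101.
        fsGroup: 101
        # Apply the container runtime's default syscall filter to every
        # container in the pod instead of running unconfined.
        seccompProfile:
          type: RuntimeDefault
      # Init container to set up configuration
      initContainers:
        - name: init-config
          # NOTE(review): a tag combined with imagePullPolicy Always means a
          # re-pushed 0.3.5 changes what runs; pinning by digest
          # (image@sha256:<digest>) would fix the content per release.
          image: gt.wittyoneoff.com/jason/socktop-webterm:0.3.5
          imagePullPolicy: Always
          # Copies the mounted ConfigMap/Secret files from /home/socktop into
          # the writable emptyDir at /var/lib/socktop, then rewrites the
          # certificate paths inside profiles.json to the new location.
          # The certificate copy is best-effort (errors are discarded), which
          # matches the Secret being optional.
          # NOTE(review): the copied *.pem files end up owned by UID 100, the
          # same user the web-facing shell runs as. If any of them hold
          # private keys, verify restricted-shell.sh cannot read them.
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -e
              echo "Setting up configuration directories..."
              mkdir -p /var/lib/socktop/.config/socktop/certs
              mkdir -p /var/lib/socktop/.config/alacritty
              if [ -f "/home/socktop/.config/socktop/profiles.json" ]; then
                cp /home/socktop/.config/socktop/profiles.json /var/lib/socktop/.config/socktop/profiles.json
                echo "Copied profiles.json"
              fi
              if [ -f "/home/socktop/.config/alacritty/alacritty.toml" ]; then
                cp /home/socktop/.config/alacritty/alacritty.toml /var/lib/socktop/.config/alacritty/alacritty.toml
                echo "Copied alacritty.toml"
              fi
              if [ -f "/home/socktop/.config/alacritty/catppuccin-frappe.toml" ]; then
                cp /home/socktop/.config/alacritty/catppuccin-frappe.toml /var/lib/socktop/.config/alacritty/catppuccin-frappe.toml
                echo "Copied catppuccin-frappe.toml"
              fi
              if [ -d "/home/socktop/.config/socktop/certs" ]; then
                cp /home/socktop/.config/socktop/certs/*.pem /var/lib/socktop/.config/socktop/certs/ 2>/dev/null || true
                echo "Copied certificates"
              fi
              # Fix paths in profiles.json
              if [ -f "/var/lib/socktop/.config/socktop/profiles.json" ]; then
                sed -i 's|/home/socktop/.config/socktop/rpi-|/var/lib/socktop/.config/socktop/certs/rpi-|g' /var/lib/socktop/.config/socktop/profiles.json
                echo "Updated certificate paths"
              fi
              echo "Configuration setup complete"
          volumeMounts:
            - name: config
              mountPath: /home/socktop/.config/socktop/profiles.json
              subPath: profiles.json
            - name: config
              mountPath: /home/socktop/.config/alacritty/alacritty.toml
              subPath: alacritty.toml
            - name: config
              mountPath: /home/socktop/.config/alacritty/catppuccin-frappe.toml
              subPath: catppuccin-frappe.toml
            - name: certs
              mountPath: /home/socktop/.config/socktop/certs
              readOnly: true
            - name: socktop-home
              mountPath: /var/lib/socktop
          securityContext:
            # Same restrictions as the webterm container: the script only
            # runs mkdir/cp/sed as UID 100 and needs no capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsUser: 100
            runAsGroup: 101
      containers:
        - name: webterm
          # NOTE(review): same mutable-tag caveat as the init container;
          # consider image@sha256:<digest>.
          image: gt.wittyoneoff.com/jason/socktop-webterm:0.3.5
          imagePullPolicy: Always
          command: ["/docker-entrypoint.sh"]
          # Listens on every pod interface. Who can reach the terminal is
          # decided by the Service/Ingress/NetworkPolicy, none of which are
          # in this file - review them together with this manifest.
          args:
            - "webterm-server"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8082"
            - "--command"
            - "/usr/local/bin/restricted-shell.sh"
          ports:
            - name: http
              containerPort: 8082
              protocol: TCP
            - name: agent
              containerPort: 3001
              protocol: TCP
          env:
            - name: TERM
              value: "xterm-256color"
            - name: TZ
              value: "America/New_York"
            - name: RUST_LOG
              value: "info"
          # Limits bound what a single terminal pod can consume.
          resources:
            limits:
              cpu: "2000m"
              memory: "1Gi"
            requests:
              cpu: "500m"
              memory: "256Mi"
          livenessProbe:
            httpGet:
              path: /
              port: 8082
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: 8082
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          volumeMounts:
            - name: config
              mountPath: /home/socktop/.config/socktop/profiles.json
              subPath: profiles.json
            - name: config
              mountPath: /home/socktop/.config/alacritty/alacritty.toml
              subPath: alacritty.toml
            - name: config
              mountPath: /home/socktop/.config/alacritty/catppuccin-frappe.toml
              subPath: catppuccin-frappe.toml
            - name: certs
              mountPath: /home/socktop/.config/socktop/certs
              readOnly: true
            - name: socktop-home
              mountPath: /var/lib/socktop
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): writable state already has an emptyDir at
            # /var/lib/socktop; if the entrypoint writes nowhere else, this
            # could become true - test against the image first.
            readOnlyRootFilesystem: false
            runAsUser: 100
            runAsGroup: 101
      volumes:
        - name: config
          configMap:
            name: socktop-webterm-config
        - name: certs
          # Optional: the pod still starts when the Secret does not exist.
          secret:
            secretName: socktop-webterm-certs
            optional: true
        # Per-pod scratch space; contents are lost when the pod is removed.
        - name: socktop-home
          emptyDir: {}
      restartPolicy: Always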