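# deployment/manifests/deployment.yaml - resolve file-permission problems with an initContainer
#
# Layout: an initContainer writes a Poetry config into the shared `cache-volume`
# (mounted at /cache there and at /home/appuser/.cache in the API container);
# the API container then runs as uid/gid 1000 with all capabilities dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vector-api
  labels:
    app: vector-api
    version: v1.0.0
  annotations:
    deployment.kubernetes.io/revision: "1"
    description: "Vector DB API with initContainer Permission Fix"
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With replicas: 1 this allows the single pod to go away during a rollout.
      # NOTE(review): the new pod also mounts vector-db-pvc; if that PVC is RWO the
      # new pod stays Pending until the old one has released it — confirm the access mode.
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: vector-api
  template:
    metadata:
      labels:
        app: vector-api
        version: v1.0.0
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8000"
        prometheus.io/path: "/metrics"
    spec:
      # initContainer: generate the Poetry config files inside the shared cache volume
      initContainers:
        - name: setup-poetry-config
          image: busybox:1.35
          command:
            - /bin/sh
            - -c
            # Everything this script writes lands under /cache (the cache-volume mount).
            # NOTE(review): POETRY_CACHE_DIR is also set as an env var on the API
            # container below, which takes precedence over config.toml; verify that the
            # `[cache-dir]` table form below is what Poetry expects before relying on it.
            - |
              echo "🔧 Poetry 설정 생성 중... (볼륨 기반)"
              # 볼륨 마운트된 경로에 Poetry 설정 생성
              mkdir -p /cache/poetry-config
              mkdir -p /cache/poetry-data
              # Poetry 설정 파일을 볼륨에 생성
              cat > /cache/poetry-config/config.toml << 'EOF'
              [virtualenvs]
              create = true
              in-project = false
              path = "/home/appuser/.cache/pypoetry/venvs"
              [cache-dir]
              path = "/home/appuser/.cache/pypoetry/cache"
              [installer]
              no-cache = false
              EOF
              echo "✅ Poetry 설정 생성 완료!"
              echo "📝 설정 파일 내용:"
              cat /cache/poetry-config/config.toml
              echo "📁 캐시 디렉토리:"
              ls -la /cache/
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            # The script only writes under /cache, which is a mounted volume, so the
            # busybox image's own filesystem can be read-only (least privilege).
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: cache-volume
              mountPath: /cache
      containers:
        - name: vector-api
          # NOTE(review): a mutable `:latest` tag with imagePullPolicy: Always means each
          # pod (re)start may pull different content; pin to a digest
          # (vector-api@sha256:<digest-placeholder>) for reproducible, auditable deploys.
          image: acrdigitalgarage03.azurecr.io/vector-api:latest
          imagePullPolicy: Always
          # Container port
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          # Security context (runs as appuser, uid/gid 1000)
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            # /tmp and /home/appuser/.cache are already writable volumes; once it is
            # confirmed the app writes nowhere else, this can be flipped to true.
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL
          # Resource requests/limits
          resources:
            requests:
              memory: "4Gi"
              cpu: "1000m"
              ephemeral-storage: "2Gi"
            limits:
              memory: "8Gi"
              cpu: "2000m"
              ephemeral-storage: "5Gi"
          # Health checks (liveness/readiness only start after startupProbe succeeds)
          livenessProbe:
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 120
            periodSeconds: 30
            timeoutSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 3
          # Startup probe (allows for slow initial start)
          startupProbe:
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 30  # waits up to 5 minutes (30 x 10s)
            successThreshold: 1
          # Volume mounts (home-directory based + Poetry config)
          volumeMounts:
            - name: vector-db-storage
              mountPath: /home/appuser/vectordb  # PVC mount
            - name: tmp-volume
              mountPath: /tmp
            - name: cache-volume
              mountPath: /home/appuser/.cache  # whole cache dir; same volume as /cache in the initContainer
          # Environment: all non-sensitive values come from the ConfigMap
          envFrom:
            - configMapRef:
                name: vector-api-config
          # Sensitive values come from the Secret
          env:
            - name: CLAUDE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: vector-api-secret
                  key: CLAUDE_API_KEY
            # Runtime environment (Poetry config moved onto the volume)
            - name: PYTHONPATH
              value: "/home/appuser"
            - name: HOME
              value: "/home/appuser"
            - name: USER
              value: "appuser"
            - name: POETRY_CONFIG_DIR
              value: "/home/appuser/.cache/poetry-config"  # volume-mounted path
            - name: POETRY_DATA_DIR
              value: "/home/appuser/.cache/poetry-data"  # volume-mounted path
            - name: POETRY_CACHE_DIR
              value: "/home/appuser/.cache/pypoetry/cache"
            - name: POETRY_VENV_PATH
              value: "/home/appuser/.cache/pypoetry/venvs"
            - name: POETRY_NO_INTERACTION
              value: "1"
            - name: POETRY_VIRTUALENVS_CREATE
              value: "true"
            - name: POETRY_VIRTUALENVS_IN_PROJECT
              value: "false"
            # Allocator tuning
            - name: MALLOC_ARENA_MAX
              value: "2"
            - name: MALLOC_MMAP_THRESHOLD_
              value: "131072"
          # Container lifecycle
          lifecycle:
            preStop:
              exec:
                # `|| true` keeps the hook from failing if curl is absent or the call fails.
                # NOTE(review): this POSTs to /shutdown with no credentials; if that
                # endpoint is reachable by anything other than the kubelet-run hook, any
                # client that can reach port 8000 can trigger it — confirm it is
                # restricted in the application.
                command:
                  - /bin/sh
                  - -c
                  - |
                    echo "Gracefully shutting down Vector API..."
                    curl -X POST http://localhost:8000/shutdown || true
                    sleep 10
      # Volumes
      volumes:
        - name: vector-db-storage
          persistentVolumeClaim:
            claimName: vector-db-pvc
        - name: tmp-volume
          emptyDir:
            sizeLimit: 1Gi
        - name: cache-volume
          emptyDir:
            sizeLimit: 2Gi
      # Image pull secret
      imagePullSecrets:
        - name: acr-secret
      # Node selection and placement
      nodeSelector:
        agentpool: aipool
      tolerations:
        - key: "dedicated"
          operator: "Equal"
          value: "aipool"
          effect: "NoSchedule"
      # Pod placement policy
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - vector-api
                topologyKey: kubernetes.io/hostname
      # Pod settings
      restartPolicy: Always
      dnsPolicy: ClusterFirst
      terminationGracePeriodSeconds: 60
      # Security context (pod level)
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Apply the container runtime's default seccomp profile to every container
        # in the pod; without it the pod runs with no syscall filter at all.
        seccompProfile:
          type: RuntimeDefault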