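---
# Deployment for matrix-media-repo (turt2live/matrix-media-repo).
# Configuration and the federation signing key are mounted from Secrets;
# media is stored on an emptyDir, so it does not survive pod rescheduling.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-media-repo
spec:
  template:
    spec:
      # Running as non-root does not currently work, as there are some weird
      # expectations in the run scripts when running as non-root. Until then
      # the process runs as root inside the container, so the container-level
      # capability drops below are the main limit on it.
      securityContext:
        fsGroup: 1000
        # Apply the container runtime's default seccomp profile; the
        # container serves HTTP to clients and federation, so syscall
        # filtering is cheap defence in depth.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: media-repo
          # No tag or digest: this pulls the mutable default tag, so rollouts
          # are not reproducible. Pin a tag or digest for supply-chain hygiene.
          image: turt2live/matrix-media-repo
          command:
            - media_repo
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
            - name: metrics
              containerPort: 9000
              protocol: TCP
          volumeMounts:
            - mountPath: /media/
              name: ephemeral
            - mountPath: /data/media-repo.yaml
              name: config
              subPath: config.yaml
              readOnly: true
            - mountPath: /mnt/keys/mmr.signing.key
              name: signing-key
              subPath: signing.key
              readOnly: true
          # No CPU/memory limits are declared; a media server receiving large
          # uploads can exhaust node memory without them.
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            # Right now setting this to true is not possible. The image
            # filesystem therefore stays writable; the secret mounts above
            # are readOnly so they cannot be altered from inside the container.
            readOnlyRootFilesystem: false
      volumes:
        - name: config
          secret:
            secretName: mmr-config
        - name: signing-key
          secret:
            # 420 decimal == 0644: readable by every uid inside the container.
            # Once the process uid is settled, consider owner-only (256 == 0400)
            # so a compromised helper process cannot read the signing key.
            defaultMode: 420
            secretName: mmr-signing-key
        - name: ephemeral
          # No sizeLimit: unbounded uploads can fill the node's disk.
          emptyDir: {}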