---
# Deployment for an idle buildah container that stays at zero replicas and is
# scaled up only while a build runs. The container does no work on its own:
# it sleeps until it receives SIGTERM and provides buildah plus two scratch
# volumes (/workspace and /var/lib/containers).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildah-external
  namespace: apps--droneio--prd
  labels:
    app: buildah-external
    purpose: on-demand-builds
spec:
  # Default to 0 - scaled up only during builds for atomic locking.
  replicas: 0
  selector:
    matchLabels:
      app: buildah-external
  template:
    metadata:
      labels:
        app: buildah-external
    spec:
      # NOTE(review): by default this service account's token is mounted into
      # a root, privileged container. Confirm its RBAC is minimal, and whether
      # the pod needs the token at all (automountServiceAccountToken).
      serviceAccountName: drone-buildah-sa
      restartPolicy: Always
      # Short grace period for faster termination; the command below exits on
      # SIGTERM straight away.
      terminationGracePeriodSeconds: 5
      containers:
        - name: buildah
          # NOTE(review): `latest` is a mutable tag, so the image that runs
          # privileged as root can change between scale-ups without any
          # change to this manifest. Pin it by digest, e.g.
          # quay.io/buildah/stable@sha256:<digest> (placeholder).
          image: quay.io/buildah/stable:latest
          # Signal-aware idle loop: `sleep` runs in the background and `wait`
          # is interruptible, so the TERM trap fires immediately instead of
          # after the current 30 s sleep finishes.
          command:
            - /bin/bash
          args:
            - "-c"
            - "trap 'exit 0' TERM; while true; do sleep 30 & wait $!; done"
          securityContext:
            # NOTE(review): privileged mode already grants every capability
            # and access to host devices, so the capabilities.add list below
            # has no extra effect while it is set. A compromise of any build
            # in this pod is effectively a compromise of the node. With
            # BUILDAH_ISOLATION=chroot and STORAGE_DRIVER=vfs (set below) the
            # listed capabilities alone may be enough - verify against the
            # actual builds before dropping `privileged`.
            privileged: true
            runAsUser: 0
            capabilities:
              add:
                - SYS_ADMIN
                - MKNOD
                - SYS_CHROOT
          env:
            - name: STORAGE_DRIVER
              value: "vfs"
            - name: BUILDAH_ISOLATION
              value: "chroot"
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "2Gi"
              cpu: "1000m"
          volumeMounts:
            - name: workspace
              mountPath: /workspace
            - name: buildah-storage
              mountPath: /var/lib/containers
          # Readiness probe to ensure the container is ready for builds; it
          # only checks that the buildah binary runs.
          readinessProbe:
            exec:
              command:
                - /bin/bash
                - -c
                - "buildah --version"
            initialDelaySeconds: 5
            periodSeconds: 10
      # Both volumes are emptyDir: their contents are discarded when the pod
      # is removed, so nothing is kept across scale-downs.
      volumes:
        - name: workspace
          emptyDir:
            sizeLimit: 2Gi
        - name: buildah-storage
          emptyDir:
            sizeLimit: 2Gi