apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildah-external
  namespace: apps--droneio--prd
  labels:
    app: buildah-external
    purpose: on-demand-builds
spec:
  # Default to 0 - scaled up only during builds for atomic locking
  replicas: 0  
  selector:
    matchLabels:
      app: buildah-external
  template:
    metadata:
      labels:
        app: buildah-external
    spec:
      serviceAccountName: drone-buildah-sa
      containers:
      - name: buildah
        image: quay.io/buildah/stable:latest
        command: ["/bin/bash"]
        args: ["/scripts/entrypoint.sh"]
        securityContext:
          privileged: true
          runAsUser: 0
          capabilities:
            add:
            - SYS_ADMIN
            - MKNOD
            - SYS_CHROOT
        volumeMounts:
        - name: entrypoint-script
          mountPath: /scripts
          readOnly: true
        - name: workspace
          mountPath: /workspace
        - name: buildah-storage
          mountPath: /var/lib/containers
        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "2Gi"
            cpu: "1200m"
        env:
        - name: STORAGE_DRIVER
          value: "vfs"
        - name: BUILDAH_ISOLATION
          value: "chroot"
      volumes:
      - name: entrypoint-script
        configMap:
          name: buildah-entrypoint
          defaultMode: 0755
      - name: workspace
        emptyDir:
          sizeLimit: 2Gi
      - name: buildah-storage
        emptyDir:
          sizeLimit: 2Gi
      restartPolicy: Always