devstar-devcontainer-operator/internal/controller/templates/statefulset.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{.ObjectMeta.Name}}
  namespace: {{.ObjectMeta.Namespace}}
  labels:
    app: {{.ObjectMeta.Name}}
    devstar-resource-type: devstar-devcontainer
spec:
  podManagementPolicy: OrderedReady
  replicas: 1
  selector:
    matchLabels:
      app: {{.ObjectMeta.Name}}
      devstar-resource-type: devstar-devcontainer
  template:
    metadata:
      labels:
        app: {{.ObjectMeta.Name}}
        devstar-resource-type: devstar-devcontainer
    spec:
      # 安全策略，禁止挂载 ServiceAccount Token
      automountServiceAccountToken: false
      volumes:
        - name: root-ssh-dir
          emptyDir: {}
      initContainers:
        - name: init-root-ssh-dir
          image: devstar.cn/public/busybox:27a71e19c956
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - {{range .Spec.StatefulSet.SSHPublicKeyList}} echo "{{.}}" >> /root/.ssh/authorized_keys  && {{end}} chmod -R 700 /root/.ssh/ && echo 'SSH Public Key(s) imported.'
            # 注意，必须递归设置 ~/.ssh/ 目录下权限 700，否则即使配置了 ~/.ssh/authorized_keys 也不会生效
          volumeMounts:
            - name: root-ssh-dir
              mountPath: /root/.ssh
        - name: init-git-repo-dir
          image: {{.Spec.StatefulSet.Image}}
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - if [ ! -d '/data/workspace' ]; then git clone {{.Spec.StatefulSet.GitRepositoryURL}} /data/workspace && echo "Git Repository cloned."; else echo "Folder already exists."; fi
          volumeMounts:
            - name: pvc-devcontainer
              mountPath: /data
      containers:
        - name: {{.ObjectMeta.Name}}
          image: {{.Spec.StatefulSet.Image}}
          command:
          {{range .Spec.StatefulSet.Command}}
          - {{.}}
          {{end}}
          imagePullPolicy: IfNotPresent
          # securityContext: TODO: 设置 DevContainer 安全策略
          ports:
            - name: ssh-port
              protocol: TCP
              containerPort: {{.Spec.StatefulSet.ContainerPort}}
          volumeMounts:
          - name: pvc-devcontainer
            mountPath: /data
          - name: root-ssh-dir
            mountPath: /root/.ssh
          livenessProbe:
            exec:
              command:
              - /bin/sh
              - -c
              - exec ls ~
            failureThreshold: 6
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
              - /bin/sh
              - -c
              - exec cat /etc/ssh/ssh_host*.pub
            failureThreshold: 6
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources:
            limits:
              cpu: 300m
              ephemeral-storage: 8Gi
              memory: 512Mi
            requests:
              cpu: 100m
              ephemeral-storage: 50Mi
              memory: 128Mi
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pvc-devcontainer
      spec:
        storageClassName: openebs-hostpath
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi