apiVersion: apps/v1
kind: Deployment
metadata:
  name: model-registry-deployment
  labels:
    component: model-registry-server
spec:
  replicas: 1
  selector:
    matchLabels:
      component: model-registry-server
  template:
    metadata:
      labels:
        sidecar.istio.io/inject: "true"
        component: model-registry-server
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        runAsNonRoot: true
      containers:
        - name: rest-container
          args:
            - --hostname=0.0.0.0
            - --port=8080
            - --mlmd-hostname=localhost
            - --mlmd-port=9090
            - --datastore-type=mlmd
          command:
            - /model-registry
            - proxy
          image: ghcr.io/kubeflow/model-registry/server:latest
          # empty placeholder environment for patching
          env: []
          ports:
            - name: http-api
              containerPort: 8080
          livenessProbe:
            initialDelaySeconds: 30
            periodSeconds: 5
            tcpSocket:
              port: http-api
            timeoutSeconds: 2
          readinessProbe:
            initialDelaySeconds: 3
            periodSeconds: 5
            tcpSocket:
              port: http-api
            timeoutSeconds: 2
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        - name: grpc-container
          # ! Sync to the same MLMD version:
          # * backend/metadata_writer/requirements.in and requirements.txt
          # * @kubeflow/frontend/src/mlmd/generated
          # * .cloudbuild.yaml and .release.cloudbuild.yaml
          # * manifests/kustomize/base/metadata/base/model-registry-deployment.yaml
          # * test/tag_for_hosted.sh
          image: gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
          env:
          - name: DBCONFIG_USER
            valueFrom:
              secretKeyRef:
                name: mysql-secret
                key: username
          - name: DBCONFIG_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysql-secret
                key: password
          - name: MYSQL_DATABASE
            valueFrom:
              configMapKeyRef:
                name: pipeline-install-config
                key: mlmdDb
          - name: MYSQL_HOST
            valueFrom:
              configMapKeyRef:
                name: pipeline-install-config
                key: dbHost
          - name: MYSQL_PORT
            valueFrom:
              configMapKeyRef:
                name: pipeline-install-config
                key: dbPort
          command: ["/bin/metadata_store_server"]
          args: ["--grpc_port=9090",
                 "--mysql_config_database=$(MYSQL_DATABASE)",
                 "--mysql_config_host=$(MYSQL_HOST)",
                 "--mysql_config_port=$(MYSQL_PORT)",
                 "--mysql_config_user=$(DBCONFIG_USER)",
                 "--mysql_config_password=$(DBCONFIG_PASSWORD)",
                 "--enable_database_upgrade=true"
                 ]
          ports:
          - name: grpc-api
            containerPort: 9090
          livenessProbe:
            tcpSocket:
              port: grpc-api
            initialDelaySeconds: 3
            periodSeconds: 5
            timeoutSeconds: 2
          readinessProbe:
            tcpSocket:
              port: grpc-api
            initialDelaySeconds: 3
            periodSeconds: 5
            timeoutSeconds: 2
          securityContext:
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      serviceAccountName: model-registry-server