apiVersion: apps/v1 kind: Deployment metadata: name: api namespace: honeydue labels: app.kubernetes.io/name: api app.kubernetes.io/part-of: honeydue spec: replicas: 1 strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 0 maxSurge: 1 selector: matchLabels: app.kubernetes.io/name: api template: metadata: labels: app.kubernetes.io/name: api app.kubernetes.io/part-of: honeydue spec: serviceAccountName: api imagePullSecrets: - name: ghcr-credentials securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: - name: api image: IMAGE_PLACEHOLDER # Replaced by 03-deploy.sh ports: - containerPort: 8000 protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] envFrom: - configMapRef: name: honeydue-config env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: honeydue-secrets key: POSTGRES_PASSWORD - name: SECRET_KEY valueFrom: secretKeyRef: name: honeydue-secrets key: SECRET_KEY - name: EMAIL_HOST_PASSWORD valueFrom: secretKeyRef: name: honeydue-secrets key: EMAIL_HOST_PASSWORD - name: FCM_SERVER_KEY valueFrom: secretKeyRef: name: honeydue-secrets key: FCM_SERVER_KEY - name: REDIS_PASSWORD valueFrom: secretKeyRef: name: honeydue-secrets key: REDIS_PASSWORD optional: true volumeMounts: - name: apns-key mountPath: /secrets/apns readOnly: true - name: tmp mountPath: /tmp resources: requests: cpu: 100m memory: 128Mi limits: cpu: "1" memory: 512Mi startupProbe: httpGet: path: /api/health/ port: 8000 failureThreshold: 12 periodSeconds: 5 readinessProbe: httpGet: path: /api/health/ port: 8000 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 livenessProbe: httpGet: path: /api/health/ port: 8000 initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 10 volumes: - name: apns-key secret: secretName: honeydue-apns-key items: - key: apns_auth_key.p8 path: apns_auth_key.p8 - name: tmp emptyDir: sizeLimit: 64Mi