secretumvault/k8s/03-deployment.yaml

---
# SecretumVault Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
  namespace: secretumvault
  labels:
    app: vault
    version: v1
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: vault
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000

      containers:
      - name: vault
        image: secretumvault:latest
        imagePullPolicy: IfNotPresent

        ports:
        - name: api
          containerPort: 8200
          protocol: TCP
        - name: metrics
          containerPort: 9090
          protocol: TCP

        env:
        - name: RUST_LOG
          value: "info"
        - name: VAULT_CONFIG
          value: "/etc/secretumvault/svault.toml"

        volumeMounts:
        - name: config
          mountPath: /etc/secretumvault
          readOnly: true
        - name: data
          mountPath: /var/lib/secretumvault

        livenessProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: 15
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3

        readinessProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3

        startupProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: 5
          periodSeconds: 5
          failureThreshold: 30

        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"

        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL

      volumes:
      - name: config
        configMap:
          name: vault-config
      - name: data
        emptyDir:
          sizeLimit: 1Gi

      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - vault
              topologyKey: kubernetes.io/hostname

      terminationGracePeriodSeconds: 30
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`---`
			`# SecretumVault Deployment`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: vault`
			`namespace: secretumvault`
			`labels:`
			`app: vault`
			`version: v1`
			`spec:`
			`replicas: 1`
			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 1`
			`maxUnavailable: 0`
			`selector:`
			`matchLabels:`
			`app: vault`
			`template:`
			`metadata:`
			`labels:`
			`app: vault`
			`annotations:`
			`prometheus.io/scrape: "true"`
			`prometheus.io/port: "9090"`
			`prometheus.io/path: "/metrics"`
			`spec:`
			`serviceAccountName: vault`
			`securityContext:`
			`fsGroup: 1000`
			`runAsNonRoot: true`
			`runAsUser: 1000`

			`containers:`
			`- name: vault`
			`image: secretumvault:latest`
			`imagePullPolicy: IfNotPresent`

			`ports:`
			`- name: api`
			`containerPort: 8200`
			`protocol: TCP`
			`- name: metrics`
			`containerPort: 9090`
			`protocol: TCP`

			`env:`
			`- name: RUST_LOG`
			`value: "info"`
			`- name: VAULT_CONFIG`
			`value: "/etc/secretumvault/svault.toml"`

			`volumeMounts:`
			`- name: config`
			`mountPath: /etc/secretumvault`
			`readOnly: true`
			`- name: data`
			`mountPath: /var/lib/secretumvault`

			`livenessProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: 15`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`

			`readinessProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: 10`
			`periodSeconds: 5`
			`timeoutSeconds: 3`
			`failureThreshold: 3`

			`startupProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: 5`
			`periodSeconds: 5`
			`failureThreshold: 30`

			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "250m"`
			`limits:`
			`memory: "512Mi"`
			`cpu: "500m"`

			`securityContext:`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities:`
			`drop:`
			`- ALL`

			`volumes:`
			`- name: config`
			`configMap:`
			`name: vault-config`
			`- name: data`
			`emptyDir:`
			`sizeLimit: 1Gi`

			`affinity:`
			`podAntiAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`podAffinityTerm:`
			`labelSelector:`
			`matchExpressions:`
			`- key: app`
			`operator: In`
			`values:`
			`- vault`
			`topologyKey: kubernetes.io/hostname`

			`terminationGracePeriodSeconds: 30`