secretumvault/deploy/helm/templates/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "secretumvault.fullname" . }}
  namespace: {{ .Values.global.namespace }}
  labels:
    {{- include "secretumvault.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.vault.replicas }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      {{- include "secretumvault.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "secretumvault.selectorLabels" . | nindent 8 }}
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.vault.service.metricsPort }}"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: {{ include "secretumvault.fullname" . }}
      securityContext:
        fsGroup: {{ .Values.vault.securityContext.fsGroup }}
        runAsNonRoot: {{ .Values.vault.securityContext.runAsNonRoot }}
        runAsUser: {{ .Values.vault.securityContext.runAsUser }}

      {{- if .Values.vault.affinity }}
      affinity:
        {{- toYaml .Values.vault.affinity | nindent 8 }}
      {{- end }}

      containers:
      - name: vault
        image: "{{ .Values.vault.image.repository }}:{{ .Values.vault.image.tag }}"
        imagePullPolicy: {{ .Values.vault.image.pullPolicy }}

        ports:
        - name: api
          containerPort: 8200
          protocol: TCP
        - name: metrics
          containerPort: {{ .Values.vault.service.metricsPort }}
          protocol: TCP

        env:
        - name: RUST_LOG
          value: "{{ .Values.vault.config.logging.level }}"
        - name: VAULT_CONFIG
          value: "/etc/secretumvault/svault.toml"

        volumeMounts:
        - name: config
          mountPath: /etc/secretumvault
          readOnly: true
        - name: data
          mountPath: /var/lib/secretumvault

        livenessProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: {{ .Values.vault.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.vault.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.vault.livenessProbe.timeoutSeconds }}
          failureThreshold: {{ .Values.vault.livenessProbe.failureThreshold }}

        readinessProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: {{ .Values.vault.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.vault.readinessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.vault.readinessProbe.timeoutSeconds }}
          failureThreshold: {{ .Values.vault.readinessProbe.failureThreshold }}

        startupProbe:
          httpGet:
            path: /v1/sys/health
            port: api
          initialDelaySeconds: {{ .Values.vault.startupProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.vault.startupProbe.periodSeconds }}
          failureThreshold: {{ .Values.vault.startupProbe.failureThreshold }}

        resources:
          {{- toYaml .Values.vault.resources | nindent 12 }}

        securityContext:
          allowPrivilegeEscalation: {{ .Values.vault.securityContext.allowPrivilegeEscalation }}
          readOnlyRootFilesystem: {{ .Values.vault.securityContext.readOnlyRootFilesystem }}
          capabilities:
            drop:
            - ALL

      volumes:
      - name: config
        configMap:
          name: {{ include "secretumvault.fullname" . }}-config
      - name: data
        emptyDir:
          sizeLimit: 1Gi

      terminationGracePeriodSeconds: 30
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: {{ include "secretumvault.fullname" . }}`
			`namespace: {{ .Values.global.namespace }}`
			`labels:`
			`{{- include "secretumvault.labels" . \| nindent 4 }}`
			`spec:`
			`replicas: {{ .Values.vault.replicas }}`
			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 1`
			`maxUnavailable: 0`
			`selector:`
			`matchLabels:`
			`{{- include "secretumvault.selectorLabels" . \| nindent 6 }}`
			`template:`
			`metadata:`
			`labels:`
			`{{- include "secretumvault.selectorLabels" . \| nindent 8 }}`
			`annotations:`
			`prometheus.io/scrape: "true"`
			`prometheus.io/port: "{{ .Values.vault.service.metricsPort }}"`
			`prometheus.io/path: "/metrics"`
			`spec:`
			`serviceAccountName: {{ include "secretumvault.fullname" . }}`
			`securityContext:`
			`fsGroup: {{ .Values.vault.securityContext.fsGroup }}`
			`runAsNonRoot: {{ .Values.vault.securityContext.runAsNonRoot }}`
			`runAsUser: {{ .Values.vault.securityContext.runAsUser }}`

			`{{- if .Values.vault.affinity }}`
			`affinity:`
			`{{- toYaml .Values.vault.affinity \| nindent 8 }}`
			`{{- end }}`

			`containers:`
			`- name: vault`
			`image: "{{ .Values.vault.image.repository }}:{{ .Values.vault.image.tag }}"`
			`imagePullPolicy: {{ .Values.vault.image.pullPolicy }}`

			`ports:`
			`- name: api`
			`containerPort: 8200`
			`protocol: TCP`
			`- name: metrics`
			`containerPort: {{ .Values.vault.service.metricsPort }}`
			`protocol: TCP`

			`env:`
			`- name: RUST_LOG`
			`value: "{{ .Values.vault.config.logging.level }}"`
			`- name: VAULT_CONFIG`
			`value: "/etc/secretumvault/svault.toml"`

			`volumeMounts:`
			`- name: config`
			`mountPath: /etc/secretumvault`
			`readOnly: true`
			`- name: data`
			`mountPath: /var/lib/secretumvault`

			`livenessProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: {{ .Values.vault.livenessProbe.initialDelaySeconds }}`
			`periodSeconds: {{ .Values.vault.livenessProbe.periodSeconds }}`
			`timeoutSeconds: {{ .Values.vault.livenessProbe.timeoutSeconds }}`
			`failureThreshold: {{ .Values.vault.livenessProbe.failureThreshold }}`

			`readinessProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: {{ .Values.vault.readinessProbe.initialDelaySeconds }}`
			`periodSeconds: {{ .Values.vault.readinessProbe.periodSeconds }}`
			`timeoutSeconds: {{ .Values.vault.readinessProbe.timeoutSeconds }}`
			`failureThreshold: {{ .Values.vault.readinessProbe.failureThreshold }}`

			`startupProbe:`
			`httpGet:`
			`path: /v1/sys/health`
			`port: api`
			`initialDelaySeconds: {{ .Values.vault.startupProbe.initialDelaySeconds }}`
			`periodSeconds: {{ .Values.vault.startupProbe.periodSeconds }}`
			`failureThreshold: {{ .Values.vault.startupProbe.failureThreshold }}`

			`resources:`
			`{{- toYaml .Values.vault.resources \| nindent 12 }}`

			`securityContext:`
			`allowPrivilegeEscalation: {{ .Values.vault.securityContext.allowPrivilegeEscalation }}`
			`readOnlyRootFilesystem: {{ .Values.vault.securityContext.readOnlyRootFilesystem }}`
			`capabilities:`
			`drop:`
			`- ALL`

			`volumes:`
			`- name: config`
			`configMap:`
			`name: {{ include "secretumvault.fullname" . }}-config`
			`- name: data`
			`emptyDir:`
			`sizeLimit: 1Gi`

			`terminationGracePeriodSeconds: 30`