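---
# SecretumVault Deployment
#
# Single-replica vault pod with a hardened pod- and container-level security
# context. Review notes on points this manifest leaves open (values kept as
# the author wrote them, except the added seccompProfile below):
# - `image: secretumvault:latest` with `imagePullPolicy: IfNotPresent` is a
#   mutable tag: nodes can end up running different builds, and a retagged
#   image is indistinguishable from the expected one. Pin to an immutable
#   tag plus digest (`secretumvault:<VERSION>@sha256:<DIGEST>` — placeholder,
#   take the real values from the release pipeline) before production use.
# - The `data` volume is an emptyDir, so vault state does not survive a pod
#   reschedule or node drain; with `replicas: 1` a rolling update brings up
#   a pod with an empty data directory. Use a PersistentVolumeClaim if the
#   data must persist.
# - `automountServiceAccountToken` is not set, so the `vault` service
#   account's token is mounted into the container. Set it to `false` unless
#   the vault needs to talk to the Kubernetes API.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
  namespace: secretumvault
  labels:
    app: vault
    version: v1
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
      annotations:
        # Quoted so they stay strings; annotation values must be strings.
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: vault
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
        # Added: confine the container to the runtime's default seccomp
        # profile so unexpected syscalls are blocked rather than allowed.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          image: secretumvault:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: api
              containerPort: 8200
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          env:
            - name: RUST_LOG
              value: "info"
            - name: VAULT_CONFIG
              value: "/etc/secretumvault/svault.toml"
          volumeMounts:
            # Configuration comes from the vault-config ConfigMap, read-only.
            - name: config
              mountPath: /etc/secretumvault
              readOnly: true
            # The only writable path; the root filesystem is read-only below.
            - name: data
              mountPath: /var/lib/secretumvault
          # All three probes use the same endpoint. NOTE(review): if
          # /v1/sys/health returns non-2xx while the vault is sealed, the
          # liveness probe restarts a healthy-but-sealed pod — confirm the
          # endpoint's semantics and split liveness from readiness if so.
          livenessProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          # Allows up to 30 * 5s = 150s for startup before liveness kicks in.
          startupProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      volumes:
        - name: config
          configMap:
            name: vault-config
        # Ephemeral: see the review note at the top of the file.
        - name: data
          emptyDir:
            sizeLimit: 1Gi
      affinity:
        podAntiAffinity:
          # Soft preference to spread replicas across nodes.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - vault
                topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 30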