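---
# Deployment for the test_project backend: three replicas, rolled out with no
# loss of capacity, running as a non-root user with every Linux capability
# dropped except NET_BIND_SERVICE.
#
# NOTE(review): Kubernetes object names (Deployment, Namespace, ServiceAccount,
# ConfigMap, Secret) and container names must be lowercase DNS-1123 names, so
# the underscore in "test_project" is rejected by the API server if it is a
# literal value. Presumably a template placeholder - confirm, and rename
# consistently in every manifest that refers to these objects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test_project-deployment
  namespace: test_project
  labels:
    app: test_project
    version: "1.0.0"
    component: backend
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Start one replacement pod before removing an old one, so the number of
      # available pods never drops below the replica count during a rollout.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: test_project
  template:
    metadata:
      labels:
        app: test_project
        version: "1.0.0"
      annotations:
        # NOTE(review): the scrape port 9090 is not among the declared
        # container ports (only 8000 is) - confirm /metrics is served there.
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      # NOTE(review): if the workload never calls the Kubernetes API, set
      # automountServiceAccountToken: false so no API token is mounted.
      serviceAccountName: test_project-service-account
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        # Apply the container runtime's default seccomp filter explicitly
        # rather than depending on the node default, which may be unconfined.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: test_project
          # NOTE(review): ":latest" is a mutable tag, and with IfNotPresent
          # each node keeps whichever build it pulled first, so replicas can
          # run different code and a rollout cannot be tied to a known image.
          # Pin a release tag or, better, a digest:
          #   ghcr.io/test_project@sha256:<digest>
          image: ghcr.io/test_project:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          envFrom:
            - configMapRef:
                name: test_project-config
            # Exposes every key of the Secret as an environment variable.
            # NOTE(review): environment variables are inherited by child
            # processes and often end up in debug output; prefer the explicit
            # secretKeyRef entries below (or a mounted volume) and drop this
            # bulk import if nothing else depends on it.
            - secretRef:
                name: test_project-secrets
          env:
            # Explicit entries take precedence over same-named variables from
            # envFrom. These map the Secret keys database-url and jwt-secret
            # onto DATABASE_URL and JWT_SECRET.
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: test_project-secrets
                  key: database-url
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: test_project-secrets
                  key: jwt-secret
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Restart the container after 3 consecutive failed checks.
          livenessProbe:
            httpGet:
              path: /health
              port: 8000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          # Remove the pod from Service endpoints while /health/ready fails.
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            successThreshold: 1
            failureThreshold: 3
          # Allows up to 30 x 10s = 300s for startup; the liveness and
          # readiness probes do not run until this probe has succeeded.
          startupProbe:
            httpGet:
              path: /health
              port: 8000
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 3
            successThreshold: 1
            failureThreshold: 30
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): /tmp and /var/log/app are already writable
            # emptyDir mounts, which suggests the root filesystem could be
            # read-only. Confirm the app writes nowhere else, then set true.
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL
              # NOTE(review): the only declared port is 8000, which is
              # unprivileged, so NET_BIND_SERVICE looks unnecessary - confirm
              # and remove it.
              add:
                - NET_BIND_SERVICE
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /var/log/app
      volumes:
        # NOTE(review): neither emptyDir has a sizeLimit, so growth is bounded
        # only by the node's ephemeral storage. emptyDir data is also deleted
        # with the pod, so logs needed for later investigation must be shipped
        # elsewhere.
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst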