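---
# Deployment for the inventory-api service.
# Layout restored from a single collapsed line; the manifest is otherwise the
# same object, with a minimal pod/container securityContext added where the
# original had an empty one (see notes below).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prod-pod
  labels:
    app: inventory-api
  # NOTE(review): the Vault Agent Injector is a mutating webhook on Pods and
  # only reads annotations on the pod template (spec.template.metadata below).
  # Annotations placed here, on the Deployment object itself, are not acted on.
spec:
  replicas: 1  # Use only 1 replica to minimize resource requirements
  selector:
    matchLabels:
      app: inventory-api
  strategy:
    type: Recreate  # Changed from RollingUpdate to Recreate to avoid running multiple pods
  template:
    metadata:
      labels:
        app: inventory-api
      # Uncomment the following annotations if using Vault Agent Injector
      # annotations:
      #   vault.hashicorp.com/agent-inject: "true"
      #   vault.hashicorp.com/agent-inject-status: "update"
      #   vault.hashicorp.com/role: "inventory-api"
      #   vault.hashicorp.com/agent-inject-secret-config: "secret/data/inventory-api/config"
      #   vault.hashicorp.com/agent-inject-template-config: |
      #     {{- with secret "secret/data/inventory-api/config" -}}
      #     export SECRET_KEY="{{ .Data.data.secret_key }}"
      #     export FIRST_SUPERUSER_PASSWORD="{{ .Data.data.admin_password }}"
      #     {{- end -}}
    spec:
      # If using Vault, you might need to add an initContainer to wait for Vault secrets
      # initContainers:
      #   - name: wait-for-vault
      #     image: busybox
      #     command: ['sh', '-c', 'until [ -f /vault/secrets/config ]; do echo "Waiting for Vault secrets..."; sleep 2; done']
      #     volumeMounts:
      #       - name: vault-secrets
      #         mountPath: /vault/secrets
      containers:
        - name: app
          # Quoted so the substituted value is always read as a string.
          image: "${IMAGE_REPOSITORY}:${IMAGE_TAG}"
          # Use existing images when possible. NOTE(review): with a mutable tag
          # (e.g. "latest") a node keeps serving whatever it pulled first; an
          # immutable tag or digest avoids stale images.
          imagePullPolicy: IfNotPresent
          # Container-level hardening that does not require image changes:
          # no setuid escalation and no Linux capabilities (the app listens on
          # 8000, so none are needed). Re-add a specific capability only if the
          # app is shown to need it.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # readOnlyRootFilesystem: true  -- enable once confirmed the app
            # writes only under /app/storage (or add an emptyDir for /tmp).
          resources:
            requests:
              cpu: "10m"  # Absolute minimum CPU request
              memory: "64Mi"  # Absolute minimum memory request
            # Removed limits to allow the pod to use available resources if needed.
            # NOTE(review): without a memory limit there is no per-pod ceiling;
            # a leak can drive the node into memory pressure and evictions.
          ports:
            - containerPort: 8000
              name: http
          env:
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: inventory-api-secrets
                  key: secret-key
            - name: SERVER_NAME
              value: "Inventory Management System"
            - name: SERVER_HOST
              value: "https://inventory.example.com"
            - name: FIRST_SUPERUSER
              value: "admin@example.com"
            - name: FIRST_SUPERUSER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: inventory-api-secrets
                  key: admin-password
          # Simplified probes to reduce load during startup
          livenessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 60  # Increased to give pod more time to start
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 30  # Increased to give pod more time to start
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: storage-volume
              mountPath: /app/storage
            # If using Vault, add the following volume mount
            # - name: vault-secrets
            #   mountPath: /vault/secrets
      volumes:
        - name: storage-volume
          # Uncomment the following if PVC fails to provision.
          # NOTE(review): emptyDir is lost whenever the pod is recreated, which
          # the Recreate strategy above does on every rollout.
          # emptyDir: {}
          persistentVolumeClaim:
            claimName: inventory-api-pvc
        # If using Vault, add this volume
        # - name: vault-secrets
        #   emptyDir:
        #     medium: Memory
      # Maximum scheduling flexibility.
      # NOTE(review): a bare `operator: Exists` with no key or effect tolerates
      # every taint, including control-plane NoSchedule taints and the
      # not-ready/unreachable NoExecute taints, so this single replica is never
      # evicted from a failed node. Add `effect: NoSchedule` if that is not intended.
      tolerations:
        - operator: "Exists"  # Tolerate all taints
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      # Pod-level default seccomp profile; previously an empty securityContext.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        # runAsNonRoot: true  -- enable once confirmed the image declares a
        # non-root USER; with the PVC above, fsGroup may also be needed.
      terminationGracePeriodSeconds: 30
      schedulerName: default-scheduler
      # No nodeSelector, no affinity to allow maximum scheduling flexibility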