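---
# Service, Deployment and PodDisruptionBudget for the tenant-api workload.
#
# ${NAMESPACE} and ${IMAGE_TAG_API} are placeholders replaced before this file
# is parsed (presumably envsubst or similar in the deploy pipeline; confirm).
# They are quoted so the rendered value is always a string. An unset
# NAMESPACE still renders an empty namespace, in which case the client
# falls back to its current namespace, so the pipeline should fail on unset
# variables.
apiVersion: v1
kind: Service
metadata:
  name: tenant-api
  namespace: "${NAMESPACE}"
spec:
  # No `type` is set, so this is a cluster-internal (ClusterIP) Service.
  selector:
    app: tenant-api
  ports:
    - port: 3000
      targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-api
  namespace: "${NAMESPACE}"
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Start one replacement pod before any old pod is removed.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: tenant-api
  template:
    metadata:
      labels:
        app: tenant-api
    spec:
      # NOTE(review): no serviceAccountName is set, so the namespace default
      # account token is mounted. If the API never calls the Kubernetes API,
      # set automountServiceAccountToken: false (confirm with the app owners).
      imagePullSecrets:
        - name: registry-codebaker
      containers:
        - name: tenant-api
          # Quoted: an empty tag would otherwise leave a trailing ':' that
          # YAML reads as a mapping key.
          # NOTE(review): a tag can be re-pointed in the registry; pin by
          # digest (repo@sha256:<digest>) if the pipeline can supply one.
          image: "hub.codebaker.it/loginmaster-tenant/api-tenant:${IMAGE_TAG_API}"
          ports:
            - containerPort: 3000
          securityContext:
            # Blocks setuid/file-capability privilege gain inside the
            # container.
            allowPrivilegeEscalation: false
            # Apply the runtime's default syscall filter explicitly.
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): runAsNonRoot: true, readOnlyRootFilesystem: true
            # and capabilities.drop: [ALL] are not set here because the
            # image's user and write paths are not visible in this manifest;
            # enable them once confirmed.
          envFrom:
            - configMapRef:
                name: tenant-api-config
          env:
            # Secrets are injected as environment variables. Anyone who can
            # exec into the pod or read the process environment can see them;
            # file-mounted secrets are the narrower option if the app
            # supports it.
            - name: MONGODB_URI
              valueFrom:
                secretKeyRef:
                  name: mongodb-tenant-auth
                  key: MONGODB_URI
            - name: MASTER_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: tenant-api-secrets
                  key: MASTER_ENCRYPTION_KEY
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: tenant-api-secrets
                  key: SMTP_PASSWORD
          volumeMounts:
            - name: mongo-ca
              mountPath: /etc/mongo-tls
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          # All three probes call GET /health on port 3000.
          # Startup: first check after 5 s, then every 5 s, up to 30 failures.
          startupProbe:
            httpGet:
              path: /health
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /health
              port: 3000
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /health
              port: 3000
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        - name: mongo-ca
          secret:
            # Only ca.crt is projected from the cert-manager Secret; the API
            # does not need the service certificate (it does not do mTLS, it
            # only validates the server).
            secretName: mongodb-tenant-tls
            items:
              - key: ca.crt
                path: ca.crt
            # Octal 0444: read-only for everyone. The field is an integer, so
            # it must stay unquoted. YAML 1.1 loaders read the leading zero as
            # octal (decimal 292); a strict YAML 1.2 loader would read decimal
            # 444, so confirm the toolchain if it ever changes.
            defaultMode: 0444
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: tenant-api-pdb
  namespace: "${NAMESPACE}"
spec:
  # With replicas: 2 above, this allows one voluntary eviction at a time.
  minAvailable: 1
  selector:
    matchLabels:
      app: tenant-api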