--- apiVersion: apps/v1 kind: Deployment metadata: name: umami spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: umami template: metadata: labels: app.kubernetes.io/name: umami spec: initContainers: - name: init-db image: umami command: - /app/node_modules/.bin/npm-run-all args: - check-db - update-tracker env: - name: DATABASE_URL valueFrom: secretKeyRef: name: default-cluster-pguser-umami key: PQ_URL envFrom: - configMapRef: name: umami-config resources: requests: memory: "256Mi" cpu: "150m" limits: memory: "384Mi" cpu: "250m" securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true containers: - name: umami image: umami args: - node - server.js env: - name: DATABASE_URL valueFrom: secretKeyRef: name: db-credentials-umami key: PQ_URL envFrom: - configMapRef: name: umami-config resources: requests: memory: "64Mi" cpu: "150m" limits: memory: "256Mi" cpu: "300m" ports: - containerPort: 3000 protocol: TCP name: web livenessProbe: httpGet: path: /api/heartbeat port: 3000 initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: path: /api/heartbeat port: 3000 initialDelaySeconds: 5 periodSeconds: 10 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 securityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true