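---
# === STREAM SERVER DEPLOYMENT ===
# Stream server workload: HTTP/WebSocket/gRPC listeners plus a metrics port.
# Secrets (database, redis, JWT, TLS) are injected from existing Secret
# objects in the veza-production namespace; none are inlined here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: veza-stream-server
  namespace: veza-production
  labels:
    app: veza-stream-server
    version: v2.0.0
    component: streaming
spec:
  # NOTE(review): the HPA below manages the replica count; a re-apply of this
  # manifest resets it to 5 until the HPA scales again.
  replicas: 5
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2
      maxUnavailable: 1
  selector:
    matchLabels:
      app: veza-stream-server
  template:
    metadata:
      labels:
        app: veza-stream-server
        version: v2.0.0
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: veza-stream-server
      # Pod-level hardening: non-root UID/GID and the runtime's default
      # seccomp profile for every container in the pod.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: stream-server
          # NOTE(review): a mutable tag with imagePullPolicy: Always means the
          # running image can change without a manifest change; pin by digest
          # (image: veza/stream-server@sha256:<digest>) once one is recorded.
          image: veza/stream-server:2.0.0
          imagePullPolicy: Always
          # Container-level hardening: no setuid/capability escalation, no
          # Linux capabilities. readOnlyRootFilesystem is a further candidate
          # once the writable paths outside /app/data and /app/logs are known.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: websocket
              containerPort: 8081
              protocol: TCP
            - name: grpc
              containerPort: 50051
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          env:
            - name: RUST_LOG
              value: "info"
            - name: ENVIRONMENT
              value: "production"
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: redis-secret
                  key: url
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: jwt-secret
                  key: secret
            - name: PROMETHEUS_PORT
              value: "9090"
            - name: MAX_CONNECTIONS
              value: "100000"
            - name: WORKER_THREADS
              value: "16"
          resources:
            requests:
              cpu: "2000m"
              memory: "4Gi"
            limits:
              cpu: "8000m"
              memory: "16Gi"
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            successThreshold: 1
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /health/live
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          lifecycle:
            # Hold the pod for 30s after it is removed from endpoints so
            # in-flight streams can drain before SIGTERM is delivered.
            preStop:
              exec:
                command: ["/bin/sh", "-c", "sleep 30"]
          volumeMounts:
            - name: app-data
              mountPath: /app/data
            - name: app-logs
              mountPath: /app/logs
            - name: tls-certs
              mountPath: /app/certs
              readOnly: true
      volumes:
        - name: app-data
          emptyDir: {}
        - name: app-logs
          emptyDir: {}
        - name: tls-certs
          secret:
            secretName: tls-secret
      # The grace period starts when preStop starts, so it must exceed the
      # 30s preStop sleep or the process is killed the moment SIGTERM arrives;
      # 60s leaves 30s for the server's own shutdown.
      terminationGracePeriodSeconds: 60
      nodeSelector:
        node-type: streaming
      tolerations:
        - key: "streaming"
          operator: "Equal"
          value: "true"
          effect: "NoSchedule"
---
# === SERVICE ===
# Cluster-internal only; external exposure is expected via the ingress-nginx
# namespace admitted by the NetworkPolicy below.
apiVersion: v1
kind: Service
metadata:
  name: veza-stream-server
  namespace: veza-production
  labels:
    app: veza-stream-server
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP
    - name: websocket
      port: 8081
      targetPort: 8081
      protocol: TCP
    - name: grpc
      port: 50051
      targetPort: 50051
      protocol: TCP
    - name: metrics
      port: 9090
      targetPort: 9090
      protocol: TCP
  selector:
    app: veza-stream-server
---
# === HORIZONTAL POD AUTOSCALER ===
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: veza-stream-server-hpa
  namespace: veza-production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: veza-stream-server
  minReplicas: 5
  maxReplicas: 50
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    # NOTE(review): a 300s scale-up window delays reaction to load spikes by
    # up to five minutes; confirm this is intended for a streaming workload.
    scaleUp:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 100
          periodSeconds: 15
    scaleDown:
      stabilizationWindowSeconds: 600
      policies:
        - type: Percent
          value: 10
          periodSeconds: 60
---
# === NETWORK POLICY ===
# Default-deny in both directions for the stream server pods; only the
# listed peers and ports are admitted. The namespaceSelectors match on a
# custom "name" label, which must be present on each namespace or the
# corresponding rule matches nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: veza-stream-server-netpol
  namespace: veza-production
spec:
  podSelector:
    matchLabels:
      app: veza-stream-server
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # NOTE(review): the metrics port 9090 is not admitted here, so the
    # prometheus.io/scrape annotation only works for a scraper running inside
    # veza-production or ingress-nginx; add a rule for the monitoring
    # namespace if Prometheus lives elsewhere.
    - from:
        - namespaceSelector:
            matchLabels:
              name: veza-production
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8081
        - protocol: TCP
          port: 50051
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: veza-production
      ports:
        - protocol: TCP
          port: 5432  # PostgreSQL
        - protocol: TCP
          port: 6379  # Redis
    # An empty "to" list matches every destination, so DNS is allowed
    # cluster-wide on port 53; narrow to the cluster DNS namespace/pods if
    # the cluster's DNS labels are known.
    - to: []
      ports:
        - protocol: TCP
          port: 53  # DNS
        - protocol: UDP
          port: 53  # DNS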