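# Inbound MTA for the messages service: postfix plus a delivery milter,
# run as a single replica in the lasuite namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: messages-mta-in
  namespace: lasuite
spec:
  replicas: 1
  # Recreate: hostPort 25 blocks RollingUpdate — the new pod can't
  # schedule while the old one still holds the port.
  # NOTE(review): no hostPort is declared in this manifest; presumably an
  # overlay or patch adds it — confirm.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: messages-mta-in
  template:
    metadata:
      labels:
        app: messages-mta-in
    spec:
      containers:
        - name: messages-mta-in
          # NOTE(review): untagged image name, which resolves to :latest
          # unless an overlay rewrites it to a pinned tag or digest — confirm.
          image: messages-mta-in
          ports:
            - containerPort: 25
          env:
            - name: MDA_API_BASE_URL
              valueFrom:
                configMapKeyRef:
                  name: messages-config
                  key: MDA_API_BASE_URL
            # API secret is read from a Secret, not stored in this manifest.
            - name: MDA_API_SECRET
              valueFrom:
                secretKeyRef:
                  name: messages-django-secret
                  key: MDA_API_SECRET
            # Quoted so the value stays a string, as env values must be.
            - name: MAX_INCOMING_EMAIL_SIZE
              value: "30000000"
          # Liveness: verify the delivery milter process is running and the
          # unix socket exists. The milter is a long-lived Python process that
          # can hang silently after days of uptime (COE-2026-002 addendum).
          # Without this probe, postfix returns 451 to all inbound mail and
          # nobody notices until senders complain.
          #
          # The pgrep fallback uses the pattern 'delivery_milter[.]py' rather
          # than the bare file name: `pgrep -f` matches full command lines and
          # only excludes itself, so a bare name would match the probe's own
          # `sh -c` process and the check would pass with no milter running.
          #
          # Limitation: `kill -0` only proves that the PID exists. A milter
          # that is alive but no longer answering on the socket still passes,
          # and a stale pid file whose PID was reused could pass as well.
          # NOTE(review): consider a probe that exercises the socket.
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                # Folded scalar: the three lines below form one shell command.
                - >-
                  test -S /var/spool/postfix/milter/delivery.sock &&
                  kill -0 $(cat /var/run/milter.pid 2>/dev/null ||
                  pgrep -f 'delivery_milter[.]py')
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          # Readiness: the pod receives traffic once port 25 accepts a TCP
          # connection. This does not check the milter.
          readinessProbe:
            tcpSocket:
              port: 25
            initialDelaySeconds: 10
            periodSeconds: 15
          # NET_BIND_SERVICE permits binding ports below 1024 (25 here).
          # NOTE(review): this only adds a capability; nothing is dropped and
          # allowPrivilegeEscalation / runAsNonRoot are unset. Tightening them
          # needs testing, since postfix presumably relies on root-only
          # operations and setgid helpers — confirm before changing.
          securityContext:
            capabilities:
              add: ["NET_BIND_SERVICE"]
          resources:
            limits:
              memory: 256Mi
              cpu: 250m
            requests:
              memory: 64Mi
              cpu: 50m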