phase 14-15: docker build validation and helm deployment

infra/k8s/risk-engine.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     app: risk-engine
     app.kubernetes.io/part-of: stonks-oracle
+    stonks-oracle/tier: trading
 spec:
   replicas: 1
   selector:
@@ -15,18 +16,34 @@ spec:
     metadata:
       labels:
         app: risk-engine
+        stonks-oracle/tier: trading
     spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: risk-engine
           image: ghcr.io/celesrenata/stonks-oracle/risk:latest
           imagePullPolicy: Always
           ports:
             - containerPort: 8000
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
           envFrom:
             - configMapRef:
                 name: stonks-config
             - secretRef:
-                name: stonks-secrets
+                name: stonks-core-secrets
+            - secretRef:
+                name: stonks-broker-secrets
           resources:
             requests:
               cpu: 100m
@@ -34,6 +51,13 @@ spec:
             limits:
               cpu: 500m
               memory: 256Mi
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir:
+            sizeLimit: 10Mi
 ---
 apiVersion: v1
 kind: Service