Kubernetes
Deploy ObjectOS in a Kubernetes environment.
Use Kubernetes for production deployments that need managed secrets, ingress, probes, rolling upgrades, and customer-managed databases.
Deployment shape
A production ObjectOS deployment normally includes:
| Component | Recommendation |
|---|---|
| Deployment | One ObjectOS container image |
| Service | ClusterIP service for HTTP traffic |
| Ingress | TLS termination and customer hostname routing |
| Secret | OS_AUTH_SECRET, control-plane token, database credentials |
| ConfigMap | Non-secret runtime configuration |
| Persistent storage | Only when using local file artifacts or SQLite evaluation data |
| External database | Recommended for production business data |
Required configuration
At minimum configure:
```yaml
env:
  - name: PORT
    value: "3000"
  - name: OS_AUTH_SECRET
    valueFrom:
      secretKeyRef:
        name: objectos-secrets
        key: auth-secret
```
For cloud-connected mode:
```yaml
env:
  - name: OS_CLOUD_URL
    value: "https://cloud.example.com"
  - name: OS_CLOUD_API_KEY
    valueFrom:
      secretKeyRef:
        name: objectos-secrets
        key: cloud-api-key
```
For file-backed mode, mount the artifact and set:
```yaml
env:
  - name: OS_ARTIFACT_FILE
    value: "/artifacts/objectstack.json"
```
Probes
ObjectOS exposes a built-in GET /health endpoint that responds before
the project kernel is fully resolved, which makes it the right target
for both liveness and readiness probes:
```yaml
readinessProbe:
  httpGet:
    path: /health
    port: 3000
  initialDelaySeconds: 5
  periodSeconds: 10
livenessProbe:
  httpGet:
    path: /health
    port: 3000
  initialDelaySeconds: 15
  periodSeconds: 20
```
For stricter readiness checks, point an additional probe at an application-specific generated API route; this confirms the artifact loaded and the kernel is serving requests.
Ingress and CORS
Terminate TLS at the edge or ingress. Configure CORS explicitly for the front-end origins used by the customer. Do not combine wildcard origins with credentialed requests.
When ObjectOS runs behind a proxy, make sure the proxy strips
client-supplied X-Forwarded-For values before setting its own. Rate
limiting and audit trails depend on trustworthy caller identity.
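The following is an added example, not ObjectOS code: it models a proxy hop that either appends to or strips the inbound X-Forwarded-For header, and compares a leftmost-entry lookup with a right-to-left walk that accepts only hops added by trusted proxies. The proxy range `10.0.0.0/8`, the function names, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the ingress/proxy tier sits in this range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)

def proxy_forward(headers, peer_ip, strip):
    """Model the proxy hop. strip=True discards the inbound header and sets
    the TCP peer address; strip=False appends to whatever the client sent."""
    out = dict(headers)
    inbound = out.get("X-Forwarded-For")
    if strip or not inbound:
        out["X-Forwarded-For"] = peer_ip
    else:
        out["X-Forwarded-For"] = f"{inbound}, {peer_ip}"
    return out

def naive_client_ip(headers, peer_ip):
    """Leftmost entry, which the client controls when the proxy appends."""
    return headers.get("X-Forwarded-For", "").split(",")[0].strip() or peer_ip

def client_ip(headers, peer_ip):
    """Return the rightmost hop that is not a trusted proxy. The header is
    ignored unless the direct peer is itself a trusted proxy."""
    if not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer_ip

if __name__ == "__main__":
    # Constructed request: real caller 203.0.113.7 sends its own header value.
    sent = {"X-Forwarded-For": "198.51.100.99"}
    for strip in (False, True):
        fwd = proxy_forward(sent, "203.0.113.7", strip)
        print(f"strip={strip}: header={fwd['X-Forwarded-For']!r} "
              f"naive={naive_client_ip(fwd, '10.0.0.5')} "
              f"hardened={client_ip(fwd, '10.0.0.5')}")
```

With an appending proxy the leftmost lookup keys rate limits and audit entries on the client-chosen value; once the proxy strips the inbound header, both lookups agree on the TCP peer address.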
Rolling upgrades
ObjectOS image versions and application artifact versions are separate. Roll them independently:
- ObjectOS image: upgrade by changing the container tag.
- Application artifact: publish or mount a new immutable artifact.
- Rollback: restore the previous image tag or artifact pointer.