From 482fcd180a567830421bc866ec37bb5b42678f37 Mon Sep 17 00:00:00 2001
From: vikingowl
Date: Wed, 1 Apr 2026 00:07:01 +0200
Subject: [PATCH] feat(helm): add Go runtime tuning, startup probe, upgrade to Helm 4
- Set GOMAXPROCS and GOMEMLIMIT from cgroup limits to prevent thread oversubscription and unbounded GC memory growth
- Add startup probe (60s budget) to gate liveness/readiness during connection pool initialization
- Increase liveness failureThreshold to 5 to avoid restarts on transient issues
- Remove initialDelaySeconds (startup probe replaces this)
- Upgrade CI from alpine/helm:3.17 to alpine/helm:4.1
- Replace deprecated --atomic with --rollback-on-failure + --wait=watcher
---
 backend/.woodpecker.yml | 5 +++--
 backend/deploy/helm/templates/deployment.yaml | 18 ++++++++++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/backend/.woodpecker.yml b/backend/.woodpecker.yml
index 463c777..25ba2a5 100644
--- a/backend/.woodpecker.yml
+++ b/backend/.woodpecker.yml
@@ -40,7 +40,7 @@ steps:
 # Deploy via Helm using the exact SHA tag just pushed
 deploy:
- image: alpine/helm:3.17
+ image: alpine/helm:4.1
 environment:
 KUBECONFIG_DATA:
 from_secret: kubeconfig
@@ -70,7 +70,8 @@ steps:
 --set ai.apiKey="$AI_API_KEY" \
 --set ai.agentSimple="$AI_AGENT_SIMPLE" \
 --set turnstile.secretKey="$TURNSTILE_SECRET_KEY" \
- --atomic \
+ --rollback-on-failure \
+ --wait=watcher \
 --timeout 5m
 when:
 - event: push
diff --git a/backend/deploy/helm/templates/deployment.yaml b/backend/deploy/helm/templates/deployment.yaml
index d3f9637..61a9768 100644
--- a/backend/deploy/helm/templates/deployment.yaml
+++ b/backend/deploy/helm/templates/deployment.yaml
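Review bot: The flags added in the second `.woodpecker.yml` hunk (`--rollback-on-failure`, `--wait=watcher`) depend on the Helm major version selected by `image: alpine/helm:4.1` in the first hunk, and that reference is a mutable tag. This step receives the kubeconfig and the API secrets, so whatever the tag resolves to at run time executes with cluster credentials; pinning by digest, `image: alpine/helm:4.1@sha256:<digest-of-reviewed-image>`, keeps the binary and its flag set fixed. A one-line comment above the flags, e.g. `# Helm 4 only: --rollback-on-failure replaces --atomic`, would tell a later maintainer that the image and the flags must change together. The deploy step's command list starts before and continues after these hunks.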
@@ -55,6 +55,15 @@ spec:
 name: {{ include "marktvogt-backend.fullname" . }}-ci-secrets
 {{- end }}
 env:
+ # Go runtime tuning — match cgroup limits, not node CPU/memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
 # DB credentials from CNPG-managed secret
 - name: DB_HOST
 valueFrom:
@@ -81,18 +90,23 @@ spec:
 secretKeyRef:
 name: {{ include "marktvogt-backend.pgAppSecret" . }}
 key: dbname
+ startupProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ failureThreshold: 30
+ periodSeconds: 2
 livenessProbe:
 httpGet:
 path: /healthz
 port: http
- initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 3
+ failureThreshold: 5
 readinessProbe:
 httpGet:
 path: /readyz
 port: http
- initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 3
 resources:
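Review bot: `GOMEMLIMIT` is set to exactly `limits.memory` in the first `deployment.yaml` hunk, which leaves no headroom: it is a soft limit on memory managed by the Go runtime, so the collector only starts working hard at about the point where the kernel OOM-kills the container. A value somewhat below the limit (around 90% is a common convention), rendered from a chart value into `value:`, gives the GC room to react; `resourceFieldRef` cannot express a fraction. Both refs also fall back to the node's allocatable CPU and memory when the container has no limit, so the comment `match cgroup limits, not node CPU/memory` holds only if `resources.limits` is always set. The `resources:` block is outside this hunk, so confirm the chart does not make it optional.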
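Review bot: The new `startupProbe` in the second `deployment.yaml` hunk sets no `timeoutSeconds`, so it uses the Kubernetes default of 1 second while the liveness and readiness probes allow 3; a slow first response during start-up counts as a failure against the 30 × 2 s budget. Adding `timeoutSeconds: 3` keeps the three probes consistent. The probe also targets `/healthz`, the liveness path; if that handler answers before the connection pool is ready (not visible here), the startup probe passes immediately and gates nothing, so `/readyz` may be the path the commit message intends.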