feat: Configure production deployment with math-tables namespace and ingress

Changes made:

- Remove problematic configuration-snippet from base ingress

- Add namespace creation for math-tables

- Configure ingress with nginx class and letsencrypt-prod issuer

- Set production hostname to math-tables.cl1.parano.ch

- Reduce production replicas to 1

- Update copyright year in index.html

deploy/README.md

@@ -0,0 +1,83 @@
+# Math Exercises Application - Kubernetes Deployment
+
+This directory contains the Kubernetes deployment configuration for the Math Exercises application, with security best practices applied.
+
+## Directory Structure
+
+```
+deploy/
+├── base/                 # Base kustomize configuration
+│   ├── deployment.yaml      # Application deployment
+│   ├── service.yaml         # Internal service
+│   ├── ingress.yaml         # External access configuration
+│   ├── network-policy.yaml  # Network security policies
+│   ├── configmap.yaml       # Application configuration
+│   ├── pod-disruption-budget.yaml  # High availability
+│   └── kustomization.yaml   # Base kustomize file
+├── overlays/             # Environment-specific configurations
+│   ├── development/         # Development environment
+│   │   ├── deployment-patch.yaml   # Dev-specific deployment settings
+│   │   └── kustomization.yaml      # Dev kustomize file
+│   └── production/          # Production environment
+│       ├── deployment-patch.yaml   # Prod-specific deployment settings
+│       ├── security-patch.yaml     # Additional security settings
+│       └── kustomization.yaml      # Prod kustomize file
+└── SECURITY_CHECKLIST.md    # Security implementation checklist
+```
+
+## Security Features Implemented
+
+The deployment implements the following security best practices:
+
+1. **Pod Security**:
+   - Non-root user execution
+   - ReadOnly root filesystem
+   - Disabled privilege escalation
+   - Minimal container capabilities
+   - Seccomp profiles
+
+2. **Network Security**:
+   - Network policies restricting traffic
+   - TLS-enforced ingress with security headers
+   - Internal service exposure only
+
+3. **Configuration Security**:
+   - ConfigMaps for configuration separation
+   - Resource limits and requests
+   - Health checks with appropriate timeouts
+
+4. **Operational Security**:
+   - PodDisruptionBudget for high availability
+   - Environment-specific configurations
+   - Versioned image tags
+
+## Deployment Instructions
+
+### Development Environment
+
+```bash
+kubectl apply -k deploy/overlays/development
+```
+
+### Production Environment
+
+```bash
+kubectl apply -k deploy/overlays/production
+```
+
+## Security Verification
+
+To verify security settings are properly applied:
+
+```bash
+# Check security context
+kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].securityContext}'
+
+# Check network policies
+kubectl get networkpolicy
+
+# Check resource limits
+kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].resources}'
+```
+
+See `SECURITY_CHECKLIST.md` for a comprehensive list of implemented security measures.