diff --git a/kubernetes/README.md b/kubernetes/README.md index 3cd5c0d..eab5406 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -13,7 +13,7 @@ This directory contains base Kubernetes manifests to self-host Rallly. It separa 1. **Secrets (`secrets.yaml`):** - **Important:** Do not commit the `secrets.yaml` file with real credentials to version control. - Update `POSTGRES_PASSWORD` and `SECRET_PASSWORD` (use `openssl rand -hex 32` to generate). - - Update `DATABASE_URL` to match your postgres password. + - **Critical:** Ensure the password in `DATABASE_URL` matches `POSTGRES_PASSWORD`. Both must use the same value. 2. **Config (`rallly-config.yaml`):** - Update `NEXT_PUBLIC_BASE_URL` to match your domain. @@ -22,6 +22,7 @@ This directory contains base Kubernetes manifests to self-host Rallly. It separa 3. **Ingress (`ingress.yaml`):** - Change `host: rallly.example.com` to your actual domain. - Ensure `ingressClassName` matches your cluster's controller (default is set to `nginx`). + - **TLS:** Create the TLS certificate Secret named `rallly-tls` or enable cert-manager (see comments in `ingress.yaml` for options). ## Deployment Order @@ -40,7 +41,18 @@ kubectl apply -f rallly.yaml # 4. Apply Ingress kubectl apply -f ingress.yaml +``` -# 5. Check that the pods are running - should show '1/1 Running' for each pod. +## Verification + +Check that the pods are running: + +```bash kubectl get pods ``` + +The Postgres pod should show `1/1 Running` and the Rallly pod should eventually show `1/1 Running` once the liveness probe passes. + +## Notes on Storage + +The PostgreSQL StatefulSet requests a 1Gi PersistentVolume. Ensure your cluster has a default StorageClass configured, or update the `volumeClaimTemplates` in `postgres.yaml` to specify a StorageClass. diff --git a/kubernetes/README.pdf b/kubernetes/README.pdf deleted file mode 100644 index 8e44d78..0000000 Binary files a/kubernetes/README.pdf and /dev/null differ 
diff --git a/kubernetes/ingress.yaml b/kubernetes/ingress.yaml index da28f3b..57202d7 100644 --- a/kubernetes/ingress.yaml +++ b/kubernetes/ingress.yaml @@ -28,3 +28,7 @@ spec: - hosts: - rallly.example.com secretName: rallly-tls + # Note: This Secret must be created separately. Options: + # 1. Use cert-manager (uncomment annotation above) to auto-provision + # 2. Manually create: kubectl create secret tls rallly-tls --cert=path/to/cert --key=path/to/key + # 3. Use an existing cluster-issued certificate secret diff --git a/kubernetes/rallly-config.yaml b/kubernetes/rallly-config.yaml index edd96e2..878f9d7 100644 --- a/kubernetes/rallly-config.yaml +++ b/kubernetes/rallly-config.yaml @@ -10,7 +10,10 @@ data: NEXT_PUBLIC_BASE_URL: "https://rallly.example.com" # Email Settings + # Note: This is distinct from INITIAL_ADMIN_EMAIL (defined in secrets), which creates the admin account. + # SUPPORT_EMAIL is the user-facing support contact shown to users. SUPPORT_EMAIL: "admin@example.com" + EMAIL_LOGIN_ENABLED: "true" # SECURITY: This allows ANY email to register. Restrict to "*@example.com" or specific emails for production. ALLOWED_EMAILS: "*" diff --git a/kubernetes/rallly.yaml b/kubernetes/rallly.yaml index 4f76352..27dfb16 100644 --- a/kubernetes/rallly.yaml +++ b/kubernetes/rallly.yaml @@ -26,6 +26,10 @@ spec: app: rallly strategy: type: RollingUpdate + # Zero-donwtime deployment strategy + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 template: metadata: labels:
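Review bot: Option 2 in the added comment under `secretName: rallly-tls` omits the namespace. An Ingress can only reference a TLS Secret in its own namespace, so a Secret created in a different current namespace leaves `rallly-tls` unresolved, and the controller will typically serve its default certificate rather than fail visibly. I would word the line as `# 2. Manually create in this Ingress's namespace: kubectl create secret tls rallly-tls -n <namespace> --cert=path/to/cert --key=path/to/key`. It would also help to add a line saying the key file must stay out of version control, as the README already says for `secrets.yaml`. The cert-manager annotation that option 1 refers to sits above the hunk and is not visible here, so confirm it names an issuer that exists in the cluster.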
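Review bot: `EMAIL_LOGIN_ENABLED: "true"` is added without a comment directly above `ALLOWED_EMAILS: "*"`, so the base manifest now explicitly ships email login together with registration open to any address. The existing SECURITY comment covers the wildcard but does not say that the two keys act together. I would add `# Enables email sign-in; with ALLOWED_EMAILS: "*" anyone who can reach the site can create an account.` above the new key. Consider making the shipped default fail closed, for example `ALLOWED_EMAILS: "*@example.com"` as the comment already suggests, so a deployer has to widen access deliberately instead of remembering to narrow it.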
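Review bot: The added comment promises zero downtime, but `maxUnavailable: 0` with `maxSurge: 1` only delivers that when the container defines a readinessProbe. The container spec is outside this hunk, and the README in this commit mentions only a liveness probe. Without readiness gating, the new pod counts as available as soon as its container starts, so the old pod can be removed before Rallly is able to serve requests. The comment also has a typo ("donwtime"); I would replace it with `# Zero-downtime rollout: relies on the container's readinessProbe; needs capacity for one extra pod during the update`. The `strategy` block belongs to the Deployment `spec`, which begins above the hunk.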