diff --git a/apps/base/artifactapi/cnpg_cluster.yaml b/apps/base/artifactapi/cnpg_cluster.yaml
new file mode 100644
index 0000000..91a4487
--- /dev/null
+++ b/apps/base/artifactapi/cnpg_cluster.yaml
@@ -0,0 +1,91 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: artifactapi-postgres
+ namespace: artifactapi
+spec:
+ affinity:
+ podAntiAffinityType: preferred
+ bootstrap:
+ initdb:
+ database: artifacts3
+ encoding: UTF8
+ localeCType: C
+ localeCollate: C
+ owner: artifacts
+ secret:
+ name: postgres-password
+ enablePDB: true
+ enableSuperuserAccess: false
+ failoverDelay: 0
+ imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
+ instances: 3
+ logLevel: info
+ maxSyncReplicas: 0
+ minSyncReplicas: 0
+ monitoring:
+ customQueriesConfigMap:
+ - key: queries
+ name: cnpg-default-monitoring
+ disableDefaultQueries: false
+ enablePodMonitor: false
+ postgresql:
+ parameters:
+ archive_mode: "on"
+ archive_timeout: 5min
+ dynamic_shared_memory_type: posix
+ effective_cache_size: 256MB
+ full_page_writes: "on"
+ log_destination: csvlog
+ log_directory: /controller/log
+ log_filename: postgres
+ log_rotation_age: "0"
+ log_rotation_size: "0"
+ log_truncate_on_rotation: "false"
+ logging_collector: "on"
+ max_connections: "200"
+ max_parallel_workers: "16"
+ max_replication_slots: "16"
+ max_worker_processes: "16"
+ shared_buffers: 128MB
+ shared_memory_type: mmap
+ ssl_max_protocol_version: TLSv1.3
+ ssl_min_protocol_version: TLSv1.3
+ wal_keep_size: 256MB
+ wal_level: logical
+ wal_log_hints: "on"
+ wal_receiver_timeout: 5s
+ wal_sender_timeout: 5s
+ syncReplicaElectionConstraint:
+ enabled: false
+ primaryUpdateMethod: restart
+ primaryUpdateStrategy: unsupervised
+ probes:
+ liveness:
+ isolationCheck:
+ connectionTimeout: 1000
+ enabled: true
+ requestTimeout: 1000
+ replicationSlots:
+ highAvailability:
+ enabled: true
+ slotPrefix: _cnpg_
+ synchronizeReplicas:
+ enabled: true
+ updateInterval: 30
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ smartShutdownTimeout: 180
+ startDelay: 3600
+ stopDelay: 1800
+ storage:
+ resizeInUseVolumes: true
+ size: 10Gi
+ storageClass: 
cephrbd-fast-delete
+ switchoverDelay: 3600
diff --git a/apps/base/artifactapi/cnpg_pooler.yaml b/apps/base/artifactapi/cnpg_pooler.yaml
new file mode 100644
index 0000000..3f7a789
--- /dev/null
+++ b/apps/base/artifactapi/cnpg_pooler.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Pooler
+metadata:
+ name: artifactapi-postgres-pooler
+ namespace: artifactapi
+spec:
+ cluster:
+ name: artifactapi-postgres
+ instances: 2
+ pgbouncer:
+ parameters:
+ default_pool_size: "100"
+ max_client_conn: "400"
+ paused: false
+ poolMode: session
+ template:
+ metadata:
+ labels:
+ app: artifactapi-pooler
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - artifactapi-pooler
+ topologyKey: kubernetes.io/hostname
+ containers: []
+ type: rw
diff --git a/apps/base/artifactapi/configmap_v3.yaml b/apps/base/artifactapi/configmap_v3.yaml
new file mode 100644
index 0000000..807e5a7
--- /dev/null
+++ b/apps/base/artifactapi/configmap_v3.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: artifactapi-v3-env
+ namespace: artifactapi
+data:
+ DBHOST: artifactapi-postgres-pooler
+ DBNAME: artifacts3
+ DBPORT: "5432"
+ DBUSER: artifacts
+ MINIO_BUCKET: artifactapi-prod-k8s-syd1-au
+ MINIO_ENDPOINT: radosgw.service.consul
+ MINIO_SECURE: "true"
+ REDIS_URL: redis://redis-v3-service:6379
+ REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
+ SSL_CERT_FILE: /etc/pki/tls/certs/ca-bundle.crt
diff --git a/apps/base/artifactapi/deployment_api.yaml b/apps/base/artifactapi/deployment_api.yaml
new file mode 100644
index 0000000..1c4cefc
--- /dev/null
+++ b/apps/base/artifactapi/deployment_api.yaml
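Review bot: With `instances: 3` but `maxSyncReplicas: 0` and `minSyncReplicas: 0`, replication is asynchronous, so an unsupervised failover (`failoverDelay: 0`, `primaryUpdateStrategy: unsupervised`) can discard transactions the primary had already acknowledged to the API. If that durability trade-off is intended, say so above `maxSyncReplicas` with `# async replication: a failover may lose recently committed writes`; otherwise `minSyncReplicas: 1` and `maxSyncReplicas: 1` make commits wait for one standby. `wal_receiver_timeout: 5s` and `wal_sender_timeout: 5s` are far below the PostgreSQL default of 60s and may tear down replication on short network stalls; worth confirming against the expected latency between nodes. No `backup:` stanza appears in this file, and `archive_mode: "on"` alone does not ship WAL off the volume, so if base backups are configured elsewhere a comment pointing to them would help.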
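Review bot: `default_pool_size: "100"` (per user/database pair, per PgBouncer instance) across `instances: 2` lets the pooler open up to 200 server connections, which is exactly the `max_connections: "200"` set in cnpg_cluster.yaml, leaving no headroom for the operator's own sessions, streaming replication and reserved superuser slots, so the pooler can see connection refusals under load. Either lower the pool, e.g. `default_pool_size: "80"`, or raise `max_connections` on the cluster, and record the relationship in a comment above `parameters`. In `poolMode: session` a server connection is held for the whole client session, so the `max_client_conn: "400"` clients queue on those slots; confirm that is intended rather than `transaction` mode.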
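Review bot: `REDIS_URL: redis://redis-v3-service:6379` carries no credential and no TLS, and the Redis in deployment_redis.yaml is started with only `redis-server --save 20 1`, so the `redis-v3-service` ClusterIP from services_v3.yaml is reachable with full read/write access by any workload in the cluster (the official `redis` image is built with protected mode off, so it will not refuse non-loopback peers). Mitigate with a `NetworkPolicy` on `app: redis-v3` that admits only `app: artifactapi-api`, and/or a `--requirepass` taken from the existing `environment` Secret and reflected in the URL as `redis://:<password>@redis-v3-service:6379`. At minimum, a comment above `REDIS_URL` stating that Redis is unauthenticated and relies on network isolation makes the assumption visible to the next reader.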
@@ -0,0 +1,65 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: artifactapi-api
+ namespace: artifactapi
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ selector:
+ matchLabels:
+ app: artifactapi-api
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: artifactapi-api
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: artifactapi
+ image: git.unkin.net/unkin/artifactapi:v3.0.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8000
+ name: http
+ protocol: TCP
+ envFrom:
+ - configMapRef:
+ name: artifactapi-v3-env
+ optional: false
+ - secretRef:
+ name: environment
+ optional: false
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: "1"
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ restartPolicy: Always
diff --git a/apps/base/artifactapi/deployment_redis.yaml b/apps/base/artifactapi/deployment_redis.yaml
new file mode 100644
index 0000000..2b6996b
--- /dev/null
+++ b/apps/base/artifactapi/deployment_redis.yaml
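Review bot: None of the three new Deployments (this file, deployment_redis.yaml and deployment_ui.yaml) sets a pod or container `securityContext`, so each container runs as whatever user the image defaults to, with the full default capability set and privilege escalation allowed. Adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` at pod level and `allowPrivilegeEscalation: false` plus `capabilities: {drop: [ALL]}` on the container is the usual baseline; if an image genuinely needs more (the ui image binds `containerPort: 80`), say so in a comment next to the exception. `automountServiceAccountToken: true` is set explicitly here; unless the API calls the Kubernetes API, `false` removes a credential from the pod, and if it is needed a comment should say for what. The image is pinned by tag only (`artifactapi:v3.0.0`); appending a digest (`@sha256:<digest>`) keeps `IfNotPresent` pulls reproducible across nodes.
```yaml
    spec:
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: artifactapi
          # … unchanged: image, imagePullPolicy, ports, envFrom, probes, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```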
@@ -0,0 +1,64 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-v3-deployment
+ namespace: artifactapi
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis-v3
+ strategy:
+ type: Recreate
+ template:
+ spec:
+ containers:
+ - name: redis
+ image: redis:7-alpine
+ imagePullPolicy: IfNotPresent
+ command:
+ - redis-server
+ - --save
+ - "20"
+ - "1"
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ volumeMounts:
+ - mountPath: /data
+ mountPropagation: None
+ name: data
+ restartPolicy: Always
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: artifactapi-v3-redis-data
diff --git a/apps/base/artifactapi/deployment_ui.yaml b/apps/base/artifactapi/deployment_ui.yaml
new file mode 100644
index 0000000..7f8462a
--- /dev/null
+++ b/apps/base/artifactapi/deployment_ui.yaml
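Review bot: The pod `template` has no `metadata.labels`, while `selector.matchLabels` requires `app: redis-v3`; the API server rejects a Deployment whose template labels do not satisfy its own selector, so this manifest will fail to apply as written, and the `redis-v3-service` in services_v3.yaml (selector `app: redis-v3`) would have no endpoints even if it did. Insert `metadata:` / `  labels:` / `    app: redis-v3` directly under `template:`, before `spec:`, mirroring what deployment_api.yaml and deployment_ui.yaml already do. The 64-line hunk count confirms the labels are simply missing rather than lost in the collapsed rendering.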
@@ -0,0 +1,55 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: artifactapi-ui
+ namespace: artifactapi
+spec:
+ selector:
+ matchLabels:
+ app: artifactapi-ui
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: artifactapi-ui
+ spec:
+ containers:
+ - name: ui
+ image: git.unkin.net/unkin/artifactapi-ui:v3.0.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ restartPolicy: Always
diff --git a/apps/base/artifactapi/gateway_v3.yaml b/apps/base/artifactapi/gateway_v3.yaml
new file mode 100644
index 0000000..7e567af
--- /dev/null
+++ b/apps/base/artifactapi/gateway_v3.yaml
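Review bot: The ui container is routed only under `/ui` (httproute_v3.yaml), yet both probes request `path: /`; if the image serves its content under `/ui` and answers `/` with a 404, the readiness probe never succeeds and the rollout stalls, so confirm what the image returns at `/` or change both probes to `path: /ui`. The container also binds `containerPort: 80`, which inside the container normally needs root or `CAP_NET_BIND_SERVICE`; an image listening on an unprivileged port (with `name: http` kept, so `targetPort: http` in services_v3.yaml needs no change) would let the pod run with `runAsNonRoot: true`. A comment above `containerPort` recording which of the two applies would save the next reviewer the same question.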
@@ -0,0 +1,37 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ traefik.io/instance: internal
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ cert-manager.io/common-name: artifactapi3.k8s.syd1.au.unkin.net
+ cert-manager.io/private-key-size: "4096"
+ external-dns.alpha.kubernetes.io/hostname: artifactapi3.k8s.syd1.au.unkin.net
+ external-dns.alpha.kubernetes.io/target: 198.18.200.4
+ name: artifactapi3
+ namespace: artifactapi
+spec:
+ gatewayClassName: traefik-internal
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: artifactapi3.k8s.syd1.au.unkin.net
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: artifactapi3.k8s.syd1.au.unkin.net
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: artifactapi3-tls
+ mode: Terminate
diff --git a/apps/base/artifactapi/hpa_api.yaml b/apps/base/artifactapi/hpa_api.yaml
new file mode 100644
index 0000000..242f952
--- /dev/null
+++ b/apps/base/artifactapi/hpa_api.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: artifactapi-api-hpa
+ namespace: artifactapi
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: artifactapi-api
+ minReplicas: 2
+ maxReplicas: 10
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 60
+ behavior:
+ scaleUp:
+ stabilizationWindowSeconds: 0
+ selectPolicy: Max
+ policies:
+ - type: Percent
+ value: 100
+ periodSeconds: 30
+ - type: Pods
+ value: 4
+ periodSeconds: 30
+ scaleDown:
+ stabilizationWindowSeconds: 300
+ selectPolicy: Min
+ policies:
+ - type: Percent
+ value: 10
+ periodSeconds: 60
+ - type: Pods
+ value: 2
+ periodSeconds: 60
diff --git a/apps/base/artifactapi/hpa_ui.yaml b/apps/base/artifactapi/hpa_ui.yaml
new file mode 100644
index 0000000..3f61c07
--- /dev/null
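Review bot: `averageUtilization: 60` is measured against the container's CPU request, and deployment_api.yaml requests only `cpu: 100m` against a limit of `"1"`, so this HPA adds pods once average usage passes roughly 60m per pod — long before a pod is busy — and with `stabilizationWindowSeconds: 0` and the `Percent 100` / `Pods 4` per-30s policies it can reach `maxReplicas: 10` within a couple of minutes of modest load; hpa_ui.yaml has the same 10x request/limit gap (`50m` vs `500m`). Either raise the requests toward observed steady-state usage or document the deliberate early scale-out with a comment above `averageUtilization`, e.g. `# relative to the 100m request in deployment_api.yaml, not the 1-CPU limit`. The `scaleDown` side (300s window, `Min` of 10%/2 pods per minute) is conservative and looks fine.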
+++ b/apps/base/artifactapi/hpa_ui.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: artifactapi-ui-hpa
+ namespace: artifactapi
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: artifactapi-ui
+ minReplicas: 1
+ maxReplicas: 4
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 70
+ behavior:
+ scaleUp:
+ stabilizationWindowSeconds: 0
+ selectPolicy: Max
+ policies:
+ - type: Percent
+ value: 100
+ periodSeconds: 30
+ - type: Pods
+ value: 2
+ periodSeconds: 30
+ scaleDown:
+ stabilizationWindowSeconds: 300
+ selectPolicy: Min
+ policies:
+ - type: Percent
+ value: 25
+ periodSeconds: 60
+ - type: Pods
+ value: 1
+ periodSeconds: 60
diff --git a/apps/base/artifactapi/httproute_v3.yaml b/apps/base/artifactapi/httproute_v3.yaml
new file mode 100644
index 0000000..c191fc8
--- /dev/null
+++ b/apps/base/artifactapi/httproute_v3.yaml
@@ -0,0 +1,112 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: artifactapi3-http-redirect
+ namespace: artifactapi
+spec:
+ hostnames:
+ - artifactapi3.k8s.syd1.au.unkin.net
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: artifactapi3
+ sectionName: http
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: artifactapi3-ui
+ namespace: artifactapi
+spec:
+ hostnames:
+ - artifactapi3.k8s.syd1.au.unkin.net
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: artifactapi3
+ sectionName: https
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: artifactapi-v3-ui
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /ui
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: artifactapi3-api
+ namespace: artifactapi
+spec:
+ hostnames:
+ - artifactapi3.k8s.syd1.au.unkin.net
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: artifactapi3
+ sectionName: https
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: artifactapi-v3-api
+ port: 80
+ weight: 1
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: api-ipallowlist
+ matches:
+ - path:
+ type: PathPrefix
+ value: /api
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: artifactapi-v3-api
+ port: 80
+ weight: 1
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: api-ipallowlist
+ matches:
+ - path:
+ type: PathPrefix
+ value: /config
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: artifactapi-v3-api
+ port: 80
+ weight: 1
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: api-ipallowlist
+ matches:
+ - path:
+ type: 
PathPrefix
+ value: /health
diff --git a/apps/base/artifactapi/kustomization.yaml b/apps/base/artifactapi/kustomization.yaml
index 015e9e6..02b2ed1 100644
--- a/apps/base/artifactapi/kustomization.yaml
+++ b/apps/base/artifactapi/kustomization.yaml
@@ -3,16 +3,32 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + # v2 (existing) - artifactapi-deployment.yaml - artifactapi-hpa.yaml - configmap.yaml - - gateway.yaml - httproute.yaml + - services.yaml + # v3 (new) + - cnpg_cluster.yaml + - cnpg_pooler.yaml + - configmap_v3.yaml + - deployment_api.yaml + - deployment_redis.yaml + - deployment_ui.yaml + - gateway_v3.yaml + - hpa_api.yaml + - hpa_ui.yaml + - httproute_v3.yaml + - middleware.yaml + - pvc_v3.yaml + - services_v3.yaml + # shared + - gateway.yaml - namespace.yaml - postgres-deployment.yaml - pvc.yaml - redis-deployment.yaml - - services.yaml - vaultauth.yaml - vaultstaticsecret.yaml
diff --git a/apps/base/artifactapi/middleware.yaml b/apps/base/artifactapi/middleware.yaml
new file mode 100644
index 0000000..f8e958a
--- /dev/null
+++ b/apps/base/artifactapi/middleware.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: api-ipallowlist
+ namespace: artifactapi
+spec:
+ ipAllowList:
+ sourceRange:
+ - 10.10.10.200/32
diff --git a/apps/base/artifactapi/pvc_v3.yaml b/apps/base/artifactapi/pvc_v3.yaml
new file mode 100644
index 0000000..2daf955
--- /dev/null
+++ b/apps/base/artifactapi/pvc_v3.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: artifactapi-v3-redis-data
+ namespace: artifactapi
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: cephrbd-fast-delete
+ volumeMode: Filesystem
diff --git a/apps/base/artifactapi/services_v3.yaml b/apps/base/artifactapi/services_v3.yaml
new file mode 100644
index 0000000..473ea61
--- /dev/null
+++ b/apps/base/artifactapi/services_v3.yaml
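Review bot: The `artifactapi3-api` route repeats the identical `backendRefs` and `api-ipallowlist` filter three times, once each for `/api`, `/config` and `/health`; Gateway API ORs the `matches` inside one rule, so a single rule with three path matches expresses the same routing in a third of the lines and makes it harder for a later path to be added without the allowlist. Worth a comment too: `/health` is behind the IP allowlist, so external uptime checks from outside `10.10.10.200/32` will be rejected by the middleware rather than see the probe result (the kubelet probes in deployment_api.yaml are unaffected since they bypass the gateway). Note that no https rule matches `/` itself; the http listener redirects `/` to https, where it then falls through to the gateway's default response — if the UI is meant to be reachable at the root, a `/` match on the ui route is missing. The merged rule would be:
```yaml
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: artifactapi-v3-api
          port: 80
          weight: 1
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: api-ipallowlist
      # all three prefixes share the allowlist; add new API paths here
      matches:
        - path:
            type: PathPrefix
            value: /api
        - path:
            type: PathPrefix
            value: /config
        - path:
            type: PathPrefix
            value: /health
```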
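Review bot: `ipAllowList.sourceRange` is compared against the client address Traefik itself sees; if the `traefik-internal` entrypoint sits behind a Service or load balancer that does not preserve the client source (no `externalTrafficPolicy: Local` or proxy protocol), every request arrives from a node or LB address, and the single `/32` either blocks everything or — should that hop address ever be allowlisted — admits everyone. Verify the source-IP path end to end before treating this as the only access control on `/api` and `/config`, and record the decision in a comment above `sourceRange`, e.g. `# matched against the direct peer address; only add ipStrategy.depth if a trusted proxy sets X-Forwarded-For`. Since gateway_v3.yaml points external-dns at `198.18.200.4`, stating whether that address is the Traefik pod network or an intermediate LB would answer the question for the next reader.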
@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: artifactapi-v3-api
+ namespace: artifactapi
+spec:
+ internalTrafficPolicy: Cluster
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ selector:
+ app: artifactapi-api
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: artifactapi-v3-ui
+ namespace: artifactapi
+spec:
+ internalTrafficPolicy: Cluster
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ selector:
+ app: artifactapi-ui
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-v3-service
+ namespace: artifactapi
+spec:
+ internalTrafficPolicy: Cluster
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis-v3
+ sessionAffinity: None
+ type: ClusterIP