From aac1b654bb8a455c2ea57756f84e2728de18c33b Mon Sep 17 00:00:00 2001 From: BenVincent Date: Fri, 26 Jun 2026 22:18:07 +1000 Subject: [PATCH] feat: migrate to artifactapi 3+ (#197) What changed: - Adds new v3 API and UI deployments (separate api-deployment.yaml, ui-deployment.yaml) alongside the existing monolithic artifactapi-deployment.yaml - Adds CNPG PostgreSQL cluster + pooler to replace the standalone postgres deployment - Adds new api-env configmap, new Vault secrets (postgres-credentials, environment), and a second VaultAuth (default1) - Adds new services targeting the split api and ui selectors - Adds HPAs for both new deployments - Updates kustomization to include all new resources --------- Co-authored-by: Ben Vincent Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/197 --- apps/base/artifactapi/api-deployment.yaml | 91 ++++++++++++++++++++ apps/base/artifactapi/api-hpa.yaml | 41 +++++++++ apps/base/artifactapi/cnpg_cluster.yaml | 91 ++++++++++++++++++++ apps/base/artifactapi/cnpg_pooler.yaml | 33 +++++++ apps/base/artifactapi/configmap.yaml | 17 ++++ apps/base/artifactapi/kustomization.yaml | 20 ++++- apps/base/artifactapi/services.yaml | 52 +++++++++++ apps/base/artifactapi/ui-deployment.yaml | 58 +++++++++++++ apps/base/artifactapi/ui-hpa.yaml | 41 +++++++++ apps/base/artifactapi/vaultauth.yaml | 19 ++++ apps/base/artifactapi/vaultstaticsecret.yaml | 35 ++++++++ 11 files changed, 494 insertions(+), 4 deletions(-) create mode 100644 apps/base/artifactapi/api-deployment.yaml create mode 100644 apps/base/artifactapi/api-hpa.yaml create mode 100644 apps/base/artifactapi/cnpg_cluster.yaml create mode 100644 apps/base/artifactapi/cnpg_pooler.yaml create mode 100644 apps/base/artifactapi/ui-deployment.yaml create mode 100644 apps/base/artifactapi/ui-hpa.yaml diff --git a/apps/base/artifactapi/api-deployment.yaml b/apps/base/artifactapi/api-deployment.yaml new file mode 100644 index 0000000..8abe40a --- /dev/null +++ b/apps/base/artifactapi/api-deployment.yaml @@ -0,0 +1,91 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: api + namespace: artifactapi + annotations: + reloader.stakater.com/auto: "true" +spec: + selector: + matchLabels: + app: api + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: api + spec: + automountServiceAccountToken: true + initContainers: + - name: combine-certs + image: alpine:3 + command: + - sh + - -c + - cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt + volumeMounts: + - name: vault-ca-cert + mountPath: /custom-ca + readOnly: true + - name: combined-certs + mountPath: /combined-certs + containers: + - name: api + image: git.unkin.net/unkin/artifactapi:v3.5.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 + name: http + protocol: TCP + envFrom: + - configMapRef: + name: api-env + optional: false + - secretRef: + name: environment2 + optional: false + volumeMounts: + - name: combined-certs + mountPath: /etc/ssl/combined + readOnly: true + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 4Gi + requests: + cpu: 100m + memory: 256Mi + volumes: + - name: vault-ca-cert + secret: + secretName: vault-ca-cert + items: + - key: ca.crt + path: ca.crt + - name: combined-certs + emptyDir: {} + restartPolicy: Always diff --git a/apps/base/artifactapi/api-hpa.yaml b/apps/base/artifactapi/api-hpa.yaml new file mode 100644 index 0000000..5d844e6 --- /dev/null +++ b/apps/base/artifactapi/api-hpa.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: api-hpa + namespace: artifactapi +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: api + minReplicas: 2 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 60 + behavior: + scaleUp: + stabilizationWindowSeconds: 0 + selectPolicy: Max + policies: + - type: Percent + value: 100 + periodSeconds: 30 + - type: Pods + value: 4 + periodSeconds: 30 + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Min + policies: + - type: Percent + value: 10 + periodSeconds: 60 + - type: Pods + value: 2 + periodSeconds: 60 diff --git a/apps/base/artifactapi/cnpg_cluster.yaml b/apps/base/artifactapi/cnpg_cluster.yaml new file mode 100644 index 0000000..bb92358 --- /dev/null +++ b/apps/base/artifactapi/cnpg_cluster.yaml @@ -0,0 +1,91 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: postgres + namespace: artifactapi +spec: + affinity: + podAntiAffinityType: preferred + bootstrap: + initdb: + database: artifacts + encoding: UTF8 + localeCType: C + localeCollate: C + owner: artifacts + secret: + name: postgres-credentials + enablePDB: true + enableSuperuserAccess: false + failoverDelay: 0 + imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie + instances: 3 + logLevel: info + maxSyncReplicas: 0 + minSyncReplicas: 0 + monitoring: + customQueriesConfigMap: + - key: queries + name: cnpg-default-monitoring + disableDefaultQueries: false + enablePodMonitor: false + postgresql: + parameters: + archive_mode: "on" + archive_timeout: 5min + dynamic_shared_memory_type: posix + effective_cache_size: 256MB + full_page_writes: "on" + log_destination: csvlog + log_directory: /controller/log + log_filename: postgres + log_rotation_age: "0" + log_rotation_size: "0" + log_truncate_on_rotation: "false" + logging_collector: "on" + max_connections: "200" + max_parallel_workers: "16" + max_replication_slots: "16" + max_worker_processes: "16" + shared_buffers: 128MB + shared_memory_type: mmap + ssl_max_protocol_version: TLSv1.3 + ssl_min_protocol_version: TLSv1.3 + wal_keep_size: 256MB + wal_level: logical + wal_log_hints: "on" + wal_receiver_timeout: 5s + wal_sender_timeout: 5s + syncReplicaElectionConstraint: + enabled: false + primaryUpdateMethod: restart + primaryUpdateStrategy: unsupervised + probes: + liveness: + isolationCheck: + connectionTimeout: 1000 + enabled: true + requestTimeout: 1000 + replicationSlots: + highAvailability: + enabled: true + slotPrefix: _cnpg_ + synchronizeReplicas: + enabled: true + updateInterval: 30 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 250m + memory: 256Mi + smartShutdownTimeout: 180 + startDelay: 3600 + stopDelay: 1800 + storage: + resizeInUseVolumes: true + size: 20Gi + storageClass: cephrbd-fast-delete + switchoverDelay: 3600 diff --git a/apps/base/artifactapi/cnpg_pooler.yaml b/apps/base/artifactapi/cnpg_pooler.yaml new file mode 100644 index 0000000..2bb6f84 --- /dev/null +++ b/apps/base/artifactapi/cnpg_pooler.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Pooler +metadata: + name: postgres-pooler + namespace: artifactapi +spec: + cluster: + name: postgres + instances: 2 + pgbouncer: + parameters: + default_pool_size: "100" + max_client_conn: "400" + paused: false + poolMode: session + template: + metadata: + labels: + app: pooler + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - pooler + topologyKey: kubernetes.io/hostname + containers: [] + type: rw diff --git a/apps/base/artifactapi/configmap.yaml b/apps/base/artifactapi/configmap.yaml index ddbfd7d..6552dcb 100644 --- a/apps/base/artifactapi/configmap.yaml +++ b/apps/base/artifactapi/configmap.yaml @@ -25,3 +25,20 @@ metadata: data: POSTGRES_DB: artifacts POSTGRES_USER: artifacts +### +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: api-env + namespace: artifactapi +data: + DBHOST: postgres-pooler + DBNAME: artifacts + DBPORT: "5432" + DBUSER: artifacts + MINIO_BUCKET: artifactapi-prod-k8s-syd1-au + MINIO_ENDPOINT: radosgw.service.consul + MINIO_SECURE: "true" + REDIS_URL: redis://redis:6379 + SSL_CERT_FILE: /etc/ssl/combined/ca-certificates.crt diff --git a/apps/base/artifactapi/kustomization.yaml b/apps/base/artifactapi/kustomization.yaml index f17827b..afdb406 100644 --- a/apps/base/artifactapi/kustomization.yaml +++ b/apps/base/artifactapi/kustomization.yaml @@ -5,16 +5,28 @@ kind: Kustomization resources: - artifactapi-deployment.yaml - artifactapi-hpa.yaml - - configmap.yaml - httproute.yaml + - postgres-deployment.yaml + - redis-deployment.yaml + - pvc.yaml + # shared + - configmap.yaml - services.yaml - gateway.yaml - namespace.yaml - - postgres-deployment.yaml - - pvc.yaml - - redis-deployment.yaml - vaultauth.yaml - vaultstaticsecret.yaml + # new + - api-deployment.yaml + - api-hpa.yaml + - cnpg_cluster.yaml + - cnpg_pooler.yaml + - ui-deployment.yaml + - ui-hpa.yaml + # to copy still + # - httproute.yaml + # - redis-deployment.yaml + configMapGenerator: - name: remotes-config diff --git a/apps/base/artifactapi/services.yaml b/apps/base/artifactapi/services.yaml index f598cac..aaa05fd 100644 --- a/apps/base/artifactapi/services.yaml +++ b/apps/base/artifactapi/services.yaml @@ -49,3 +49,55 @@ spec: app: redis sessionAffinity: None type: ClusterIP +#### +--- +apiVersion: v1 +kind: Service +metadata: + name: artifactapi + namespace: artifactapi +spec: + internalTrafficPolicy: Cluster + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: api + sessionAffinity: None + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: ui + namespace: artifactapi +spec: + internalTrafficPolicy: Cluster + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: ui + sessionAffinity: None + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: artifactapi +spec: + internalTrafficPolicy: Cluster + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + sessionAffinity: None + type: ClusterIP diff --git a/apps/base/artifactapi/ui-deployment.yaml b/apps/base/artifactapi/ui-deployment.yaml new file mode 100644 index 0000000..a698c27 --- /dev/null +++ b/apps/base/artifactapi/ui-deployment.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ui + namespace: artifactapi + annotations: + reloader.stakater.com/auto: "true" +spec: + selector: + matchLabels: + app: ui + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: ui + spec: + automountServiceAccountToken: true + containers: + - name: ui + image: git.unkin.net/unkin/artifactapi-ui:v3.5.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + name: http + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: http + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 + httpGet: + path: / + port: http + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 50m + memory: 128Mi + restartPolicy: Always diff --git a/apps/base/artifactapi/ui-hpa.yaml b/apps/base/artifactapi/ui-hpa.yaml new file mode 100644 index 0000000..8ba433a --- /dev/null +++ b/apps/base/artifactapi/ui-hpa.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: ui-hpa + namespace: artifactapi +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: ui + minReplicas: 2 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 60 + behavior: + scaleUp: + stabilizationWindowSeconds: 0 + selectPolicy: Max + policies: + - type: Percent + value: 100 + periodSeconds: 30 + - type: Pods + value: 4 + periodSeconds: 30 + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Min + policies: + - type: Percent + value: 10 + periodSeconds: 60 + - type: Pods + value: 2 + periodSeconds: 60 diff --git a/apps/base/artifactapi/vaultauth.yaml b/apps/base/artifactapi/vaultauth.yaml index 669e976..6714f4a 100644 --- a/apps/base/artifactapi/vaultauth.yaml +++ b/apps/base/artifactapi/vaultauth.yaml @@ -16,3 +16,22 @@ spec: method: kubernetes mount: k8s/au/syd1 vaultConnectionRef: vso-system/default +### change to default from default1 +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: default1 + namespace: artifactapi +spec: + allowedNamespaces: + - artifactapi + kubernetes: + audiences: + - vault + role: default + serviceAccount: default + tokenExpirationSeconds: 600 + method: kubernetes + mount: k8s/au/syd1 + vaultConnectionRef: vso-system/default diff --git a/apps/base/artifactapi/vaultstaticsecret.yaml b/apps/base/artifactapi/vaultstaticsecret.yaml index 68c1af5..695e1a6 100644 --- a/apps/base/artifactapi/vaultstaticsecret.yaml +++ b/apps/base/artifactapi/vaultstaticsecret.yaml @@ -32,3 +32,38 @@ spec: refreshAfter: 5m type: kv-v2 vaultAuthRef: default +### change auth ref to default from default1 +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-credentials + namespace: artifactapi +spec: + destination: + create: true + name: postgres-credentials + overwrite: true + hmacSecretData: true + mount: kv + path: kubernetes/namespace/artifactapi/default/postgres-credentials + refreshAfter: 5m + type: kv-v2 + vaultAuthRef: default1 +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: environment2 + namespace: artifactapi +spec: + destination: + create: true + name: environment + overwrite: true + hmacSecretData: true + mount: kv + path: kubernetes/namespace/artifactapi/default/environment + refreshAfter: 5m + type: kv-v2 + vaultAuthRef: default1