Skip to content

Commit

Permalink
Add phase 1 of production deployment
Browse files Browse the repository at this point in the history
  • Loading branch information
EarthlingDavey committed Oct 1, 2024
1 parent b3ef297 commit a2d36ea
Show file tree
Hide file tree
Showing 5 changed files with 136 additions and 8 deletions.
64 changes: 63 additions & 1 deletion deploy/production/deployment.tpl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,31 @@ spec:
containers:
- name: nginx
image: ${ECR_URL}:${IMAGE_TAG_NGINX}
resources:
limits:
cpu: 500m
memory: 250Mi
requests:
cpu: 50m
memory: 100Mi
ports:
- containerPort: 8080
name: http
volumeMounts:
- name: uploads
mountPath: /var/www/html/public/app/uploads
- name: php-socket
mountPath: /sock
securityContext:
runAsUser: 101
readinessProbe:
httpGet:
path: /readiness
port: 8080
livenessProbe:
httpGet:
path: /liveness
port: 8080
env:
- name: IPS_FORMATTED
valueFrom:
Expand All @@ -48,18 +64,54 @@ spec:

- name: cron
image: ${ECR_URL}:${IMAGE_TAG_CRON}
resources:
limits:
cpu: 50m
memory: 30Mi
requests:
cpu: 1m
memory: 12Mi
securityContext:
runAsUser: 3001

- name: fpm
image: ${ECR_URL}:${IMAGE_TAG_FPM}
resources:
limits:
# If a pod exceeds its CPU limit, Kubernetes will simply throttle the pod.
cpu: "4"
# If a pod exceeds its memory limit, Kubernetes will kill the pod.
memory: 2000Mi
requests:
cpu: 500m
memory: 600Mi
volumeMounts:
- name: uploads
mountPath: /var/www/html/public/app/uploads
- name: php-socket
mountPath: /sock
securityContext:
runAsUser: 101
# Check frequently during startup, so that scaling up can happen as fast as possible.
startupProbe:
exec:
command:
- /usr/local/bin/fpm-health/fpm-readiness.sh
failureThreshold: 20
periodSeconds: 5
# Don't route traffic to this pod if the container is not ready.
readinessProbe:
exec:
command:
- /usr/local/bin/fpm-health/fpm-readiness.sh
periodSeconds: 10
failureThreshold: 1
# Restart the container if it fails liveness script.
livenessProbe:
exec:
command:
- /usr/local/bin/fpm-health/fpm-liveness.sh
periodSeconds: 10
env:
- name: AWS_S3_BUCKET
valueFrom:
Expand Down Expand Up @@ -100,7 +152,17 @@ spec:
valueFrom:
secretKeyRef:
name: basic-auth-secret
key: auth
key: auth
- name: CACHE_HOST
valueFrom:
secretKeyRef:
name: elasticache-output
key: primary_endpoint_address
- name: CACHE_PASSWORD
valueFrom:
secretKeyRef:
name: elasticache-output
key: auth_token
envFrom:
- configMapRef:
name: ${KUBE_NAMESPACE}
Expand Down
47 changes: 47 additions & 0 deletions deploy/production/hpa.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: intranet-production
namespace: intranet-production
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: intranet-production
minReplicas: 4
maxReplicas: 12
metrics:
# fpm
- type: ContainerResource
containerResource:
name: cpu
container: fpm
target:
type: Utilization
# If request is 500m let's early scale at 250m
# Rely on CPU usage for scaling more than memory usage.
# For scaling down, CPU settles quickly and memory is freed up slowly.
averageUtilization: 50
- type: ContainerResource
containerResource:
name: memory
container: fpm
target:
type: Utilization
# If request is 640Mi and php max is 384Mi let's scale at 512Mi
averageUtilization: 80
# nginx
- type: ContainerResource
containerResource:
name: cpu
container: nginx
target:
type: Utilization
averageUtilization: 60
- type: ContainerResource
containerResource:
name: memory
container: nginx
target:
type: Utilization
averageUtilization: 70
13 changes: 13 additions & 0 deletions deploy/production/pod-monitor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: intranet-production
namespace: intranet-production
spec:
selector:
matchLabels:
app: intranet-production
podMetricsEndpoints:
- port: http
path: "/metrics/fpm"
interval: 15s
12 changes: 12 additions & 0 deletions deploy/production/service.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-service
labels:
app: intranet-production
spec:
ports:
- port: 8080
name: http
selector:
app: intranet-production
8 changes: 1 addition & 7 deletions deploy/staging/ingress.tpl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,7 @@ metadata:
external-dns.alpha.kubernetes.io/aws-weight: "100"
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
SecRuleEngine On
SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
SecRuleRemoveById 949110
# nginx.ingress.kubernetes.io/auth-type: basic
# nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
# nginx.ingress.kubernetes.io/auth-realm: 'Staging User | Authentication Required'
${MODSEC_CONFIG}
nginx.ingress.kubernetes.io/server-snippet: |
location = /health {
auth_basic off;
Expand Down

0 comments on commit a2d36ea

Please sign in to comment.