Move definitions to cloud-platform-environments

deploy/production/deployment.tpl.yml

@@ -30,15 +30,31 @@ spec:
       containers:
         - name: nginx
           image: ${ECR_URL}:${IMAGE_TAG_NGINX}
+          resources:
+            limits:
+              cpu: 500m
+              memory: 250Mi
+            requests:
+              cpu: 50m
+              memory: 100Mi
           ports:
             - containerPort: 8080
+              name: http
           volumeMounts:
             - name: uploads
               mountPath: /var/www/html/public/app/uploads
             - name: php-socket
               mountPath: /sock
           securityContext:
             runAsUser: 101
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 8080
+          livenessProbe:
+            httpGet:
+              path: /liveness
+              port: 8080
           env:
             - name: IPS_FORMATTED
               valueFrom:
@@ -48,18 +64,54 @@ spec:
 
         - name: cron
           image: ${ECR_URL}:${IMAGE_TAG_CRON}
+          resources:
+            limits:
+              cpu: 50m
+              memory: 30Mi
+            requests:
+              cpu: 1m
+              memory: 12Mi
           securityContext:
             runAsUser: 3001
 
         - name: fpm
           image: ${ECR_URL}:${IMAGE_TAG_FPM}
+          resources:
+            limits:
+              # If a pod exceeds its CPU limit, Kubernetes will simply throttle the pod.
+              cpu: "4"
+              # If a pod exceeds its memory limit, Kubernetes will kill the pod.
+              memory: 2000Mi
+            requests:
+              cpu: 500m
+              memory: 600Mi
           volumeMounts:
             - name: uploads
               mountPath: /var/www/html/public/app/uploads
             - name: php-socket
               mountPath: /sock
           securityContext:
             runAsUser: 101
+          # Check frequently during startup, so that scaling up can happen as fast as possible.
+          startupProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-readiness.sh
+            failureThreshold: 20
+            periodSeconds: 5
+          # Don't route traffic to this pod if the container is not ready.
+          readinessProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-readiness.sh
+            periodSeconds: 10
+            failureThreshold: 1
+          # Restart the container if it fails liveness script.
+          livenessProbe:
+            exec:
+              command:
+              - /usr/local/bin/fpm-health/fpm-liveness.sh
+            periodSeconds: 10
           env:
             - name: AWS_S3_BUCKET
               valueFrom:
@@ -100,7 +152,17 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: basic-auth-secret
-                  key: auth          
+                  key: auth
+            - name: CACHE_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: elasticache-output
+                  key: primary_endpoint_address
+            - name: CACHE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: elasticache-output
+                  key: auth_token
           envFrom:
             - configMapRef:
                 name: ${KUBE_NAMESPACE}

deploy/production/hpa.yml

@@ -0,0 +1,47 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: intranet-production
+  namespace: intranet-production
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: intranet-production
+  minReplicas: 4
+  maxReplicas: 12
+  metrics:
+    # fpm
+    - type: ContainerResource
+      containerResource:
+        name: cpu
+        container: fpm
+        target:
+          type: Utilization
+          # If request is 500m let's early scale at 250m
+          # Rely on CPU usage for scaling more than memory usage.
+          # For scaling down, CPU settles quickly and memory is freed up slowly.
+          averageUtilization: 50
+    - type: ContainerResource
+      containerResource:
+        name: memory
+        container: fpm
+        target:
+          type: Utilization
+          # If request is 640Mi and php max is 384Mi let's scale at 512Mi
+          averageUtilization: 80
+    # nginx
+    - type: ContainerResource
+      containerResource:
+        name: cpu
+        container: nginx
+        target:
+          type: Utilization
+          averageUtilization: 60
+    - type: ContainerResource
+      containerResource:
+        name: memory
+        container: nginx
+        target:
+          type: Utilization
+          averageUtilization: 70

deploy/production/ingress.tpl.yml

@@ -0,0 +1 @@
+# Intentionally empty file.

deploy/production/service.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service
+  labels:
+    app: intranet-production
+spec:
+  ports:
+  - port: 8080
+    name: http
+  selector:
+    app: intranet-production

deploy/staging/ingress.tpl.yml

@@ -8,13 +8,7 @@ metadata:
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |
-      SecRuleEngine On
-      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
-      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
-      SecRuleRemoveById 949110
-    # nginx.ingress.kubernetes.io/auth-type: basic
-    # nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
-    # nginx.ingress.kubernetes.io/auth-realm: 'Staging User | Authentication Required'
+      ${MODSEC_CONFIG}
     nginx.ingress.kubernetes.io/server-snippet: |
       location = /health {
         auth_basic off;