gitea_admin/k8s-manifests
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
k8s-manifests/README.md
gitea_admin 9f57a5b411 first commit
2026-02-06 17:23:19 +00:00

271 lines
6.4 KiB
Markdown
Raw Permalink Blame History

# Kubernetes Manifests for Inventory App
GitOps repository for inventory management system deployment. Managed by ArgoCD.
## Structure
```
k8s-manifests/
├── base/
│ ├── mysql/ # MySQL StatefulSet + Service + Secret
│ ├── backend/ # Backend Deployment + Service + ConfigMap
│ └── frontend/ # Frontend Deployment + Service + Ingress
├── overlays/
│ ├── prod/ # Production configuration
│ ├── dev/ # Development configuration (optional)
│ └── staging/ # Staging configuration (optional)
└── argocd/
└── applications/ # ArgoCD Application manifests
```
## Components
### MySQL (StatefulSet)
- **Image**: mysql:8.0
- **Storage**: 10Gi PVC
- **Replicas**: 1 (StatefulSet)
- **Service**: Headless ClusterIP
- **Secrets**: Root password, app user credentials
### Backend (Deployment)
- **Image**: Updated by CI/CD pipeline
- **Replicas**: 3 (prod), 2 (base)
- **Service**: ClusterIP on port 3000
- **InitContainer**: Wait for MySQL readiness
- **Probes**:
- Liveness: `/health`
- Readiness: `/ready` (checks DB)
### Frontend (Deployment)
- **Image**: Updated by CI/CD pipeline
- **Replicas**: 3 (prod), 2 (base)
- **Service**: ClusterIP on port 80
- **Ingress**: Routes `/api` to backend, `/` to frontend
## Deployment Flow
1. **CI/CD pushes code** → Triggers Gitea Actions
2. **Build & test** → Docker image created
3. **Image pushed** → Gitea container registry
4. **Update manifests** → CI updates image tag in `overlays/prod/kustomization.yaml`
5. **ArgoCD detects change** → Syncs cluster to Git state
6. **Rollout** → Kubernetes deploys new version
## Image Tagging Strategy
CI/CD pipeline tags images as:
```
{branch}-{git-sha} # e.g., main-a3f5c21 (immutable)
{branch} # e.g., main (moving)
latest # Latest on main branch
```
Kustomize uses immutable SHA tags for predictable rollbacks.
## Manual Deployment (Without ArgoCD)
```bash
# Create namespace
kubectl create namespace inventory
# Deploy base + production overlay
kubectl apply -k overlays/prod
# Check status
kubectl get all -n inventory
# View logs
kubectl logs -n inventory deployment/backend
kubectl logs -n inventory deployment/frontend
kubectl logs -n inventory mysql-0
```
## Deploy with ArgoCD
```bash
# Apply ArgoCD application
kubectl apply -f argocd/applications/inventory-app.yaml
# Check sync status
argocd app get inventory-app
# Manual sync (if auto-sync disabled)
argocd app sync inventory-app
# View history
argocd app history inventory-app
```
## Rollback Procedures
### Method 1: ArgoCD UI
1. Open ArgoCD → Select `inventory-app`
2. Click "History and Rollback"
3. Select previous healthy revision
4. Click "Rollback"
### Method 2: Git Revert (GitOps)
```bash
# Find bad commit
git log overlays/prod/kustomization.yaml
# Revert to previous state
git revert <bad-commit-sha>
git push
# ArgoCD auto-syncs within 3 minutes
```
### Method 3: Manual Image Update
```bash
# Edit overlays/prod/kustomization.yaml
vim overlays/prod/kustomization.yaml
# Change image tags to previous working SHA
images:
- name: gitea.example.com/inventory/backend
newTag: main-abc1234 # Previous working version
git add overlays/prod/kustomization.yaml
git commit -m "Rollback to known-good version"
git push
```
### Method 4: Emergency kubectl (Last Resort)
```bash
# Rollback deployment
kubectl rollout undo deployment/backend -n inventory
# Update Git to match (important for GitOps!)
# Otherwise ArgoCD will revert back
```
## Configuration Management
### Secrets
MySQL credentials stored in `base/mysql/secret.yaml`:
- **IMPORTANT**: Replace placeholder passwords before deploying!
- Consider using external secret management (Sealed Secrets, Vault)
```bash
# Generate secure passwords
openssl rand -base64 32
```
### ConfigMaps
Backend configuration in `base/backend/configmap.yaml`:
- Database host
- Database name
### Environment-Specific Overrides
Use Kustomize overlays to customize per environment:
```yaml
# overlays/prod/kustomization.yaml
replicas:
- name: backend
count: 3
```
## Ingress Configuration
Default host: `inventory.local`
**Change for your domain:**
```yaml
# base/frontend/ingress.yaml
spec:
rules:
- host: inventory.yourdomain.com # Update this
```
Routes:
- `inventory.local/api/*` → Backend service
- `inventory.local/health` → Backend health
- `inventory.local/ready` → Backend readiness
- `inventory.local/*` → Frontend (catch-all)
## Monitoring & Troubleshooting
### Check pod status
```bash
kubectl get pods -n inventory
kubectl describe pod <pod-name> -n inventory
```
### View logs
```bash
# Backend logs
kubectl logs -f deployment/backend -n inventory
# Frontend logs
kubectl logs -f deployment/frontend -n inventory
# MySQL logs
kubectl logs -f mysql-0 -n inventory
```
### Test connectivity
```bash
# Port-forward backend
kubectl port-forward -n inventory svc/backend 3000:3000
# Test API
curl http://localhost:3000/health
curl http://localhost:3000/api/items
# Port-forward frontend
kubectl port-forward -n inventory svc/frontend 8080:80
# Open http://localhost:8080
```
### Check ArgoCD sync status
```bash
argocd app get inventory-app
argocd app diff inventory-app
argocd app sync inventory-app --dry-run
```
## Resource Requirements
### Minimal Cluster Size
- **Nodes**: 2+ (for HA)
- **CPU**: 2 cores minimum
- **Memory**: 4GB minimum
- **Storage**: 20GB for MySQL PVC
### Production Recommendations
- **Nodes**: 3+ (one per replica)
- **CPU**: 4+ cores
- **Memory**: 8GB+
- **Storage**: StorageClass with backup support
## CI/CD Integration
CI pipeline automatically updates this repo:
```bash
# In Gitea Actions
sed -i "s|newTag:.*|newTag: ${BRANCH}-${SHA}|" overlays/prod/kustomization.yaml
git commit -m "Update image to ${BRANCH}-${SHA}"
git push
```
ArgoCD polls Git every 3 minutes or receives webhooks for instant sync.
## Security Considerations
- ✓ Non-root containers
- ✓ Resource limits enforced
- ✓ Network policies (optional, add if needed)
- ✓ Secrets not in Git (use external secrets in production)
- ✓ Ingress TLS (add cert-manager for HTTPS)
- ✓ RBAC for ArgoCD service accounts
## Next Steps
1. **Replace secret passwords** in `base/mysql/secret.yaml`
2. **Update Ingress host** to your domain
3. **Configure TLS** with cert-manager
4. **Set up monitoring** (Prometheus, Grafana)
5. **Add network policies** for pod isolation
6. **Configure backup** for MySQL PVC
Reference in New Issue View Git Blame Copy Permalink