Kubernetes Manifests for Inventory App

GitOps repository for inventory management system deployment. Managed by ArgoCD.

Structure

k8s-manifests/
├── base/
│   ├── mysql/          # MySQL StatefulSet + Service + Secret
│   ├── backend/        # Backend Deployment + Service + ConfigMap
│   └── frontend/       # Frontend Deployment + Service + Ingress
├── overlays/
│   ├── prod/           # Production configuration
│   ├── dev/            # Development configuration (optional)
│   └── staging/        # Staging configuration (optional)
└── argocd/
    └── applications/   # ArgoCD Application manifests

Components

MySQL (StatefulSet)

  • Image: mysql:8.0
  • Storage: 10Gi PVC
  • Replicas: 1 (StatefulSet)
  • Service: Headless ClusterIP
  • Secrets: Root password, app user credentials

Backend (Deployment)

  • Image: Updated by CI/CD pipeline
  • Replicas: 3 (prod), 2 (base)
  • Service: ClusterIP on port 3000
  • InitContainer: Wait for MySQL readiness
  • Probes:
    • Liveness: /health
    • Readiness: /ready (checks DB)

Frontend (Deployment)

  • Image: Updated by CI/CD pipeline
  • Replicas: 3 (prod), 2 (base)
  • Service: ClusterIP on port 80
  • Ingress: Routes /api to backend, / to frontend

Deployment Flow

  1. CI/CD pushes code → Triggers Gitea Actions
  2. Build & test → Docker image created
  3. Image pushed → Gitea container registry
  4. Update manifests → CI updates image tag in overlays/prod/kustomization.yaml
  5. ArgoCD detects change → Syncs cluster to Git state
  6. Rollout → Kubernetes deploys new version

Image Tagging Strategy

CI/CD pipeline tags images as:

{branch}-{git-sha}     # e.g., main-a3f5c21 (immutable)
{branch}               # e.g., main (moving)
latest                 # Latest on main branch

Kustomize uses immutable SHA tags for predictable rollbacks.

Manual Deployment (Without ArgoCD)

# Create namespace
kubectl create namespace inventory

# Deploy base + production overlay
kubectl apply -k overlays/prod

# Check status
kubectl get all -n inventory

# View logs
kubectl logs -n inventory deployment/backend
kubectl logs -n inventory deployment/frontend
kubectl logs -n inventory mysql-0

Deploy with ArgoCD

# Apply ArgoCD application
kubectl apply -f argocd/applications/inventory-app.yaml

# Check sync status
argocd app get inventory-app

# Manual sync (if auto-sync disabled)
argocd app sync inventory-app

# View history
argocd app history inventory-app

Rollback Procedures

Method 1: ArgoCD UI

  1. Open ArgoCD → Select inventory-app
  2. Click "History and Rollback"
  3. Select previous healthy revision
  4. Click "Rollback"

Method 2: Git Revert (GitOps)

# Find bad commit
git log overlays/prod/kustomization.yaml

# Revert to previous state
git revert <bad-commit-sha>
git push

# ArgoCD auto-syncs within 3 minutes

Method 3: Manual Image Update

# Edit overlays/prod/kustomization.yaml
vim overlays/prod/kustomization.yaml

# Change image tags to previous working SHA
images:
  - name: gitea.example.com/inventory/backend
    newTag: main-abc1234  # Previous working version

git add overlays/prod/kustomization.yaml
git commit -m "Rollback to known-good version"
git push

Method 4: Emergency kubectl (Last Resort)

# Rollback deployment
kubectl rollout undo deployment/backend -n inventory

# Update Git to match (important for GitOps!)
# Otherwise ArgoCD will revert back

Configuration Management

Secrets

MySQL credentials stored in base/mysql/secret.yaml:

  • IMPORTANT: Replace placeholder passwords before deploying!
  • Consider using external secret management (Sealed Secrets, Vault)

# Generate secure passwords
openssl rand -base64 32

ConfigMaps

Backend configuration in base/backend/configmap.yaml:

  • Database host
  • Database name

Environment-Specific Overrides

Use Kustomize overlays to customize per environment:

# overlays/prod/kustomization.yaml
replicas:
  - name: backend
    count: 3

Ingress Configuration

Default host: inventory.local

Change for your domain:

# base/frontend/ingress.yaml
spec:
  rules:
  - host: inventory.yourdomain.com  # Update this

Routes:

  • inventory.local/api/* → Backend service
  • inventory.local/health → Backend health
  • inventory.local/ready → Backend readiness
  • inventory.local/* → Frontend (catch-all)

Monitoring & Troubleshooting

Check pod status

kubectl get pods -n inventory
kubectl describe pod <pod-name> -n inventory

View logs

# Backend logs
kubectl logs -f deployment/backend -n inventory

# Frontend logs
kubectl logs -f deployment/frontend -n inventory

# MySQL logs
kubectl logs -f mysql-0 -n inventory

Test connectivity

# Port-forward backend
kubectl port-forward -n inventory svc/backend 3000:3000

# Test API
curl http://localhost:3000/health
curl http://localhost:3000/api/items

# Port-forward frontend
kubectl port-forward -n inventory svc/frontend 8080:80
# Open http://localhost:8080

Check ArgoCD sync status

argocd app get inventory-app
argocd app diff inventory-app
argocd app sync inventory-app --dry-run

Resource Requirements

Minimal Cluster Size

  • Nodes: 2+ (for HA)
  • CPU: 2 cores minimum
  • Memory: 4GB minimum
  • Storage: 20GB for MySQL PVC

Production Recommendations

  • Nodes: 3+ (one per replica)
  • CPU: 4+ cores
  • Memory: 8GB+
  • Storage: StorageClass with backup support

CI/CD Integration

CI pipeline automatically updates this repo:

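# In Gitea Actions
# Note: this rewrites every newTag line in the file, so all images get the same tag
sed -i "s|newTag:.*|newTag: ${BRANCH}-${SHA}|" overlays/prod/kustomization.yaml
# Stage the change; without this the commit below has nothing to record
git add overlays/prod/kustomization.yaml
git commit -m "Update image to ${BRANCH}-${SHA}"
git push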

ArgoCD polls Git every 3 minutes or receives webhooks for instant sync.
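
The sed step above interpolates ${BRANCH} unchecked: a branch name containing | or & changes the sed expression, and a name such as feature/x produces a tag the registry will not accept. The following is an added example, not the project's pipeline: it accepts only the immutable {branch}-{git-sha} form from the Image Tagging Strategy section and rewrites the tag of one named image. The function names, the frontend image name and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not the project's pipeline): validate the tag, then rewrite
# only the newTag that belongs to one named image.
LC_ALL=C; export LC_ALL

# True only for {branch}-{git-sha}: Docker-tag-safe characters, at most 128
# long, ending in "-" plus a 7-40 character lowercase hex commit id.
is_immutable_tag() {
  case $1 in
    ''|[-.]*|*[!A-Za-z0-9_.-]*) return 1 ;;  # empty, bad first char, unsafe char
    *-*) ;;                                  # has a branch-sha separator
    *) return 1 ;;                           # "latest", "main": moving tags
  esac
  sha=${1##*-}
  case $sha in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#sha}" -ge 7 ] && [ "${#sha}" -le 40 ] && [ "${#1}" -le 128 ]
}

# set_image_tag FILE IMAGE TAG -> 0 updated, 2 bad tag, 3 image not found.
set_image_tag() {
  file=$1 image=$2 tag=$3
  is_immutable_tag "$tag" || { echo "refusing tag: $tag" >&2; return 2; }
  tmp=$(mktemp) || return 1
  awk -v image="$image" -v tag="$tag" '
    /^[ \t]*-[ \t]*name:/ { current = $3 }          # entering an images[] entry
    /^[ \t]*newTag:/ && current == image {
      sub(/newTag:.*/, "newTag: " tag); changed = 1
    }
    { print }
    END { exit (changed ? 0 : 3) }
  ' "$file" > "$tmp" || { status=$?; rm -f "$tmp"; return "$status"; }
  cat "$tmp" > "$file" && rm -f "$tmp"   # preserves file mode and owner
}

# Constructed sample input; the frontend image name is an assumption.
write_sample() {
  cat > "$1" <<'EOF'
images:
  - name: gitea.example.com/inventory/backend
    newTag: main-abc1234
  - name: gitea.example.com/inventory/frontend
    newTag: main-abc1234
EOF
}

f=$(mktemp) && write_sample "$f"
set_image_tag "$f" gitea.example.com/inventory/backend main-a3f5c21 && cat "$f"
set_image_tag "$f" gitea.example.com/inventory/backend latest || echo "latest rejected"
rm -f "$f"
```

Exit status 3 (image not found) lets the CI job fail instead of committing an unchanged file.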

Security Considerations

  • ✓ Non-root containers
  • ✓ Resource limits enforced
  • ✓ Network policies (optional, add if needed)
  • ✓ Secrets not in Git: base/mysql/secret.yaml holds placeholders only (use external secrets in production)
  • ✓ Ingress TLS (add cert-manager for HTTPS)
  • ✓ RBAC for ArgoCD service accounts

Next Steps

  1. Replace secret passwords in base/mysql/secret.yaml
  2. Update Ingress host to your domain
  3. Configure TLS with cert-manager
  4. Set up monitoring (Prometheus, Grafana)
  5. Add network policies for pod isolation
  6. Configure backup for MySQL PVC