Kubernetes Manifests for Inventory App
GitOps repository for inventory management system deployment. Managed by ArgoCD.
Structure
k8s-manifests/
├── base/
│ ├── mysql/ # MySQL StatefulSet + Service + Secret
│ ├── backend/ # Backend Deployment + Service + ConfigMap
│ └── frontend/ # Frontend Deployment + Service + Ingress
├── overlays/
│ ├── prod/ # Production configuration
│ ├── dev/ # Development configuration (optional)
│ └── staging/ # Staging configuration (optional)
└── argocd/
└── applications/ # ArgoCD Application manifests
Components
MySQL (StatefulSet)
- Image: mysql:8.0
- Storage: 10Gi PVC
- Replicas: 1 (StatefulSet)
- Service: Headless ClusterIP
- Secrets: Root password, app user credentials
Backend (Deployment)
- Image: Updated by CI/CD pipeline
- Replicas: 3 (prod), 2 (base)
- Service: ClusterIP on port 3000
- InitContainer: Wait for MySQL readiness
- Probes:
- Liveness:
/health - Readiness:
/ready(checks DB)
- Liveness:
Frontend (Deployment)
- Image: Updated by CI/CD pipeline
- Replicas: 3 (prod), 2 (base)
- Service: ClusterIP on port 80
- Ingress: Routes
/apito backend,/to frontend
Deployment Flow
- CI/CD pushes code → Triggers Gitea Actions
- Build & test → Docker image created
- Image pushed → Gitea container registry
- Update manifests → CI updates image tag in
overlays/prod/kustomization.yaml - ArgoCD detects change → Syncs cluster to Git state
- Rollout → Kubernetes deploys new version
Image Tagging Strategy
CI/CD pipeline tags images as:
{branch}-{git-sha} # e.g., main-a3f5c21 (immutable)
{branch} # e.g., main (moving)
latest # Latest on main branch
Kustomize uses immutable SHA tags for predictable rollbacks.
Manual Deployment (Without ArgoCD)
# Create namespace
kubectl create namespace inventory
# Deploy base + production overlay
kubectl apply -k overlays/prod
# Check status
kubectl get all -n inventory
# View logs
kubectl logs -n inventory deployment/backend
kubectl logs -n inventory deployment/frontend
kubectl logs -n inventory mysql-0
Deploy with ArgoCD
# Apply ArgoCD application
kubectl apply -f argocd/applications/inventory-app.yaml
# Check sync status
argocd app get inventory-app
# Manual sync (if auto-sync disabled)
argocd app sync inventory-app
# View history
argocd app history inventory-app
Rollback Procedures
Method 1: ArgoCD UI
- Open ArgoCD → Select
inventory-app - Click "History and Rollback"
- Select previous healthy revision
- Click "Rollback"
Method 2: Git Revert (GitOps)
# Find bad commit
git log overlays/prod/kustomization.yaml
# Revert to previous state
git revert <bad-commit-sha>
git push
# ArgoCD auto-syncs within 3 minutes
Method 3: Manual Image Update
# Edit overlays/prod/kustomization.yaml
vim overlays/prod/kustomization.yaml
# Change image tags to previous working SHA
images:
- name: gitea.example.com/inventory/backend
newTag: main-abc1234 # Previous working version
git add overlays/prod/kustomization.yaml
git commit -m "Rollback to known-good version"
git push
Method 4: Emergency kubectl (Last Resort)
# Rollback deployment
kubectl rollout undo deployment/backend -n inventory
# Update Git to match (important for GitOps!)
# Otherwise ArgoCD will revert back
Configuration Management
Secrets
MySQL credentials stored in base/mysql/secret.yaml:
- IMPORTANT: Replace placeholder passwords before deploying!
- Consider using external secret management (Sealed Secrets, Vault)
# Generate secure passwords
openssl rand -base64 32
ConfigMaps
Backend configuration in base/backend/configmap.yaml:
- Database host
- Database name
Environment-Specific Overrides
Use Kustomize overlays to customize per environment:
# overlays/prod/kustomization.yaml
replicas:
- name: backend
count: 3
Ingress Configuration
Default host: inventory.local
Change for your domain:
# base/frontend/ingress.yaml
spec:
rules:
- host: inventory.yourdomain.com # Update this
Routes:
inventory.local/api/*→ Backend serviceinventory.local/health→ Backend healthinventory.local/ready→ Backend readinessinventory.local/*→ Frontend (catch-all)
Monitoring & Troubleshooting
Check pod status
kubectl get pods -n inventory
kubectl describe pod <pod-name> -n inventory
View logs
# Backend logs
kubectl logs -f deployment/backend -n inventory
# Frontend logs
kubectl logs -f deployment/frontend -n inventory
# MySQL logs
kubectl logs -f mysql-0 -n inventory
Test connectivity
# Port-forward backend
kubectl port-forward -n inventory svc/backend 3000:3000
# Test API
curl http://localhost:3000/health
curl http://localhost:3000/api/items
# Port-forward frontend
kubectl port-forward -n inventory svc/frontend 8080:80
# Open http://localhost:8080
Check ArgoCD sync status
argocd app get inventory-app
argocd app diff inventory-app
argocd app sync inventory-app --dry-run
Resource Requirements
Minimal Cluster Size
- Nodes: 2+ (for HA)
- CPU: 2 cores minimum
- Memory: 4GB minimum
- Storage: 20GB for MySQL PVC
Production Recommendations
- Nodes: 3+ (one per replica)
- CPU: 4+ cores
- Memory: 8GB+
- Storage: StorageClass with backup support
CI/CD Integration
CI pipeline automatically updates this repo:
# In Gitea Actions
sed -i "s|newTag:.*|newTag: ${BRANCH}-${SHA}|" overlays/prod/kustomization.yaml
git commit -m "Update image to ${BRANCH}-${SHA}"
git push
ArgoCD polls Git every 3 minutes or receives webhooks for instant sync.
Security Considerations
- ✓ Non-root containers
- ✓ Resource limits enforced
- ✓ Network policies (optional, add if needed)
- ✓ Secrets not in Git (use external secrets in production)
- ✓ Ingress TLS (add cert-manager for HTTPS)
- ✓ RBAC for ArgoCD service accounts
Next Steps
- Replace secret passwords in
base/mysql/secret.yaml - Update Ingress host to your domain
- Configure TLS with cert-manager
- Set up monitoring (Prometheus, Grafana)
- Add network policies for pod isolation
- Configure backup for MySQL PVC