Production-Ready AI Development Platform with Multi-Voice Synthesis, Smithery MCP Integration, Enterprise Security, and Zero-Timeout Reliability
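# CodeCrucible Synth Kubernetes Production Deployment
# Enterprise-grade deployment with security, monitoring, and scaling
#
# Review notes on this revision (each is also commented at the resource it touches):
#   - Secret: the committed values are base64-encoded placeholders, not real credentials;
#     the comment now says so instead of implying base64 is a protection.
#   - Role: API read access to Secrets dropped (credentials arrive via env injection and
#     the SA token is not mounted, so the grant was unused).
#   - Ingress: `rate-limit`/`rate-limit-window` are not ingress-nginx annotations and were
#     silently ignored; replaced with `limit-rpm`. `X-XSS-Protection` set to `0`.
#   - NetworkPolicy: namespace selectors use the auto-set `kubernetes.io/metadata.name`
#     label instead of a hand-applied `name` label.
#   - Namespace: Pod Security Admission `restricted` enforced; the pod spec below already
#     satisfies it (non-root, seccomp RuntimeDefault, drop ALL, no privilege escalation).
---
apiVersion: v1
kind: Namespace
metadata:
  name: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/environment: production
    # Enforce the restricted Pod Security Standard for everything in this namespace.
    # Any future workload here must meet the same hardening as the Deployment below.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
# ConfigMap for application configuration (non-sensitive values only)
apiVersion: v1
kind: ConfigMap
metadata:
  name: codecrucible-config
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: config
data:
  NODE_ENV: "production"
  LOG_LEVEL: "info"
  METRICS_ENABLED: "true"
  PROMETHEUS_METRICS_PORT: "9090"
  HEALTH_CHECK_PORT: "3003"
  PORT: "3002"
  # Add other non-sensitive configuration here; anything secret belongs in the Secret.
---
# Secret for sensitive configuration
#
# NOTE(review): `data:` values are base64 *encoded*, not encrypted - anyone who can
# read this file can decode them (the JWT_SECRET below decodes to the sample string
# "codecrucible-jwt-secret"). They are placeholders so the manifest applies cleanly;
# they must never be used as-is. For a real cluster, create this Secret out of band
# (external secret store, sealed/encrypted secrets, or `kubectl create secret` from a
# file kept outside version control) and keep live credentials out of this manifest.
apiVersion: v1
kind: Secret
metadata:
  name: codecrucible-secrets
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: secrets
type: Opaque
data:
  # placeholder values (base64 of sample strings) - replace before any real deployment
  JWT_SECRET: Y29kZWNydWNpYmxlLWp3dC1zZWNyZXQ=
  ENCRYPTION_KEY: Y29kZWNydWNpYmxlLWVuY3J5cHRpb24ta2V5
  DATABASE_URL: cG9zdGdyZXNxbDovL3VzZXI6cGFzc0BkYi5leGFtcGxlLmNvbS9jb2RlY3J1Y2libGU=
  REDIS_URL: cmVkaXM6Ly9yZWRpcy5leGFtcGxlLmNvbTo2Mzc5
---
# ServiceAccount with minimal privileges.
# The token is not mounted into pods (also set on the pod spec), so a compromised
# container gets no API credential at all.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: codecrucible-service-account
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: rbac
automountServiceAccountToken: false
---
# Role for limited permissions
#
# NOTE(review): "secrets" was removed from the first rule. Credentials reach the
# container through secretKeyRef env injection and the SA token is never mounted,
# so API-level read access to Secrets was unused; keeping it only widened what a
# compromised pod could reach if the token were ever mounted later.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: codecrucible-role
  namespace: codecrucible-prod
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
# RoleBinding: attaches the limited Role to the application ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codecrucible-rolebinding
  namespace: codecrucible-prod
subjects:
  - kind: ServiceAccount
    name: codecrucible-service-account
    namespace: codecrucible-prod
roleRef:
  kind: Role
  name: codecrucible-role
  apiGroup: rbac.authorization.k8s.io
---
# PersistentVolumeClaim for logs
#
# NOTE(review): ReadWriteOnce can be attached to one node at a time, but the
# Deployment runs 3 replicas with anti-affinity that spreads them across nodes.
# Unless the `fast-ssd` class provides a multi-attach capable volume, replicas on
# other nodes will fail to mount this claim. Confirm the storage class, or switch
# to ReadWriteMany / per-pod storage (e.g. a StatefulSet volumeClaimTemplate).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: codecrucible-logs-pvc
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: fast-ssd
---
# PersistentVolumeClaim for cache (same ReadWriteOnce caveat as the logs claim)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: codecrucible-cache-pvc
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: fast-ssd
---
# Main application deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: codecrucible-synth
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: application
    app.kubernetes.io/version: "3.8.10"
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: codecrucible-synth
      app.kubernetes.io/component: application
  template:
    metadata:
      labels:
        app.kubernetes.io/name: codecrucible-synth
        app.kubernetes.io/component: application
        app.kubernetes.io/version: "3.8.10"
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: codecrucible-service-account
      automountServiceAccountToken: false
      # Pod-level hardening; the container block below repeats the non-root settings
      # so they hold even if another container is added without its own securityContext.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: codecrucible-synth
          # TODO(ops): pin to a digest (codecrucible/synth@sha256:<digest>) so a
          # re-pushed tag cannot change what runs in production.
          image: codecrucible/synth:3.8.10
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            # Root filesystem is immutable; every writable path is an explicit volume below.
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: 3002
              protocol: TCP
            - name: health
              containerPort: 3003
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          env:
            - name: NODE_ENV
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: NODE_ENV
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: LOG_LEVEL
            - name: PORT
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: PORT
            - name: HEALTH_CHECK_PORT
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: HEALTH_CHECK_PORT
            - name: METRICS_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: METRICS_ENABLED
            - name: PROMETHEUS_METRICS_PORT
              valueFrom:
                configMapKeyRef:
                  name: codecrucible-config
                  key: PROMETHEUS_METRICS_PORT
            # Secrets are injected as env vars; they are visible to anyone who can
            # exec into the pod or read its spec, so keep pod-level RBAC tight.
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: codecrucible-secrets
                  key: JWT_SECRET
            - name: ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: codecrucible-secrets
                  key: ENCRYPTION_KEY
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: codecrucible-secrets
                  key: DATABASE_URL
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: codecrucible-secrets
                  key: REDIS_URL
          resources:
            requests:
              memory: "1Gi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "1000m"
          volumeMounts:
            - name: logs-volume
              mountPath: /app/logs
            - name: cache-volume
              mountPath: /app/cache
            - name: tmp-volume
              mountPath: /tmp
            - name: var-tmp-volume
              mountPath: /var/tmp
          livenessProbe:
            httpGet:
              path: /health
              port: health
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
            successThreshold: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: health
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
            successThreshold: 1
          # Allows up to 12 x 10s = 120s for startup before the liveness probe takes over.
          startupProbe:
            httpGet:
              path: /health
              port: health
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 12
            successThreshold: 1
      volumes:
        - name: logs-volume
          persistentVolumeClaim:
            claimName: codecrucible-logs-pvc
        - name: cache-volume
          persistentVolumeClaim:
            claimName: codecrucible-cache-pvc
        # Bounded scratch space so a runaway writer cannot fill the node disk.
        - name: tmp-volume
          emptyDir:
            sizeLimit: 1Gi
        - name: var-tmp-volume
          emptyDir:
            sizeLimit: 1Gi
      nodeSelector:
        kubernetes.io/arch: amd64
        node-type: application
      tolerations:
        - key: "application-workload"
          operator: "Equal"
          value: "true"
          effect: "NoSchedule"
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/name
                      operator: In
                      values:
                        - codecrucible-synth
                topologyKey: kubernetes.io/hostname
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: codecrucible-synth-hpa
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: autoscaling
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: codecrucible-synth
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    # Scale down slowly (5 min window, at most half the pods per minute) to ride
    # out short dips; scale up fast so load spikes are absorbed.
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 50
          periodSeconds: 60
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
        - type: Percent
          value: 100
          periodSeconds: 15
        - type: Pods
          value: 2
          periodSeconds: 60
---
# Pod Disruption Budget: keeps at least 2 of the 3 baseline replicas up during
# voluntary disruptions such as node drains.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: codecrucible-synth-pdb
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: availability
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: codecrucible-synth
      app.kubernetes.io/component: application
  minAvailable: 2
---
# Service for internal communication
apiVersion: v1
kind: Service
metadata:
  name: codecrucible-synth-service
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: service
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9090"
    prometheus.io/path: "/metrics"
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: health
      port: 3003
      targetPort: health
      protocol: TCP
    - name: metrics
      port: 9090
      targetPort: metrics
      protocol: TCP
  selector:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: application
---
# Ingress for external access
#
# NOTE(review):
#   - The previous `rate-limit` / `rate-limit-window` annotations are not recognised
#     by ingress-nginx and were silently ignored, leaving the API without any rate
#     limit. `limit-rpm` expresses the same intent (100 requests per minute).
#   - `configuration-snippet` is only honoured when the controller runs with
#     `allow-snippet-annotations: "true"`; it is disabled by default because snippets
#     let any Ingress author inject arbitrary nginx config. If the header set below is
#     needed, prefer a controller-level ConfigMap or a dedicated headers mechanism.
#   - The CSP keeps `'unsafe-inline'` in script-src, which largely defeats its
#     protection against injected scripts; tighten once the app can run with nonces
#     or hashes.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: codecrucible-synth-ingress
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    # 100 requests per minute per client IP (ingress-nginx rate limiting)
    nginx.ingress.kubernetes.io/limit-rpm: "100"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # X-XSS-Protection is set to 0: the legacy browser filter is deprecated and can
    # itself be abused; the Content-Security-Policy header is the real control.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 0";
      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
      more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; font-src 'self'; object-src 'none'; media-src 'self'; frame-src 'none'; child-src 'none'; form-action 'self'; upgrade-insecure-requests;";
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.codecrucible.com
      secretName: codecrucible-tls-cert
  rules:
    - host: api.codecrucible.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: codecrucible-synth-service
                port:
                  number: 80
---
# NetworkPolicy for security: default-deny both directions for the app pods, then
# allow only the listed peers.
#
# NOTE(review):
#   - Namespace selectors use `kubernetes.io/metadata.name`, which the API server sets
#     on every namespace (available on any cluster that supports the policy/v1 and
#     autoscaling/v2 APIs used above). The previous `name:` label is only present if
#     someone applied it by hand, in which case the rules silently matched nothing.
#   - The prometheus ingress rule has a podSelector only, so it matches Prometheus pods
#     in THIS namespace. If Prometheus runs elsewhere, add a namespaceSelector.
#   - The redis/postgresql egress rules likewise only reach pods in this namespace,
#     while the Secret's sample URLs point at external hostnames; reconcile one or the
#     other before deploying, or the app will be unable to reach its data stores.
#   - The kube-system egress rule has no port restriction; DNS is already covered by
#     the port-53 rule, so tighten this to the specific service actually required.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: codecrucible-synth-netpol
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: security
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: codecrucible-synth
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 3002
        - protocol: TCP
          port: 3003
        - protocol: TCP
          port: 9090
  egress:
    # An empty `to` list matches every destination: DNS on port 53 to anywhere.
    - to: []
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - protocol: TCP
          port: 6379
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
      ports:
        - protocol: TCP
          port: 5432
---
# ServiceMonitor for Prometheus monitoring (requires the Prometheus Operator CRDs)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: codecrucible-synth-metrics
  namespace: codecrucible-prod
  labels:
    app.kubernetes.io/name: codecrucible-synth
    app.kubernetes.io/component: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: codecrucible-synth
      app.kubernetes.io/component: service
  endpoints:
    - port: metrics
      path: /metrics
      interval: 30s
      scrapeTimeout: 10s
  namespaceSelector:
    matchNames:
      - codecrucible-prod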