Deploy svix in production
This deploys a svix-server instance in production configured to use a postgresql and a redis backend.
The redis instance the svix server communicates with is managed in the k8s-cluster-config [1]. It is not managed by the chart.
[1] k8s-clusters-conf!42 (closed)
helm diff
[cluster-components] Comparing changes between branches production and deploy-svix-in-production...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[cluster-components] Generate config in production branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/test-staging-rke2.yaml...
Switched to branch 'deploy-svix-in-production'
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in deploy-svix-in-production branch for cluster-components/values/test-staging-rke2.yaml...
------------- diff for cluster-components/values/admin-rke2.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/admin-rke2.yaml.before, 29 documents
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/admin-rke2.yaml.after, 29 documents
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/archive-production-rke2.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/archive-production-rke2.yaml.before, nine documents
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/archive-production-rke2.yaml.after, 15 documents
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned one difference
|___/
(file level)
---
# Source: cluster-config/templates/svix/network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
│ name: default-deny-svix-ingress
│ namespace: svix-server
spec:
│ podSelector:
│ │ matchLabels: {}
│ policyTypes:
│ - Ingress
# Source: cluster-config/templates/svix/network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
│ name: all-access-svix-http
│ namespace: svix-server
spec:
│ podSelector:
│ │ matchLabels:
│ │ │ app: svix-server
│ ingress:
│ - from:
│ │ - namespaceSelector:
│ │ │ │ matchLabels:
│ │ │ │ │ kubernetes.io/metadata.name: ingress-nginx
│ │ ports:
│ │ - protocol: TCP
│ │ │ port: 8071
# Source: cluster-config/templates/svix/network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
│ name: svix-access-redis
│ namespace: svix-server
spec:
│ podSelector:
│ │ matchLabels:
│ │ │ app: redis-sa-svix
│ ingress:
│ - from:
│ │ - podSelector:
│ │ │ │ matchLabels:
│ │ │ │ │ app: svix-server
│ │ - podSelector:
│ │ │ │ matchLabels:
│ │ │ │ │ app: redis-sa-svix
│ │ ports:
│ │ - protocol: TCP
│ │ │ port: 6379
│ - from:
│ │ - ipBlock:
│ │ │ │ cidr: 0.0.0.0/0
│ │ ports:
│ │ - protocol: TCP
│ │ │ port: 9121
# Source: cluster-config/templates/svix/services.yaml
apiVersion: v1
kind: Service
metadata:
│ name: svix
│ namespace: svix-server
spec:
│ type: ClusterIP
│ selector:
│ │ app: svix-server
│ ports:
│ - port: 8071
│ │ targetPort: 8071
│ │ name: svix
# Source: cluster-config/templates/svix/svix-server.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
│ namespace: svix-server
│ name: svix-server
│ labels:
│ │ app: svix-server
spec:
│ revisionHistoryLimit: 2
│ replicas: 1
│ selector:
│ │ matchLabels:
│ │ │ app: svix-server
│ strategy:
│ │ type: RollingUpdate
│ │ rollingUpdate:
│ │ │ maxSurge: 1
│ template:
│ │ metadata:
│ │ │ labels:
│ │ │ │ app: svix-server
│ │ spec:
│ │ │ affinity:
│ │ │ │ nodeAffinity:
│ │ │ │ │ requiredDuringSchedulingIgnoredDuringExecution:
│ │ │ │ │ │ nodeSelectorTerms:
│ │ │ │ │ │ - matchExpressions:
│ │ │ │ │ │ │ - key: svix-server
│ │ │ │ │ │ │ │ operator: In
│ │ │ │ │ │ │ │ values:
│ │ │ │ │ │ │ │ - "true"
│ │ │ containers:
│ │ │ - name: svix-server
│ │ │ │ resources:
│ │ │ │ │ requests:
│ │ │ │ │ │ memory: 100Mi
│ │ │ │ │ │ cpu: 100m
│ │ │ │ image: "svix/svix-server:v1.16"
│ │ │ │ imagePullPolicy: IfNotPresent
│ │ │ │ ports:
│ │ │ │ - containerPort: 8071
│ │ │ │ │ name: svix
│ │ │ │ readinessProbe:
│ │ │ │ │ httpGet:
│ │ │ │ │ │ path: /
│ │ │ │ │ │ port: svix
│ │ │ │ │ initialDelaySeconds: 5
│ │ │ │ │ failureThreshold: 30
│ │ │ │ │ periodSeconds: 10
│ │ │ │ │ timeoutSeconds: 30
│ │ │ │ livenessProbe:
│ │ │ │ │ httpGet:
│ │ │ │ │ │ path: /
│ │ │ │ │ │ port: svix
│ │ │ │ │ initialDelaySeconds: 3
│ │ │ │ │ periodSeconds: 10
│ │ │ │ │ timeoutSeconds: 30
│ │ │ │ env:
│ │ │ │ - name: SVIX_JWT_SECRET
│ │ │ │ │ valueFrom:
│ │ │ │ │ │ secretKeyRef:
│ │ │ │ │ │ │ name: svix-server-secrets
│ │ │ │ │ │ │ key: SVIX_JWT_SECRET
│ │ │ │ - name: SVIX_DB_PASS
│ │ │ │ │ valueFrom:
│ │ │ │ │ │ secretKeyRef:
│ │ │ │ │ │ │ name: svix-server-secrets
│ │ │ │ │ │ │ key: APP_DB_PASS
│ │ │ │ - name: SVIX_DB_USER
│ │ │ │ │ valueFrom:
│ │ │ │ │ │ secretKeyRef:
│ │ │ │ │ │ │ name: svix-server-secrets
│ │ │ │ │ │ │ key: APP_DB_USER
│ │ │ │ - name: WAIT_FOR
│ │ │ │ │ value: "true" # We want to wait for the default services
│ │ │ │ - name: SVIX_QUEUE_TYPE
│ │ │ │ │ value: redis
│ │ │ │ - name: SVIX_CACHE_TYPE
│ │ │ │ │ value: redis
│ │ │ │ - name: SVIX_REDIS_DSN
│ │ │ │ │ value: "redis://redis-sa-svix.svix-server:6379"
│ │ │ │ - name: SVIX_DB_DSN
│ │ │ │ │ value: "postgresql://$(SVIX_DB_USER):$(SVIX_DB_PASS)@albertina.internal.softwareheritage.org"
# Source: cluster-config/templates/svix/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
│ namespace: svix-server
│ name: svix-ingress
│ annotations:
│ │ cert-manager.io/cluster-issuer: letsencrypt-production-gandi
│ │ kubernetes.io/tls-acme: "true"
│ │ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
│ │ nginx.ingress.kubernetes.io/whitelist-source-range: "10.42.0.0/16,10.43.0.0/16,192.168.50.0/24"
spec:
│ rules:
│ - host: svix.internal.softwareheritage.org
│ │ http:
│ │ │ paths:
│ │ │ - path: /
│ │ │ │ pathType: Prefix
│ │ │ │ backend:
│ │ │ │ │ service:
│ │ │ │ │ │ name: svix
│ │ │ │ │ │ port:
│ │ │ │ │ │ │ number: 8071
│ tls:
│ - hosts:
│ │ - svix.internal.softwareheritage.org
│ │ secretName: swh-svix-crt
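Review bot: In the `svix-access-redis` NetworkPolicy, the second ingress rule admits `cidr: 0.0.0.0/0` on TCP 9121, so that port on the `redis-sa-svix` pods accepts traffic from any source, while 6379 is limited to the two pod selectors. If 9121 is a metrics exporter scraped by the cluster's monitoring stack (inferred from the port number; the page does not say), scope the `from` to that namespace instead of an open `ipBlock`, for example `- namespaceSelector:` / `matchLabels:` / `kubernetes.io/metadata.name: <monitoring-namespace>`. All three policies list only `Ingress` in effect, so egress from the `svix-server` namespace stays unrestricted. If that is intentional, a comment in `network-policies.yaml` saying so would help the next reviewer.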
------------- diff for cluster-components/values/archive-staging-rke2.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/archive-staging-rke2.yaml.before, 15 documents
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/archive-staging-rke2.yaml.after, 15 documents
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/gitlab-production.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/gitlab-production.yaml.before
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/gitlab-production.yaml.after
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/gitlab-staging.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/gitlab-staging.yaml.before
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/gitlab-staging.yaml.after
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/minikube.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/minikube.yaml.before
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/minikube.yaml.after
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/rancher.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/rancher.yaml.before
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/rancher.yaml.after
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
------------- diff for cluster-components/values/test-staging-rke2.yaml -------------
_ __ __
_| |_ _ / _|/ _| between /tmp/swh-chart.cluster-components.46J84Dji/test-staging-rke2.yaml.before, 13 documents
/ _' | | | | |_| |_ and /tmp/swh-chart.cluster-components.46J84Dji/test-staging-rke2.yaml.after, 13 documents
| (_| | |_| | _| _|
\__,_|\__, |_| |_| returned no differences
|___/
Edited by Antoine R. Dumont