From 937af84abcadb5a9d272c49d4ccbc3bf6c3cf367 Mon Sep 17 00:00:00 2001 From: adelyaou Date: Wed, 15 Oct 2025 16:14:10 +0700 Subject: [PATCH] init: manifest repository for deploying pipelines --- base/backend/backend-deployment.yaml | 83 +++++++++++++++++++ base/backend/be-networkpolicy.yaml | 44 ++++++++++ base/configmap.yaml | 9 ++ base/database/db-deployment.yaml | 109 +++++++++++++++++++++++++ base/database/db-networkpolicy.yaml | 20 +++++ base/frontend/fe-networkpolicy-fe.yaml | 38 +++++++++ base/frontend/frontend-deployment.yaml | 84 +++++++++++++++++++ base/kustomization.yaml | 11 +++ base/networkpolicy-default.yaml | 10 +++ base/rbac.yaml | 104 +++++++++++++++++++++++ base/secret.yaml | 9 ++ overlays/dev/kustomization.yaml | 22 +++++ overlays/dev/patch-deployment.yaml | 34 ++++++++ overlays/prod/kustomization.yaml | 19 +++++ overlays/prod/patch-deployment.yaml | 35 ++++++++ overlays/stag/kustomization.yaml | 19 +++++ overlays/stag/patch-deployment.yaml | 35 ++++++++ 17 files changed, 685 insertions(+) create mode 100644 base/backend/backend-deployment.yaml create mode 100644 base/backend/be-networkpolicy.yaml create mode 100644 base/configmap.yaml create mode 100644 base/database/db-deployment.yaml create mode 100644 base/database/db-networkpolicy.yaml create mode 100644 base/frontend/fe-networkpolicy-fe.yaml create mode 100644 base/frontend/frontend-deployment.yaml create mode 100644 base/kustomization.yaml create mode 100644 base/networkpolicy-default.yaml create mode 100644 base/rbac.yaml create mode 100644 base/secret.yaml create mode 100644 overlays/dev/kustomization.yaml create mode 100644 overlays/dev/patch-deployment.yaml create mode 100644 overlays/prod/kustomization.yaml create mode 100644 overlays/prod/patch-deployment.yaml create mode 100644 overlays/stag/kustomization.yaml create mode 100644 overlays/stag/patch-deployment.yaml 
diff --git a/base/backend/backend-deployment.yaml b/base/backend/backend-deployment.yaml
new file mode 100644
index 0000000..2841cda
--- /dev/null
+++ b/base/backend/backend-deployment.yaml
@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend-deployment
+ namespace: intern-workspace
+ labels:
+ app: employee-backend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: employee-backend
+ template:
+ metadata:
+ labels:
+ app: employee-backend
+
+ spec:
+ serviceAccountName: backend-sa
+
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+
+ containers:
+ - name: employee-backend
+ image: adelyao/employee-backend:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 4000
+
+ envFrom:
+ - configMapRef:
+ name: app-config
+ - secretRef:
+ name: db-secret
+
+ readinessProbe:
+ httpGet:
+ path: /api/health
+ port: 4000
+ initialDelaySeconds: 15
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /api/health
+ port: 4000
+ initialDelaySeconds: 15
+ periodSeconds: 5
+
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "100m"
+ limits:
+ memory: "128Mi"
+ cpu: "200m"
+
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend-service
+ namespace: intern-workspace
+ labels:
+ app: employee-backend
+spec:
+ type: ClusterIP
+ ports:
+ - port: 4000
+ targetPort: 4000
+ protocol: TCP
+ selector:
+ app: employee-backend
\ No newline at end of file
diff --git a/base/backend/be-networkpolicy.yaml b/base/backend/be-networkpolicy.yaml
new file mode 100644
index 0000000..0d1a887
--- /dev/null
+++ b/base/backend/be-networkpolicy.yaml
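Review bot: The backend pod receives every key of `db-secret` through `envFrom: - secretRef: name: db-secret`, which puts `MYSQL_ROOT_PASSWORD` into the application's environment even though `DB_USER`/`DB_PASSWORD` are the keys an application tier would use; any environment dump, crash report or container compromise then also yields the database root password. Inject only the needed keys explicitly, e.g. `env: - name: DB_PASSWORD` with `valueFrom: secretKeyRef: {name: db-secret, key: DB_PASSWORD}` (and the same for `DB_USER`), or split the root password into a secret that only the database pod references. The container hardening is otherwise good; adding `seccompProfile: type: RuntimeDefault` to the pod `securityContext` would meet the restricted Pod Security Standard, and pinning `adelyao/employee-backend:latest` to a digest would make the `imagePullPolicy: Always` rollouts reproducible.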
@@ -0,0 +1,44 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: backend-policy
+ namespace: intern-workspace
+spec:
+ podSelector:
+ matchLabels:
+ app: employee-backend
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: employee-frontend
+ ports:
+ - protocol: TCP
+ port: 4000
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: employee-frontend
+ ports:
+ - protocol: TCP
+ port: 4000
+
+ - to:
+ - podSelector:
+ matchLabels:
+ app: mysql
+ ports:
+ - protocol: TCP
+ port: 3306
+
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
\ No newline at end of file
diff --git a/base/configmap.yaml b/base/configmap.yaml
new file mode 100644
index 0000000..f38ef69
--- /dev/null
+++ b/base/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: app-config
+data:
+ DB_NAME: "employee_app"
+ DB_HOST: "db"
+ DB_PORT: "3306"
+ FRONTEND_URL: "http://localhost:30080"
diff --git a/base/database/db-deployment.yaml b/base/database/db-deployment.yaml
new file mode 100644
index 0000000..ad12445
--- /dev/null
+++ b/base/database/db-deployment.yaml
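Review bot: The first egress rule lets the backend open connections to `app: employee-frontend` on port 4000, but the frontend container listens on 8080 (frontend-deployment.yaml) and the frontend policy only admits ingress on 80/443/30080, so this rule matches no real flow and looks like a copy of the ingress rule above it; dropping it leaves the backend's egress allow-list at exactly MySQL and DNS. The DNS rule `- namespaceSelector: {}` with ports 53 permits port 53 on every pod in every namespace; narrowing it to the namespace that hosts cluster DNS (commonly `kube-system`, plus the resolver's pod label — confirm for this cluster) keeps the allow-list minimal. Note that `podSelector` peers without a `namespaceSelector` match only the policy's own namespace, which is what the overlays' `namespace:` rewrite relies on.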
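Review bot: `app-config` has no `metadata.namespace`, while the Deployments that consume it via `envFrom: - configMapRef: name: app-config` are pinned to `intern-workspace`; the same is true of `db-secret` (secret.yaml) and the `db` Service (db-deployment.yaml). A kustomize build through an overlay rewrites every resource's namespace so the result is consistent, but applying `base/` directly would create these three objects in the kubectl context's namespace and the pods would fail with missing ConfigMap/Secret references. Either add `namespace: intern-workspace` to all three or remove the hard-coded namespace from every base resource and let the overlays own it. `FRONTEND_URL: "http://localhost:30080"` is presumably the allowed browser origin for the NodePort; if so it is only right for a local cluster and probably belongs in the overlay patches next to `VITE_API_URL`.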
@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mysql-pvc
+ namespace: intern-workspace
+ labels:
+ app: mysql
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql-deployment
+ namespace: intern-workspace
+ labels:
+ app: mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysql
+ template:
+ metadata:
+ labels:
+ app: mysql
+ spec:
+ serviceAccountName: database-sa
+
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+
+ containers:
+ - name: mysql
+ image: mysql:8.0
+ ports:
+ - containerPort: 3306
+ envFrom:
+ - configMapRef:
+ name: app-config
+ - secretRef:
+ name: db-secret
+
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - mysqladmin ping -h 127.0.0.1 -u root -p$(MYSQL_ROOT_PASSWORD)
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - mysqladmin ping -h 127.0.0.1 -u root -p$(MYSQL_ROOT_PASSWORD)
+ initialDelaySeconds: 20
+ periodSeconds: 10
+
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+
+
+ volumeMounts:
+ - name: mysql-storage
+ mountPath: /var/lib/mysql
+
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+ volumes:
+ - name: mysql-storage
+ persistentVolumeClaim:
+ claimName: mysql-pvc
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: db
+ labels:
+ app: mysql
+spec:
+ type: ClusterIP
+ ports:
+ - port: 3306
+ targetPort: 3306
+ protocol: TCP
+ selector:
+ app: mysql
diff --git a/base/database/db-networkpolicy.yaml b/base/database/db-networkpolicy.yaml
new file mode 100644
index 0000000..124b709
--- /dev/null
+++ b/base/database/db-networkpolicy.yaml
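Review bot: Both probes run `mysqladmin ping -h 127.0.0.1 -u root -p$(MYSQL_ROOT_PASSWORD)`, which places the database root password in the argv of a process visible in the container's process table and in any probe failure output the kubelet records. `mysqladmin ping` reports the server as alive whether or not authentication succeeds, so the credential adds nothing; use `- mysqladmin ping -h 127.0.0.1` alone, or if an authenticated check is wanted pass the password through the `MYSQL_PWD` environment variable instead of the command line. Two smaller points: the container `securityContext` omits `readOnlyRootFilesystem` (the backend sets `true`; mysql needs writable `/var/run/mysqld` and `/tmp`, which can be `emptyDir` mounts — confirm against the image), and `envFrom: - configMapRef: name: app-config` hands the database pod keys such as `FRONTEND_URL` it has no use for. `image: mysql:8.0` is a floating minor tag; pinning a patch version or digest makes upgrades deliberate.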
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: db-policy
+ namespace: intern-workspace
+spec:
+ podSelector:
+ matchLabels:
+ app: mysql
+ policyTypes:
+ - Ingress
+
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: employee-backend
+ ports:
+ - protocol: TCP
+ port: 3306
diff --git a/base/frontend/fe-networkpolicy-fe.yaml b/base/frontend/fe-networkpolicy-fe.yaml
new file mode 100644
index 0000000..9ca3a1d
--- /dev/null
+++ b/base/frontend/fe-networkpolicy-fe.yaml
@@ -0,0 +1,38 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: frontend-policy
+ namespace: intern-workspace
+spec:
+ podSelector:
+ matchLabels:
+ app: employee-frontend
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from: []
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 30080
+
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: employee-backend
+ ports:
+ - protocol: TCP
+ port: 4000
+
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
\ No newline at end of file
diff --git a/base/frontend/frontend-deployment.yaml b/base/frontend/frontend-deployment.yaml
new file mode 100644
index 0000000..05a0e41
--- /dev/null
+++ b/base/frontend/frontend-deployment.yaml
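Review bot: The frontend policy's ingress rule only admits TCP 80, 443 and 30080, but the frontend container listens on 8080 (`containerPort: 8080`, and the NodePort Service's `targetPort: 8080`); NodePort traffic is delivered to the pod on the target port, so once `default-deny` is in effect the frontend is unreachable from outside. Replace the three port entries with a single `- protocol: TCP` / `port: 8080`. `from: []` (an empty peer list) matches every source, which is presumably deliberate for an externally exposed NodePort but deserves a comment such as `# intentionally any-source: NodePort clients carry no pod identity to select on`. The DNS egress to `namespaceSelector: {}` on port 53 could be narrowed to the namespace hosting cluster DNS, as for the backend policy.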
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend-deployment
+ namespace: intern-workspace
+ labels:
+ app: employee-frontend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: employee-frontend
+ template:
+ metadata:
+ labels:
+ app: employee-frontend
+ spec:
+ serviceAccountName: frontend-sa
+
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+
+ containers:
+ - name: employee-frontend
+ image: adelyao/employee-frontend:latest
+ ports:
+ - containerPort: 8080
+
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 10
+
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "100m"
+ limits:
+ memory: "128Mi"
+ cpu: "200m"
+
+ volumeMounts:
+ - name: run
+ mountPath: /run
+
+ volumes:
+ - name: run
+ emptyDir: {}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: frontend-service
+ namespace: intern-workspace
+ labels:
+ app: employee-frontend
+spec:
+ type: NodePort
+ ports:
+ - port: 8080
+ targetPort: 8080
+ nodePort: 30080
+ protocol: TCP
+ selector:
+ app: employee-frontend
\ No newline at end of file
diff --git a/base/kustomization.yaml b/base/kustomization.yaml
new file mode 100644
index 0000000..332b539
--- /dev/null
+++ b/base/kustomization.yaml
@@ -0,0 +1,11 @@
+resources:
+ - backend/backend-deployment.yaml
+ - backend/be-networkpolicy.yaml
+ - frontend/frontend-deployment.yaml
+ - frontend/fe-networkpolicy.yaml
+ - database/db-deployment.yaml
+ - database/db-networkpolicy.yaml
+ - networkpolicy-default.yaml
+ - configmap.yaml
+ - secret.yaml
+ - rbac.yaml
\ No newline at end of file
diff --git a/base/networkpolicy-default.yaml b/base/networkpolicy-default.yaml
new file mode 100644
index 0000000..97c911d
--- /dev/null
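Review bot: The frontend container sets `readOnlyRootFilesystem: false` while the backend sets it to `true`, and the only writable mount provided is the `run` emptyDir at `/run`; if the remaining write paths are the usual web-server cache and pid directories, adding them as `emptyDir` mounts and setting the flag to `true` brings both tiers to the same baseline (confirm which paths the image writes at startup). `image: adelyao/employee-frontend:latest` has no `imagePullPolicy`; Kubernetes defaults it to `Always` for a `:latest` tag, so behaviour matches the backend, but a digest pin would make both rollouts reproducible. The pod-level `securityContext` could also carry `seccompProfile: type: RuntimeDefault`, as for the backend.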
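Review bot: `- frontend/fe-networkpolicy.yaml` in base/kustomization.yaml does not match the file this commit adds, `base/frontend/fe-networkpolicy-fe.yaml`, so `kustomize build` of base and of every overlay fails on a missing resource; either rename the file or change the entry to `- frontend/fe-networkpolicy-fe.yaml`. The overlays declare `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization`; adding the same two header lines here keeps base consistent with them.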
+++ b/base/networkpolicy-default.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: your-namespace
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/base/rbac.yaml b/base/rbac.yaml
new file mode 100644
index 0000000..d434aa7
--- /dev/null
+++ b/base/rbac.yaml
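Review bot: `namespace: your-namespace` is a placeholder left in the default-deny policy, whereas every other namespaced resource in base uses `intern-workspace`; the overlays' `namespace:` field rewrites all resources so a kustomize build still places it correctly, but applying `base/` on its own would either fail (namespace absent) or deny traffic in an unrelated namespace while leaving `intern-workspace` wide open, which silently defeats the allow-lists in the three tier policies. Set `namespace: intern-workspace`, or drop the hard-coded namespace from all base resources. A short comment, e.g. `# Deny all ingress and egress; the per-tier policies re-open only the required flows`, would make the role of this object explicit to the next reader.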
@@ -0,0 +1,104 @@
+# Frontend Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: frontend-sa
+ namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: frontend-role
+ namespace: intern-workspace
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: frontend-rolebinding
+ namespace: intern-workspace
+subjects:
+ - kind: ServiceAccount
+ name: frontend-sa
+ namespace: intern-workspace
+roleRef:
+ kind: Role
+ name: frontend-role
+ apiGroup: rbac.authorization.k8s.io
+
+
+# Backend Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: backend-sa
+ namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: backend-role
+ namespace: intern-workspace
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: backend-rolebinding
+ namespace: intern-workspace
+subjects:
+ - kind: ServiceAccount
+ name: backend-sa
+ namespace: intern-workspace
+roleRef:
+ kind: Role
+ name: backend-role
+ apiGroup: rbac.authorization.k8s.io
+
+
+# Database Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: database-sa
+ namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: database-role
+ namespace: intern-workspace
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: database-rolebinding
+ namespace: intern-workspace
+subjects:
+ - kind: ServiceAccount
+ name: database-sa
+ namespace: intern-workspace
+roleRef:
+ kind: Role
+ name: database-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/base/secret.yaml b/base/secret.yaml
new file mode 100644
index 0000000..f5c3f95
--- /dev/null
+++ b/base/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: db-secret
+type: Opaque
+data:
+ DB_USER: "ZW1wX3VzZXI="
+ DB_PASSWORD: "a2FyeWF3YW4h"
+ MYSQL_ROOT_PASSWORD: "YWRtaW4="
diff --git a/overlays/dev/kustomization.yaml b/overlays/dev/kustomization.yaml
new file mode 100644
index 0000000..f9ce6b3
--- /dev/null
+++ b/overlays/dev/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+namespace: employee-dev
+namePrefix: dev-
+commonLabels:
+ environment: dev
+
+images:
+ - name: registry.gitlab.com/octavianadelya/employee-app/backend
+ newTag: latest
+ - name: registry.gitlab.com/octavianadelya/employee-app/frontend
+ newTag: latest
+
+patches:
+ - path: patch-deployment.yaml
+ target:
+ kind: Deployment
+ name: backend-deployment
diff --git a/overlays/dev/patch-deployment.yaml b/overlays/dev/patch-deployment.yaml
new file mode 100644
index 0000000..01dd137
--- /dev/null
+++ b/overlays/dev/patch-deployment.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend-deployment
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: employee-backend
+ image: registry.gitlab.com/adelya/employee-app/backend
+ env:
+ - name: NODE_ENV
+ value: "development"
+ - name: LOG_LEVEL
+ value: "debug"
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend-deployment
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: employee-frontend
+ image: registry.gitlab.com/adelya/employee-app/frontend
+ env:
+ - name: VITE_API_URL
+ value: "http://backend-service:4000"
+ - name: MODE
+ value: "development"
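Review bot: `backend-role` grants `list` and `watch` on `secrets` for the whole namespace, which lets the backend service account read every Secret that lands in `intern-workspace` (and, after the overlay rewrite, in each environment namespace), not just `db-secret`; `list` and `watch` cannot be narrowed with `resourceNames`. Nothing in these manifests shows the application talking to the Kubernetes API — its configuration arrives through `envFrom` — so the least-privilege fix is to drop the three Role/RoleBinding pairs, or at minimum reduce the rule to `verbs: ["get"]` with `resourceNames: ["db-secret"]`. If the pods do not use the API at all, also set `automountServiceAccountToken: false` on the ServiceAccounts so no token is mounted into the containers in the first place. The `# Frontend Tier` style headers are helpful; a one-line note under each saying which API calls the tier actually makes would justify every rule that stays.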
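Review bot: `db-secret` commits live credentials to the repository: base64 in `data:` is an encoding, not encryption, and `DB_PASSWORD` and `MYSQL_ROOT_PASSWORD` decode to short, guessable values, so anyone with read access to the repo or its history holds the database root password for every environment built from this base. Treat these values as exposed and rotate them, then replace the file with a kustomize `secretGenerator` fed from a git-ignored env file, or with an external-secrets / sealed-secrets object, so the manifest repository carries only references. Like `app-config`, this object also lacks `metadata.namespace` while the pods that consume it are pinned to `intern-workspace`.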
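Review bot: The `images:` transformer in overlays/dev/kustomization.yaml names `registry.gitlab.com/octavianadelya/employee-app/backend` and `.../frontend`, but base uses `adelyao/employee-backend` and `adelyao/employee-frontend`, so the `newTag:` entries here and in overlays/prod and overlays/stag match nothing and no tag is ever rewritten. The dev patch then sets `image: registry.gitlab.com/adelya/employee-app/backend` (a third spelling, with no tag, so `:latest` is implied), which bypasses the transformer entirely. Pick one image name, use it in base, and let the overlays own the tag through `images:`; for prod and stag prefer `digest:` or an immutable build tag over `prod-latest` / `staging-latest`. Also, `patches:` here targets only `kind: Deployment` / `name: backend-deployment` while patch-deployment.yaml contains a second document for `frontend-deployment`; verify with `kustomize build` that the frontend override is actually applied, since a multi-document patch file combined with an explicit `target` is not handled identically by every kustomize version.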
diff --git a/overlays/prod/kustomization.yaml b/overlays/prod/kustomization.yaml
new file mode 100644
index 0000000..8fa61ef
--- /dev/null
+++ b/overlays/prod/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+namespace: employee-prod
+namePrefix: prod-
+commonLabels:
+ environment: production
+
+images:
+ - name: registry.gitlab.com/octavianadelya/employee-app/backend
+ newTag: prod-latest
+ - name: registry.gitlab.com/octavianadelya/employee-app/frontend
+ newTag: prod-latest
+
+patches:
+ - path: patch-deployment.yaml
diff --git a/overlays/prod/patch-deployment.yaml b/overlays/prod/patch-deployment.yaml
new file mode 100644
index 0000000..7826c8a
--- /dev/null
+++ b/overlays/prod/patch-deployment.yaml
@@ -0,0 +1,35 @@
+# BACKEND
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend-deployment
+spec:
+ replicas: 3
+ template:
+ spec:
+ containers:
+ - name: employee-backend
+ env:
+ - name: NODE_ENV
+ value: "production"
+ - name: LOG_LEVEL
+ value: "warn"
+
+---
+
+# FRONTEND PATCH
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend-deployment
+spec:
+ replicas: 3
+ template:
+ spec:
+ containers:
+ - name: employee-frontend
+ env:
+ - name: VITE_API_URL
+ value: "https://api.example.com"
+ - name: MODE
+ value: "production"
diff --git a/overlays/stag/kustomization.yaml b/overlays/stag/kustomization.yaml
new file mode 100644
index 0000000..f90b153
--- /dev/null
+++ b/overlays/stag/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+namespace: employee-staging
+namePrefix: staging-
+commonLabels:
+ environment: staging
+
+images:
+ - name: registry.gitlab.com/octavianadelya/employee-app/backend
+ newTag: staging-latest
+ - name: registry.gitlab.com/octavianadelya/employee-app/frontend
+ newTag: staging-latest
+
+patches:
+ - path: patch-deployment.yaml
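Review bot: In overlays/prod/patch-deployment.yaml `VITE_API_URL` and `MODE` are set as runtime container env, but Vite-style `VITE_*` variables are normally baked into the static bundle at build time, so unless the frontend image's entrypoint templates them into the served files at startup these values have no effect — confirm against the image before relying on them. `https://api.example.com` is also an obvious placeholder for the production API host and should be replaced or flagged with a `# TODO` before this overlay is used. Separately, `commonLabels` in the prod, stag and dev kustomizations also injects `environment:` into `spec.selector.matchLabels`, which is immutable on a Deployment, so changing the label later forces a delete-and-recreate; in recent kustomize the `labels:` field with `includeSelectors: false` adds the label without touching selectors.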
diff --git a/overlays/stag/patch-deployment.yaml b/overlays/stag/patch-deployment.yaml
new file mode 100644
index 0000000..9ceece7
--- /dev/null
+++ b/overlays/stag/patch-deployment.yaml
@@ -0,0 +1,35 @@
+#BACKEND
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend-deployment
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: employee-backend
+ env:
+ - name: NODE_ENV
+ value: "staging"
+ - name: LOG_LEVEL
+ value: "info"
+
+---
+
+# FRONTEND
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend-deployment
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: employee-frontend
+ env:
+ - name: VITE_API_URL
+ value: "https://staging-api.example.com"
+ - name: MODE
+ value: "staging"
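Review bot: `#BACKEND` on the first line lacks the space after `#` that `# FRONTEND` in the same file, the prod patch and rbac.yaml all use; yamllint's `comments` rule flags it, so write `# BACKEND`. As with the prod patch, `VITE_API_URL` and `MODE` set as runtime env only take effect if the frontend image templates them into the bundle at startup — confirm against the image — and `https://staging-api.example.com` is a placeholder host that needs a real value or a `# TODO` before this overlay is deployed.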