init: manifest repository for deploying pipelines

This commit is contained in:
adelyaou 2025-10-15 16:14:10 +07:00
commit 937af84abc
17 changed files with 685 additions and 0 deletions


@ -0,0 +1,83 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-deployment
namespace: intern-workspace
labels:
app: employee-backend
spec:
replicas: 1
selector:
matchLabels:
app: employee-backend
template:
metadata:
labels:
app: employee-backend
spec:
serviceAccountName: backend-sa
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- name: employee-backend
image: adelyao/employee-backend:latest
imagePullPolicy: Always
ports:
- containerPort: 4000
envFrom:
- configMapRef:
name: app-config
- secretRef:
name: db-secret
readinessProbe:
httpGet:
path: /api/health
port: 4000
initialDelaySeconds: 15
periodSeconds: 5
livenessProbe:
httpGet:
path: /api/health
port: 4000
initialDelaySeconds: 15
periodSeconds: 5
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
---
apiVersion: v1
kind: Service
metadata:
name: backend-service
namespace: intern-workspace
labels:
app: employee-backend
spec:
type: ClusterIP
ports:
- port: 4000
targetPort: 4000
protocol: TCP
selector:
app: employee-backend
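Review bot: The container image at L35 is referenced by the mutable `latest` tag together with `imagePullPolicy: Always`, so every pod restart pulls whatever the registry currently serves under that tag; nothing records which build is running and a tampered push is deployed automatically. Pin the base image by digest, `image: adelyao/employee-backend@sha256:<digest>`, and let the overlays' `images:` transformer supply per-environment references. The pod `securityContext` sets no `seccompProfile`; adding `seccompProfile: {type: RuntimeDefault}` is the one item missing for the `restricted` Pod Security Standard that the rest of this context already satisfies. Since `db-secret` is injected through `envFrom` (L42-L43), the pod has no reason to hold an API token, so `automountServiceAccountToken: false` on the pod spec removes a credential that `backend-role` (L476-L478) otherwise makes capable of reading every secret in the namespace.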


@ -0,0 +1,44 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: intern-workspace
spec:
podSelector:
matchLabels:
app: employee-backend
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: employee-frontend
ports:
- protocol: TCP
port: 4000
egress:
- to:
- podSelector:
matchLabels:
app: employee-frontend
ports:
- protocol: TCP
port: 4000
- to:
- podSelector:
matchLabels:
app: mysql
ports:
- protocol: TCP
port: 3306
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
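Review bot: The first egress rule (L111-L117) lets the backend open connections to `employee-frontend` on TCP 4000, but the frontend container listens on 8080 (L341) and nothing in these manifests shows the backend calling the frontend, so the rule is dead and only widens the allowed graph; drop it and keep egress to MySQL and DNS. The DNS rule uses `namespaceSelector: {}` with no `podSelector`, which permits port 53 to every pod in every namespace rather than just the cluster resolver; narrowing it with `namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}` plus a `podSelector` for the DNS pods keeps that exception to its purpose. The ingress rule from the frontend on 4000 is correct as written.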

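--- a/base/configmap.yaml
+++ b/base/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: app-config
+data:
+DB_NAME: "employee_app"
+DB_HOST: "db"
+DB_PORT: "3306"
+FRONTEND_URL: "http://localhost:30080"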
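Review bot: This ConfigMap has no `metadata.namespace` while every workload that consumes it (`configMapRef: app-config`, L40-L41 and L193-L194) is pinned to `intern-workspace`, so applying `base/` directly creates it in `default` and those pods never start; add `namespace: intern-workspace` to match the other base resources. `DB_HOST: "db"` is a plain string that Kustomize's name-reference transformer does not rewrite, so under an overlay with `namePrefix: dev-` the Service becomes `dev-db` while the backend still dials `db`. `FRONTEND_URL` is `http://localhost:30080`, which is both cleartext and node-local; if it is used as a CORS origin it should be overridden per environment rather than shipped from base.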


@ -0,0 +1,109 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mysql-pvc
namespace: intern-workspace
labels:
app: mysql
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql-deployment
namespace: intern-workspace
labels:
app: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
serviceAccountName: database-sa
securityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
containers:
- name: mysql
image: mysql:8.0
ports:
- containerPort: 3306
envFrom:
- configMapRef:
name: app-config
- secretRef:
name: db-secret
readinessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -h 127.0.0.1 -u root -p$(MYSQL_ROOT_PASSWORD)
initialDelaySeconds: 10
periodSeconds: 5
livenessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -h 127.0.0.1 -u root -p$(MYSQL_ROOT_PASSWORD)
initialDelaySeconds: 20
periodSeconds: 10
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "1Gi"
cpu: "1000m"
volumeMounts:
- name: mysql-storage
mountPath: /var/lib/mysql
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumes:
- name: mysql-storage
persistentVolumeClaim:
claimName: mysql-pvc
---
apiVersion: v1
kind: Service
metadata:
name: db
labels:
app: mysql
spec:
type: ClusterIP
ports:
- port: 3306
targetPort: 3306
protocol: TCP
selector:
app: mysql
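Review bot: Both probes (L202, L210) put the root password on the `mysqladmin` command line, which is unnecessary and risky: `mysqladmin ping` exits 0 whenever the server is up even when authentication fails, and a real expansion of the password would place it in the container's process table for any process in the pod to read. As written `$(MYSQL_ROOT_PASSWORD)` is shell command substitution rather than variable expansion, and the kubelet only substitutes `$(VAR)` in probe commands for statically valued `env` entries, not `envFrom`, so the probe currently tries to run a command named `MYSQL_ROOT_PASSWORD`; either way, reduce both to `mysqladmin ping -h 127.0.0.1`. The `db` Service (L237) also lacks `metadata.namespace` unlike the PVC and Deployment, so a plain apply of base puts it in `default` where the backend cannot resolve it. The secret exposes `DB_USER`/`DB_PASSWORD`, but the mysql image's entrypoint provisions the application account from `MYSQL_USER`/`MYSQL_PASSWORD`/`MYSQL_DATABASE` as far as I recall — confirm the app user is actually created, otherwise the backend ends up using root.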


@ -0,0 +1,20 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: db-policy
namespace: intern-workspace
spec:
podSelector:
matchLabels:
app: mysql
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: employee-backend
ports:
- protocol: TCP
port: 3306
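Review bot: `policyTypes` lists only `Ingress` (L261-L262), so this policy says nothing about what the MySQL pod may reach; its egress isolation depends entirely on a separate default-deny existing in the same namespace, and in this base that policy targets `your-namespace` (L416), not `intern-workspace`. Add `- Egress` to `policyTypes` with no `egress` rules (or only the DNS rule the other tier policies carry) so the database is egress-denied by its own policy. The ingress rule admitting `employee-backend` on 3306 is correct.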


@ -0,0 +1,38 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: intern-workspace
spec:
podSelector:
matchLabels:
app: employee-frontend
policyTypes:
- Ingress
- Egress
ingress:
- from: []
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 30080
egress:
- to:
- podSelector:
matchLabels:
app: employee-backend
ports:
- protocol: TCP
port: 4000
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
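Review bot: The ingress ports 80, 443 and 30080 (L289-L295) do not match the port the frontend container actually listens on, 8080 (L341, `targetPort: 8080` at L386); NetworkPolicy ports are pod ports, not Service or NodePort numbers, so with this policy applied no NodePort traffic reaches the pod. Replace the three entries with `- protocol: TCP` / `port: 8080`. Note that `from: []` (L288) means "any source", including every pod in every namespace; that is acceptable for the edge tier, but document it with a comment so the open rule is not copied to the internal tiers.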


@ -0,0 +1,84 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend-deployment
namespace: intern-workspace
labels:
app: employee-frontend
spec:
replicas: 1
selector:
matchLabels:
app: employee-frontend
template:
metadata:
labels:
app: employee-frontend
spec:
serviceAccountName: frontend-sa
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- name: employee-frontend
image: adelyao/employee-frontend:latest
ports:
- containerPort: 8080
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
volumeMounts:
- name: run
mountPath: /run
volumes:
- name: run
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: intern-workspace
labels:
app: employee-frontend
spec:
type: NodePort
ports:
- port: 8080
targetPort: 8080
nodePort: 30080
protocol: TCP
selector:
app: employee-frontend
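Review bot: `readOnlyRootFilesystem: false` (L356) is the one hardening flag this pod drops relative to the backend, yet a writable `/run` emptyDir is already mounted (L368-L373), which suggests the image needs only a few scratch paths; mount `emptyDir` volumes for those (typically `/tmp` and, for nginx-based images, `/var/cache/nginx` — confirm against the image) and set the flag to `true`. The image is `latest` with no digest, as in the backend. The `NodePort` Service exposes the frontend in cleartext on 30080 on every node; for staging and production, where the API is already served over `https://` (L654, L710), place the frontend behind an Ingress with TLS and keep the NodePort for local use only.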

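--- a/base/kustomization.yaml
+++ b/base/kustomization.yaml
@@ -0,0 +1,11 @@
+resources:
+- backend/backend-deployment.yaml
+- backend/be-networkpolicy.yaml
+- frontend/frontend-deployment.yaml
+- frontend/fe-networkpolicy.yaml
+- database/db-deployment.yaml
+- database/db-networkpolicy.yaml
+- networkpolicy-default.yaml
+- configmap.yaml
+- secret.yaml
+- rbac.yaml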
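Review bot: The base kustomization has no `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header, unlike the three overlays; add it so the file is validated the same way. More importantly, `configmap.yaml`, `secret.yaml` and the `db` Service carry no namespace while the rest of base is pinned to `intern-workspace`, so `kubectl apply -k base` on its own splits the app across `default` and `intern-workspace`; adding `namespace: intern-workspace` here makes base self-consistent and still lets each overlay override it.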


@ -0,0 +1,10 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: your-namespace
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
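Review bot: `namespace: your-namespace` (L416) is a template placeholder, so in base the default-deny policy never applies to `intern-workspace`, and any pod not matched by a tier policy — plus the egress side of the MySQL pod, whose policy is ingress-only — is unrestricted; the overlays mask this by rewriting the namespace, but base should be correct on its own, so set `namespace: intern-workspace`. The rest of the policy (empty `podSelector`, both policy types, no rules) is the correct default-deny shape.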

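--- a/base/rbac.yaml
+++ b/base/rbac.yaml
@@ -0,0 +1,104 @@
+# Frontend Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: frontend-sa
+namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: frontend-role
+namespace: intern-workspace
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "list"]
+- apiGroups: [""]
+resources: ["configmaps"]
+verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: frontend-rolebinding
+namespace: intern-workspace
+subjects:
+- kind: ServiceAccount
+name: frontend-sa
+namespace: intern-workspace
+roleRef:
+kind: Role
+name: frontend-role
+apiGroup: rbac.authorization.k8s.io
+# Backend Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: backend-sa
+namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: backend-role
+namespace: intern-workspace
+rules:
+- apiGroups: [""]
+resources: ["secrets", "configmaps"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["pods", "services"]
+verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: backend-rolebinding
+namespace: intern-workspace
+subjects:
+- kind: ServiceAccount
+name: backend-sa
+namespace: intern-workspace
+roleRef:
+kind: Role
+name: backend-role
+apiGroup: rbac.authorization.k8s.io
+# Database Tier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: database-sa
+namespace: intern-workspace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: database-role
+namespace: intern-workspace
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: database-rolebinding
+namespace: intern-workspace
+subjects:
+- kind: ServiceAccount
+name: database-sa
+namespace: intern-workspace
+roleRef:
+kind: Role
+name: database-role
+apiGroup: rbac.authorization.k8s.io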
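Review bot: `backend-role` grants `get`/`list`/`watch` on every Secret in the namespace (L476-L478), yet the backend receives `db-secret` through `envFrom` and never touches the API; a compromised backend pod could read any secret later added to the namespace. Drop the secrets rule, or if API access is genuinely required limit it to `resourceNames: ["db-secret"]` with `get` only (`list` and `watch` cannot be scoped by name). The frontend and database roles likewise grant pod `get`/`list` that nothing in these manifests uses; a ServiceAccount with no RoleBinding is the least-privilege default, and `automountServiceAccountToken: false` on the three ServiceAccounts keeps the tokens out of the pods unless a workload opts in.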

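--- a/base/secret.yaml
+++ b/base/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: db-secret
+type: Opaque
+data:
+DB_USER: "ZW1wX3VzZXI="
+DB_PASSWORD: "a2FyeWF3YW4h"
+MYSQL_ROOT_PASSWORD: "YWRtaW4="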
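Review bot: This file commits live credentials to the repository; base64 is an encoding, not encryption, and `MYSQL_ROOT_PASSWORD` decodes to `admin`. Anyone with read access to the repository or its history now holds the database root password, so these values must be rotated and the file replaced by an encrypted or referenced form (SOPS, SealedSecrets, or an External Secrets `ExternalSecret`) with the plaintext kept out of git. The Secret also lacks `metadata.namespace`, unlike the Deployments that reference it (L42-L43, L195-L196), so a bare apply of base creates it in `default` and the pods fail to start.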


@ -0,0 +1,22 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
namespace: employee-dev
namePrefix: dev-
commonLabels:
environment: dev
images:
- name: registry.gitlab.com/octavianadelya/employee-app/backend
newTag: latest
- name: registry.gitlab.com/octavianadelya/employee-app/frontend
newTag: latest
patches:
- path: patch-deployment.yaml
target:
kind: Deployment
name: backend-deployment
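Review bot: The `images:` entries (L555, L557) name `registry.gitlab.com/octavianadelya/employee-app/backend` and `…/frontend`, but the base Deployments use `adelyao/employee-backend` and `adelyao/employee-frontend` (L35, L339), so the transformer matches nothing and `newTag` is never applied; the dev patch then hard-codes a third, differently spelled registry path (`registry.gitlab.com/adelya/…`, L578). Make `name:` match the base image name and use `newName:` for the registry path, removing the `image:` override from the patch so one place owns the reference. The `target:` limits this patch to `backend-deployment` while `patch-deployment.yaml` holds two documents — confirm Kustomize still applies the frontend document, as a multi-document patch combined with `target` may be rejected or have its second document ignored.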


@ -0,0 +1,34 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-deployment
spec:
replicas: 2
template:
spec:
containers:
- name: employee-backend
image: registry.gitlab.com/adelya/employee-app/backend
env:
- name: NODE_ENV
value: "development"
- name: LOG_LEVEL
value: "debug"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend-deployment
spec:
replicas: 2
template:
spec:
containers:
- name: employee-frontend
image: registry.gitlab.com/adelya/employee-app/frontend
env:
- name: VITE_API_URL
value: "http://backend-service:4000"
- name: MODE
value: "development"
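Review bot: The `image:` line at L578 carries no tag, so it resolves to `latest` and bypasses whatever the overlay's `images:` transformer sets, and its registry path (`adelya`) differs from the overlay's (`octavianadelya`, L555) — at least one of them is wrong. Remove `image:` from the patch and let the overlay own the image reference. `VITE_API_URL` is set as a runtime env var (L597-L598), but Vite inlines `VITE_*` values at build time, so unless the image's entrypoint re-injects it this value has no effect — confirm against the frontend Dockerfile.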


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
namespace: employee-prod
namePrefix: prod-
commonLabels:
environment: production
images:
- name: registry.gitlab.com/octavianadelya/employee-app/backend
newTag: prod-latest
- name: registry.gitlab.com/octavianadelya/employee-app/frontend
newTag: prod-latest
patches:
- path: patch-deployment.yaml
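Review bot: `newTag: prod-latest` (L615, L617) is still a mutable tag, so what production runs can change without any commit to this repository — and because the `images:` `name:` values do not match the base image names (`adelyao/employee-backend`, L35; `adelyao/employee-frontend`, L339) the tag is not applied at all, so prod falls through to the base `latest` pulled from Docker Hub. Set `name:` to the base image name, use `newName:` for the registry path, and pin with `digest: sha256:…` instead of `newTag` so promotion to production is a reviewed change. Be aware that `commonLabels` also injects `environment: production` into Deployment selectors, which are immutable once created; the `labels:` field with `includeSelectors: false` avoids a forced delete-and-recreate later.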


@ -0,0 +1,35 @@
# BACKEND
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-deployment
spec:
replicas: 3
template:
spec:
containers:
- name: employee-backend
env:
- name: NODE_ENV
value: "production"
- name: LOG_LEVEL
value: "warn"
---
# FRONTEND PATCH
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend-deployment
spec:
replicas: 3
template:
spec:
containers:
- name: employee-frontend
env:
- name: VITE_API_URL
value: "https://api.example.com"
- name: MODE
value: "production"


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
namespace: employee-staging
namePrefix: staging-
commonLabels:
environment: staging
images:
- name: registry.gitlab.com/octavianadelya/employee-app/backend
newTag: staging-latest
- name: registry.gitlab.com/octavianadelya/employee-app/frontend
newTag: staging-latest
patches:
- path: patch-deployment.yaml


@ -0,0 +1,35 @@
#BACKEND
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-deployment
spec:
replicas: 2
template:
spec:
containers:
- name: employee-backend
env:
- name: NODE_ENV
value: "staging"
- name: LOG_LEVEL
value: "info"
---
# FRONTEND
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend-deployment
spec:
replicas: 2
template:
spec:
containers:
- name: employee-frontend
env:
- name: VITE_API_URL
value: "https://staging-api.example.com"
- name: MODE
value: "staging"