experiment(k8s): scaffold k3s-local + Kapsule poc overlays for matchID#55
Merged
Conversation
Adds a `deploy/k8s/` tree to drive matchID on a local k3d cluster and on the Scaleway Kapsule `poc` cluster (rhanka/poc-k8s). Not wired into CI/CD yet; meant to be applied by hand for the burst-mode test sessions described in the matchID onboarding intake against poc-k8s. Files added: - deploy/k8s/README.md local k3d + poc cluster flows, known gaps - deploy/k8s/Makefile k3d-up/down, apply-local/poc, port-forward, logs, status - deploy/k8s/base/ kustomize base * namespace.yaml matchid Namespace (skipped in poc overlay) * deces-backend.deployment + service.yaml matchid/deces-backend:latest, 8080 * deces-ui.deployment + service.yaml matchid/deces-ui:latest, 8083 * elasticsearch.statefulset.yaml ES 7.17.28, dev profile, JVM -Xmx512m * ingress.yaml Traefik IngressRoute (deces.local) * kustomization.yaml - deploy/k8s/local/kustomization.yaml alias overlay pointing at overlays/local/ - deploy/k8s/overlays/local/ k3d / k3s-local * NodePort services (UI 30083, backend 30080) * hostPath PV for ES (StorageClass matchid-local) * drops the privileged sysctl init container (k3s ships with vm.max_map_count high enough) - deploy/k8s/overlays/poc/ Scaleway Kapsule poc * nodeSelector pool=burst + toleration on every workload * replicas: 0 at rest on all three workloads (burst-mode tenant) * scw-bssd PVC for ES, IngressRoute on matchid-poc.matchid.io with cert-manager TLS * deletes the base Namespace (poc-k8s owns it under tenants/matchid/) Resource sizing matches the poc-k8s intake (PR request/matchid-onboarding): deces-backend 100m / 500m + 256Mi / 512Mi deces-ui 50m / 200m + 64Mi / 128Mi elasticsearch 250m / 1500m + 512Mi / 1Gi Validation: kubectl apply --dry-run=client --validate=false -k overlays/local/ OK kubectl apply --dry-run=client --validate=false -k overlays/poc/ OK Caveats / not yet wired (documented in deploy/k8s/README.md): - ES version drift: repo Makefiles pin 8.6.1 today; we ship 7.17.28 here to stay under 1 GiB heap on the poc cluster. Reconciliation is part of the surch swap follow-up. - Surch swap: long-term plan is to drop the ES StatefulSet and point deces-backend at the surch tenant's surch-api Service (blocked on the DSL inventory in EXPERIMENT_SURCH.md). - cert-manager / letsencrypt-prod ClusterIssuer is referenced but provisioned out-of-band by poc-k8s. - OIDC auth + SMTP secrets are envFrom: secretRef with optional: true; the Secret itself is provisioned out-of-tree. - No .github/workflows/k8s-*.yml yet; CI/CD wiring is a follow-up referenced in the poc-k8s intake (request/matchid-onboarding). - deces-dataprep (INSEE ingest Job) not manifested yet; read-path lands first. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…veat - Add "Environment tiers" section: CI=k3s/k3d, Dev=Kapsule poc, Prod=TBD - Document local prereqs: Docker + kubectl + k3d + ≥15% free disk on /, with the diagnostic+fix when kubelet's DiskPressure taint hits. Caught during a smoke run today: laptop at 99% on / put every Pod in Pending with FailedScheduling pointing at DiskPressure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…e smoke Adds .github/workflows/k8s-smoke.yml driving two paths: - smoke-local (auto on push/PR with deploy/k8s/** changes): installs k3d inside the ubuntu-latest runner, brings up a single-node k3s cluster, applies overlays/local, waits Traefik CRDs + workload availability, curls the deces-backend healthcheck + UI through NodePort. Tear down at the end regardless of outcome. - smoke-poc (workflow_dispatch only): pulls a kubeconfig for the Scaleway Kapsule `poc` cluster via the SCW CLI, applies overlays/poc, waits availability, curls the IngressRoute (Host: matchid-poc.matchid.io). Falls back to port-forward if the Traefik LB IP isn't ready yet. Path-filter on deploy/k8s/** + workflow file to keep cost low. New secrets needed (header comment in the workflow lists them); the smoke-local path is the CI gate for this experimental branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comprehensive audit of architectural patterns breaking under Kubernetes: - 8 P0 findings (in-memory state, file persistence, ES single-node) - 6 P1 findings (sticky sessions, job timeouts, worker isolation) - 4 P2 findings (logging, encryption, user DB) Most critical: 1. OTP store in memory (mail.ts:60) - loses all OTPs on pod restart 2. IP-rate-limit maps (auth.ts:4-5) - routing to different pods bypasses bans 3. Job state arrays (processStream.ts:57-60) - lost on restart, breaks bulk Effort: 6-8 weeks to K8s-ready (P0: 2w, P1: 2w, P2: 1w). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…n diags on cancel The first runs (#25974574306, #25974575275) cancelled at the 15min job cap with no diagnostics because `if: failure()` doesn't fire on cancellation. Patched workflow: - Split "Wait for deployments" into ES-first then backend/UI so a slow ES doesn't eat the budget meant for backend. - Background poller emits `kubectl get pods -o wide` + events every 30s during the wait, so the run logs always show why a pod is unhappy even when the parent step times out. - Diagnostics now triggers on `failure() || cancelled()` so we capture state when the runner reaps the job. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ES container runs as uid 1000; some storage drivers (hostPath in local overlay, plain manual PV) don't honour `fsGroup: 1000`, leaving the mount root-owned. ES then crashes on boot with: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/data/nodes Caused by: org.elasticsearch.ElasticsearchException: failed to bind service Add a `fix-data-permissions` busybox init container that chowns the data dir to 1000:1000 before ES starts. Carried in base (so Kapsule inherits it harmlessly) and re-stated in the local overlay (since the overlay was previously setting `initContainers: []` to drop the sysctl init container). Caught by CI run #25974962800 — diagnostic poller surfaced the actual ES stack trace which the original `if: failure()`-only diag step would have missed (the run cancelled instead of failed cleanly). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…APP_FRONTEND) Three pod-level crash-loops on the prior smoke run: 1. deces-backend exited with "BullMQ Worker: concurrency must be a finite number greater than 0" because BACKEND_JOB_CONCURRENCY and BACKEND_CHUNK_CONCURRENCY were unset. Added defaults (2/2) plus the rest of the env vars the image's index.js reads at module load (APP_DNS, APP_URL, BACKEND_LOG_TIMER, BACKEND_TMP_*, DISPOSABLE_MAIL, COMMUNES_JSON, DB_JSON, WIKIDATA_LINKS → /dev/null for non-fatal warnings on missing data files). 2. deces-backend ALSO has no Redis to talk to. Added a minimal Redis Deployment + Service in base (redis:7.2-alpine, 128MB maxmem, ephemeral). Wired REDIS_HOST=redis / REDIS_PORT=6379 into the backend env block. Service name 'redis' resolves intra-namespace. 3. deces-ui:latest (built 2026-04-26) ships an older nginx/run.sh that checks `APP` (current main checks `APP_FRONTEND`). Setting both env vars on the Deployment so the manifest works against either tag. Workflow patched to wait for redis (2m) before ES (6m) before backend/ui (4m). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The deces-ui nginx run.sh substitutes every `<VAR>` placeholder in the template (nginx.conf.template + default.conf.template) with the value of the matching env var. Any unreplaced placeholder leaves invalid syntax like `$<API_USER_SCOPE>` in /etc/nginx/nginx.conf line 19, and nginx aborts with: [emerg] invalid variable name in /etc/nginx/nginx.conf:19 Adds deces-ui-nginx ConfigMap with defaults copied verbatim from packages/deces-ui/Makefile: API_USER_SCOPE, API_*_LIMIT_RATE, API_*_BURST, API_READ_TIMEOUT, API_SEND_TIMEOUT, API_MAX_BODY, NGINX_CSP, GOOGLE_ANALYTICS_ID, GOOGLE_ADSENSE_ID, DATAGOUV_*. deces-ui Deployment now `envFrom`-s it. Caught by CI run #25975385301 where backend / redis / ES all reached Ready 1/1 but deces-ui crashed in nginx config validation. ES went from CrashLoopBackOff to Running thanks to the previous chown init container fix. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Member
Author
Verdict
Follow-ups
Nits
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Scaffold of
deploy/k8s/with a kustomize base + overlays for:overlays/local— k3d / k3s local: NodePort, hostPath PV, no nodeSelector.overlays/poc— Scaleway Kapsulepoc:pool=burstnodeSelector,scw-bssdPVCs, Traefik IngressRoute.overlays/prod— placeholder only; production remains out of scope for this POC branch.This PR lands the POC scaffolding. It is not a production migration and it does not replace the current
deploy-remotepath.Scope
Workloads in
base/:matchid/deces-backend:latestmatchid/deces-ui:latestdocker.elastic.co/elasticsearch/elasticsearch:7.17.28redis:7-alpineES is pinned to 7.17.28 for the POC quota. The long-term ES-to-surch swap remains a separate experiment.
External Contract
rhanka/poc-k8s#3intake for matchID is merged.poc-k8stenant mechanism: tenant namespace + tenant kubeconfig /KUBE_CONFIG_DATA, or the later OIDC contract if/when it lands there.Validation
25975527555:smoke-local (k3s in runner)success25975528412:smoke-local (k3s in runner)successFollow-Ups
../poc-k8scontract, then run it.:latest/IfNotPresent, ES is single-node, and app state issues fromdeploy/k8s/K8S_READINESS_AUDIT.mdremain open.Generated with Claude Code