chore: improve deployment

Author: martinothamar

infra/runtime/syncroot/base/studio-gateway.yaml

@@ -3,6 +3,16 @@ kind: Namespace
 metadata:
   name: runtime-gateway
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runtime-environment
+  namespace: runtime-gateway
+data:
+  upgrade_channel: ${UPGRADE_CHANNEL}
+  environment: ${ENVIRONMENT}
+  serviceowner: ${SERVICEOWNER_ID}
+---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:

src/Runtime/StudioGateway/.dockerignore

@@ -0,0 +1,5 @@
+.config/
+infra/
+tests/
+**/bin
+**/obj

src/Runtime/StudioGateway/infra/kustomize/deployment.yaml

@@ -1,3 +1,19 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: studio-gateway-pdb
+spec:
+  # Makes sure that during e.g. nodepool upgrades, when nodes are drained
+  # we apply a constraint that at most 1 AZ (hopefully, depending on skew)
+  # is disrupted at a time
+  # Examples:
+  #  2 replicas * 30% = 0.6 = 1 unavailable
+  #  3 replicas * 30% = 0.9 = 1 unavailable
+  maxUnavailable: '30%'
+  selector:
+    matchLabels:
+      app: studio-gateway
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -6,45 +22,119 @@ metadata:
     altinn.studio/image: studio-gateway:latest
     altinn.studio/image-tag: latest
 spec:
-  replicas: 1
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  replicas: 2
+  strategy:
+    # Rolling upgrade of pods
+    type: RollingUpdate
+    rollingUpdate:
+      # Conservative rollout.
+      # Setting maxUnavailable to 0 means we will never scale lower than desired replicas
+      # during rollouts, but we might have to scale up the nodepool due to surge
+      # Surge examples:
+      #  2 replicas * 20% = 0.4 = 1 surge
+      #  3 replicas * 20% = 0.6 = 1 surge
+      maxUnavailable: 0
+      maxSurge: '20%'
   selector:
     matchLabels:
       app: studio-gateway
   template:
     metadata:
       labels:
         app: studio-gateway
+      annotations:
+        # for mTLS mainly
+        linkerd.io/inject: enabled
     spec:
+      topologySpreadConstraints:
+        # Try to spread across availability zones first (highest priority)
+        # A skew of 1 can result in 1 AZ being unused when AZs = 3 and replicas = 3
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          # ScheduleAnyway ensures progress even if distribution is imperfect
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: studio-gateway
+        # Try to spread across nodes within zones
+        # Prevents multiple replicas from running on the same node, improving fault tolerance
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: studio-gateway
       serviceAccountName: studio-gateway
+      terminationGracePeriodSeconds: 30
       # explicitly set security context to embedded .net non-root user (1654)
       securityContext:
         runAsUser: 1654
         runAsGroup: 1654
         fsGroup: 1654
         runAsNonRoot: true
+        # Seccomp (secure computing mode) restricts syscalls the container can make
+        # RuntimeDefault uses the container runtime's default profile, blocking risky syscalls
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: studio-gateway
-          image: studio-gateway:latest
+          image: ""
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 8080
               name: http
               protocol: TCP
           env:
             - name: ASPNETCORE_HTTP_PORTS
               value: "8080"
+            - name: ASPNETCORE_ENVIRONMENT
+              valueFrom:
+                # Configmap is created in syncroot
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: environment
+            - name: GATEWAY_UPGRADE_CHANNEL
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: upgrade_channel
+            - name: GATEWAY_ENVIRONMENT
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: environment
+            - name: GATEWAY_SERVICEOWNER
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: serviceowner
           livenessProbe:
             httpGet:
               path: /health/live
               port: 8080
-            initialDelaySeconds: 10
+            initialDelaySeconds: 2
             periodSeconds: 10
             timeoutSeconds: 3
             failureThreshold: 3
           readinessProbe:
             httpGet:
               path: /health/ready
               port: 8080
-            initialDelaySeconds: 5
+            initialDelaySeconds: 2
             periodSeconds: 5
             timeoutSeconds: 3
             failureThreshold: 3
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi