chore: improve deployment

martinothamar · martinothamar · commit 589d65f1596d · 2025-11-28T20:11:54.000+01:00
diff --git a/infra/runtime/syncroot/base/studio-gateway.yaml b/infra/runtime/syncroot/base/studio-gateway.yaml
@@ -3,6 +3,16 @@ kind: Namespace
 metadata:
   name: runtime-gateway
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runtime-environment
+  namespace: runtime-gateway
+data:
+  upgrade_channel: ${UPGRADE_CHANNEL}
+  environment: ${ENVIRONMENT}
+  serviceowner: ${SERVICEOWNER_ID}
+---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
diff --git a/src/Runtime/StudioGateway/.dockerignore b/src/Runtime/StudioGateway/.dockerignore
@@ -0,0 +1,5 @@
+.config/
+infra/
+tests/
+**/bin
+**/obj
diff --git a/src/Runtime/StudioGateway/infra/kustomize/deployment.yaml b/src/Runtime/StudioGateway/infra/kustomize/deployment.yaml
@@ -1,3 +1,13 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: studio-gateway-pdb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: studio-gateway
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -6,45 +16,113 @@ metadata:
     altinn.studio/image: studio-gateway:latest
     altinn.studio/image-tag: latest
 spec:
-  replicas: 1
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  replicas: 2
+  strategy:
+    # Rolling upgrade of pods
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
   selector:
     matchLabels:
       app: studio-gateway
   template:
     metadata:
       labels:
         app: studio-gateway
+      annotations:
+        # for mTLS mainly
+        linkerd.io/inject: enabled
     spec:
+      topologySpreadConstraints:
+        # Try to spread across availability zones first (highest priority)
+        # A skew of 1 can result in 1 AZ being unused when AZs = 3 and replicas = 3
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          # ScheduleAnyway ensures progress even if distribution is imperfect
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: studio-gateway
+        # Try to spread across nodes within zones
+        # Prevents multiple replicas from running on the same node, improving fault tolerance
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: studio-gateway
       serviceAccountName: studio-gateway
+      terminationGracePeriodSeconds: 30
       # explicitly set security context to embedded .net non-root user (1654)
       securityContext:
         runAsUser: 1654
         runAsGroup: 1654
         fsGroup: 1654
         runAsNonRoot: true
+        # Seccomp (secure computing mode) restricts syscalls the container can make
+        # RuntimeDefault uses the container runtime's default profile, blocking risky syscalls
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: studio-gateway
-          image: studio-gateway:latest
+          image: ""
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 8080
               name: http
               protocol: TCP
           env:
             - name: ASPNETCORE_HTTP_PORTS
               value: "8080"
+            - name: ASPNETCORE_ENVIRONMENT
+              valueFrom:
+                # Configmap is created in syncroot
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: environment
+            - name: GATEWAY_UPGRADE_CHANNEL
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: upgrade_channel
+            - name: GATEWAY_ENVIRONMENT
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: environment
+            - name: GATEWAY_SERVICEOWNER
+              valueFrom:
+                configMapKeyRef:
+                  name: runtime-environment
+                  key: serviceowner
           livenessProbe:
             httpGet:
               path: /health/live
               port: 8080
-            initialDelaySeconds: 10
+            initialDelaySeconds: 2
             periodSeconds: 10
             timeoutSeconds: 3
             failureThreshold: 3
           readinessProbe:
             httpGet:
               path: /health/ready
               port: 8080
-            initialDelaySeconds: 5
+            initialDelaySeconds: 2
             periodSeconds: 5
             timeoutSeconds: 3
             failureThreshold: 3
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +.config/
 +infra/
 +tests/
 +**/bin
 +**/obj