From eed5156c2ff6a08837110866da5911b675a54e86 Mon Sep 17 00:00:00 2001 From: Jude Niroshan Date: Wed, 22 Oct 2025 10:06:22 +0200 Subject: [PATCH 1/5] separate dev and prod env setup Signed-off-by: Jude Niroshan --- .github/workflows/build-dev-image.yml | 3 +- .github/workflows/build-release-image.yml | 33 +++-- README.md | 59 ++++++++- deploy/Makefile | 141 ++++++++++++++-------- deploy/argocd/application.yaml | 42 ------- deploy/sast-ai-chart/values.yaml | 81 ++++--------- 6 files changed, 191 insertions(+), 168 deletions(-) delete mode 100644 deploy/argocd/application.yaml diff --git a/.github/workflows/build-dev-image.yml b/.github/workflows/build-dev-image.yml index f8b868f6..58035785 100644 --- a/.github/workflows/build-dev-image.yml +++ b/.github/workflows/build-dev-image.yml @@ -58,8 +58,7 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | - type=raw,value=latest-dev,enable={{is_default_branch}} - type=sha,prefix={{branch}}- + type=raw,value=latest,enable={{is_default_branch}} - name: Build and push Docker image id: build diff --git a/.github/workflows/build-release-image.yml b/.github/workflows/build-release-image.yml index 18814a33..9db5efd1 100644 --- a/.github/workflows/build-release-image.yml +++ b/.github/workflows/build-release-image.yml @@ -85,8 +85,8 @@ jobs: # Update pom.xml version (without 'v' prefix) ./mvnw versions:set -DnewVersion=$POM_VERSION -DgenerateBackupPoms=false - # Update Helm values.yaml with full release tag (with 'v') - sed -i "s/tag: \".*\"/tag: \"$RELEASE_TAG\"/" deploy/sast-ai-chart/values.yaml + # Update Helm prod values.yaml with full release tag (with 'v') + sed -i "s/tag: \".*\"/tag: \"$RELEASE_TAG\"/" deploy/sast-ai-chart/values-prod.yaml # Update Helm Chart.yaml versions (without 'v' prefix) - be specific to avoid updating dependency versions sed -i "s/^version: .*/version: $POM_VERSION/" deploy/sast-ai-chart/Chart.yaml 
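Review bot: Dropping `type=sha,prefix={{branch}}-` leaves the dev image with only the mutable `latest` tag, so a dev pod pulled with `pullPolicy: Always` (values-dev.yaml) can no longer be traced back to the commit it was built from, and a rollback has nothing immutable to pin to. Keep the per-commit tag next to the moving one: `type=raw,value=latest,enable={{is_default_branch}}` followed by `type=sha,prefix={{branch}}-`. If the release workflow's own metadata step still emits `latest` as well (that step is not in this diff), the two workflows now race on the same tag and the README's "latest means development" claim does not hold.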
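Review bot: `sed -i "s/tag: \".*\"/tag: \"$RELEASE_TAG\"/"` succeeds silently when nothing matches and rewrites every `tag: "…"` line in values-prod.yaml, and `RELEASE_TAG` is spliced into the expression unescaped, so a tag containing `/` or `&` breaks the command. Anchor the pattern and fail the job when the expected line is absent afterwards, e.g. `grep -q "^    tag: \"$RELEASE_TAG\"" deploy/sast-ai-chart/values-prod.yaml || exit 1`. The `RELEASE_TAG` assignment sits above this hunk.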
@@ -95,8 +95,8 @@ jobs: # Verify the changes echo "Updated pom.xml version:" ./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout - echo "Updated values.yaml:" - grep -A 5 -B 5 "tag:" deploy/sast-ai-chart/values.yaml + echo "Updated prod values.yaml:" + grep -A 5 -B 5 "tag:" deploy/sast-ai-chart/values-prod.yaml echo "Updated Chart.yaml:" grep -E "(version|appVersion):" deploy/sast-ai-chart/Chart.yaml @@ -104,7 +104,7 @@ jobs: run: | git config --local user.email "action@github.com" git config --local user.name "GitHub Action" - git add pom.xml deploy/sast-ai-chart/values.yaml deploy/sast-ai-chart/Chart.yaml + git add pom.xml deploy/sast-ai-chart/values-prod.yaml deploy/sast-ai-chart/Chart.yaml if git diff --staged --quiet; then echo "No changes to commit" else @@ -113,8 +113,8 @@ jobs: git checkout $DEFAULT_BRANCH git pull origin $DEFAULT_BRANCH # Re-add and commit the changes - git add pom.xml deploy/sast-ai-chart/values.yaml deploy/sast-ai-chart/Chart.yaml - git commit -m "Update versions to ${{ github.event.release.tag_name }}" + git add pom.xml deploy/sast-ai-chart/values-prod.yaml deploy/sast-ai-chart/Chart.yaml + git commit -m "Update production versions to ${{ github.event.release.tag_name }}" git push origin $DEFAULT_BRANCH fi 
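Review bot: The new commit line still interpolates `${{ github.event.release.tag_name }}` directly into the `run:` script, which is the GitHub Actions expression-injection pattern: the tag name is substituted before the shell parses the script, so a release tag containing a quote or `$(...)` runs code in a job that holds push rights to the default branch. Pass it through the environment instead — add `env: RELEASE_TAG: ${{ github.event.release.tag_name }}` to the step and write `git commit -m "Update production versions to $RELEASE_TAG"`. The step's `run:` block begins above this hunk, so check whether `RELEASE_TAG` is already exported there as it is in the version-bump step.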
@@ -134,23 +134,34 @@ jobs: ## ๐Ÿ“ฆ Container Images - This release includes the following container images published to Quay.io: + This release includes the following container image published to Quay.io: - \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}\` - - \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest\` ### ๐Ÿณ Usage \`\`\`bash - # Pull specific version + # Pull specific version for production podman pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} - # Pull latest + # For development, use the latest tag podman pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \`\`\` ### ๐Ÿ”— Registry View all versions: [Quay.io Repository](https://quay.io/repository/ecosystem-appeng/sast-ai-orchestrator) + + ### ๐Ÿš€ Deployment + + **Production Deployment (sast-ai-prod namespace):** + \`\`\`bash + make deploy-prod + \`\`\` + + **Development Deployment (sast-ai-dev namespace):** + \`\`\`bash + make deploy-dev + \`\`\` `; await github.rest.repos.updateRelease({ diff --git a/README.md b/README.md index 939d25c9..372dee33 100644 --- a/README.md +++ b/README.md 
@@ -270,16 +270,67 @@ Java Quarkus REST API that manages [SAST-AI-Workflow](https://github.com/RHEcosy ## Deployment +### Environment Strategy + +The project supports two deployment environments: + +- **Development** (`sast-ai-dev` namespace): + - Uses `latest` container images + - Updated automatically on every main branch push + - Debug logging and relaxed resource limits + +- **Production** (`sast-ai-prod` namespace): + - Uses release-tagged container images (e.g., `v1.0.1`) + - Updated only on GitHub releases + - Production-grade resource allocation and logging + +### Quick Deployment + +```bash +# Development environment +cd deploy +make deploy-dev + +# Production environment +cd deploy +make deploy-prod + +# Check deployment status +make status +``` + +### Container Images + +- **Development**: `quay.io/ecosystem-appeng/sast-ai-orchestrator:latest` +- **Production**: `quay.io/ecosystem-appeng/sast-ai-orchestrator:v1.0.x` + ### Docker Deployment ```bash -# JVM Mode (Fast startup) -docker build -f src/main/docker/Dockerfile.jvm -t sast-ai-orchestrator:jvm . 
+# Development (latest) +docker run -p 8080:8080 quay.io/ecosystem-appeng/sast-ai-orchestrator:latest + +# Production (specific version) +docker run -p 8080:8080 quay.io/ecosystem-appeng/sast-ai-orchestrator:v1.0.1 ``` ### Kubernetes Deployment - **Helm Chart**: See `deploy/sast-ai-chart/` for Helm deployment -- **ArgoCD**: See `deploy/argocd/` for GitOps deployment -- **Documentation**: Refer to `deploy/README.md` for detailed instructions +- **ArgoCD**: See `deploy/argocd/` for GitOps deployment +- **Documentation**: Use `make help` in the `deploy/` directory for available commands + +### Environment-Specific Access + +After deployment, access the applications: + +```bash +# Development +kubectl port-forward svc/sast-ai-orchestrator-dev 8080:80 -n sast-ai-dev +curl http://localhost:8080/api/v1/health + +# Production +kubectl port-forward svc/sast-ai-orchestrator-prod 8080:80 -n sast-ai-prod +curl http://localhost:8080/api/v1/health +``` ## Configuration diff --git a/deploy/Makefile b/deploy/Makefile index 01596c82..206fe8a5 100644 --- a/deploy/Makefile +++ b/deploy/Makefile @@ -1,9 +1,13 @@ # Detect OpenShift vs Kubernetes KUBECTL_CMD := $(shell command -v oc 2>/dev/null || echo kubectl) -# Get current namespace from kubectl/oc, fallback to sast-ai-workflow +# Environment-specific settings +DEV_NAMESPACE := sast-ai-dev +PROD_NAMESPACE := sast-ai-prod + +# Get current namespace from kubectl/oc, fallback to dev CURRENT_NAMESPACE := $(shell $(KUBECTL_CMD) config view --minify --output 'jsonpath={..namespace}' 2>/dev/null) -NAMESPACE ?= $(if $(CURRENT_NAMESPACE),$(CURRENT_NAMESPACE),sast-ai-workflow) +NAMESPACE ?= $(if $(CURRENT_NAMESPACE),$(CURRENT_NAMESPACE),$(DEV_NAMESPACE)) RELEASE_NAME ?= sast-ai-orchestrator CHART_PATH ?= ./sast-ai-chart 
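Review bot: `NAMESPACE` still defaults to whatever namespace the kubeconfig context currently points at, so targets that are not routed through `deploy-dev`/`deploy-prod` (`argocd`, `wait-pods`, `show-access`, whose bodies are outside this hunk) act on the operator's current context — which may be `sast-ai-prod` — rather than on an environment the operator explicitly chose. Either make the dev namespace the only implicit default, `NAMESPACE ?= $(DEV_NAMESPACE)`, or refuse to touch `$(PROD_NAMESPACE)` unless it was passed explicitly on the command line. `RELEASE_NAME` has the same problem: its default `sast-ai-orchestrator` no longer matches either deployed release (`-dev`/`-prod`), so a bare `make argocd` or `make wait-pods` targets a release that does not exist.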
@@ -11,79 +15,105 @@ HELM_TIMEOUT ?= 300s .DEFAULT_GOAL := help -.PHONY: deploy -deploy: ## Deploy SAST AI to the cluster - @echo "Deploying SAST AI..." - @echo "Namespace: $(NAMESPACE)" - @echo "Release: $(RELEASE_NAME)" +.PHONY: deploy-dev +deploy-dev: ## Deploy to development environment (sast-ai-dev namespace) + @echo "๐Ÿš€ Deploying SAST AI to DEVELOPMENT environment..." + @echo "Namespace: $(DEV_NAMESPACE)" + @echo "Release: $(RELEASE_NAME)-dev" + @echo "Using: $(KUBECTL_CMD)" + @$(MAKE) _deploy NAMESPACE=$(DEV_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-dev VALUES_FILE=values-dev.yaml + +.PHONY: deploy-prod +deploy-prod: ## Deploy to production environment (sast-ai-prod namespace) + @echo "๐Ÿš€ Deploying SAST AI to PRODUCTION environment..." + @echo "Namespace: $(PROD_NAMESPACE)" + @echo "Release: $(RELEASE_NAME)-prod" @echo "Using: $(KUBECTL_CMD)" + @$(MAKE) _deploy NAMESPACE=$(PROD_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-prod VALUES_FILE=values-prod.yaml + +.PHONY: _deploy +_deploy: ## Internal deployment target @helm repo add bitnami https://charts.bitnami.com/bitnami >/dev/null 2>&1 || true @helm repo update >/dev/null 2>&1 @cd $(CHART_PATH) && helm dependency update @helm install $(RELEASE_NAME) $(CHART_PATH) \ -f $(CHART_PATH)/values.yaml \ + -f $(CHART_PATH)/$(VALUES_FILE) \ -n $(NAMESPACE) \ --create-namespace \ --timeout=$(HELM_TIMEOUT) \ --set app.env.SAST_AI_WORKFLOW_NAMESPACE=$(NAMESPACE) - @echo "Deployment completed!" - @$(MAKE) wait-pods - @echo "Checking for ArgoCD availability..." + @echo "โœ… Deployment completed!" + @$(MAKE) wait-pods NAMESPACE=$(NAMESPACE) + @echo "๐Ÿ” Checking for ArgoCD availability..." @if $(KUBECTL_CMD) get crd applications.argoproj.io >/dev/null 2>&1; then \ - echo "ArgoCD detected! Creating ArgoCD Application..."; \ - $(MAKE) argocd; \ + echo "๐Ÿ“ฆ ArgoCD detected! 
Creating ArgoCD Application..."; \ + $(MAKE) argocd NAMESPACE=$(NAMESPACE); \ else \ - echo "ArgoCD not available in cluster, skipping ArgoCD Application creation."; \ + echo "โš ๏ธ ArgoCD not available in cluster, skipping ArgoCD Application creation."; \ fi - @$(MAKE) show-access + @$(MAKE) show-access NAMESPACE=$(NAMESPACE) -.PHONY: upgrade -upgrade: ## Upgrade existing deployment - @echo "Upgrading SAST AI..." +.PHONY: upgrade-dev +upgrade-dev: ## Upgrade development deployment + @echo "โฌ†๏ธ Upgrading SAST AI DEVELOPMENT deployment..." + @$(MAKE) _upgrade NAMESPACE=$(DEV_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-dev VALUES_FILE=values-dev.yaml + +.PHONY: upgrade-prod +upgrade-prod: ## Upgrade production deployment + @echo "โฌ†๏ธ Upgrading SAST AI PRODUCTION deployment..." + @$(MAKE) _upgrade NAMESPACE=$(PROD_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-prod VALUES_FILE=values-prod.yaml + +.PHONY: _upgrade +_upgrade: ## Internal upgrade target @helm repo add bitnami https://charts.bitnami.com/bitnami >/dev/null 2>&1 || true @helm repo update >/dev/null 2>&1 @cd $(CHART_PATH) && helm dependency update @helm upgrade $(RELEASE_NAME) $(CHART_PATH) \ -f $(CHART_PATH)/values.yaml \ + -f $(CHART_PATH)/$(VALUES_FILE) \ -n $(NAMESPACE) \ --timeout=$(HELM_TIMEOUT) \ --set app.env.SAST_AI_WORKFLOW_NAMESPACE=$(NAMESPACE) - @echo "Upgrade completed!" - @$(MAKE) wait + @echo "โœ… Upgrade completed!" + @$(MAKE) wait-pods NAMESPACE=$(NAMESPACE) -.PHONY: install -install: deploy ## Alias for deploy +.PHONY: clean-dev +clean-dev: ## Remove development deployment + @echo "๐Ÿงน Removing SAST AI DEVELOPMENT deployment..." + @$(MAKE) _clean NAMESPACE=$(DEV_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-dev -.PHONY: clean -clean: ## Remove the deployment - @echo "Removing SAST AI deployment..." - @echo "Checking for ArgoCD Application..." 
- @if $(KUBECTL_CMD) get crd applications.argoproj.io >/dev/null 2>&1; then \ - if $(KUBECTL_CMD) get application $(RELEASE_NAME)-syncer -n $(NAMESPACE) >/dev/null 2>&1; then \ - echo "Removing ArgoCD Application..."; \ - echo "Removing finalizers to prevent hanging..."; \ - $(KUBECTL_CMD) patch application $(RELEASE_NAME)-syncer -n $(NAMESPACE) --type='merge' -p='{"metadata":{"finalizers":[]}}' 2>/dev/null || true; \ - $(KUBECTL_CMD) delete application $(RELEASE_NAME)-syncer -n $(NAMESPACE) --ignore-not-found=true; \ - echo "ArgoCD Application removed!"; \ - else \ - echo "ArgoCD Application '$(RELEASE_NAME)-syncer' not found in namespace '$(NAMESPACE)'"; \ - fi; \ - else \ - echo "ArgoCD not available in cluster, skipping ArgoCD Application removal."; \ - fi +.PHONY: clean-prod +clean-prod: ## Remove production deployment + @echo "๐Ÿงน Removing SAST AI PRODUCTION deployment..." + @$(MAKE) _clean NAMESPACE=$(PROD_NAMESPACE) RELEASE_NAME=$(RELEASE_NAME)-prod + +.PHONY: _clean +_clean: ## Internal clean target @if helm list -n $(NAMESPACE) | grep -q "^$(RELEASE_NAME)"; then \ helm uninstall $(RELEASE_NAME) -n $(NAMESPACE) --timeout=$(HELM_TIMEOUT); \ - echo "Deployment removed!"; \ + @echo "Cleaning up remaining resources by label..." + @$(KUBECTL_CMD) delete all,pvc,secrets,configmaps,ingress,routes,networkpolicy,pdb,sa,role,rolebinding,job -n $(NAMESPACE) -l "app.kubernetes.io/instance=$(RELEASE_NAME)" --ignore-not-found=true 2>/dev/null || true + @echo "Force cleaning any remaining resources with release name prefix..." + @for resource_type in deployment replicaset pod service configmap secret pvc role rolebinding serviceaccount networkpolicy poddisruptionbudget job cronjob ingress route; do \ + $(KUBECTL_CMD) get $$resource_type -n $(NAMESPACE) -o name 2>/dev/null | grep "$(RELEASE_NAME)" | xargs -r $(KUBECTL_CMD) delete -n $(NAMESPACE) --ignore-not-found=true 2>/dev/null || true; \ + done + @echo "Cleanup completed!" 
+ echo "โœ… Deployment removed from $(NAMESPACE)"; \ else \ echo "Release '$(RELEASE_NAME)' not found in namespace '$(NAMESPACE)'"; \ fi - @echo "Cleaning up remaining resources by label..." - @$(KUBECTL_CMD) delete all,pvc,secrets,configmaps,ingress,routes,networkpolicy,pdb,sa,role,rolebinding,job -n $(NAMESPACE) -l "app.kubernetes.io/instance=$(RELEASE_NAME)" --ignore-not-found=true 2>/dev/null || true - @echo "Force cleaning any remaining resources with release name prefix..." - @for resource_type in deployment replicaset pod service configmap secret pvc role rolebinding serviceaccount networkpolicy poddisruptionbudget job cronjob ingress route; do \ - $(KUBECTL_CMD) get $$resource_type -n $(NAMESPACE) -o name 2>/dev/null | grep "$(RELEASE_NAME)" | xargs -r $(KUBECTL_CMD) delete -n $(NAMESPACE) --ignore-not-found=true 2>/dev/null || true; \ - done - @echo "Cleanup completed!" + +.PHONY: status +status: ## Show deployment status + @echo "๐Ÿ“Š SAST AI Deployment Status" + @echo "============================" + @echo "" + @echo "๐Ÿ” Development Environment ($(DEV_NAMESPACE)):" + @helm status $(RELEASE_NAME)-dev -n $(DEV_NAMESPACE) 2>/dev/null || echo " โŒ Not deployed" + @echo "" + @echo "๐Ÿ” Production Environment ($(PROD_NAMESPACE)):" + @helm status $(RELEASE_NAME)-prod -n $(PROD_NAMESPACE) 2>/dev/null || echo " โŒ Not deployed" .PHONY: wait-pods wait-pods: ## Wait for pods to be ready 
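Review bot: In `_clean`, the commands moved inside the `if helm list … then \` block are written as separate recipe lines (`@echo "Cleaning up remaining resources by label..."` with no trailing `\`, then `@$(KUBECTL_CMD) delete …`), so as rendered here the shell receives an `if` with no `fi` on the first line and the leading `@` on the following lines is handed to the shell instead of being stripped by make; `clean-dev`/`clean-prod` would fail with a syntax error before removing anything. Keep those commands as separate recipe lines after the `fi`, as the old `clean` target did, or join them into the block with `; \` and drop the `@`. This path now also runs against `sast-ai-prod` with no confirmation: the label delete includes `pvc` and `secrets`, and the substring loop `grep "$(RELEASE_NAME)"` deletes anything whose name contains `sast-ai-orchestrator-prod`, which takes the production database volume with it, so `clean-prod` needs a `CONFIRM=yes` guard. The ArgoCD Application removal that `clean` performed is gone while `_deploy` still calls `$(MAKE) argocd`, whose body is outside this hunk and whose only manifest, `deploy/argocd/application.yaml`, is deleted in this same commit.
```makefile
.PHONY: _clean
_clean: ## Internal clean target
	@if [ "$(NAMESPACE)" = "$(PROD_NAMESPACE)" ] && [ "$(CONFIRM)" != "yes" ]; then \
		echo "Refusing to clean $(NAMESPACE): re-run with CONFIRM=yes"; exit 1; \
	fi
	@if helm list -n $(NAMESPACE) | grep -q "^$(RELEASE_NAME)"; then \
		helm uninstall $(RELEASE_NAME) -n $(NAMESPACE) --timeout=$(HELM_TIMEOUT); \
		echo "✅ Deployment removed from $(NAMESPACE)"; \
	else \
		echo "Release '$(RELEASE_NAME)' not found in namespace '$(NAMESPACE)'"; \
	fi
	# … unchanged: label-based and name-substring cleanup, as separate recipe lines after the fi …
```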
@@ -150,10 +180,19 @@ argocd: ## Deploy ArgoCD Application to current namespace .PHONY: help help: ## Show this help message - @echo "SAST AI Deployment Helper" + @echo "SAST AI Deployment Commands" + @echo "============================" + @echo "" + @echo "Environment-specific deployments:" + @echo " deploy-dev Deploy to development environment (sast-ai-dev namespace)" + @echo " deploy-prod Deploy to production environment (sast-ai-prod namespace)" + @echo " upgrade-dev Upgrade development deployment" + @echo " upgrade-prod Upgrade production deployment" + @echo " clean-dev Remove development deployment" + @echo " clean-prod Remove production deployment" @echo "" - @echo " make deploy # Deploy and wait until ready (sast-ai-workflow)" - @echo " make upgrade # Upgrade and wait until ready" - @echo " make clean # Remove deployment" - @echo " make argocd # Deploy ArgoCD Application" + @echo "Utility commands:" + @echo " status Show deployment status for both environments" + @echo " argocd Deploy ArgoCD Application" @echo "" + @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf " %-12s %s\n", $$1, $$2}' $(MAKEFILE_LIST) diff --git a/deploy/argocd/application.yaml b/deploy/argocd/application.yaml deleted file mode 100644 index 80110fd2..00000000 --- a/deploy/argocd/application.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: sast-ai-orchestrator-syncer - namespace: $NAMESPACE - labels: - app.kubernetes.io/name: sast-ai-orchestrator-syncer - app.kubernetes.io/part-of: sast-ai - finalizers: - - resources-finalizer.argocd.argoproj.io/background -spec: - project: default - source: - repoURL: https://github.com/RHEcosystemAppEng/sast-ai-orchestrator - targetRevision: HEAD - path: deploy/sast-ai-chart - helm: - releaseName: sast-ai-orchestrator - valueFiles: - - values.yaml - parameters: - - name: app.env.SAST_AI_WORKFLOW_NAMESPACE - value: $NAMESPACE - destination: - server: https://kubernetes.default.svc - namespace: $NAMESPACE - syncPolicy: - automated: - prune: true - selfHeal: true - allowEmpty: false - syncOptions: - - CreateNamespace=true - - PrunePropagationPolicy=foreground - - PruneLast=true - retry: - limit: 5 - backoff: - duration: 5s - factor: 2 - maxDuration: 3m - revisionHistoryLimit: 10 \ No newline at end of file diff --git a/deploy/sast-ai-chart/values.yaml b/deploy/sast-ai-chart/values.yaml index c6999f52..2d49c241 100644 --- a/deploy/sast-ai-chart/values.yaml +++ b/deploy/sast-ai-chart/values.yaml 
@@ -1,45 +1,26 @@ # Default values for sast-ai. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# This file contains shared configuration used by all environments. +# Environment-specific overrides are in values-dev.yaml and values-prod.yaml. -## Application configuration +## Application configuration (shared) app: name: sast-ai image: repository: quay.io/ecosystem-appeng/sast-ai-orchestrator - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "v1.0.1" - - # Number of replicas - replicas: 1 + # pullPolicy and tag are set in environment-specific files # Container port port: 8080 - # Environment variables + # Environment variables (common to all environments) env: - # Quarkus configuration - QUARKUS_PROFILE: prod - QUARKUS_LOG_LEVEL: INFO - QUARKUS_HIBERNATE_ORM_LOG_SQL: false + # Quarkus configuration (overridden per environment) QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: update QUARKUS_KUBERNETES_CLIENT_TRUST_CERTS: false - # SAST AI specific configuration - SAST_AI_WORKFLOW_NAMESPACE: sast-ai # Google Service Account configuration GOOGLE_SERVICE_ACCOUNT_SECRET_PATH: /etc/secrets/google-service-account-secret/service_account.json - - # Resource limits and requests - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 500m - memory: 512Mi - # Liveness and readiness probes + # Liveness and readiness probes (shared) livenessProbe: httpGet: path: /api/v1/health 
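Review bot: `QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: update` stays in the block now labelled common to all environments, and neither values-dev.yaml nor values-prod.yaml overrides it, so the production service keeps auto-applying Hibernate DDL to the prod database on every startup — exactly the schema-drift and data-loss risk the dev/prod split is meant to separate. Move it into the per-environment files: `update` in values-dev.yaml and `validate` (or `none`, with migrations owned by a migration tool) in values-prod.yaml. The `false` values in this env block (`QUARKUS_KUBERNETES_CLIENT_TRUST_CERTS: false`) are YAML booleans; whether the container-env template quotes them is not visible from this hunk, so confirm it uses `| quote` or write `"false"`.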
@@ -58,22 +39,21 @@ app: timeoutSeconds: 10 failureThreshold: 15 - # Node selector, tolerations, and affinity + # Node selector, tolerations, and affinity (can be overridden) nodeSelector: {} tolerations: [] affinity: {} -## Service configuration +## Service configuration (shared) service: type: ClusterIP port: 80 targetPort: 8080 annotations: {} -## OpenShift Route configuration (instead of Ingress) +## OpenShift Route configuration (base settings) route: enabled: true - host: "" # If empty, OpenShift will generate a hostname path: "/" tls: enabled: true @@ -81,32 +61,17 @@ route: insecureEdgeTerminationPolicy: Redirect annotations: {} -## PostgreSQL configuration +## PostgreSQL configuration (base settings) postgresql: enabled: true - auth: - postgresPassword: "postgres" - username: "quarkus" - password: "quarkus" - database: "sast-ai" # Inherit labels from parent chart for proper cleanup commonLabels: app.kubernetes.io/name: "{{ include \"sast-ai.name\" . }}" app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/version: "{{ .Chart.AppVersion }}" app.kubernetes.io/managed-by: "{{ .Release.Service }}" + # OpenShift compatibility primary: - persistence: - enabled: true - size: 8Gi - storageClass: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi # OpenShift compatibility podSecurityContext: enabled: false @@ -133,7 +98,7 @@ externalDatabase: existingSecret: "" existingSecretPasswordKey: "" -## ServiceAccount configuration +## ServiceAccount configuration (shared) serviceAccount: # Specifies whether a service account should be created create: true @@ -143,7 +108,7 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "sast-ai-orchestrator-sa" -## RBAC configuration - for SAST AI Orchestrator +## RBAC configuration - for SAST AI Orchestrator (shared) rbac: # Specifies whether RBAC resources should be created create: true 
@@ -186,7 +151,7 @@ rbac: resources: ["clustertasks"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -## ConfigMap for application configuration +## ConfigMap for application configuration (shared) configMap: create: true data: @@ -210,23 +175,19 @@ configMap: # Logging configuration quarkus.log.category."org.jboss.logging".level=${QUARKUS_LOG_LEVEL} -## Horizontal Pod Autoscaler +## Horizontal Pod Autoscaler (disabled by default) hpa: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 70 -## Pod Disruption Budget +## Pod Disruption Budget (disabled by default) pdb: enabled: false minAvailable: 1 -## Network Policy - disabled by default for simplicity -networkPolicy: - enabled: false - -## Monitoring and observability +## Monitoring and observability (disabled by default) monitoring: enabled: false serviceMonitor: @@ -234,6 +195,10 @@ monitoring: interval: 30s scrapeTimeout: 10s +## Network Policy - disabled by default for simplicity +networkPolicy: + enabled: false + ## Image pull secrets imagePullSecrets: [] @@ -241,4 +206,4 @@ imagePullSecrets: [] labels: {} ## Additional annotations for all resources -annotations: {} \ No newline at end of file +annotations: {} \ No newline at end of file From 5c31dd06739c3d2f563c3fc8cb606ca02ae44f92 Mon Sep 17 00:00:00 2001 From: Jude Niroshan Date: Thu, 20 Nov 2025 08:20:15 +0100 Subject: [PATCH 2/5] add missing values files Signed-off-by: Jude Niroshan --- deploy/sast-ai-chart/values-dev.yaml | 70 +++++++++++++++++++++++++ deploy/sast-ai-chart/values-prod.yaml | 74 +++++++++++++++++++++++++++ 2 files changed, 144 insertions(+) create mode 100644 deploy/sast-ai-chart/values-dev.yaml create mode 100644 deploy/sast-ai-chart/values-prod.yaml diff --git a/deploy/sast-ai-chart/values-dev.yaml b/deploy/sast-ai-chart/values-dev.yaml new file mode 100644 index 00000000..3b3c4a1e --- /dev/null +++ b/deploy/sast-ai-chart/values-dev.yaml 
@@ -0,0 +1,70 @@
+# Development environment overrides for sast-ai.
+# This file contains only development-specific settings that override values.yaml.
+
+## Application configuration
+app:
+  image:
+    pullPolicy: Always # Always pull latest for dev
+    tag: "latest" # Development uses latest tag (updated by CI/CD)
+
+  # Number of replicas - single replica for dev
+  replicas: 1
+
+  # Environment variables - development specific
+  env:
+    # Quarkus configuration - development settings
+    QUARKUS_PROFILE: dev
+    QUARKUS_LOG_LEVEL: INFO
+    QUARKUS_HIBERNATE_ORM_LOG_SQL: false
+    # SAST AI specific configuration - dev namespace
+    SAST_AI_WORKFLOW_NAMESPACE: sast-ai-dev
+
+  # Resource limits and requests - lower for dev
+  resources:
+    limits:
+      cpu: 500m
+      memory: 512Mi
+    requests:
+      cpu: 250m
+      memory: 256Mi
+
+## OpenShift Route configuration - dev specific
+route:
+  host: "sast-ai-dev" # Dev-specific hostname prefix
+  annotations:
+    haproxy.router.openshift.io/timeout: 60s
+
+## PostgreSQL configuration - smaller resources for dev
+postgresql:
+  auth:
+    postgresPassword: "postgres-dev"
+    username: "quarkus"
+    password: "quarkus-dev"
+    database: "sast-ai-dev"
+  primary:
+    persistence:
+      enabled: true
+      size: 4Gi # Smaller storage for dev
+    resources:
+      limits:
+        cpu: 250m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+
+## Horizontal Pod Autoscaler - disabled for dev
+hpa:
+  enabled: false
+
+## Pod Disruption Budget - disabled for dev
+pdb:
+  enabled: false
+
+## Monitoring - enabled for dev testing
+monitoring:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    interval: 30s
+    scrapeTimeout: 10s
\ No newline at end of file
diff --git a/deploy/sast-ai-chart/values-prod.yaml b/deploy/sast-ai-chart/values-prod.yaml
new file mode 100644
index 00000000..c322d0b4
--- /dev/null
+++ b/deploy/sast-ai-chart/values-prod.yaml
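Review bot: `postgresql.auth.postgresPassword: "postgres-dev"` and `password: "quarkus-dev"` are committed in clear text, and the same file structure is used for production, so the pattern will be copied; if this repository is public these are live credentials for a database reachable from anything inside the cluster. Replace the literals with a reference to a pre-created Secret — the Bitnami subchart reads `postgresql.auth.existingSecret` (confirm key names against the vendored chart version) — and keep the values out of git. Separately, `tag: "latest"` with `pullPolicy: Always` means every pod reschedule may pull a different build; that is tolerable for dev only while the dev workflow also pushes an immutable per-commit tag to fall back on, which the first commit of this series removes.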
@@ -0,0 +1,74 @@
+# Production environment overrides for sast-ai.
+# This file contains only production-specific settings that override values.yaml.
+
+## Application configuration
+app:
+  image:
+    pullPolicy: Always
+    tag: "v1.0.1" # Production uses release tags (updated by CI/CD)
+
+  # Number of replicas - multiple for HA
+  replicas: 2
+
+  # Environment variables - production specific
+  env:
+    # Quarkus configuration - production settings
+    QUARKUS_PROFILE: prod
+    QUARKUS_LOG_LEVEL: INFO
+    QUARKUS_HIBERNATE_ORM_LOG_SQL: false
+    # SAST AI specific configuration - prod namespace
+    SAST_AI_WORKFLOW_NAMESPACE: sast-ai-prod
+
+  # Resource limits and requests - production sizing
+  resources:
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+    requests:
+      cpu: 1000m
+      memory: 1Gi
+
+## OpenShift Route configuration - production specific
+route:
+  host: "sast-ai" # Production hostname
+  annotations:
+    haproxy.router.openshift.io/timeout: 300s
+
+## PostgreSQL configuration - production sizing
+postgresql:
+  auth:
+    postgresPassword: "postgres-prod-secure"
+    username: "quarkus"
+    password: "quarkus-prod-secure"
+    database: "sast-ai-prod"
+  primary:
+    persistence:
+      enabled: true
+      size: 20Gi # Larger storage for prod
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+      requests:
+        cpu: 500m
+        memory: 512Mi
+
+## Horizontal Pod Autoscaler - enabled for prod
+hpa:
+  enabled: true
+  minReplicas: 2
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 70
+
+## Pod Disruption Budget - enabled for prod
+pdb:
+  enabled: true
+  minAvailable: 1
+
+## Monitoring - enabled for prod
+monitoring:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    interval: 15s
+    scrapeTimeout: 10s
\ No newline at end of file
From ccffa4dcd709706e2ed50e4b3f1051b1fea982e2 Mon Sep 17 00:00:00 2001
From: Jude Niroshan
Date: Fri, 21 Nov 2025 14:07:30 +0100
Subject: [PATCH 3/5] document route access

Signed-off-by: Jude Niroshan
---
 README.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
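Review bot: Production database credentials are committed in clear text — `postgresPassword: "postgres-prod-secure"` and `password: "quarkus-prod-secure"` — and, once the chart renders them, anyone with read access to the repository, to the release's stored values (`helm get values`) or to the ArgoCD UI can recover them. Use the subchart's `auth.existingSecret` (confirm the key names against the vendored Bitnami version) backed by a Secret created out of band or by an external-secrets operator, and rotate the values that are already in git history. Two smaller points: `replicas: 2` together with `hpa.enabled: true` makes every `helm upgrade` reset the Deployment's replica count underneath the HPA, so drop `replicas` or have the template omit it when the HPA is on; and the shared `QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: update` from values.yaml is not overridden here, so production still auto-migrates its schema on startup where `validate` would be the safer override.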
diff --git a/README.md b/README.md index a4aa5432..270253f6 100644 --- a/README.md +++ b/README.md @@ -435,16 +435,17 @@ docker run -p 8080:8080 quay.io/ecosystem-appeng/sast-ai-orchestrator:v1.0.1 ### Environment-Specific Access -After deployment, access the applications: +After deployment, access the applications via OpenShift routes: ```bash -# Development -kubectl port-forward svc/sast-ai-orchestrator-dev 8080:80 -n sast-ai-dev -curl http://localhost:8080/api/v1/health +# Get the route URL for production +kubectl get route sast-ai-orchestrator-prod -n sast-ai-prod -# Production -kubectl port-forward svc/sast-ai-orchestrator-prod 8080:80 -n sast-ai-prod -curl http://localhost:8080/api/v1/health +# Get the route URL for development +kubectl get route sast-ai-orchestrator-dev -n sast-ai-dev + +# Access the API directly via route +curl https:///api/v1/health ``` ## Configuration From cbb84848da8efc04602f7a9ffe6484e26b12d752 Mon Sep 17 00:00:00 2001 From: Jude Niroshan Date: Fri, 21 Nov 2025 14:10:19 +0100 Subject: [PATCH 4/5] add new argocd yaml files Signed-off-by: Jude Niroshan --- deploy/argocd/application-dev.yaml | 44 +++++++++++++++++++++++++++++ deploy/argocd/application-prod.yaml | 44 +++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 deploy/argocd/application-dev.yaml create mode 100644 deploy/argocd/application-prod.yaml diff --git a/deploy/argocd/application-dev.yaml b/deploy/argocd/application-dev.yaml new file mode 100644 index 00000000..8d54d2e0 --- /dev/null +++ b/deploy/argocd/application-dev.yaml 
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sast-ai-orchestrator-dev
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: sast-ai-orchestrator-dev
+    app.kubernetes.io/part-of: sast-ai
+    environment: development
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/RHEcosystemAppEng/sast-ai-orchestrator
+    targetRevision: HEAD
+    path: deploy/sast-ai-chart
+    helm:
+      releaseName: sast-ai-orchestrator-dev
+      valueFiles:
+        - values.yaml
+        - values-dev.yaml
+      parameters:
+        - name: app.env.SAST_AI_WORKFLOW_NAMESPACE
+          value: sast-ai-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: sast-ai-dev
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10
diff --git a/deploy/argocd/application-prod.yaml b/deploy/argocd/application-prod.yaml
new file mode 100644
index 00000000..c2b39082
--- /dev/null
+++ b/deploy/argocd/application-prod.yaml
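Review bot: With `selfHeal: true` and `prune: true` this Application takes ownership of release `sast-ai-orchestrator-dev` in `sast-ai-dev`, the same release name and namespace that `make deploy-dev`/`upgrade-dev`/`clean-dev` drive with imperative `helm` commands; once both are active, `clean-dev` is undone by self-heal within minutes and any `--set` from the Makefile is reverted to what `values-dev.yaml` says. Pick one owner per environment and document it — when ArgoCD is present the Makefile should only `kubectl apply -f deploy/argocd/application-dev.yaml` rather than also running `helm install`. `project: default` and `namespace: argocd` deserve a comment as well: the default AppProject permits any source repository and any destination, and OpenShift GitOps installs ArgoCD into `openshift-gitops` by default, so this manifest would need editing on such clusters.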
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sast-ai-orchestrator-prod
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: sast-ai-orchestrator-prod
+    app.kubernetes.io/part-of: sast-ai
+    environment: production
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/RHEcosystemAppEng/sast-ai-orchestrator
+    targetRevision: HEAD
+    path: deploy/sast-ai-chart
+    helm:
+      releaseName: sast-ai-orchestrator-prod
+      valueFiles:
+        - values.yaml
+        - values-prod.yaml
+      parameters:
+        - name: app.env.SAST_AI_WORKFLOW_NAMESPACE
+          value: sast-ai-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: sast-ai-prod
+  syncPolicy:
+    automated:
+      prune: false # Manual sync for production
+      selfHeal: false
+      allowEmpty: false
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+    retry:
+      limit: 3
+      backoff:
+        duration: 10s
+        factor: 2
+        maxDuration: 5m
+  revisionHistoryLimit: 10
From c779397e7d7d5680fa21b47199ae8991661362ee Mon Sep 17 00:00:00 2001
From: Jude Niroshan
Date: Mon, 24 Nov 2025 10:11:41 +0100
Subject: [PATCH 5/5] increase dev resource quota limits

Signed-off-by: Jude Niroshan
---
 deploy/sast-ai-chart/values-dev.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/sast-ai-chart/values-dev.yaml b/deploy/sast-ai-chart/values-dev.yaml
index 3b3c4a1e..eb3970fe 100644
--- a/deploy/sast-ai-chart/values-dev.yaml
+++ b/deploy/sast-ai-chart/values-dev.yaml
@@ -22,8 +22,8 @@ app:
   # Resource limits and requests - lower for dev
   resources:
     limits:
-      cpu: 500m
-      memory: 512Mi
+      cpu: 1000m
+      memory: 1Gi
     requests:
       cpu: 250m
       memory: 256Mi
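Review bot: The comment `prune: false # Manual sync for production` does not match what the manifest does: the presence of any `syncPolicy.automated` block, even with `prune` and `selfHeal` set to false, makes ArgoCD apply every new commit on `targetRevision: HEAD` automatically — `prune: false` only stops it from deleting resources. For a genuinely manual production sync, remove the `automated:` block entirely and keep `syncOptions` and `retry`. Tracking `HEAD` of the default branch also means the release workflow's own version-bump push, and any other merge to main, lands in production with no human gate; pinning `targetRevision` to a release tag or a protected `production` branch, and using a dedicated AppProject whose `destinations` is limited to `sast-ai-prod` instead of `project: default`, would give the production path the approval step the dev path deliberately skips.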