DEV Community: David Nwosu The latest articles on DEV Community by David Nwosu (@daviesbrown). https://dev.to/daviesbrown https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2691815%2Fd1a369ff-8f58-4965-a138-a4256af036f7.jpeg DEV Community: David Nwosu https://dev.to/daviesbrown en Bridging the Gap: Converting ASCII Diagrams to Professional Images for AI-Driven Documentation David Nwosu Mon, 05 Jan 2026 21:55:00 +0000 https://dev.to/daviesbrown/bridging-the-gap-converting-ascii-diagrams-to-professional-images-for-ai-driven-documentation-cf7 https://dev.to/daviesbrown/bridging-the-gap-converting-ascii-diagrams-to-professional-images-for-ai-driven-documentation-cf7 <p>As artificial intelligence tools become increasingly integrated into our creative workflows, a peculiar challenge has emerged: the disconnect between AI-generated text-based diagrams and the image formats required for professional documentation.</p> <h2> The Challenge </h2> <p>Modern AI assistants like ChatGPT, Claude, and GitHub Copilot excel at generating ASCII art, flowcharts, and text-based diagrams in markdown format. These tools can quickly produce complex visualizations using characters and symbols—perfect for code documentation, technical specifications, and research papers. However, these markdown diagrams often fail to render properly in Word documents, PowerPoint presentations, or PDF submissions. What looks perfectly aligned in a code editor becomes distorted in traditional document formats.</p> <p>For researchers, technical writers, and developers working with AI-generated content, manually recreating these diagrams in traditional design tools wastes valuable time and introduces potential errors.</p> <h2> A Simple Solution </h2> <p>I developed a single-file web application that converts ASCII art and markdown diagrams directly into high-quality JPG images. The tool requires no installation, no server, and no external dependencies—just open the HTML file in any browser. You can try it out <a href="https://daviesbrown.github.io/asciii-art-to-jpg/" rel="noopener noreferrer">here</a></p> <h2> Key Features for Professional Use </h2> <p>The converter offers granular control over output quality: adjustable font sizes, customizable colors, configurable padding, and JPG quality settings ranging from standard to maximum compression. Live preview functionality ensures the output matches expectations before export. The monospace font options preserve the precise character alignment essential to ASCII diagrams.</p> <h2> Real-World Applications </h2> <p>Academic researchers can convert methodology flowcharts generated by AI assistants into submission-ready figures. Software developers can transform architecture diagrams from code comments into documentation images. Technical writers can standardize AI-generated process flows across multiple document formats. Students preparing thesis presentations can convert text-based models into professional slide graphics.</p> <h2> The Broader Impact </h2> <p>This tool represents a larger trend: creating bridges between AI-native content formats and traditional publishing requirements. As generative AI becomes more prevalent in creative and technical work, we need more solutions that seamlessly translate between these ecosystems.</p> <p>The ASCII-to-image converter is open-source and freely available. It demonstrates that sometimes the most effective tools are the simplest ones—solving a specific pain point without unnecessary complexity.</p> <h2> Looking Forward </h2> <p>As AI assistants evolve, the content they generate will increasingly need to integrate with established workflows and formats. Tools that facilitate this integration, no matter how specialized, will become essential components of modern creative and technical pipelines.</p> <p>For anyone working at the intersection of AI-generated content and traditional documentation, I invite you to try the converter and share your feedback. The goal is simple: make AI-assisted creativity more accessible and professional.</p> <p>What challenges have you encountered when working with AI-generated content in professional contexts? I'd be interested to hear about other format conversion needs in the AI creative space.</p> asciitojpg Part 10: Scaling, Failure & Operating Like a Real Company David Nwosu Wed, 31 Dec 2025 01:25:12 +0000 https://dev.to/daviesbrown/part-10-scaling-failure-operating-like-a-real-company-2h3e https://dev.to/daviesbrown/part-10-scaling-failure-operating-like-a-real-company-2h3e <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 20 minutes<br><br> <strong>Level:</strong> Intermediate to Advanced</p> <h2> The Journey So Far </h2> <p>We've come a long way:</p> <p><strong>Part 1:</strong> Deployed manually (SSH + npm start)<br><br> <strong>Part 2:</strong> Added process management (PM2)<br><br> <strong>Part 3:</strong> Containerized with Docker<br><br> <strong>Part 4:</strong> Orchestrated locally (Docker Compose)<br><br> <strong>Part 5:</strong> Broke things to feel the pain<br><br> <strong>Part 6:</strong> Moved to Kubernetes<br><br> <strong>Part 7:</strong> Automated infrastructure (Terraform)<br><br> <strong>Part 8:</strong> Packaged apps (Helm)<br><br> <strong>Part 9:</strong> Automated deployments (Argo CD)</p> <p><strong>Now what? You're still not done.</strong></p> <p>Your CTO walks over:</p> <blockquote> <p>"Great! Now make it handle 10x traffic, cost 50% less, survive disasters, and keep hackers out."</p> </blockquote> <p><strong>This is Part 10. Production reality.</strong></p> <h2> Scaling: Handling Real Load </h2> <h3> Horizontal Pod Autoscaling (HPA) </h3> <p><strong>Problem:</strong> Traffic spikes at 9 AM. 3 API pods can't handle it. Users see 500 errors.</p> <p><strong>Solution:</strong> Auto-scale based on CPU/memory usage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/hpa.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-hpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">20</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">70</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">memory</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">80</span> <span class="na">behavior</span><span class="pi">:</span> <span class="na">scaleUp</span><span class="pi">:</span> <span class="na">stabilizationWindowSeconds</span><span class="pi">:</span> <span class="m">60</span> <span class="na">policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Percent</span> <span class="na">value</span><span class="pi">:</span> <span class="m">50</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">60</span> <span class="na">scaleDown</span><span class="pi">:</span> <span class="na">stabilizationWindowSeconds</span><span class="pi">:</span> <span class="m">300</span> <span class="na">policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Pods</span> <span class="na">value</span><span class="pi">:</span> <span class="m">1</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">60</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Starts with 3 replicas</li> <li>Scales up when CPU &gt; 70% or memory &gt; 80%</li> <li>Max 20 replicas (prevents runaway costs)</li> <li>Scale up gradually (50% every 60s)</li> <li>Scale down slowly (1 pod every 60s, wait 5 min before scaling down)</li> </ul> <p><strong>Apply:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/hpa.yaml </code></pre> </div> <p><strong>Watch it work:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate load</span> kubectl run <span class="nt">-it</span> <span class="nt">--rm</span> load-generator <span class="nt">--image</span><span class="o">=</span>busybox /bin/sh <span class="c"># Inside pod:</span> <span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>wget <span class="nt">-q</span> <span class="nt">-O-</span> http://api-service:3000/api/v1/health<span class="p">;</span> <span class="k">done</span> <span class="c"># Watch scaling</span> kubectl get hpa <span class="nt">-w</span> </code></pre> </div> <h3> Queue-Based Worker Scaling </h3> <p><strong>Problem:</strong> 10,000 events arrive in 1 minute. Worker can't keep up.</p> <p><strong>Solution:</strong> Scale workers based on queue length.</p> <p>Use <strong>KEDA</strong> (Kubernetes Event-Driven Autoscaling):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">keda.sh/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ScaledObject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">worker-scaler</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">minReplicaCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicaCount</span><span class="pi">:</span> <span class="m">50</span> <span class="na">triggers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">redis:6379</span> <span class="na">listName</span><span class="pi">:</span> <span class="s">signal-processing-queue</span> <span class="na">listLength</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10"</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Scales workers when queue has &gt;10 items</li> <li>1 worker per 10 jobs</li> <li>Max 50 workers</li> </ul> <h2> Observability: Know What's Happening </h2> <h3> Structured Logging </h3> <p><strong>Bad logging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Event received</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> </code></pre> </div> <p><strong>Good logging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">logger</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./logger</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Event received</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">accountId</span><span class="p">,</span> <span class="na">eventType</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">eventType</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connection failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">stack</span><span class="p">,</span> <span class="na">retries</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>Why?</strong> You can search, filter, and aggregate structured logs.</p> <h3> Health Checks </h3> <p><strong>Liveness probe:</strong> Is the container alive?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <p><strong>Readiness probe:</strong> Should we send traffic?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p><strong>Implement health endpoints:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// services/api/src/health.controller.ts</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">liveness</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Basic check: is the server running?</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">};</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health/ready</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">readiness</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Deep check: can we serve traffic?</span> <span class="kd">const</span> <span class="nx">checks</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="k">this</span><span class="p">.</span><span class="nf">checkDatabase</span><span class="p">(),</span> <span class="k">this</span><span class="p">.</span><span class="nf">checkRedis</span><span class="p">(),</span> <span class="k">this</span><span class="p">.</span><span class="nf">checkElasticsearch</span><span class="p">(),</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">allHealthy</span> <span class="o">=</span> <span class="nx">checks</span><span class="p">.</span><span class="nf">every</span><span class="p">(</span><span class="nx">c</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="nx">healthy</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">status</span> <span class="o">=</span> <span class="nx">allHealthy</span> <span class="p">?</span> <span class="mi">200</span> <span class="p">:</span> <span class="mi">503</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">allHealthy</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">ready</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">not ready</span><span class="dl">'</span><span class="p">,</span> <span class="nx">checks</span> <span class="p">};</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">checkDatabase</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT 1</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">database</span><span class="dl">'</span><span class="p">,</span> <span class="na">healthy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">database</span><span class="dl">'</span><span class="p">,</span> <span class="na">healthy</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Metrics with Prometheus </h3> <p>Expose metrics endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// services/api/src/metrics.controller.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Counter</span><span class="p">,</span> <span class="nx">Histogram</span><span class="p">,</span> <span class="nx">register</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">prom-client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">httpRequestsTotal</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Counter</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http_requests_total</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Total HTTP requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">httpRequestDuration</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Histogram</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http_request_duration_seconds</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HTTP request duration</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">],</span> <span class="na">buckets</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">5</span><span class="p">],</span> <span class="p">});</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/metrics</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">metrics</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">register</span><span class="p">.</span><span class="nf">metrics</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Middleware to track metrics</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">metricsMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">duration</span> <span class="o">=</span> <span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">start</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">;</span> <span class="nx">httpRequestsTotal</span><span class="p">.</span><span class="nf">inc</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">route</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">route</span><span class="p">?.</span><span class="nx">path</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span> <span class="p">});</span> <span class="nx">httpRequestDuration</span><span class="p">.</span><span class="nf">observe</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">route</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">route</span><span class="p">?.</span><span class="nx">path</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">duration</span><span class="p">);</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Security: Defense in Depth </h2> <h3> RBAC (Role-Based Access Control) </h3> <p><strong>Don't give everyone cluster-admin.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/rbac.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer-role</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pods/log"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">apps"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">deployments"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer-binding</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">User</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer@company.com</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <p><strong>Principle:</strong> Give minimum permissions needed. Developers can read logs, not delete production.</p> <h3> Network Policies </h3> <p><strong>Don't let every pod talk to every pod.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-policy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> </code></pre> </div> <p><strong>Result:</strong> Only API and Worker can connect to PostgreSQL. Random pods can't steal data.</p> <h3> Secrets Management </h3> <p><strong>Don't hardcode passwords.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s">postgresql://user:password@postgres:5432/sspp</span> </code></pre> </div> <p><strong>Use in pods:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> </code></pre> </div> <p><strong>Better:</strong> Use external secrets management (AWS Secrets Manager, HashiCorp Vault, Sealed Secrets).</p> <h3> Image Security </h3> <p><strong>Don't run as root.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> nodejs <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> nodejs <span class="nt">-u</span> 1001 <span class="c"># Set ownership</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --chown=nodejs:nodejs package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="k">COPY</span><span class="s"> --chown=nodejs:nodejs . .</span> <span class="c"># Run as non-root</span> <span class="k">USER</span><span class="s"> nodejs</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "dist/main.js"]</span> </code></pre> </div> <p><strong>Scan images:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use Trivy to scan for vulnerabilities</span> trivy image davidbrown77/sspp-api:latest </code></pre> </div> <h2> Cost Optimization </h2> <h3> Right-Size Resources </h3> <p><strong>Don't over-provision.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="c1"># Minimum needed</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000m"</span> <span class="c1"># Maximum allowed</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> </code></pre> </div> <p><strong>How to find right size:</strong></p> <ol> <li>Monitor actual usage with Prometheus</li> <li>Set requests to P95 usage</li> <li>Set limits to P99 + 20% buffer</li> </ol> <h3> Use Spot Instances </h3> <p><strong>For non-critical workloads:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/main.tf</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"sspp"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="nx">pool</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"g6-standard-4"</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">3</span> <span class="c1"># Use spot instances for worker pool</span> <span class="p">}</span> <span class="nx">pool</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"g6-standard-2"</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">5</span> <span class="c1"># Spot instances for batch jobs</span> <span class="c1"># 60-80% cheaper than on-demand</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Autoscale Down </h3> <p><strong>Don't run empty clusters overnight.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Scale down non-prod environments at night</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-hpa-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Scale to zero outside business hours</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>Use <strong>Karpenter</strong> or <strong>cluster-autoscaler</strong> to remove unused nodes.</p> <h2> Disaster Recovery </h2> <h3> Database Backups </h3> <p><strong>Automate backups with CronJob:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronJob</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-backup</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="c1"># 2 AM daily</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backup</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/bash</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">pg_dump $DATABASE_URL | gzip &gt; /backups/backup-$(date +%Y%m%d-%H%M%S).sql.gz</span> <span class="s"># Upload to S3/Object Storage</span> <span class="s">aws s3 cp /backups/backup-$(date +%Y%m%d-%H%M%S).sql.gz s3://sspp-backups/</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">OnFailure</span> </code></pre> </div> <p><strong>Test restores regularly:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Every quarter, restore backup to test environment</span> pg_restore <span class="nt">-d</span> sspp_test &lt; backup-20251222.sql.gz </code></pre> </div> <h3> GitOps Disaster Recovery </h3> <p><strong>Why GitOps helps:</strong></p> <p>Your entire cluster state is in Git. If cluster is destroyed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Recreate cluster with Terraform</span> <span class="nb">cd </span>infrastructure/terraform terraform apply <span class="c"># ArgoCD syncs everything from Git</span> kubectl create namespace argocd kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml argocd app create sspp <span class="nt">--repo</span> https://github.com/daviesbrown/sspp <span class="nt">--path</span> infrastructure/k8s <span class="nt">--dest-server</span> https://kubernetes.default.svc <span class="nt">--dest-namespace</span> sspp-prod argocd app <span class="nb">sync </span>sspp </code></pre> </div> <p><strong>Recovery time:</strong> 15-20 minutes (mostly waiting for Terraform/ArgoCD).</p> <h2> Alerts: Know Before Users Do </h2> <h3> Prometheus AlertManager </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/alerts.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PrometheusRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-alerts</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighErrorRate</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">rate(http_requests_total{status=~"5.."}[5m]) &gt; </span><span class="m">0.05</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">rate</span><span class="nv"> </span><span class="s">detected"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">}}%</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">requests</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">failing"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighMemoryUsage</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">container_memory_usage_bytes / container_spec_memory_limit_bytes &gt; </span><span class="m">0.9</span> <span class="na">for</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Container</span><span class="nv"> </span><span class="s">using</span><span class="nv"> </span><span class="s">&gt;90%</span><span class="nv"> </span><span class="s">memory"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">PodCrashLooping</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">rate(kube_pod_container_status_restarts_total[15m]) &gt; </span><span class="m">0</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Pod</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">crash</span><span class="nv"> </span><span class="s">looping"</span> </code></pre> </div> <p><strong>Send to Slack/PagerDuty:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">alertmanager-config</span> <span class="na">data</span><span class="pi">:</span> <span class="na">alertmanager.yml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">route:</span> <span class="s">receiver: 'slack'</span> <span class="s">receivers:</span> <span class="s">- name: 'slack'</span> <span class="s">slack_configs:</span> <span class="s">- api_url: 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL'</span> <span class="s">channel: '#alerts'</span> <span class="s">title: '{{ .GroupLabels.alertname }}'</span> <span class="s">text: '{{ range .Alerts }}{{ .Annotations.description }}{{ end }}'</span> </code></pre> </div> <h2> When NOT to Scale </h2> <p><strong>Scaling is not always the answer.</strong></p> <h3> Optimize First </h3> <p><strong>Before adding 10 more API pods:</strong></p> <ol> <li> <strong>Profile the code</strong> - Is there an N+1 query?</li> <li> <strong>Add caching</strong> - Redis for hot data</li> <li> <strong>Optimize queries</strong> - Add indexes</li> <li> <strong>Use CDN</strong> - Offload static assets</li> </ol> <p><strong>Real example:</strong> Company spent $50k/month on compute. Fixed one database query. Cost dropped to $15k/month.</p> <h3> Know Your Limits </h3> <p><strong>Your database doesn't scale horizontally easily.</strong></p> <ul> <li>Postgres has connection limits (~100-300)</li> <li>Redis is single-threaded</li> <li>Elasticsearch needs careful tuning</li> </ul> <p><strong>Solution:</strong> Connection pooling, read replicas, sharding (when necessary).</p> <h2> DevOps is Decision-Making Under Uncertainty </h2> <p><strong>You've learned the tools:</strong></p> <ul> <li>✅ Docker, Kubernetes, Terraform, Helm, Argo CD</li> <li>✅ Monitoring, logging, alerting</li> <li>✅ Security, scaling, cost optimization</li> </ul> <p><strong>But tools don't make decisions. You do.</strong></p> <p><strong>Production questions you'll face:</strong></p> <ul> <li>Should we scale now or optimize code first?</li> <li>Is 99.9% uptime enough, or do we need 99.99%?</li> <li>Do we need multi-region, or is one region acceptable?</li> <li>Should we use managed PostgreSQL or run our own?</li> <li>Is this alert worth waking someone up at 3 AM?</li> </ul> <p><strong>There are no perfect answers.</strong> Only tradeoffs.</p> <p><strong>Your job:</strong> Make informed tradeoffs based on:</p> <ul> <li>Business requirements</li> <li>Team size</li> <li>Budget constraints</li> <li>Risk tolerance</li> </ul> <h2> The Complete Architecture </h2> <p><strong>What we built:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ USER REQUEST │ └────────────────────┬────────────────────────────────────┘ │ ▼ ┌──────────────┐ │ Load Balancer│ (Linode NodeBalancer) │ (HTTPS) │ └──────┬───────┘ │ ┌──────────────┼──────────────┐ │ │ │ ▼ ▼ ▼ ┌────────┐ ┌────────┐ ┌────────┐ │ API Pod│ │ API Pod│ │ API Pod│ (Horizontal Pod Autoscaler) └────┬───┘ └────┬───┘ └────┬───┘ │ │ │ └──────────┬──┴─────────────┘ │ ┌────────┴────────┐ │ │ ▼ ▼ ┌─────────┐ ┌─────────┐ │ Redis │ │Postgres │ (StatefulSet) │ (Queue) │ │ (DB) │ └────┬────┘ └─────────┘ │ ▼ ┌──────────┐ │ Worker │ (KEDA Autoscaler) │ Pods │ └────┬─────┘ │ ├──────────────┬───────────────┐ ▼ ▼ ▼ ┌─────────┐ ┌──────────┐ ┌──────────────┐ │Postgres │ │ Redis │ │Elasticsearch │ └─────────┘ └──────────┘ └──────────────┘ ──────────────────────────────────────────────────────── OBSERVABILITY &amp; CONTROL ──────────────────────────────────────────────────────── ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ Prometheus │ │ Grafana │ │ Argo CD │ │ (Metrics) │ │ (Dashboards) │ │ (GitOps) │ └──────────────┘ └──────────────┘ └──────────────┘ ──────────────────────────────────────────────────────── INFRASTRUCTURE LAYER ──────────────────────────────────────────────────────── ┌──────────────────────────────────────────────────────┐ │ Kubernetes Cluster (Linode LKE) │ │ • 3-10 nodes (autoscaling) │ │ • Multiple availability zones │ │ • Managed control plane │ └──────────────────────────────────────────────────────┘ │ ▼ ┌────────────────┐ │ Terraform │ (Infrastructure as Code) └────────────────┘ </code></pre> </div> <h2> The Journey Recap </h2> <p><strong>Part 1:</strong> Started with SSH and <code>npm start</code> (pain: everything dies)<br><br> <strong>Part 2:</strong> Added PM2 (pain: still manual, environment drift)<br><br> <strong>Part 3:</strong> Containerized with Docker (pain: local only)<br><br> <strong>Part 4:</strong> Local orchestration with Docker Compose (pain: no auto-recovery)<br><br> <strong>Part 5:</strong> Broke things intentionally (pain: realized we need orchestration)<br><br> <strong>Part 6:</strong> Kubernetes fundamentals (pain: too much YAML, manual clicks)<br><br> <strong>Part 7:</strong> Terraform for infrastructure (pain: still manual deploys)<br><br> <strong>Part 8:</strong> Helm for packaging (pain: no auto-sync)<br><br> <strong>Part 9:</strong> Argo CD for GitOps (pain: no visibility, security, cost control)<br><br> <strong>Part 10:</strong> Production hardening (scaling, observability, security, cost)</p> <p><strong>You're now running production SaaS infrastructure.</strong></p> <h2> Try It Yourself </h2> <p><strong>Complete production checklist:</strong></p> <ul> <li>[ ] Horizontal Pod Autoscaling configured</li> <li>[ ] Resource limits on all containers</li> <li>[ ] Health checks (liveness + readiness)</li> <li>[ ] Structured logging with Winston</li> <li>[ ] Metrics endpoint exposed</li> <li>[ ] Prometheus + Grafana dashboards</li> <li>[ ] Alerts configured (Slack/PagerDuty)</li> <li>[ ] RBAC roles defined</li> <li>[ ] Network policies applied</li> <li>[ ] Secrets externalized</li> <li>[ ] Database backups automated</li> <li>[ ] Disaster recovery tested</li> <li>[ ] Cost monitoring enabled</li> <li>[ ] Security scanning in CI/CD</li> <li>[ ] Documentation up to date</li> </ul> <p><strong>If you can check all boxes, you're production-ready.</strong></p> <h2> What's Next? </h2> <p><strong>You've completed the journey.</strong> You now understand:</p> <ul> <li>Why tools exist (not just how to use them)</li> <li>How to think about tradeoffs</li> <li>What "production-ready" really means</li> <li>How to operate, not just deploy</li> </ul> <p><strong>Where to go from here:</strong></p> <ol> <li> <strong>Multi-region deployments</strong> - Latency, disaster recovery</li> <li> <strong>Service mesh</strong> - Istio, Linkerd for advanced networking</li> <li> <strong>Chaos engineering</strong> - Intentional failure testing</li> <li> <strong>FinOps</strong> - Advanced cost optimization</li> <li> <strong>Compliance</strong> - SOC 2, HIPAA, GDPR for SaaS</li> </ol> <p><strong>But you have the foundation.</strong> Everything else builds on what you've learned.</p> <h2> Final Thoughts </h2> <p><strong>DevOps is not about tools. It's about:</strong></p> <ul> <li><strong>Understanding problems before solutions</strong></li> <li><strong>Making systems reliable, not perfect</strong></li> <li><strong>Balancing speed, cost, and safety</strong></li> <li> <strong>Operating with empathy</strong> (for users, teammates, on-call engineers)</li> </ul> <p><strong>You started with SSH and <code>npm start</code>.</strong><br><br> <strong>You ended with GitOps-powered Kubernetes.</strong></p> <p><strong>That's production DevOps.</strong></p> <h2> <strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-9-gitops-with-argo-cd-when-git-deploys-your-app-1pcn">Part 9: GitOps with Argo CD</a> </h2> <p><strong>About the Author</strong></p> <p>I built this 10-part series to demonstrate real DevOps thinking for my Proton.ai application. Every tool was introduced only after experiencing the pain it solves.</p> <p><strong>This is how production SaaS is built.</strong></p> <p>If you're hiring for DevOps/Platform roles and want someone who understands infrastructure (not just follows tutorials), let's talk.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> <li>Portfolio: <a href="https://github.com/daviesbrown/sspp" rel="noopener noreferrer">github.com/daviesbrown/sspp</a> </li> </ul> <p><strong>Thank you for reading.</strong></p> <p>If this series helped you, please:</p> <ul> <li>⭐ Star the <a href="https://github.com/daviesbrown/sspp" rel="noopener noreferrer">GitHub repository</a> </li> <li>Share with others learning DevOps</li> <li>Open issues with questions or feedback</li> <li>Consider hiring me if you need this expertise on your team</li> </ul> <p><strong>From manual deployment to production-grade GitOps.</strong> You made it. 🚀</p> kubernetes prometheus argocd devops Part 9: GitOps with Argo CD - When Git Deploys Your App David Nwosu Wed, 31 Dec 2025 01:21:45 +0000 https://dev.to/daviesbrown/part-9-gitops-with-argo-cd-when-git-deploys-your-app-1pcn https://dev.to/daviesbrown/part-9-gitops-with-argo-cd-when-git-deploys-your-app-1pcn <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 18 minutes<br><br> <strong>Level:</strong> Intermediate</p> <h2> The kubectl Apply Problem </h2> <p>Your Kubernetes cluster is running. You update an API deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vim infrastructure/k8s/api.yaml <span class="c"># Change replicas from 3 to 5</span> kubectl apply <span class="nt">-f</span> infrastructure/k8s/api.yaml </code></pre> </div> <p><strong>Two weeks later, a teammate asks:</strong></p> <blockquote> <p>"Hey, why do we have 5 API replicas?"</p> </blockquote> <p><strong>You:</strong> "I changed it two weeks ago."</p> <blockquote> <p>"Where's the change tracked?"</p> </blockquote> <p><strong>You:</strong> "Uh... it's not. I ran kubectl apply locally."</p> <blockquote> <p>"What if we need to rollback?"</p> </blockquote> <p><strong>You:</strong> "I'd have to... remember what it was before?"</p> <p><strong>The problems with manual kubectl apply:</strong></p> <ol> <li>❌ <strong>No audit trail</strong> - Who changed what, when, why?</li> <li>❌ <strong>Configuration drift</strong> - Git says 3 replicas, cluster has 5</li> <li>❌ <strong>No rollback</strong> - Can't revert to previous state</li> <li>❌ <strong>Manual sync</strong> - Someone must run kubectl apply</li> <li>❌ <strong>No approval process</strong> - Anyone with kubectl access can change anything</li> <li>❌ <strong>Hard to debug</strong> - What's the desired state? What's actual state?</li> </ol> <p><strong>What you want:</strong></p> <blockquote> <p>"Git repository is the single source of truth. If it's in Git, it's deployed. If it's not in Git, it shouldn't exist."</p> </blockquote> <p><strong>This is GitOps.</strong></p> <h2> What is GitOps? </h2> <p><strong>GitOps:</strong> Using Git as the single source of truth for declarative infrastructure and applications.</p> <p><strong>Core principles:</strong></p> <ol> <li> <strong>Declarative</strong> - System state described in Git</li> <li> <strong>Versioned</strong> - Git tracks all changes</li> <li> <strong>Immutable</strong> - Git commits are immutable</li> <li> <strong>Pulled automatically</strong> - System continuously syncs from Git</li> </ol> <p><strong>The workflow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → Git commit → Push to main → ArgoCD detects change → ArgoCD syncs cluster → Deployment updated </code></pre> </div> <p><strong>No kubectl commands. No manual intervention. Just Git.</strong></p> <p><strong>Tools:</strong></p> <ul> <li> <strong>ArgoCD</strong> - GitOps for Kubernetes (we'll use this)</li> <li> <strong>Flux</strong> - Another GitOps operator</li> <li> <strong>Jenkins X</strong> - CI/CD with GitOps</li> </ul> <p><strong>Why ArgoCD?</strong></p> <ul> <li>✅ Best-in-class UI</li> <li>✅ Multi-cluster support</li> <li>✅ Application health monitoring</li> <li>✅ Rollback with one click</li> <li>✅ SSO integration</li> <li>✅ RBAC built-in</li> </ul> <h2> ArgoCD Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ Git Repository │ │ infrastructure/k8s/ │ │ ├── api.yaml │ │ ├── worker.yaml │ │ └── postgres.yaml │ └──────────────────┬──────────────────────────────────┘ │ │ ArgoCD continuously polls │ (every 3 minutes by default) │ ▼ ┌─────────────────────────────────────────────────────┐ │ ArgoCD Controller │ │ - Compares Git state with cluster state │ │ - Detects drift │ │ - Syncs automatically (if auto-sync enabled) │ └──────────────────┬──────────────────────────────────┘ │ │ kubectl apply │ ▼ ┌─────────────────────────────────────────────────────┐ │ Kubernetes Cluster │ │ Running applications │ └─────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Key components:</strong></p> <ul> <li> <strong>Application Controller</strong> - Monitors Git repos, syncs cluster</li> <li> <strong>Repo Server</strong> - Fetches manifests from Git</li> <li> <strong>API Server</strong> - gRPC/REST API for management</li> <li> <strong>Web UI</strong> - Visual dashboard</li> <li> <strong>Dex</strong> - SSO integration (optional)</li> </ul> <h2> Installing ArgoCD </h2> <h3> Step 1: Install ArgoCD </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create namespace</span> kubectl create namespace argocd <span class="c"># Install ArgoCD</span> kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml <span class="c"># Wait for pods to be ready</span> kubectl <span class="nb">wait</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>Ready pods <span class="nt">--all</span> <span class="nt">-n</span> argocd <span class="nt">--timeout</span><span class="o">=</span>5m </code></pre> </div> <p><strong>Check installation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> argocd NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 2m argocd-dex-server-5dd657bd9-xyz 1/1 Running 0 2m argocd-redis-74cb89f466-abc 1/1 Running 0 2m argocd-repo-server-6b8d9f5d4-def 1/1 Running 0 2m argocd-server-7d9f8c5b4-ghi 1/1 Running 0 2m </code></pre> </div> <h3> Step 2: Access ArgoCD UI </h3> <p><strong>Get admin password:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> | <span class="nb">base64</span> <span class="nt">-d</span><span class="p">;</span> <span class="nb">echo</span> </code></pre> </div> <p><strong>Port forward to access UI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/argocd-server <span class="nt">-n</span> argocd 8080:443 </code></pre> </div> <p><strong>Open browser:</strong> <code>https://localhost:8080</code></p> <p><strong>Login:</strong></p> <ul> <li>Username: <code>admin</code> </li> <li>Password: [from command above]</li> </ul> <p><strong>You should see the ArgoCD dashboard!</strong> 🎉</p> <h3> Step 3: Install ArgoCD CLI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> brew <span class="nb">install </span>argocd <span class="c"># Linux</span> curl <span class="nt">-sSL</span> <span class="nt">-o</span> /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 <span class="nb">chmod</span> +x /usr/local/bin/argocd <span class="c"># Verify</span> argocd version </code></pre> </div> <p><strong>Login via CLI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd login localhost:8080 <span class="nt">--username</span> admin <span class="nt">--password</span> <span class="o">[</span>password] <span class="nt">--insecure</span> </code></pre> </div> <h2> Creating Your First ArgoCD Application </h2> <h3> Step 1: Prepare Git Repository </h3> <p><strong>Your repo structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>davidbrown77/sspp/ ├── infrastructure/ │ └── k8s/ │ ├── namespace.yaml │ ├── api.yaml │ ├── worker.yaml │ ├── postgres.yaml │ ├── redis.yaml │ └── elasticsearch.yaml </code></pre> </div> <p><strong>Push to GitHub:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add infrastructure/k8s/ git commit <span class="nt">-m</span> <span class="s2">"Add Kubernetes manifests for ArgoCD"</span> git push origin main </code></pre> </div> <h3> Step 2: Create ArgoCD Application </h3> <p><strong>Via UI:</strong></p> <ol> <li>Click "New App"</li> <li>Fill in: <ul> <li> <strong>Application Name:</strong> <code>sspp-prod</code> </li> <li> <strong>Project:</strong> <code>default</code> </li> <li> <strong>Sync Policy:</strong> <code>Manual</code> (we'll enable auto later)</li> <li> <strong>Repository URL:</strong> <code>https://github.com/daviesbrown/sspp.git</code> </li> <li> <strong>Revision:</strong> <code>main</code> </li> <li> <strong>Path:</strong> <code>infrastructure/k8s</code> </li> <li> <strong>Cluster:</strong> <code>https://kubernetes.default.svc</code> </li> <li> <strong>Namespace:</strong> <code>sspp-prod</code> </li> </ul> </li> <li>Click "Create"</li> </ol> <p><strong>Via CLI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app create sspp-prod <span class="se">\</span> <span class="nt">--repo</span> https://github.com/daviesbrown/sspp.git <span class="se">\</span> <span class="nt">--path</span> infrastructure/k8s <span class="se">\</span> <span class="nt">--dest-server</span> https://kubernetes.default.svc <span class="se">\</span> <span class="nt">--dest-namespace</span> sspp-prod </code></pre> </div> <p><strong>Via YAML (GitOps way!):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argocd/sspp-prod-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infrastructure/k8s</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Delete resources not in Git</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Sync when cluster state drifts</span> <span class="na">allowEmpty</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">limit</span><span class="pi">:</span> <span class="m">5</span> <span class="na">backoff</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">factor</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxDuration</span><span class="pi">:</span> <span class="s">3m</span> </code></pre> </div> <p><strong>Apply:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/argocd/sspp-prod-app.yaml </code></pre> </div> <h3> Step 3: Sync Application </h3> <p><strong>In UI:</strong></p> <ol> <li>Click on <code>sspp-prod</code> app</li> <li>Click "Sync"</li> <li>Click "Synchronize"</li> </ol> <p><strong>Via CLI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app <span class="nb">sync </span>sspp-prod </code></pre> </div> <p><strong>Watch deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app <span class="nb">wait </span>sspp-prod <span class="nt">--health</span> </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: sspp-prod Project: default Server: https://kubernetes.default.svc Namespace: sspp-prod URL: https://localhost:8080/applications/sspp-prod Repo: https://github.com/daviesbrown/sspp.git Target: main Path: infrastructure/k8s SyncWindow: Sync Allowed Sync Policy: Automated Sync Status: Synced to main (abc1234) Health Status: Healthy GROUP KIND NAMESPACE NAME STATUS HEALTH HOOK Namespace sspp-prod sspp-prod Synced Service sspp-prod api Synced Healthy Service sspp-prod postgres Synced Healthy apps Deployment sspp-prod api Synced Healthy apps Deployment sspp-prod worker Synced Healthy apps Deployment sspp-prod postgres Synced Healthy </code></pre> </div> <p><strong>Your application is deployed via GitOps!</strong> 🚀</p> <h2> Auto-Sync: True GitOps </h2> <p><strong>Enable auto-sync so Git changes deploy automatically:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Delete resources not in Git</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Revert manual kubectl changes</span> </code></pre> </div> <p><strong>Or via CLI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app <span class="nb">set </span>sspp-prod <span class="nt">--sync-policy</span> automated <span class="nt">--auto-prune</span> <span class="nt">--self-heal</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ol> <li> <strong>Every 3 minutes</strong>, ArgoCD checks Git for changes</li> <li> <strong>If Git changed</strong>, ArgoCD syncs cluster automatically</li> <li> <strong>If someone runs kubectl apply</strong>, self-heal reverts it</li> <li> <strong>If resource deleted from Git</strong>, prune deletes it from cluster</li> </ol> <p><strong>Test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Edit deployment</span> vim infrastructure/k8s/api.yaml <span class="c"># Change replicas: 3 → 5</span> git add infrastructure/k8s/api.yaml git commit <span class="nt">-m</span> <span class="s2">"Scale API to 5 replicas"</span> git push origin main <span class="c"># Wait 3 minutes (or trigger manually)</span> argocd app <span class="nb">sync </span>sspp-prod <span class="c"># Check</span> kubectl get deployment api <span class="nt">-n</span> sspp-prod <span class="c"># DESIRED: 5</span> </code></pre> </div> <p><strong>No kubectl commands. Just Git push.</strong> ✅</p> <h2> ArgoCD UI Features </h2> <h3> Application Health </h3> <p><strong>Health statuses:</strong></p> <ul> <li> <strong>Healthy</strong> - All resources running, ready</li> <li> <strong>Progressing</strong> - Deployment rolling out</li> <li> <strong>Degraded</strong> - Some Pods not ready</li> <li> <strong>Suspended</strong> - Application suspended</li> <li> <strong>Missing</strong> - Resources not found</li> <li> <strong>Unknown</strong> - Health status unknown</li> </ul> <p><strong>Visual indicators:</strong></p> <ul> <li>🟢 Green - Healthy</li> <li>🟡 Yellow - Progressing</li> <li>🔴 Red - Degraded</li> </ul> <h3> Sync Status </h3> <p><strong>Sync statuses:</strong></p> <ul> <li> <strong>Synced</strong> - Git matches cluster</li> <li> <strong>OutOfSync</strong> - Git differs from cluster</li> <li> <strong>Unknown</strong> - Can't determine sync status</li> </ul> <p><strong>Click on resource to see diff:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gd">- replicas: 3 </span><span class="gi">+ replicas: 5 </span></code></pre> </div> <h3> Rollback </h3> <p><strong>Click "History and Rollback":</strong></p> <ul> <li>See all previous syncs</li> <li>Click "Rollback" to revert</li> </ul> <p><strong>Via CLI:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List sync history</span> argocd app <span class="nb">history </span>sspp-prod <span class="c"># Rollback to revision 3</span> argocd app rollback sspp-prod 3 </code></pre> </div> <h3> App Diff </h3> <p><strong>Compare Git vs Cluster:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app diff sspp-prod </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gh">===== apps/Deployment sspp-prod/api ====== </span> spec: <span class="gd">- replicas: 3 </span><span class="gi">+ replicas: 5 </span></code></pre> </div> <h2> Multi-Environment Setup </h2> <p><strong>Best practice:</strong> One Git repo, multiple ArgoCD apps for different environments.</p> <h3> Repository Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>davidbrown77/sspp/ ├── infrastructure/ │ └── k8s/ │ ├── base/ # Shared resources │ │ ├── api.yaml │ │ ├── worker.yaml │ │ └── postgres.yaml │ ├── overlays/ │ │ ├── dev/ # Dev-specific │ │ │ ├── kustomization.yaml │ │ │ └── replicas.yaml │ │ ├── staging/ # Staging-specific │ │ │ ├── kustomization.yaml │ │ │ └── replicas.yaml │ │ └── prod/ # Prod-specific │ │ ├── kustomization.yaml │ │ └── replicas.yaml </code></pre> </div> <p><strong>Using Kustomize for environment-specific overrides:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/overlays/prod/kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">count</span><span class="pi">:</span> <span class="m">10</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">v2.1.0</span> <span class="na">commonLabels</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> </code></pre> </div> <p><strong>Create ArgoCD apps for each environment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argocd/dev-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infrastructure/k8s/overlays/dev</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="c1"># infrastructure/argocd/staging-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-staging</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infrastructure/k8s/overlays/staging</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-staging</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="c1"># infrastructure/argocd/prod-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infrastructure/k8s/overlays/prod</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p><strong>Deploy all environments:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/argocd/ </code></pre> </div> <p><strong>Now you have:</strong></p> <ul> <li>Dev environment (auto-synced from Git)</li> <li>Staging environment (auto-synced from Git)</li> <li>Prod environment (auto-synced from Git)</li> </ul> <p><strong>One Git push → all environments update automatically.</strong></p> <h2> App of Apps Pattern </h2> <p><strong>Problem:</strong> Managing many ArgoCD applications manually.</p> <p><strong>Solution:</strong> ArgoCD application that manages other applications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argocd/root-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-apps</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infrastructure/argocd</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Apply once:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/argocd/root-app.yaml </code></pre> </div> <p><strong>Now:</strong></p> <ul> <li> <code>sspp-apps</code> manages all child applications</li> <li>Add new app → commit to Git → ArgoCD creates it</li> <li>Remove app → delete from Git → ArgoCD removes it</li> </ul> <p><strong>This is GitOps managing GitOps!</strong> 🤯</p> <h2> Progressive Delivery with ArgoCD </h2> <h3> Blue/Green Deployments </h3> <p><strong>Install ArgoCD Rollouts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace argo-rollouts kubectl apply <span class="nt">-n</span> argo-rollouts <span class="nt">-f</span> https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml </code></pre> </div> <p><strong>Define Rollout:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/api-rollout.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">revisionHistoryLimit</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:v2.0.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">blueGreen</span><span class="pi">:</span> <span class="na">activeService</span><span class="pi">:</span> <span class="s">api</span> <span class="na">previewService</span><span class="pi">:</span> <span class="s">api-preview</span> <span class="na">autoPromotionEnabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">scaleDownDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <p><strong>Services:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-preview</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <p><strong>Deploy new version:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update image tag in Git</span> vim infrastructure/k8s/api-rollout.yaml <span class="c"># Change image: davidbrown77/sspp-api:v2.1.0</span> git commit <span class="nt">-am</span> <span class="s2">"Deploy API v2.1.0"</span> git push <span class="c"># ArgoCD syncs, creates preview environment</span> <span class="c"># Test preview: curl http://api-preview:80</span> <span class="c"># Promote to production</span> kubectl argo rollouts promote api <span class="nt">-n</span> sspp-prod </code></pre> </div> <h3> Canary Deployments </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span><span class="pi">}</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">25</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span><span class="pi">}</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">50</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span><span class="pi">}</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">75</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span><span class="pi">}</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ol> <li>Deploy new version to 10% of Pods</li> <li>Wait 5 minutes</li> <li>If healthy, increase to 25%</li> <li>Continue until 100%</li> </ol> <p><strong>If error rate spikes, rollback automatically.</strong></p> <h2> ArgoCD Notifications </h2> <p><strong>Get notified when deployments happen.</strong></p> <h3> Install ArgoCD Notifications </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj-labs/argocd-notifications/stable/manifests/install.yaml </code></pre> </div> <h3> Configure Slack Notifications </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argocd/notifications-cm.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-notifications-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">service.slack</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">token: $slack-token</span> <span class="na">template.app-deployed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: |</span> <span class="s">Application {{.app.metadata.name}} deployed!</span> <span class="s">Revision: {{.app.status.sync.revision}}</span> <span class="s">Author: {{.app.status.operationState.operation.initiatedBy.username}}</span> <span class="s">slack:</span> <span class="s">attachments: |</span> <span class="s">[{</span> <span class="s">"title": "{{.app.metadata.name}}",</span> <span class="s">"title_link": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",</span> <span class="s">"color": "#18be52",</span> <span class="s">"fields": [{</span> <span class="s">"title": "Sync Status",</span> <span class="s">"value": "{{.app.status.sync.status}}",</span> <span class="s">"short": true</span> <span class="s">}, {</span> <span class="s">"title": "Health Status",</span> <span class="s">"value": "{{.app.status.health.status}}",</span> <span class="s">"short": true</span> <span class="s">}]</span> <span class="s">}]</span> <span class="na">trigger.on-deployed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- when: app.status.operationState.phase in ['Succeeded']</span> <span class="s">send: [app-deployed]</span> </code></pre> </div> <p><strong>Add annotations to applications:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">notifications.argoproj.io/subscribe.on-deployed.slack</span><span class="pi">:</span> <span class="s">deployments-channel</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... rest of spec</span> </code></pre> </div> <p><strong>Now Slack gets notified on every deployment!</strong> 📢</p> <h2> RBAC for ArgoCD </h2> <p><strong>Control who can deploy what.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argocd/rbac-cm.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-rbac-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">policy.default</span><span class="pi">:</span> <span class="s">role:readonly</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Developers can sync dev apps</span> <span class="s">p, role:developer, applications, sync, sspp-dev, allow</span> <span class="s">p, role:developer, applications, get, *, allow</span> <span class="s">g, developers@example.com, role:developer</span> <span class="s"># DevOps can sync all apps</span> <span class="s">p, role:devops, applications, *, *, allow</span> <span class="s">g, devops@example.com, role:devops</span> <span class="s"># Admins can do everything</span> <span class="s">p, role:admin, *, *, *, allow</span> <span class="s">g, admins@example.com, role:admin</span> </code></pre> </div> <p><strong>Now:</strong></p> <ul> <li>Developers can only deploy to dev</li> <li>DevOps can deploy to all environments</li> <li>Admins have full control</li> </ul> <h2> CI/CD Integration </h2> <p><strong>Combine GitHub Actions + ArgoCD:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/api.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">API CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/api/**'</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t davidbrown77/sspp-api:${{ github.sha }} services/api</span> <span class="s">docker push davidbrown77/sspp-api:${{ github.sha }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update manifest</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Update image tag in Git</span> <span class="s">sed -i "s|davidbrown77/sspp-api:.*|davidbrown77/sspp-api:${{ github.sha }}|" \</span> <span class="s">infrastructure/k8s/overlays/prod/kustomization.yaml</span> <span class="s">git config user.name "GitHub Actions"</span> <span class="s">git config user.email "actions@github.com"</span> <span class="s">git add infrastructure/k8s/overlays/prod/kustomization.yaml</span> <span class="s">git commit -m "Update API image to ${{ github.sha }}"</span> <span class="s">git push</span> <span class="c1"># ArgoCD detects change and deploys automatically!</span> </code></pre> </div> <p><strong>Flow:</strong></p> <ol> <li>Push code → GitHub Actions</li> <li>GitHub Actions builds Docker image</li> <li>GitHub Actions updates manifest in Git</li> <li>ArgoCD detects Git change</li> <li>ArgoCD deploys new image</li> </ol> <p><strong>Complete automation!</strong> 🚀</p> <h2> Disaster Recovery with ArgoCD </h2> <h3> Backup ArgoCD Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Export all applications</span> argocd app list <span class="nt">-o</span> yaml <span class="o">&gt;</span> argocd-apps-backup.yaml <span class="c"># Export projects</span> kubectl get appprojects <span class="nt">-n</span> argocd <span class="nt">-o</span> yaml <span class="o">&gt;</span> argocd-projects-backup.yaml <span class="c"># Export RBAC</span> kubectl get cm argocd-rbac-cm <span class="nt">-n</span> argocd <span class="nt">-o</span> yaml <span class="o">&gt;</span> argocd-rbac-backup.yaml </code></pre> </div> <h3> Restore ArgoCD </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Reinstall ArgoCD</span> kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml <span class="c"># Restore applications</span> kubectl apply <span class="nt">-f</span> argocd-apps-backup.yaml kubectl apply <span class="nt">-f</span> argocd-projects-backup.yaml kubectl apply <span class="nt">-f</span> argocd-rbac-backup.yaml <span class="c"># ArgoCD syncs everything from Git!</span> </code></pre> </div> <p><strong>Because everything is in Git, recovery is fast.</strong></p> <h2> ArgoCD Best Practices </h2> <h3> 1. Use App of Apps Pattern </h3> <p><strong>One root app manages all child apps.</strong></p> <h3> 2. Enable Auto-Sync + Self-Heal </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Git is the source of truth. Period.</strong></p> <h3> 3. Use Kustomize or Helm </h3> <p><strong>Don't duplicate manifests. Use overlays.</strong></p> <h3> 4. Set Up Notifications </h3> <p><strong>Slack/Email alerts for deployments.</strong></p> <h3> 5. Implement RBAC </h3> <p><strong>Restrict who can deploy to production.</strong></p> <h3> 6. Use Projects for Multi-Tenancy </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/daviesbrown/sspp.git</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">backend-*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> </code></pre> </div> <h3> 7. Monitor ArgoCD Metrics </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/argocd-metrics <span class="nt">-n</span> argocd 8082:8082 curl http://localhost:8082/metrics </code></pre> </div> <p><strong>Integrate with Prometheus.</strong></p> <h2> What We Solved </h2> <p>✅ <strong>Git as source of truth</strong> - All configs in Git<br><br> ✅ <strong>Automated deployments</strong> - Push → ArgoCD deploys<br><br> ✅ <strong>Self-healing</strong> - Manual changes reverted automatically<br><br> ✅ <strong>Audit trail</strong> - Git history = deployment history<br><br> ✅ <strong>Easy rollback</strong> - One-click revert in UI<br><br> ✅ <strong>Multi-environment</strong> - Dev, staging, prod from same repo<br><br> ✅ <strong>Progressive delivery</strong> - Blue/green, canary deployments<br><br> ✅ <strong>Notifications</strong> - Slack alerts for deployments </p> <h2> What's Next? </h2> <p>We have automated GitOps deployments! But production isn't just about deployment:</p> <p>❌ <strong>No observability</strong> - Can't see what's happening in production<br><br> ❌ <strong>Cost unknown</strong> - Don't know what we're spending<br><br> ❌ <strong>Security gaps</strong> - Secrets in Git, no network policies<br><br> ❌ <strong>No disaster recovery</strong> - What if everything crashes? </p> <p>In <strong>Part 10</strong> (final article), we'll tackle <strong>Production Operations</strong>.</p> <p>You'll learn:</p> <ul> <li>Observability stack (Prometheus, Grafana, Loki)</li> <li>Cost optimization strategies (right-sizing, spot instances)</li> <li>Security hardening (network policies, RBAC, secrets management)</li> <li>Disaster recovery and backup strategies</li> <li>Scaling beyond one cluster (multi-region, multi-cloud)</li> </ul> <p><strong>This is where you transition from "it works" to "it's production-ready."</strong></p> <h2> The Complete DevOps Journey </h2> <p><strong>You've now mastered:</strong></p> <ol> <li> <strong>Manual deployment</strong> (Part 1) - SSH, npm start</li> <li> <strong>Process management</strong> (Part 2) - PM2</li> <li> <strong>Containerization</strong> (Part 3) - Docker</li> <li> <strong>Orchestration</strong> (Part 4) - Docker Compose</li> <li> <strong>Why Kubernetes</strong> (Part 5) - Limitations of Compose</li> <li> <strong>Kubernetes</strong> (Part 6) - Self-healing, scaling</li> <li> <strong>Infrastructure as Code</strong> (Part 7) - Terraform</li> <li> <strong>Helm Packaging</strong> (Part 8) - YAML templating</li> <li> <strong>GitOps</strong> (Part 9) - ArgoCD</li> <li> <strong>Production Operations</strong> (Part 10) - Scaling, security, cost</li> </ol> <p><strong>Almost there. One more article to production-grade DevOps.</strong></p> <h2> Final Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ Git Repository │ │ - Application code (services/api, services/worker)│ │ - Kubernetes manifests (infrastructure/k8s) │ │ - Terraform configs (infrastructure/terraform) │ └───────┬─────────────────────────────────────┬───────┘ │ │ │ Push code │ Push manifests │ │ ▼ ▼ ┌──────────────────┐ ┌─────────────────────┐ │ GitHub Actions │ │ ArgoCD │ │ - Test code │ │ - Detects changes │ │ - Build image │ │ - Syncs cluster │ │ - Push to GHCR │ │ - Self-heals │ │ - Update Git │ └─────────┬───────────┘ └──────────────────┘ │ │ kubectl apply │ ┌─────────────────▼──────────────┐ │ Kubernetes Cluster (LKE) │ │ - API (2-10 replicas, HPA) │ │ - Worker (3-15 replicas, HPA) │ │ - PostgreSQL (HA) │ │ - Redis, Elasticsearch │ │ - Observability stack │ └────────────────────────────────┘ │ Managed by Terraform │ ┌─────────▼──────────┐ │ Linode Cloud │ │ - LKE cluster │ │ - NodeBalancer │ │ - Object storage │ │ - DNS │ └────────────────────┘ </code></pre> </div> <p><strong>Everything automated. Everything in Git. Everything production-grade.</strong></p> <h2> Try It Yourself </h2> <p><strong>Final challenge:</strong> Set up complete GitOps workflow:</p> <ol> <li>Install ArgoCD in your cluster</li> <li>Create ArgoCD application pointing to your Git repo</li> <li>Enable auto-sync and self-heal</li> <li>Push a change to Git, watch ArgoCD deploy</li> <li>Manually change a deployment with kubectl, watch self-heal revert it</li> <li>Set up multi-environment (dev, staging, prod)</li> <li>Implement blue/green deployment with Argo Rollouts</li> <li>Add Slack notifications</li> <li>Configure RBAC</li> </ol> <p><strong>Bonus:</strong> Implement app of apps pattern for managing all applications.</p> <h2> Discussion </h2> <p><strong>Do you use ArgoCD? Flux? Manual kubectl?</strong> What's your deployment strategy?</p> <p>Share on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-8-helm-packaging-kubernetes-applications-15jf">Part 8: Helm - Packaging Kubernetes Applications</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-10-scaling-failure-operating-like-a-real-company-2h3e">Part 10: Scaling, Failure &amp; Operating Like a Real Company</a> </h2> <h2> About the Author </h2> <p>I built this 12-part series to document my complete DevOps journey from manual server deployment to production-grade, GitOps-powered Kubernetes infrastructure.</p> <p>This series demonstrates:</p> <ul> <li> <strong>Systems thinking</strong> - Understanding why tools exist, not just how to use them</li> <li> <strong>Production experience</strong> - Real code, real failures, real solutions</li> <li> <strong>Teaching ability</strong> - Complex topics explained clearly</li> <li> <strong>DevOps mastery</strong> - CI/CD, IaC, GitOps, observability, security</li> </ul> <p><strong>This is my Proton.ai application.</strong></p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu Brown</a> </li> <li>Portfolio: <a href="https://github.com/daviesbrown/sspp" rel="noopener noreferrer">Sales Signal Processing Platform</a> </li> </ul> <p><strong>You started by SSH-ing into a server and running <code>npm start</code>.</strong></p> <p><strong>You ended with a production-grade, cloud-native, GitOps-powered SaaS platform.</strong></p> <p><strong>You're ready. Go build something amazing.</strong> 🚀</p> argocd gitops cicd devops Part 8: Helm - Packaging Kubernetes Applications David Nwosu Wed, 31 Dec 2025 01:20:12 +0000 https://dev.to/daviesbrown/part-8-helm-packaging-kubernetes-applications-15jf https://dev.to/daviesbrown/part-8-helm-packaging-kubernetes-applications-15jf <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 15 minutes<br><br> <strong>Level:</strong> Intermediate</p> <h2> The YAML Duplication Problem </h2> <p>In <a href="https://dev.to/daviesbrown/part-6-kubernetes-from-first-principles-no-magic-522c">Part 6</a>, we deployed our SSPP platform to Kubernetes. It works! But look at your <code>k8s/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s/ ├── api-deployment.yaml ├── api-service.yaml ├── api-configmap.yaml ├── worker-deployment.yaml ├── worker-configmap.yaml ├── redis-deployment.yaml ├── redis-service.yaml ├── postgres-statefulset.yaml ├── postgres-service.yaml └── ... </code></pre> </div> <p><strong>Now your manager says:</strong></p> <blockquote> <p>"We need dev, staging, and prod environments."</p> </blockquote> <p><strong>Your first thought:</strong> Copy-paste all YAML files three times:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s/ ├── dev/ │ ├── api-deployment.yaml # replicas: 1, resources: small │ ├── api-service.yaml │ └── ... ├── staging/ │ ├── api-deployment.yaml # replicas: 2, resources: medium │ ├── api-service.yaml │ └── ... └── prod/ ├── api-deployment.yaml # replicas: 5, resources: large ├── api-service.yaml └── ... </code></pre> </div> <p><strong>What changes between environments?</strong></p> <ul> <li>Replica counts</li> <li>Resource limits</li> <li>Image tags</li> <li>Database URLs</li> <li>Domain names</li> <li>Storage sizes</li> </ul> <p><strong>What stays the same?</strong></p> <ul> <li>Container ports</li> <li>Health check paths</li> <li>Service types</li> <li>Label selectors</li> <li>Volume mount paths</li> </ul> <p><strong>You're copying 80% identical YAML and changing 20%.</strong></p> <p><strong>Then a bug is found:</strong> API health check path should be <code>/health</code> not <code>/healthz</code>.</p> <p><strong>Now you need to update it in 3 places.</strong> And you miss one. Staging is broken. Users are angry.</p> <p><strong>This is the YAML duplication problem.</strong></p> <h2> What is Helm? </h2> <p><strong>Helm</strong> is a package manager for Kubernetes applications.</p> <p><strong>Beginner mental model:</strong></p> <blockquote> <p>Helm is like <strong>apt-get</strong> (Linux) or <strong>Homebrew</strong> (Mac) for Kubernetes apps.</p> </blockquote> <p>Instead of managing 20+ YAML files per environment, you create a <strong>Helm Chart</strong>—a template with variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># templates/deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicas</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.repository</span> <span class="pi">}}</span><span class="s">:{{ .Values.image.tag }}</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.cpu</span> <span class="pi">}}</span> <span class="na">memory</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.memory</span> <span class="pi">}}</span> </code></pre> </div> <p><strong>Then you have different values files per environment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># values-dev.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">dev-latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="c1"># values-prod.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v1.2.3</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4Gi"</span> </code></pre> </div> <p><strong>Deploy with:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev</span> helm <span class="nb">install </span>sspp-api ./charts/api <span class="nt">-f</span> values-dev.yaml <span class="c"># Prod</span> helm <span class="nb">install </span>sspp-api ./charts/api <span class="nt">-f</span> values-prod.yaml </code></pre> </div> <p><strong>Same template, different values.</strong> DRY (Don't Repeat Yourself) for Kubernetes.</p> <h2> Helm Concepts </h2> <h3> Charts </h3> <p>A <strong>Helm Chart</strong> is a package of Kubernetes manifests.</p> <p><strong>Structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>charts/api/ ├── Chart.yaml # Metadata (name, version) ├── values.yaml # Default values ├── templates/ # Templated Kubernetes manifests │ ├── deployment.yaml │ ├── service.yaml │ ├── configmap.yaml │ └── ingress.yaml └── charts/ # Dependencies (sub-charts) </code></pre> </div> <h3> Values </h3> <p><strong>values.yaml</strong> defines default configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">replicaCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">1000m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> </code></pre> </div> <p><strong>Override with:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>sspp-api ./charts/api <span class="se">\</span> <span class="nt">--set</span> <span class="nv">replicaCount</span><span class="o">=</span>5 <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v1.2.3 </code></pre> </div> <p>Or use a values file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>sspp-api ./charts/api <span class="nt">-f</span> prod-values.yaml </code></pre> </div> <h3> Templates </h3> <p>Templates use Go templating syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "api.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "api.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicaCount</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "api.selectorLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "api.selectorLabels" . | nindent 8</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.Name</span> <span class="pi">}}</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Values.image.repository</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Values.image.tag</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.port</span> <span class="pi">}}</span> </code></pre> </div> <p><strong>Template functions:</strong></p> <ul> <li> <code>{{ .Values.replicaCount }}</code> - Access values</li> <li> <code>{{ include "helper" . }}</code> - Reuse templates</li> <li> <code>{{- if .Values.enabled }}</code> - Conditionals</li> <li> <code>{{- range .Values.items }}</code> - Loops</li> </ul> <h2> Creating a Helm Chart for SSPP API </h2> <h3> Initialize Chart </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infrastructure helm create charts/api </code></pre> </div> <p>This generates a basic chart structure.</p> <h3> Define Chart.yaml </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Sales Signal Processing Platform API</span> <span class="na">type</span><span class="pi">:</span> <span class="s">application</span> <span class="na">version</span><span class="pi">:</span> <span class="s">1.0.0</span> <span class="na">appVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> </code></pre> </div> <h3> Create Templates </h3> <p><strong>templates/deployment.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicaCount</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.repository</span> <span class="pi">}}</span><span class="s">:{{ .Values.image.tag }}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.database.url</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDIS_URL</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.redis.url</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.env</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $key</span><span class="pi">,</span> <span class="nv">$value</span> <span class="pi">:</span><span class="nv">= .Values.env</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$key</span> <span class="pi">}}</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$value | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.limits.cpu</span> <span class="pi">}}</span> <span class="na">memory</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.limits.memory</span> <span class="pi">}}</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.requests.cpu</span> <span class="pi">}}</span> <span class="na">memory</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.resources.requests.memory</span> <span class="pi">}}</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p><strong>templates/service.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.type</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.port</span> <span class="pi">}}</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> </code></pre> </div> <h3> Define Values </h3> <p><strong>values.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">database</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">postgresql://user:pass@postgres:5432/sspp"</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redis://redis:6379"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p><strong>values-dev.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">image</span><span class="pi">:</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">dev-latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> </code></pre> </div> <p><strong>values-prod.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">5</span> <span class="na">image</span><span class="pi">:</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v1.2.3</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4Gi"</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2Gi"</span> <span class="na">env</span><span class="pi">:</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">info"</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> </code></pre> </div> <h2> Deploying with Helm </h2> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev environment</span> helm <span class="nb">install </span>sspp-api ./charts/api <span class="nt">-f</span> values-dev.yaml <span class="c"># Prod environment (different namespace)</span> helm <span class="nb">install </span>sspp-api ./charts/api <span class="se">\</span> <span class="nt">-f</span> values-prod.yaml <span class="se">\</span> <span class="nt">-n</span> production <span class="se">\</span> <span class="nt">--create-namespace</span> </code></pre> </div> <h3> Upgrade </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update image tag</span> helm upgrade sspp-api ./charts/api <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v1.3.0 <span class="se">\</span> <span class="nt">--reuse-values</span> </code></pre> </div> <h3> Rollback </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Rollback to previous release</span> helm rollback sspp-api <span class="c"># Rollback to specific revision</span> helm rollback sspp-api 3 </code></pre> </div> <h3> List Releases </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm list helm list <span class="nt">-n</span> production </code></pre> </div> <h3> Get Values </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># See computed values</span> helm get values sspp-api <span class="c"># See all values (including defaults)</span> helm get values sspp-api <span class="nt">--all</span> </code></pre> </div> <h2> Helm for Worker Service </h2> <p>Create a similar chart for the worker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm create charts/worker </code></pre> </div> <p><strong>Key differences from API:</strong></p> <ul> <li>No Service (worker doesn't expose HTTP)</li> <li>Different environment variables</li> <li>Different resource requirements</li> </ul> <p><strong>values.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">sspp-worker</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-worker</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redis://redis:6379"</span> <span class="na">database</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">postgresql://user:pass@postgres:5432/sspp"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2Gi"</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> </code></pre> </div> <h2> Benefits of Helm </h2> <p>✅ <strong>DRY Principle:</strong></p> <ul> <li>One template, multiple environments</li> <li>Change once, deploy everywhere</li> </ul> <p>✅ <strong>Version Control:</strong></p> <ul> <li>Track changes to chart versions</li> <li>Rollback to any previous release</li> </ul> <p>✅ <strong>Parameterization:</strong></p> <ul> <li>Override any value at deployment</li> <li>No hardcoded configuration</li> </ul> <p>✅ <strong>Package Management:</strong></p> <ul> <li>Share charts via Helm repositories</li> <li>Reuse community charts (PostgreSQL, Redis, etc.)</li> </ul> <p>✅ <strong>Release Management:</strong></p> <ul> <li>Track deployment history</li> <li>Easy rollbacks</li> </ul> <h2> What's Next? </h2> <p>Helm solved packaging and templating, but we still have deployment problems:</p> <p>❌ <strong>Manual deployments</strong> - Someone must run <code>helm upgrade</code><br><br> ❌ <strong>No Git sync</strong> - Cluster state can drift from Git<br><br> ❌ <strong>No automation</strong> - Still need CI/CD triggers<br><br> ❌ <strong>Configuration drift</strong> - Manual kubectl changes go untracked </p> <p>In <strong>Part 9</strong>, we'll add <strong>GitOps with ArgoCD</strong>.</p> <p>You'll learn:</p> <ul> <li>Git as single source of truth (not your laptop)</li> <li>Automatic sync from Git → Cluster</li> <li>Self-healing (ArgoCD reverts manual changes)</li> <li>One-click rollbacks through UI</li> <li>Deployment history and audit trails</li> <li>Progressive delivery (blue/green, canary)</li> </ul> <p><strong>Spoiler:</strong> Push to Git → ArgoCD deploys automatically. This is GitOps.</p> <h2> Try It Yourself </h2> <p><strong>Create Helm charts for all SSPP services:</strong></p> <ol> <li> <strong>API chart</strong> - Deployment + Service + Ingress</li> <li> <strong>Worker chart</strong> - Deployment only</li> <li> <strong>Redis chart</strong> - Or use bitnami/redis from Helm Hub</li> <li> <strong>PostgreSQL chart</strong> - Or use bitnami/postgresql</li> </ol> <p><strong>Test multi-environment setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy dev</span> helm <span class="nb">install </span>sspp ./charts/api <span class="nt">-f</span> values-dev.yaml <span class="nt">-n</span> dev <span class="nt">--create-namespace</span> <span class="c"># Deploy prod</span> helm <span class="nb">install </span>sspp ./charts/api <span class="nt">-f</span> values-prod.yaml <span class="nt">-n</span> production <span class="nt">--create-namespace</span> <span class="c"># Compare</span> kubectl get pods <span class="nt">-n</span> dev kubectl get pods <span class="nt">-n</span> production </code></pre> </div> <p><strong>Bonus:</strong> Package your chart and push to a Helm repository (GitHub Pages, ChartMuseum, or OCI registry).</p> <h2> Next: Automating Deployments </h2> <p>In <a href="//./09-argocd-gitops.md">Part 9</a>, we'll solve the manual deployment problem:</p> <blockquote> <p><strong>"How do we automatically deploy when code is merged to Git?"</strong></p> </blockquote> <p>We'll use <strong>Argo CD</strong> to implement GitOps:</p> <ul> <li>Git becomes the source of truth</li> <li>Changes are automatically synced to cluster</li> <li>Drift is detected and corrected</li> <li>Deployments are auditable and traceable</li> </ul> <p>But spoiler: <strong>GitOps solves deployment automation, but not the full picture.</strong> We'll still need observability and production hardening.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-7-terraform-making-infrastructure-repeatable-3f8p">Part 7: Terraform - Making Infrastructure Repeatable</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-9-gitops-with-argo-cd-when-git-deploys-your-app-1pcn">Part 9: GitOps with Argo CD</a> </h2> <p><strong>About the Author</strong></p> <p>Building this series to demonstrate real DevOps thinking for my Proton.ai application. If you're hiring for platform engineering roles, let's connect.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> </ul> helm gitops devops Part 7: Terraform - Making Infrastructure Repeatable David Nwosu Mon, 22 Dec 2025 23:35:58 +0000 https://dev.to/daviesbrown/part-7-terraform-making-infrastructure-repeatable-3f8p https://dev.to/daviesbrown/part-7-terraform-making-infrastructure-repeatable-3f8p <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 18 minutes<br><br> <strong>Level:</strong> Intermediate</p> <h2> The ClickOps Problem </h2> <p>Your Kubernetes cluster is running perfectly. Traffic is growing. Your CTO says:</p> <blockquote> <p>"We need a disaster recovery environment in another region."</p> </blockquote> <p><strong>Your thought process:</strong></p> <ol> <li>Log into Linode dashboard</li> <li>Click "Create Cluster"</li> <li>Fill out form (region, node count, instance type)</li> <li>Wait 10 minutes</li> <li>Download kubeconfig</li> <li>Apply all Kubernetes manifests</li> <li>Update DNS</li> <li>Configure monitoring</li> <li>Set up backups</li> <li>Repeat for staging environment</li> <li>Realize you made a typo in production and it's different from staging</li> </ol> <p><strong>Time:</strong> 2-3 hours<br><br> <strong>Error-prone:</strong> ✅ (what settings did I use for production?)<br><br> <strong>Reproducible:</strong> ❌ (did I enable autoscaling? what was the node size?)<br><br> <strong>Documented:</strong> ❌ (it's in my head)</p> <p><strong>Your manager:</strong> "Can you create a dev cluster for the new engineer?"</p> <p><strong>You:</strong> <em>[internal screaming]</em></p> <p><strong>This is called "ClickOps"—managing infrastructure through web UI clicks.</strong></p> <p><strong>Problems:</strong></p> <ul> <li>❌ <strong>Not reproducible</strong> - Can't recreate exact environment</li> <li>❌ <strong>No version control</strong> - No history of changes</li> <li>❌ <strong>No code review</strong> - No approval process</li> <li>❌ <strong>Hard to scale</strong> - Can't manage 10+ environments</li> <li>❌ <strong>No automation</strong> - Manual work for every change</li> </ul> <p><strong>Solution: Infrastructure as Code (IaC)</strong></p> <h2> What is Infrastructure as Code? </h2> <p><strong>Infrastructure as Code (IaC):</strong> Define infrastructure in code files, apply with CLI tools.</p> <p><strong>Instead of clicking:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clicks in Linode dashboard:</span> 1. Create Kubernetes Cluster 2. Choose region: us-east 3. Select nodes: 3x g6-standard-4 4. Enable autoscaling: 3-10 nodes 5. Click <span class="s2">"Create"</span> </code></pre> </div> <p><strong>You write code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/main.tf</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"sspp_prod"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="nx">pool</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"g6-standard-4"</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">autoscaler</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">max</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Then apply:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>✅ <strong>Version controlled</strong> - Git tracks all changes</li> <li>✅ <strong>Reproducible</strong> - Spin up identical environments</li> <li>✅ <strong>Code review</strong> - PRs for infrastructure changes</li> <li>✅ <strong>Automated</strong> - CI/CD can apply changes</li> <li>✅ <strong>Self-documenting</strong> - Code is the documentation</li> </ul> <h2> Why Terraform? </h2> <p><strong>IaC Tools:</strong></p> <ul> <li> <strong>Terraform</strong> (HashiCorp) - Multi-cloud, largest ecosystem</li> <li> <strong>Pulumi</strong> - Use real programming languages (TypeScript, Python)</li> <li> <strong>CloudFormation</strong> - AWS-only, YAML</li> <li> <strong>Ansible</strong> - Configuration management, also does provisioning</li> <li> <strong>CDK</strong> (Cloud Development Kit) - AWS, defines CloudFormation</li> </ul> <p><strong>We're using Terraform because:</strong></p> <ul> <li>✅ Multi-cloud (Linode, AWS, GCP, Azure)</li> <li>✅ Declarative (describe desired state)</li> <li>✅ Large provider ecosystem</li> <li>✅ Industry standard</li> <li>✅ Free and open source</li> </ul> <h2> Terraform Fundamentals </h2> <h3> Core Concepts </h3> <p><strong>1. Providers:</strong> Plugins for cloud platforms<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">linode</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"linode/linode"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.9.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"linode"</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">linode_token</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. Resources:</strong> Infrastructure components<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"linode_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"web-server"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"g6-standard-1"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"linode/ubuntu22.04"</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. Variables:</strong> Parameterize configuration<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-${var.environment}"</span> <span class="p">}</span> </code></pre> </div> <p><strong>4. Outputs:</strong> Extract values<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"cluster_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"kubeconfig"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">kubeconfig</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>5. State:</strong> Terraform tracks what it created<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate # Current infrastructure state </code></pre> </div> <h3> Terraform Workflow </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Write configuration</span> vim main.tf <span class="c"># 2. Initialize (download providers)</span> terraform init <span class="c"># 3. Preview changes</span> terraform plan <span class="c"># 4. Apply changes</span> terraform apply <span class="c"># 5. Destroy infrastructure (cleanup)</span> terraform destroy </code></pre> </div> <h2> Building SSPP Infrastructure with Terraform </h2> <h3> Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infrastructure/terraform/ ├── main.tf # Main configuration ├── variables.tf # Input variables ├── outputs.tf # Output values ├── versions.tf # Provider versions ├── terraform.tfvars # Variable values (gitignored) ├── backend.tf # Remote state config ├── modules/ │ ├── lke-cluster/ # Kubernetes cluster module │ ├── networking/ # VPC, firewall rules │ └── monitoring/ # Monitoring setup └── environments/ ├── dev/ ├── staging/ └── prod/ </code></pre> </div> <h3> Step 1: Provider Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/versions.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.6.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">linode</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"linode/linode"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.9.0"</span> <span class="p">}</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.24.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"linode"</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">linode_token</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">)</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">ca_certificate</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">token</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/variables.tf</span> <span class="nx">variable</span> <span class="s2">"linode_token"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Linode API token"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name (dev, staging, prod)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Linode region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"k8s_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes version"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Linode instance type for nodes"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"g6-standard-4"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_count"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Initial node count"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"autoscaler_min"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Minimum nodes for autoscaling"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"autoscaler_max"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Maximum nodes for autoscaling"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tags"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Tags for resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sspp"</span><span class="p">,</span> <span class="s2">"production"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: LKE Cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/main.tf</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"sspp"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-${var.environment}"</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">k8s_version</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">pool</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_type</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_count</span> <span class="nx">autoscaler</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaler_min</span> <span class="nx">max</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaler_max</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">control_plane</span> <span class="p">{</span> <span class="nx">high_availability</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"prod"</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Save kubeconfig to file</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"kubeconfig"</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/kubeconfig-${var.environment}"</span> <span class="nx">file_permission</span> <span class="p">=</span> <span class="s2">"0600"</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: NodeBalancer for LoadBalancer Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/nodebalancer.tf</span> <span class="nx">resource</span> <span class="s2">"linode_nodebalancer"</span> <span class="s2">"sspp_api"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-api-${var.environment}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"linode_nodebalancer_config"</span> <span class="s2">"sspp_api_https"</span> <span class="p">{</span> <span class="nx">nodebalancer_id</span> <span class="p">=</span> <span class="nx">linode_nodebalancer</span><span class="p">.</span><span class="nx">sspp_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"https"</span> <span class="nx">check</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">check_path</span> <span class="p">=</span> <span class="s2">"/api/v1/health"</span> <span class="nx">check_attempts</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">check_timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">ssl_cert</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssl_certificate</span> <span class="nx">ssl_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssl_private_key</span> <span class="p">}</span> <span class="c1"># Output NodeBalancer IP</span> <span class="nx">output</span> <span class="s2">"api_load_balancer_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_nodebalancer</span><span class="p">.</span><span class="nx">sspp_api</span><span class="p">.</span><span class="nx">ipv4</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Load balancer IP for API service"</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: Object Storage for Backups </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/object-storage.tf</span> <span class="nx">resource</span> <span class="s2">"linode_object_storage_bucket"</span> <span class="s2">"backups"</span> <span class="p">{</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-backups-${var.environment}"</span> <span class="nx">lifecycle_rule</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">expiration</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"linode_object_storage_key"</span> <span class="s2">"backup_access"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-backup-access-${var.environment}"</span> <span class="nx">bucket_access</span> <span class="p">{</span> <span class="nx">bucket_name</span> <span class="p">=</span> <span class="nx">linode_object_storage_bucket</span><span class="p">.</span><span class="nx">backups</span><span class="p">.</span><span class="nx">label</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">linode_object_storage_bucket</span><span class="p">.</span><span class="nx">backups</span><span class="p">.</span><span class="nx">cluster</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"read_write"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"backup_bucket_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://${linode_object_storage_bucket.backups.cluster}.linodeobjects.com/${linode_object_storage_bucket.backups.label}"</span> <span class="p">}</span> </code></pre> </div> <h3> Step 6: Firewall Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/firewall.tf</span> <span class="nx">resource</span> <span class="s2">"linode_firewall"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-cluster-${var.environment}"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">inbound</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"allow-https"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ACCEPT"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="s2">"443"</span> <span class="nx">ipv4</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">inbound</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"allow-http"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ACCEPT"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">ipv4</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">inbound</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"allow-k8s-api"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ACCEPT"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="s2">"6443"</span> <span class="nx">ipv4</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">allowed_ip_ranges</span> <span class="p">}</span> <span class="nx">outbound_policy</span> <span class="p">=</span> <span class="s2">"ACCEPT"</span> <span class="nx">linodes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">node</span> <span class="nx">in</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">pool</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">nodes</span> <span class="err">:</span> <span class="nx">node</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 7: DNS Records </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/dns.tf</span> <span class="nx">resource</span> <span class="s2">"linode_domain"</span> <span class="s2">"sspp"</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">soa_email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_email</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"master"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"linode_domain_record"</span> <span class="s2">"api"</span> <span class="p">{</span> <span class="nx">domain_id</span> <span class="p">=</span> <span class="nx">linode_domain</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"api"</span> <span class="nx">record_type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">target</span> <span class="p">=</span> <span class="nx">linode_nodebalancer</span><span class="p">.</span><span class="nx">sspp_api</span><span class="p">.</span><span class="nx">ipv4</span> <span class="nx">ttl_sec</span> <span class="p">=</span> <span class="mi">300</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"linode_domain_record"</span> <span class="s2">"wildcard"</span> <span class="p">{</span> <span class="nx">domain_id</span> <span class="p">=</span> <span class="nx">linode_domain</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">record_type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">target</span> <span class="p">=</span> <span class="nx">linode_nodebalancer</span><span class="p">.</span><span class="nx">sspp_api</span><span class="p">.</span><span class="nx">ipv4</span> <span class="nx">ttl_sec</span> <span class="p">=</span> <span class="mi">300</span> <span class="p">}</span> </code></pre> </div> <h3> Step 8: Outputs </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/outputs.tf</span> <span class="nx">output</span> <span class="s2">"cluster_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"LKE cluster ID"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cluster_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes API endpoint"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">endpoint</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"kubeconfig_path"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Path to kubeconfig file"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">local_file</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">filename</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"api_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"API public endpoint"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://api.${var.domain_name}"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"backup_bucket"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"S3-compatible backup bucket URL"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://${linode_object_storage_bucket.backups.cluster}.linodeobjects.com/${linode_object_storage_bucket.backups.label}"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"backup_access_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Backup bucket access key"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_object_storage_key</span><span class="p">.</span><span class="nx">backup_access</span><span class="p">.</span><span class="nx">access_key</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"backup_secret_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Backup bucket secret key"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">linode_object_storage_key</span><span class="p">.</span><span class="nx">backup_access</span><span class="p">.</span><span class="nx">secret_key</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Remote State Management </h2> <p><strong>Problem:</strong> <code>terraform.tfstate</code> is stored locally. If you lose it, Terraform can't manage your infrastructure.</p> <p><strong>Solution:</strong> Store state remotely (S3, Terraform Cloud).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/backend.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"sspp-terraform-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prod/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># State locking with DynamoDB</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-state-lock"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>✅ Team collaboration (shared state)</li> <li>✅ State locking (prevents concurrent modifications)</li> <li>✅ Encrypted at rest</li> <li>✅ Version history</li> </ul> <p><strong>Alternative: Terraform Cloud</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">cloud</span> <span class="p">{</span> <span class="nx">organization</span> <span class="p">=</span> <span class="s2">"sspp"</span> <span class="nx">workspaces</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Using Terraform </h2> <h3> Initialize </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infrastructure/terraform <span class="c"># Download providers</span> terraform init </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing the backend... Initializing provider plugins... - Finding linode/linode versions matching "~&gt; 2.9.0"... - Installing linode/linode v2.9.3... Terraform has been successfully initialized! </code></pre> </div> <h3> Create Variable File </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># infrastructure/terraform/terraform.tfvars</span> linode_token <span class="o">=</span> <span class="s2">"YOUR_LINODE_API_TOKEN"</span> environment <span class="o">=</span> <span class="s2">"prod"</span> region <span class="o">=</span> <span class="s2">"us-east"</span> domain_name <span class="o">=</span> <span class="s2">"sspp.example.com"</span> admin_email <span class="o">=</span> <span class="s2">"admin@example.com"</span> node_type <span class="o">=</span> <span class="s2">"g6-standard-4"</span> node_count <span class="o">=</span> 3 autoscaler_min <span class="o">=</span> 3 autoscaler_max <span class="o">=</span> 10 tags <span class="o">=</span> <span class="o">[</span><span class="s2">"sspp"</span>, <span class="s2">"production"</span>, <span class="s2">"managed-by-terraform"</span><span class="o">]</span> </code></pre> </div> <p><strong>Add to .gitignore:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"terraform.tfvars"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">"*.tfstate*"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">"kubeconfig-*"</span> <span class="o">&gt;&gt;</span> .gitignore </code></pre> </div> <h3> Plan (Preview Changes) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform will perform the following actions: # linode_lke_cluster.sspp will be created + resource "linode_lke_cluster" "sspp" { + id = (known after apply) + label = "sspp-prod" + k8s_version = "1.28" + region = "us-east" + pool { + count = 3 + type = "g6-standard-4" + autoscaler { + min = 3 + max = 10 } } } # linode_object_storage_bucket.backups will be created + resource "linode_object_storage_bucket" "backups" { + cluster = "us-east-1" + label = "sspp-backups-prod" } Plan: 8 to add, 0 to change, 0 to destroy. </code></pre> </div> <p><strong>Review carefully!</strong> This is your code review checkpoint.</p> <h3> Apply </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p><strong>Terraform asks for confirmation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes </code></pre> </div> <p><strong>Provisioning:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>linode_lke_cluster.sspp: Creating... linode_object_storage_bucket.backups: Creating... linode_lke_cluster.sspp: Still creating... [10s elapsed] linode_lke_cluster.sspp: Still creating... [5m0s elapsed] linode_lke_cluster.sspp: Creation complete after 8m23s Apply complete! Resources: 8 added, 0 changed, 0 destroyed. Outputs: cluster_id = "12345" api_endpoint = "https://api.sspp.example.com" kubeconfig_path = "./kubeconfig-prod" </code></pre> </div> <p><strong>Your infrastructure is now live!</strong> 🎉</p> <h3> Configure kubectl </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> kubeconfig_path<span class="si">)</span> kubectl get nodes </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME STATUS ROLES AGE VERSION lke12345-67890-abc123 Ready &lt;none&gt; 5m v1.28.3 lke12345-67890-def456 Ready &lt;none&gt; 5m v1.28.3 lke12345-67890-ghi789 Ready &lt;none&gt; 5m v1.28.3 </code></pre> </div> <h2> Terraform Modules for Reusability </h2> <p><strong>Problem:</strong> Duplicating configuration for dev, staging, prod.</p> <p><strong>Solution:</strong> Create reusable modules.</p> <h3> Module Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infrastructure/terraform/modules/lke-cluster/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p><strong>Module definition:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/modules/lke-cluster/main.tf</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">k8s_version</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">pool</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_type</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_count</span> <span class="nx">autoscaler</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaler_min</span> <span class="nx">max</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaler_max</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">control_plane</span> <span class="p">{</span> <span class="nx">high_availability</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">high_availability</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Using the module:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/environments/prod/main.tf</span> <span class="nx">module</span> <span class="s2">"prod_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/lke-cluster"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">node_type</span> <span class="p">=</span> <span class="s2">"g6-standard-4"</span> <span class="nx">node_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">autoscaler_min</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">autoscaler_max</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">high_availability</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sspp"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># infrastructure/terraform/environments/dev/main.tf</span> <span class="nx">module</span> <span class="s2">"dev_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/lke-cluster"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"sspp-dev"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="nx">k8s_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">node_type</span> <span class="p">=</span> <span class="s2">"g6-standard-2"</span> <span class="c1"># Smaller nodes</span> <span class="nx">node_count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">autoscaler_min</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">autoscaler_max</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">high_availability</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Dev doesn't need HA</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sspp"</span><span class="p">,</span> <span class="s2">"dev"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>✅ DRY (Don't Repeat Yourself)</li> <li>✅ Consistent configuration</li> <li>✅ Easy to update (change module, affects all environments)</li> </ul> <h2> Terraform Best Practices </h2> <h3> 1. Use Variables for Everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ❌ Bad</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east"</span> <span class="p">}</span> <span class="c1"># ✅ Good</span> <span class="nx">resource</span> <span class="s2">"linode_lke_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">label</span> <span class="p">=</span> <span class="s2">"sspp-${var.environment}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Tag All Resources </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">tags</span> <span class="err">=</span> <span class="p">[</span> <span class="s2">"environment:${var.environment}"</span><span class="p">,</span> <span class="s2">"managed-by:terraform"</span><span class="p">,</span> <span class="s2">"project:sspp"</span><span class="p">,</span> <span class="s2">"owner:devops-team"</span> <span class="p">]</span> </code></pre> </div> <p><strong>Why:</strong> Cost tracking, resource filtering, compliance.</p> <h3> 3. Use Remote State </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Never commit terraform.tfstate to git!</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prod/terraform.tfstate"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Lock Provider Versions </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ❌ Bad - Could break with provider updates</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">linode</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"linode/linode"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># ✅ Good - Explicit version</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">linode</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"linode/linode"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.9.0"</span> <span class="c1"># Allow 2.9.x, not 2.10.x</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5. Use terraform fmt and validate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format code</span> terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> <span class="c"># Validate syntax</span> terraform validate <span class="c"># Check for issues</span> tflint </code></pre> </div> <h3> 6. Plan Before Apply </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Always review plan</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan <span class="c"># Review changes</span> less tfplan <span class="c"># Apply only if looks good</span> terraform apply tfplan </code></pre> </div> <h3> 7. Use Workspaces for Environments </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create workspaces</span> terraform workspace new dev terraform workspace new staging terraform workspace new prod <span class="c"># Switch workspace</span> terraform workspace <span class="k">select </span>prod <span class="c"># List workspaces</span> terraform workspace list </code></pre> </div> <p><strong>Different state per workspace.</strong></p> <h2> Terraform in CI/CD </h2> <h3> GitHub Actions Workflow </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/terraform.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Infrastructure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infrastructure/terraform/**'</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infrastructure/terraform/**'</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_VERSION</span><span class="pi">:</span> <span class="s">1.6.0</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan &amp; Apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infrastructure/terraform</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Format Check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">env</span><span class="pi">:</span> <span class="na">LINODE_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.LINODE_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">env</span><span class="pi">:</span> <span class="na">LINODE_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.LINODE_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan -out=tfplan</span> <span class="s">terraform show -no-color tfplan &gt; plan.txt</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Comment PR with Plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'pull_request'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/github-script@v7</span> <span class="na">with</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">const fs = require('fs');</span> <span class="s">const plan = fs.readFileSync('infrastructure/terraform/plan.txt', 'utf8');</span> <span class="s">github.rest.issues.createComment({</span> <span class="s">issue_number: context.issue.number,</span> <span class="s">owner: context.repo.owner,</span> <span class="s">repo: context.repo.repo,</span> <span class="s">body: '```</span> <span class="pi">{</span><span class="err">%</span> <span class="nv">endraw %</span><span class="pi">}</span> <span class="s">terraform\n' + plan + '\n</span> <span class="pi">{</span><span class="err">%</span> <span class="nv">raw %</span><span class="pi">}</span> <span class="err">```</span><span class="s1">'</span> <span class="s">});</span> <span class="s">-</span><span class="nv"> </span><span class="s">name:</span><span class="nv"> </span><span class="s">Terraform</span><span class="nv"> </span><span class="s">Apply</span> <span class="s">if:</span><span class="nv"> </span><span class="s">github.ref</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">'refs/heads/main' &amp;&amp; github.event_name == 'push'</span> <span class="s">env</span><span class="err">:</span> <span class="na">LINODE_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.LINODE_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -auto-approve tfplan</span> </code></pre> </div> <p><strong>Workflow:</strong></p> <ol> <li> <strong>PR:</strong> Runs <code>terraform plan</code>, comments on PR</li> <li> <strong>Merge to main:</strong> Runs <code>terraform apply</code> </li> <li><strong>Infrastructure changes are code-reviewed!</strong></li> </ol> <h2> Managing Kubernetes Resources with Terraform </h2> <p><strong>You can also manage Kubernetes resources with Terraform:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/terraform/kubernetes.tf</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">endpoint</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">token</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">linode_lke_cluster</span><span class="p">.</span><span class="nx">sspp</span><span class="p">.</span><span class="nx">api_endpoints</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">ca_certificate</span><span class="p">)</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"sspp_prod"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sspp-prod"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"sspp_secrets"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sspp-secrets"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">sspp_prod</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">DB_PASSWORD</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_password</span> <span class="nx">JWT_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_secret</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> </code></pre> </div> <p><strong>But should you?</strong></p> <p><strong>Pros:</strong></p> <ul> <li>Everything in one place</li> <li>Terraform manages both cluster and apps</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Mixing infrastructure and application concerns</li> <li>kubectl is faster for iteration</li> <li>ArgoCD is better for GitOps</li> </ul> <p><strong>Best practice:</strong> Use Terraform for infrastructure (cluster, nodes), use Kubernetes manifests or ArgoCD for applications.</p> <h2> Real-World Example: Multi-Environment Setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infrastructure/terraform/ ├── modules/ │ └── lke-cluster/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── environments/ │ ├── dev/ │ │ ├── main.tf │ │ ├── terraform.tfvars │ │ └── backend.tf │ ├── staging/ │ │ ├── main.tf │ │ ├── terraform.tfvars │ │ └── backend.tf │ └── prod/ │ ├── main.tf │ ├── terraform.tfvars │ └── backend.tf </code></pre> </div> <p><strong>Deploy dev:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>environments/dev terraform init terraform apply </code></pre> </div> <p><strong>Deploy staging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>environments/staging terraform init terraform apply </code></pre> </div> <p><strong>Deploy prod:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>environments/prod terraform init terraform apply </code></pre> </div> <p><strong>Identical configuration, different parameters.</strong></p> <h2> Cost Estimation with Infracost </h2> <p><strong>How much will this cost?</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Infracost</span> brew <span class="nb">install </span>infracost <span class="c"># Get cost estimate</span> infracost breakdown <span class="nt">--path</span> infrastructure/terraform <span class="c"># Output:</span> <span class="c"># ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓</span> <span class="c"># ┃ Resource ┃ Monthly cost ┃</span> <span class="c"># ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫</span> <span class="c"># ┃ linode_lke_cluster.sspp ┃ ┃</span> <span class="c"># ┃ └─ Node pool (3x g6-4) ┃ $120.00 ┃</span> <span class="c"># ┃ linode_nodebalancer ┃ $10.00 ┃</span> <span class="c"># ┃ object_storage_bucket ┃ $5.00 ┃</span> <span class="c"># ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫</span> <span class="c"># ┃ TOTAL ┃ $135.00 ┃</span> <span class="c"># ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━┛</span> </code></pre> </div> <p><strong>Add to CI/CD:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cost estimate</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">infracost breakdown --path . --format json &gt; cost.json</span> <span class="s">infracost comment github --path cost.json</span> </code></pre> </div> <p><strong>PR comments show cost changes!</strong></p> <h2> What We Solved </h2> <p>✅ <strong>Reproducible infrastructure</strong> - Code defines everything<br><br> ✅ <strong>Version controlled</strong> - Git tracks all changes<br><br> ✅ <strong>Code reviewed</strong> - PRs for infrastructure changes<br><br> ✅ <strong>Multi-environment</strong> - Dev, staging, prod from same code<br><br> ✅ <strong>Self-documenting</strong> - Terraform files are the docs<br><br> ✅ <strong>Automated</strong> - CI/CD applies changes<br><br> ✅ <strong>Cost visible</strong> - Infracost shows price before apply </p> <h2> What's Next? </h2> <p>We have infrastructure as code with Terraform. But application deployment is still manual:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> k8s/ </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>❌ No rollback mechanism</li> <li>❌ No deployment history</li> <li>❌ Manual sync between Git and cluster</li> <li>❌ No automatic sync when manifests change</li> </ul> <p>In <strong>Part 9</strong>, we'll add <strong>GitOps with ArgoCD</strong>:</p> <ul> <li>Git as single source of truth</li> <li>Automatic sync (Git → Cluster)</li> <li>Deployment history and rollback</li> <li>Multi-cluster management</li> <li>Self-service deployments</li> </ul> <p><strong>Push to Git → ArgoCD deploys automatically.</strong></p> <h2> Try It Yourself </h2> <p><strong>Challenge:</strong> Create complete Terraform infrastructure:</p> <ol> <li>Create Linode account (free $100 credit)</li> <li>Get API token</li> <li>Write Terraform configuration for LKE cluster</li> <li>Add NodeBalancer, object storage, firewall</li> <li>Create dev, staging, prod environments</li> <li>Apply with Terraform</li> <li>Deploy SSPP to each environment</li> <li>Add cost estimation with Infracost</li> <li>Set up CI/CD for Terraform</li> </ol> <p><strong>Bonus:</strong> Manage Kubernetes namespaces with Terraform.</p> <h2> Discussion </h2> <p><strong>Do you use Terraform? Pulumi? CloudFormation?</strong> What's your IaC tool of choice?</p> <p>Share on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-6-kubernetes-from-first-principles-no-magic-522c">Part 6: Kubernetes Without Magic</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-8-helm-packaging-kubernetes-applications-15jf">Part 8: Helm - Packaging Kubernetes Applications</a> </h2> <p><strong>About the Author</strong></p> <p>Building this series for my Proton.ai application to demonstrate real DevOps thinking.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> </ul> terraform devops githubactions Part 6: Kubernetes from First Principles (No Magic) David Nwosu Mon, 22 Dec 2025 23:30:11 +0000 https://dev.to/daviesbrown/part-6-kubernetes-from-first-principles-no-magic-522c https://dev.to/daviesbrown/part-6-kubernetes-from-first-principles-no-magic-522c <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 15 minutes<br><br> <strong>Level:</strong> Intermediate</p> <h2> The Kubernetes Mindset Shift </h2> <p>In <a href="https://dev.to/daviesbrown/part-5-from-one-server-to-many-the-need-for-orchestration-i3h">Part 5</a>, we broke Docker Compose in creative ways and felt the pain of manual orchestration. Now it's time to fix it.</p> <p>But first, we need a mindset shift.</p> <p><strong>Before Kubernetes:</strong></p> <blockquote> <p>"I have a server. I'll SSH in and run containers on it."</p> </blockquote> <p><strong>With Kubernetes:</strong></p> <blockquote> <p>"I have a cluster. I'll declare what I want running. Kubernetes makes it happen."</p> </blockquote> <p><strong>This is the key insight:</strong> Kubernetes is <strong>declarative</strong>, not imperative.</p> <p>You don't tell it <em>how</em> to do things. You tell it <em>what</em> you want, and it figures out the how.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># You write this</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Kubernetes does this:</span> <span class="c1"># ✓ Schedules 5 pods across nodes</span> <span class="c1"># ✓ Monitors them continuously</span> <span class="c1"># ✓ Restarts if they crash</span> <span class="c1"># ✓ Redistributes if a node dies</span> <span class="c1"># ✓ Rolls out updates gracefully</span> </code></pre> </div> <p><strong>You describe desired state. Kubernetes maintains it.</strong></p> <h2> Core Concepts (No Jargon) </h2> <h3> Pods: The Smallest Unit </h3> <p>A <strong>Pod</strong> is one or more containers that run together on the same machine.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <p><strong>Think of a Pod as:</strong> A wrapper around containers that share:</p> <ul> <li>Network (same IP address)</li> <li>Storage (can mount same volumes)</li> <li>Lifecycle (started/stopped together)</li> </ul> <p><strong>Why not just use containers directly?</strong> Because you need more control:</p> <ul> <li> <strong>Sidecars:</strong> Add a logging container next to your app</li> <li> <strong>Init containers:</strong> Run setup before main container starts</li> <li> <strong>Shared volumes:</strong> Multiple containers access same files</li> </ul> <p><strong>Real-world analogy:</strong> A Pod is like a house. Containers are the rooms. They share the address (IP), utilities (network), and exist together.</p> <h3> Deployments: Managing Replicas </h3> <p>You almost never create Pods directly. You create a <strong>Deployment</strong>, which manages Pods for you.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> </code></pre> </div> <p><strong>What this creates:</strong></p> <ul> <li>3 identical Pods running your API</li> <li>ReplicaSet managing them</li> <li>Automatic recreation if Pods die</li> <li>Rolling update strategy built-in</li> </ul> <p><strong>The magic:</strong> Kill a Pod, Kubernetes immediately creates a new one. Always maintains 3 replicas.</p> <h3> Services: Stable Networking </h3> <p>Pods are <strong>ephemeral</strong>—they die and get recreated with new IP addresses.</p> <p><strong>Problem:</strong> How do other Pods find your API if its IP keeps changing?</p> <p><strong>Solution:</strong> A <strong>Service</strong> provides a stable DNS name and IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Creates a stable DNS name: <code>api.sspp-dev.svc.cluster.local</code> </li> <li>Load balances requests across all Pods with label <code>app: api</code> </li> <li>Exposes externally (type: LoadBalancer) via cloud provider's load balancer</li> </ul> <p><strong>Types of Services:</strong></p> <ul> <li> <strong>ClusterIP:</strong> Internal only (default)</li> <li> <strong>NodePort:</strong> Exposes on each node's IP at a static port</li> <li> <strong>LoadBalancer:</strong> Creates external load balancer (Linode NodeBalancer)</li> </ul> <h3> ConfigMaps &amp; Secrets: Configuration Management </h3> <p><strong>Problem:</strong> Hardcoding environment variables in Deployment YAML is bad:</p> <ul> <li>❌ Can't reuse across environments (dev, staging, prod)</li> <li>❌ Secrets visible in YAML files</li> <li>❌ Config changes require redeploying entire app</li> </ul> <p><strong>Solution:</strong> Separate configuration from application code.</p> <h4> ConfigMaps: Non-Sensitive Configuration </h4> <p>A <strong>ConfigMap</strong> stores configuration data as key-value pairs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Simple values</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">REDIS_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6379"</span> <span class="na">ELASTICSEARCH_URL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://elasticsearch:9200"</span> <span class="na">QUEUE_NAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sales-events"</span> <span class="c1"># Multi-line config files</span> <span class="na">app.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">log_level=info</span> <span class="s">max_connections=100</span> <span class="s">timeout=30s</span> </code></pre> </div> <p><strong>Use in Deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="c1"># Import ALL keys as env vars</span> <span class="c1"># Or selectively:</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NODE_ENV</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">NODE_ENV</span> </code></pre> </div> <h4> Secrets: Sensitive Data </h4> <p>A <strong>Secret</strong> stores sensitive data (passwords, tokens, keys) with base64 encoding.</p> <p><strong>Create from command line:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From literal values</span> kubectl create secret generic sspp-secrets <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DB_PASSWORD</span><span class="o">=</span>sspp_password <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">REDIS_PASSWORD</span><span class="o">=</span>redis_secret <span class="se">\</span> <span class="nt">-n</span> sspp-dev <span class="c"># From files</span> kubectl create secret generic api-tls <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>tls.crt<span class="o">=</span>./cert.pem <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>tls.key<span class="o">=</span>./key.pem <span class="se">\</span> <span class="nt">-n</span> sspp-dev </code></pre> </div> <p><strong>Or define in YAML (base64-encode first):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Encode secrets</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'sspp_password'</span> | <span class="nb">base64</span> <span class="c"># Output: c3NwcF9wYXNzd29yZA==</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">c3NwcF9wYXNzd29yZA==</span> <span class="c1"># base64 encoded</span> <span class="na">REDIS_PASSWORD</span><span class="pi">:</span> <span class="s">cmVkaXNfc2VjcmV0==</span> </code></pre> </div> <p><strong>Use in Deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="c1"># Or mount as files:</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secrets</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">sspp-secrets</span> </code></pre> </div> <p><strong>Access mounted secret:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In your app</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">/etc/secrets/DB_PASSWORD</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p><strong>Key differences:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>ConfigMap</th> <th>Secret</th> </tr> </thead> <tbody> <tr> <td>Use case</td> <td>Non-sensitive config</td> <td>Passwords, tokens, keys</td> </tr> <tr> <td>Encoding</td> <td>Plain text</td> <td>Base64</td> </tr> <tr> <td>Storage</td> <td>etcd (plain)</td> <td>etcd (can be encrypted)</td> </tr> <tr> <td>Size limit</td> <td>1MB</td> <td>1MB</td> </tr> <tr> <td>Best for</td> <td>URLs, ports, flags</td> <td>Credentials, certificates</td> </tr> </tbody> </table></div> <h2> Setting Up Kubernetes on Linode </h2> <p>We'll use <strong>Linode Kubernetes Engine (LKE)</strong> for production-grade Kubernetes without the setup pain.</p> <h3> Create a Cluster </h3> <ol> <li>Log into <a href="https://cloud.linode.com" rel="noopener noreferrer">Linode Cloud Manager</a> </li> <li>Click "Kubernetes" → "Create Cluster"</li> <li>Configure: <ul> <li> <strong>Cluster Label:</strong> <code>sspp-cluster</code> </li> <li> <strong>Region:</strong> Choose closest to you</li> <li> <strong>Kubernetes Version:</strong> 1.28 (or latest stable)</li> <li> <strong>Node Pools:</strong> <ul> <li>Pool: <code>standard-4gb</code> (2 CPU, 4GB RAM)</li> <li>Count: 3 nodes</li> </ul> </li> </ul> </li> <li>Click "Create Cluster"</li> </ol> <p><strong>Wait 5-10 minutes</strong> for cluster provisioning.</p> <h3> Configure kubectl </h3> <p>Download your kubeconfig:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install kubectl (if not already installed)</span> curl <span class="nt">-LO</span> <span class="s2">"https://dl.k8s.io/release/</span><span class="si">$(</span>curl <span class="nt">-L</span> <span class="nt">-s</span> https://dl.k8s.io/release/stable.txt<span class="si">)</span><span class="s2">/bin/linux/amd64/kubectl"</span> <span class="nb">chmod</span> +x kubectl <span class="nb">sudo mv </span>kubectl /usr/local/bin/ <span class="c"># Download kubeconfig from Linode dashboard</span> <span class="c"># Or use Linode CLI:</span> linode-cli lke kubeconfig-view &lt;cluster-id&gt; <span class="o">&gt;</span> ~/.kube/config <span class="c"># Verify connection</span> kubectl get nodes </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME STATUS ROLES AGE VERSION lke12345-67890-abcdef1234 Ready &lt;none&gt; 5m v1.28.0 lke12345-67890-abcdef5678 Ready &lt;none&gt; 5m v1.28.0 lke12345-67890-abcdef9012 Ready &lt;none&gt; 5m v1.28.0 </code></pre> </div> <p><strong>You now have a 3-node Kubernetes cluster.</strong> 🎉</p> <h2> Deploying SSPP to Kubernetes </h2> <p>Let's deploy our entire stack: PostgreSQL, Redis, Elasticsearch, API, and Worker.</p> <h3> Step 1: Create Namespace </h3> <p>Namespaces isolate resources (dev, staging, prod).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace sspp-dev <span class="c"># Set as default</span> kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>sspp-dev </code></pre> </div> <h3> Step 2: Deploy PostgreSQL </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/postgres.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-pvc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">linode-block-storage</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_DB</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_USER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/lib/postgresql/data</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">postgres-pvc</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li> <strong>PersistentVolumeClaim:</strong> Requests 10GB storage (data survives Pod restarts)</li> <li> <strong>Deployment:</strong> 1 replica (databases don't horizontally scale easily)</li> <li> <strong>Service:</strong> ClusterIP (internal only, not exposed externally)</li> </ul> <p><strong>Deploy it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/postgres.yaml <span class="c"># Check status</span> kubectl get pods kubectl get pvc kubectl get svc </code></pre> </div> <h3> Step 3: Deploy Redis </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/redis.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">6379</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <p><strong>Deploy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/redis.yaml </code></pre> </div> <h3> Step 4: Deploy Elasticsearch </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/elasticsearch.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.elastic.co/elasticsearch/elasticsearch:8.11.0</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discovery.type</span> <span class="na">value</span><span class="pi">:</span> <span class="s">single-node</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">xpack.security.enabled</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ES_JAVA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Xms512m</span><span class="nv"> </span><span class="s">-Xmx512m"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9200</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9300</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9200</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9200</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">transport</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9300</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9300</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <p><strong>Deploy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/elasticsearch.yaml </code></pre> </div> <h3> Step 5: Deploy API Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/api.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NODE_ENV</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3000"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5432"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_USER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDIS_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s">redis</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDIS_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6379"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ELASTICSEARCH_URL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">http://elasticsearch:9200</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api/v1/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api/v1/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> </code></pre> </div> <p><strong>Key features:</strong></p> <ul> <li> <strong>2 replicas:</strong> Load balanced automatically</li> <li> <strong>Resource limits:</strong> Prevents resource hogging</li> <li> <strong>Health checks:</strong> Kubernetes won't route traffic to unhealthy Pods</li> <li> <strong>LoadBalancer:</strong> Exposes API publicly via Linode NodeBalancer</li> </ul> <p><strong>Deploy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/api.yaml <span class="c"># Get external IP (takes 1-2 minutes)</span> kubectl get svc api </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE api LoadBalancer 10.128.45.123 45.79.123.45 80:30123/TCP 2m </code></pre> </div> <p><strong>Your API is now publicly accessible at <code>http://45.79.123.45</code>!</strong></p> <h3> Step 6: Deploy Worker Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/worker.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-worker:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NODE_ENV</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5432"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_USER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDIS_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s">redis</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDIS_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6379"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ELASTICSEARCH_URL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">http://elasticsearch:9200</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">QUEUE_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">sales-events</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> </code></pre> </div> <p><strong>Deploy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/worker.yaml </code></pre> </div> <h2> Managing Multiple Environments </h2> <p><strong>Real production setup:</strong> You need dev, staging, and production environments.</p> <h3> Strategy 1: Namespaces (Simple) </h3> <p><strong>Separate by namespace:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create namespaces</span> kubectl create namespace sspp-dev kubectl create namespace sspp-staging kubectl create namespace sspp-prod </code></pre> </div> <p><strong>Deploy to each:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev</span> kubectl apply <span class="nt">-f</span> infrastructure/k8s/ <span class="nt">-n</span> sspp-dev <span class="c"># Staging</span> kubectl apply <span class="nt">-f</span> infrastructure/k8s/ <span class="nt">-n</span> sspp-staging <span class="c"># Production</span> kubectl apply <span class="nt">-f</span> infrastructure/k8s/ <span class="nt">-n</span> sspp-prod </code></pre> </div> <p><strong>Create environment-specific ConfigMaps:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config-dev.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">data</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">development"</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">debug"</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redis.sspp-dev"</span> <span class="nn">---</span> <span class="c1"># config-prod.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">data</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">info"</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redis.sspp-prod"</span> </code></pre> </div> <p><strong>Apply:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> config-dev.yaml kubectl apply <span class="nt">-f</span> config-prod.yaml </code></pre> </div> <h3> Strategy 2: Kustomize (Better) </h3> <p><strong>Kustomize</strong> is built into kubectl and lets you customize YAML without templates.</p> <p><strong>Directory structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infrastructure/k8s/ ├── base/ │ ├── kustomization.yaml │ ├── deployment.yaml │ ├── service.yaml │ └── configmap.yaml ├── overlays/ │ ├── dev/ │ │ ├── kustomization.yaml │ │ └── patch-replicas.yaml │ ├── staging/ │ │ └── kustomization.yaml │ └── prod/ │ ├── kustomization.yaml │ └── patch-replicas.yaml </code></pre> </div> <p><strong>base/kustomization.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">deployment.yaml</span> <span class="pi">-</span> <span class="s">service.yaml</span> <span class="pi">-</span> <span class="s">configmap.yaml</span> <span class="na">commonLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sspp-api</span> </code></pre> </div> <p><strong>overlays/dev/kustomization.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">patch-replicas.yaml</span> <span class="na">configMapGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NODE_ENV=development</span> <span class="pi">-</span> <span class="s">LOG_LEVEL=debug</span> </code></pre> </div> <p><strong>overlays/dev/patch-replicas.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Dev only needs 1 replica</span> </code></pre> </div> <p><strong>overlays/prod/kustomization.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-prod</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">patch-replicas.yaml</span> <span class="na">configMapGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NODE_ENV=production</span> <span class="pi">-</span> <span class="s">LOG_LEVEL=info</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_PASSWORD=actual_prod_password</span> </code></pre> </div> <p><strong>overlays/prod/patch-replicas.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Production needs 5 replicas</span> </code></pre> </div> <p><strong>Deploy with Kustomize:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev</span> kubectl apply <span class="nt">-k</span> infrastructure/k8s/overlays/dev <span class="c"># Staging</span> kubectl apply <span class="nt">-k</span> infrastructure/k8s/overlays/staging <span class="c"># Production</span> kubectl apply <span class="nt">-k</span> infrastructure/k8s/overlays/prod </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>✅ DRY (Don't Repeat Yourself) - base shared across environments</li> <li>✅ Environment-specific overrides</li> <li>✅ No templating language to learn</li> <li>✅ Native kubectl support</li> </ul> <h3> Strategy 3: Separate Clusters (Production-Grade) </h3> <p><strong>For serious production:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ │ Dev Cluster │ - 1-2 nodes, shared resources │ sspp-dev │ - Developers can break things └─────────────────┘ ┌─────────────────┐ │ Staging Cluster │ - Mirrors production size │ sspp-staging │ - Pre-release testing └─────────────────┘ ┌─────────────────┐ │ Prod Cluster │ - High availability (3+ nodes) │ sspp-prod │ - Strict access control └─────────────────┘ </code></pre> </div> <p><strong>Why separate clusters?</strong></p> <ul> <li>🔒 <strong>Security:</strong> Compromised dev can't affect prod</li> <li>💰 <strong>Cost:</strong> Dev uses cheaper spot instances</li> <li>🎯 <strong>Blast radius:</strong> Experiments stay contained</li> <li>📊 <strong>Resource isolation:</strong> Dev load doesn't impact prod</li> </ul> <p><strong>Deploy to multiple clusters:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Switch context</span> kubectl config use-context lke-dev kubectl apply <span class="nt">-k</span> overlays/dev kubectl config use-context lke-staging kubectl apply <span class="nt">-k</span> overlays/staging kubectl config use-context lke-prod kubectl apply <span class="nt">-k</span> overlays/prod </code></pre> </div> <h3> Best Practices for Environment Management </h3> <p>✅ <strong>Never hardcode secrets in YAML</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bad</span> <span class="nb">env</span>: - name: DB_PASSWORD value: <span class="s2">"password123"</span> <span class="c"># ❌ Visible in Git</span> <span class="c"># Good</span> <span class="nb">env</span>: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secrets key: password <span class="c"># ✅ Stored separately</span> </code></pre> </div> <p>✅ <strong>Use external secret managers for production</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Use AWS Secrets Manager, Vault, or Sealed Secrets</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-secrets-manager</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">prod/sspp/db-password</span> </code></pre> </div> <p>✅ <strong>Namespace quotas prevent resource hogging</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ResourceQuota</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev-quota</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hard</span><span class="pi">:</span> <span class="na">requests.cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4"</span> <span class="na">requests.memory</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="na">persistentvolumeclaims</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5"</span> </code></pre> </div> <p>✅ <strong>RBAC for access control</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Developers can deploy to dev, but not prod</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developers</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developers</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">edit</span> <span class="c1"># Can create/update resources</span> </code></pre> </div> <h2> Refactoring API Deployment with ConfigMaps &amp; Secrets </h2> <p>Let's refactor our API deployment to use proper configuration management:</p> <p><strong>1. Create ConfigMap:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/configmap.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">data</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3000"</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">postgres"</span> <span class="na">DB_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5432"</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sales_signals"</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redis"</span> <span class="na">REDIS_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6379"</span> <span class="na">ELASTICSEARCH_URL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://elasticsearch:9200"</span> </code></pre> </div> <p><strong>2. Create Secret:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic sspp-secrets <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DB_USER</span><span class="o">=</span>sspp_user <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DB_PASSWORD</span><span class="o">=</span>sspp_password <span class="se">\</span> <span class="nt">-n</span> sspp-dev </code></pre> </div> <p><strong>3. Update API Deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/k8s/api.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">sspp-dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-config</span> <span class="c1"># Import all non-sensitive config</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_USER</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DB_USER</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sspp-secrets</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api/v1/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api/v1/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p><strong>4. Deploy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infrastructure/k8s/configmap.yaml kubectl apply <span class="nt">-f</span> infrastructure/k8s/api.yaml <span class="c"># Verify</span> kubectl get configmap sspp-config <span class="nt">-n</span> sspp-dev <span class="nt">-o</span> yaml kubectl get secret sspp-secrets <span class="nt">-n</span> sspp-dev </code></pre> </div> <p><strong>Benefits of this approach:</strong></p> <ul> <li>✅ Configuration separate from code</li> <li>✅ Easy to update config without redeploying image</li> <li>✅ Secrets not visible in YAML files</li> <li>✅ Same deployment YAML works across environments (just swap ConfigMap/Secret)</li> </ul> <h2> Testing the Deployment </h2> <h3> Check Everything is Running </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods NAME READY STATUS RESTARTS AGE api-7d8f9c6b5-abc12 1/1 Running 0 5m api-7d8f9c6b5-def34 1/1 Running 0 5m postgres-6c8d7f5b4-ghi56 1/1 Running 0 8m redis-5b7c6d4a3-jkl78 1/1 Running 0 7m elasticsearch-4a6b5c3d2-mno90 1/1 Running 0 7m worker-3c5d4e2f1-pqr12 1/1 Running 0 4m worker-3c5d4e2f1-stu34 1/1 Running 0 4m worker-3c5d4e2f1-vwx56 1/1 Running 0 4m </code></pre> </div> <p><strong>Perfect!</strong> All Pods are Running.</p> <h3> Send an Event </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get external IP</span> <span class="nv">EXTERNAL_IP</span><span class="o">=</span><span class="si">$(</span>kubectl get svc api <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].ip}'</span><span class="si">)</span> <span class="c"># Send event</span> curl <span class="nt">-X</span> POST http://<span class="nv">$EXTERNAL_IP</span>/api/v1/events <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "accountId": "acct_k8s_001", "userId": "user_k8s_001", "eventType": "email_sent", "timestamp": "2025-12-22T15:00:00Z", "metadata": { "campaign": "Kubernetes_Launch" } }'</span> </code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"accepted"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jobId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Event queued for processing"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Verify Processing </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check worker logs</span> kubectl logs <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>worker <span class="nt">--tail</span><span class="o">=</span>20 <span class="c"># Expected output:</span> <span class="c"># info: Processing job 1 {"accountId":"acct_k8s_001",...}</span> <span class="c"># info: Signal stored in PostgreSQL {"signalId":1}</span> <span class="c"># info: Signal indexed in Elasticsearch {"signalId":1}</span> <span class="c"># info: Job 1 completed successfully</span> </code></pre> </div> <p><strong>End-to-end flow working!</strong> 🎊</p> <h2> Kubernetes Superpowers </h2> <p>Now let's see what Kubernetes can do that Docker Compose can't.</p> <h3> 1. Self-Healing </h3> <p><strong>Kill a Pod:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List pods</span> kubectl get pods <span class="c"># Delete one</span> kubectl delete pod api-7d8f9c6b5-abc12 <span class="c"># Check again immediately</span> kubectl get pods </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME READY STATUS RESTARTS AGE api-7d8f9c6b5-abc12 1/1 Terminating 0 10m api-7d8f9c6b5-xyz99 0/1 ContainerCreating 0 1s api-7d8f9c6b5-def34 1/1 Running 0 10m </code></pre> </div> <p><strong>Kubernetes immediately created a replacement!</strong> No manual intervention.</p> <h3> 2. Horizontal Scaling </h3> <p><strong>Scale up:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl scale deployment api <span class="nt">--replicas</span><span class="o">=</span>5 <span class="c"># Check</span> kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>api </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME READY STATUS RESTARTS AGE api-7d8f9c6b5-abc12 1/1 Running 0 1m api-7d8f9c6b5-def34 1/1 Running 0 1m api-7d8f9c6b5-ghi56 1/1 Running 0 1m api-7d8f9c6b5-jkl78 1/1 Running 0 10s api-7d8f9c6b5-mno90 1/1 Running 0 10s </code></pre> </div> <p><strong>5 API instances in 10 seconds!</strong> Try doing that with Docker Compose.</p> <p><strong>Scale down:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl scale deployment api <span class="nt">--replicas</span><span class="o">=</span>2 </code></pre> </div> <p>Kubernetes gracefully terminates 3 Pods.</p> <h3> 3. Rolling Updates (Zero Downtime) </h3> <p><strong>Update the image:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">set </span>image deployment/api <span class="nv">api</span><span class="o">=</span>davidbrown77/sspp-api:v2.0.0 <span class="c"># Watch the rollout</span> kubectl rollout status deployment/api </code></pre> </div> <p><strong>What happens:</strong></p> <ol> <li>Kubernetes creates 1 new Pod with v2.0.0</li> <li>Waits for it to be healthy (readiness probe)</li> <li>Terminates 1 old Pod</li> <li>Repeats until all Pods are updated</li> </ol> <p><strong>No downtime.</strong> Traffic always routes to healthy Pods.</p> <h3> 4. Rollback </h3> <p><strong>New version has a bug? Rollback instantly:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout undo deployment/api <span class="c"># Or rollback to specific revision</span> kubectl rollout undo deployment/api <span class="nt">--to-revision</span><span class="o">=</span>2 </code></pre> </div> <p><strong>Rollback time:</strong> 30-60 seconds.</p> <p>Compare to manual deployment: 5-10 minutes (SSH, git pull, rebuild, restart, pray).</p> <h3> 5. Auto-Scaling (HPA) </h3> <p>Create a Horizontal Pod Autoscaler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl autoscale deployment api <span class="se">\</span> <span class="nt">--cpu-percent</span><span class="o">=</span>70 <span class="se">\</span> <span class="nt">--min</span><span class="o">=</span>2 <span class="se">\</span> <span class="nt">--max</span><span class="o">=</span>10 </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Monitors CPU usage</li> <li>If average CPU &gt; 70%, scale up</li> <li>If CPU &lt; 70%, scale down</li> <li>Min 2 Pods, max 10 Pods</li> </ul> <p><strong>Load test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate traffic</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..1000<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-X</span> POST http://<span class="nv">$EXTERNAL_IP</span>/api/v1/events <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"accountId":"load_test","userId":"user_'</span><span class="nv">$i</span><span class="s1">'","eventType":"email_sent","timestamp":"2025-12-22T15:00:00Z","metadata":{}}'</span> &amp; <span class="k">done</span> <span class="c"># Watch scaling</span> kubectl get hpa <span class="nt">-w</span> </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE api Deployment/api 85%/70% 2 10 5 2m </code></pre> </div> <p><strong>Kubernetes scaled to 5 Pods automatically!</strong></p> <h2> Essential kubectl Commands </h2> <h3> Pods </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List pods</span> kubectl get pods <span class="c"># Describe pod (detailed info)</span> kubectl describe pod &lt;pod-name&gt; <span class="c"># Logs</span> kubectl logs &lt;pod-name&gt; kubectl logs <span class="nt">-f</span> &lt;pod-name&gt; <span class="c"># Follow</span> <span class="c"># Execute command</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod-name&gt; <span class="nt">--</span> sh <span class="c"># Delete pod</span> kubectl delete pod &lt;pod-name&gt; </code></pre> </div> <h3> Deployments </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List deployments</span> kubectl get deployments <span class="c"># Describe deployment</span> kubectl describe deployment &lt;name&gt; <span class="c"># Scale</span> kubectl scale deployment &lt;name&gt; <span class="nt">--replicas</span><span class="o">=</span>5 <span class="c"># Update image</span> kubectl <span class="nb">set </span>image deployment/&lt;name&gt; &lt;container&gt;<span class="o">=</span>&lt;image&gt; <span class="c"># Rollout status</span> kubectl rollout status deployment/&lt;name&gt; <span class="c"># Rollback</span> kubectl rollout undo deployment/&lt;name&gt; <span class="c"># Delete deployment</span> kubectl delete deployment &lt;name&gt; </code></pre> </div> <h3> Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List services</span> kubectl get svc <span class="c"># Describe service</span> kubectl describe svc &lt;name&gt; <span class="c"># Delete service</span> kubectl delete svc &lt;name&gt; </code></pre> </div> <h3> Everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all resources</span> kubectl get all <span class="c"># Delete everything in namespace</span> kubectl delete all <span class="nt">--all</span> </code></pre> </div> <h2> What We Solved </h2> <p>✅ <strong>Self-healing</strong> - Pods restart automatically<br><br> ✅ <strong>Multi-server</strong> - Cluster of nodes, not single server<br><br> ✅ <strong>Load balancing</strong> - Built-in Service resource<br><br> ✅ <strong>Horizontal scaling</strong> - <code>kubectl scale</code> or HPA<br><br> ✅ <strong>Rolling updates</strong> - Zero-downtime deployments<br><br> ✅ <strong>Rollback</strong> - One-command revert<br><br> ✅ <strong>Health checks</strong> - Traffic only to healthy Pods<br><br> ✅ <strong>Declarative</strong> - YAML manifests = desired state</p> <h2> What's Next? </h2> <p>Our Kubernetes deployment works, but we have a critical problem:</p> <p>❌ <strong>Manual infrastructure setup</strong> - We created the cluster by clicking buttons<br><br> ❌ <strong>Not reproducible</strong> - Can't recreate this infrastructure reliably<br><br> ❌ <strong>No version control</strong> - Infrastructure changes aren't tracked<br><br> ❌ <strong>Drift risk</strong> - Production and dev environments diverge over time</p> <p>In <strong>Part 7</strong>, we'll fix this with <strong>Terraform</strong> (Infrastructure as Code).</p> <p>You'll learn:</p> <ul> <li>Define infrastructure in code (not clicks)</li> <li>Version control your entire stack</li> <li>Recreate environments identically</li> <li>Manage multiple environments (dev, staging, prod)</li> <li>Treat infrastructure like application code</li> </ul> <p><strong>Spoiler:</strong> Delete your entire cluster, run <code>terraform apply</code>, and it rebuilds perfectly.</p> <h2> Try It Yourself </h2> <p><strong>Challenge:</strong> Deploy SSPP to Linode Kubernetes Engine:</p> <ol> <li>Create LKE cluster (3 nodes)</li> <li>Deploy all services (postgres, redis, elasticsearch, api, worker)</li> <li>Send 100 events</li> <li>Kill Pods and watch them resurrect</li> <li>Scale API to 10 replicas</li> <li>Roll out a new image version</li> </ol> <p><strong>Bonus:</strong> Set up HPA and load test it.</p> <h2> Discussion </h2> <p><strong>What was your "aha!" moment with Kubernetes?</strong></p> <p>Share on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-5-from-one-server-to-many-the-need-for-orchestration-i3h">Part 5: Why Containers Still Fail in Production</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-7-terraform-making-infrastructure-repeatable-3f8p">Part 7: Terraform - Making Infrastructure Repeatable</a> </h2> <p><strong>About the Author</strong></p> <p>Building this series for my Proton.ai application to demonstrate real DevOps thinking.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> </ul> kubernetes docker devops Part 5: From One Server to Many - The Need for Orchestration David Nwosu Mon, 22 Dec 2025 23:26:27 +0000 https://dev.to/daviesbrown/part-5-from-one-server-to-many-the-need-for-orchestration-i3h https://dev.to/daviesbrown/part-5-from-one-server-to-many-the-need-for-orchestration-i3h <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 11 minutes<br><br> <strong>Level:</strong> Intermediate</p> <h2> The Production Reality Check </h2> <p>Your SSPP platform is live! Docker Compose works beautifully on your local machine and even on your single production server.</p> <p>Then Black Friday hits. Traffic spikes 50x.</p> <p><strong>What do you do?</strong></p> <p>You can't just run <code>docker-compose up --scale worker=50</code> because:</p> <ol> <li>One server doesn't have 50x the resources</li> <li>The database would be overwhelmed</li> <li>You'd need multiple servers</li> </ol> <p><strong>So you start manually:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Rent 5 more Linode servers</span> <span class="c"># SSH into each one</span> <span class="c"># Install Docker on each</span> <span class="c"># Copy docker-compose.yml to each</span> <span class="c"># Modify each to avoid port conflicts</span> <span class="c"># Start containers manually</span> <span class="c"># Configure a load balancer somehow</span> <span class="c"># Hope nothing breaks</span> </code></pre> </div> <p><strong>Time to scale:</strong> 3-4 hours (if you're fast and lucky)</p> <p><strong>By the time you're done, Black Friday is over.</strong></p> <h2> Failure Scenario 1: Container Crashes </h2> <p>Let's simulate a production crash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start your stack</span> docker-compose up <span class="nt">-d</span> <span class="c"># Kill the API container</span> docker <span class="nb">kill </span>sspp-api </code></pre> </div> <p><strong>What happens?</strong></p> <p>The API is dead. Docker Compose doesn't restart it automatically.</p> <p>Check status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose ps NAME STATE sspp-api Exited <span class="o">(</span>137<span class="o">)</span> sspp-worker Up sspp-postgres Up sspp-redis Up </code></pre> </div> <p><strong>Users see 500 errors. Your on-call phone explodes.</strong> 📱💥</p> <p><strong>Manual fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">-d</span> api </code></pre> </div> <p><strong>Downtime:</strong> 2-10 minutes (detection + SSH + restart)</p> <p><strong>In a production system, you need automatic recovery.</strong></p> <h2> Failure Scenario 2: Server Crashes </h2> <p>Even worse—the entire server goes down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Simulate server crash (don't actually run this!)</span> <span class="nb">sudo </span>reboot <span class="nt">-f</span> </code></pre> </div> <p><strong>What happens?</strong></p> <ul> <li>API: Dead</li> <li>Worker: Dead</li> <li>PostgreSQL: Dead (data persisted in volumes, but service down)</li> <li>Redis queue: Empty (all jobs lost)</li> <li>Users: Angry</li> </ul> <p><strong>Manual recovery:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Wait for server to boot (~2 minutes)</span> <span class="c"># SSH in</span> docker-compose up <span class="nt">-d</span> <span class="c"># Wait for services to start (~30 seconds)</span> <span class="c"># Hope data is intact</span> </code></pre> </div> <p><strong>Downtime:</strong> 3-5 minutes minimum</p> <p><strong>Lost data:</strong> All queued jobs</p> <h2> Failure Scenario 3: Rolling Update Gone Wrong </h2> <p>You need to deploy a critical bug fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build new image</span> docker-compose build api <span class="c"># Restart with new image</span> docker-compose up <span class="nt">-d</span> api </code></pre> </div> <p><strong>What happens?</strong></p> <ol> <li>Old API container stops (connections dropped)</li> <li>New API container starts</li> <li> <strong>5-30 seconds of downtime</strong> while it boots</li> <li>If the new version has a bug, you need to manually rollback</li> </ol> <p><strong>The deployment strategy:</strong></p> <ul> <li>No blue/green deployment</li> <li>No canary releases</li> <li>No gradual rollout</li> <li>Just... restart and pray 🙏</li> </ul> <h2> Failure Scenario 4: Manual Scaling Nightmare </h2> <p>Traffic is increasing. You need 5 API instances across 3 servers:</p> <p><strong>Server 1 (<code>docker-compose.yml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="c1"># Occupies port 3000</span> </code></pre> </div> <p><strong>Server 2 (<code>docker-compose.yml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="c1"># Same port—works because different server</span> </code></pre> </div> <p><strong>But how do users reach them?</strong> You need a load balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌──────────────┐ │ Load Balancer│ │ (HAProxy?) │ └───────┬──────┘ │ ┌──────────┼──────────┐ ▼ ▼ ▼ Server 1 Server 2 Server 3 API:3000 API:3000 API:3000 </code></pre> </div> <p><strong>Manual steps:</strong></p> <ol> <li>Install HAProxy</li> <li>Configure health checks</li> <li>Add server IPs manually</li> <li>Restart HAProxy when adding/removing servers</li> <li>Handle SSL termination</li> <li>Monitor everything</li> </ol> <p><strong>Time to set up:</strong> 2-4 hours<br><br> <strong>Maintenance burden:</strong> High<br><br> <strong>Error-prone:</strong> Very</p> <h2> Failure Scenario 5: Database Connection Limits </h2> <p>Your PostgreSQL server has a <code>max_connections</code> limit (default: 100).</p> <p>With 10 API instances and 10 Worker instances, each holding 10 connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 APIs × 10 connections = 100 10 Workers × 10 connections = 100 Total = 200 connections Max allowed = 100 </code></pre> </div> <p><strong>Result:</strong> Half your containers can't connect to the database.</p> <p><strong>Manual fix:</strong></p> <ol> <li>Configure connection pooling in each service</li> <li>Increase PostgreSQL max_connections</li> <li>Restart everything</li> <li>Hope you calculated correctly</li> </ol> <h2> What You Need (But Don't Have) </h2> <p>At this point, you realize you need:</p> <ol> <li> <strong>Self-healing:</strong> Automatically restart failed containers</li> <li> <strong>Auto-scaling:</strong> Add/remove instances based on load</li> <li> <strong>Load balancing:</strong> Distribute traffic across instances</li> <li> <strong>Service discovery:</strong> Containers find each other dynamically</li> <li> <strong>Rolling updates:</strong> Deploy without downtime</li> <li> <strong>Rollback capability:</strong> Revert bad deploys instantly</li> <li> <strong>Health checks:</strong> Don't route traffic to sick containers</li> <li> <strong>Resource limits:</strong> Prevent one container from starving others</li> <li> <strong>Secrets management:</strong> No passwords in plain text</li> <li> <strong>Multi-server orchestration:</strong> Run across many machines</li> </ol> <p><strong>Docker Compose gives you none of these in production.</strong></p> <h2> The Orchestration Gap </h2> <p>Docker Compose is <strong>great for development</strong>:</p> <ul> <li>Single server</li> <li>Manual starts/stops</li> <li>Simple networking</li> <li>Quick iteration</li> </ul> <p>But <strong>terrible for production</strong>:</p> <ul> <li>No multi-server support</li> <li>No automatic recovery</li> <li>No scaling logic</li> <li>No deployment strategies</li> <li>No resource management</li> <li>No production-grade networking</li> </ul> <p><strong>You've hit the orchestration wall.</strong></p> <h2> The Emotional Journey </h2> <p><strong>Stage 1: Denial</strong><br><br> "Docker Compose works fine. I'll just run it on a big server."</p> <p><strong>Stage 2: Anger</strong><br><br> "Why is this so hard?! I just want to run containers!"</p> <p><strong>Stage 3: Bargaining</strong><br><br> "Maybe I can script this with bash and cron jobs?"</p> <p><strong>Stage 4: Depression</strong><br><br> "I'm spending 80% of my time managing infrastructure, 20% building features."</p> <p><strong>Stage 5: Acceptance</strong><br><br> "I need an orchestrator. I need Kubernetes."</p> <h2> Why Kubernetes Exists </h2> <p>Kubernetes solves all the problems we just experienced:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Docker Compose</th> <th>Kubernetes</th> </tr> </thead> <tbody> <tr> <td><strong>Auto-restart</strong></td> <td>❌ Manual</td> <td>✅ Automatic</td> </tr> <tr> <td><strong>Multi-server</strong></td> <td>❌ Single server</td> <td>✅ Cluster of servers</td> </tr> <tr> <td><strong>Load balancing</strong></td> <td>❌ Manual HAProxy</td> <td>✅ Built-in Service</td> </tr> <tr> <td><strong>Scaling</strong></td> <td>❌ Manual <code>--scale</code> </td> <td>✅ Auto-scaling (HPA)</td> </tr> <tr> <td><strong>Rolling updates</strong></td> <td>❌ Restart (downtime)</td> <td>✅ Zero-downtime</td> </tr> <tr> <td><strong>Rollback</strong></td> <td>❌ Manual</td> <td>✅ One command</td> </tr> <tr> <td><strong>Health checks</strong></td> <td>⚠️ Basic</td> <td>✅ Advanced (liveness, readiness)</td> </tr> <tr> <td><strong>Secrets</strong></td> <td>❌ Plain text</td> <td>✅ Encrypted</td> </tr> <tr> <td><strong>Resource limits</strong></td> <td>⚠️ Basic</td> <td>✅ Fine-grained</td> </tr> <tr> <td><strong>Service discovery</strong></td> <td>⚠️ DNS-based</td> <td>✅ Dynamic</td> </tr> </tbody> </table></div> <p><strong>Kubernetes is Docker Compose for production, multiplied by 1000.</strong></p> <h2> But Why Not Just... [Alternative]? </h2> <h3> "Why not Docker Swarm?" </h3> <p>Docker Swarm is simpler than Kubernetes, but:</p> <ul> <li>Smaller ecosystem</li> <li>Fewer features (no HPA, limited RBAC)</li> <li>Less adoption (most tools target K8s)</li> <li>Docker Inc. de-prioritized it</li> </ul> <p><strong>Use case:</strong> Small teams, simple apps.</p> <h3> "Why not managed services (AWS ECS, Cloud Run)?" </h3> <p>Managed services work great, but:</p> <ul> <li>Vendor lock-in (can't easily move)</li> <li>Limited customization</li> <li>Higher costs at scale</li> <li>Not portable (can't run locally)</li> </ul> <p><strong>Use case:</strong> Fully bought into one cloud provider.</p> <h3> "Why not Nomad?" </h3> <p>HashiCorp Nomad is excellent, but:</p> <ul> <li>Smaller community</li> <li>Fewer integrations</li> <li>Less tooling</li> <li>Harder to hire for</li> </ul> <p><strong>Use case:</strong> Already using HashiCorp stack (Terraform, Vault, Consul).</p> <h3> "Why Kubernetes?" </h3> <ul> <li> <strong>Industry standard</strong> (most jobs require it)</li> <li> <strong>Huge ecosystem</strong> (tools for everything)</li> <li> <strong>Cloud-agnostic</strong> (AWS, GCP, Azure, Linode)</li> <li> <strong>Local development</strong> (k3s, Minikube, Kind)</li> <li> <strong>Portable</strong> (same manifests everywhere)</li> </ul> <p><strong>Kubernetes won the orchestration war.</strong></p> <h2> What You'll Learn in Part 6 </h2> <p>In the next article, we'll deploy SSPP to Kubernetes on Linode.</p> <p><strong>But we won't just throw kubectl commands at you.</strong></p> <p>We'll explain:</p> <ul> <li>What Pods, Deployments, and Services <em>actually</em> are</li> <li>Why Kubernetes seems complicated (and how to think about it)</li> <li>How to run Kubernetes locally (k3s) before going to production</li> <li>Real deployment strategies (rolling updates, blue/green)</li> <li>How our SSPP manifests work</li> </ul> <p><strong>No magic. No copy-paste. Just understanding.</strong></p> <h2> The Mindset Shift </h2> <p>Before Kubernetes, you think:</p> <blockquote> <p>"I have a server. I'll put containers on it."</p> </blockquote> <p>After Kubernetes, you think:</p> <blockquote> <p>"I have a cluster. I'll declare what I want running. Kubernetes makes it happen."</p> </blockquote> <p><strong>It's declarative infrastructure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># You say what you want</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># I want 5 API instances</span> <span class="c1"># Kubernetes makes it happen</span> <span class="c1"># - Schedules 5 pods</span> <span class="c1"># - Distributes across servers</span> <span class="c1"># - Monitors them</span> <span class="c1"># - Restarts if they die</span> <span class="c1"># - Scales up/down dynamically</span> </code></pre> </div> <p><strong>You describe the desired state. Kubernetes maintains it.</strong></p> <h2> Try It Yourself (Before Part 6) </h2> <p><strong>Challenge:</strong> Break Docker Compose in creative ways:</p> <ol> <li>Kill containers—see if they restart (they won't)</li> <li>Overload the API—see if it auto-scales (it won't)</li> <li>Deploy a new version—see if there's downtime (there will be)</li> <li>Simulate high CPU—see if K8s would help (it would)</li> </ol> <p><strong>Write down your frustrations.</strong> They'll make Part 6 more satisfying.</p> <h2> Discussion </h2> <p><strong>What production incident convinced you that you needed orchestration?</strong></p> <p>Share your war stories on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-4-running-multiple-services-locally-with-docker-compose-2n97">Part 4: Running Multiple Services Locally with Docker Compose</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-6-kubernetes-from-first-principles-no-magic-522c">Part 6: Kubernetes from First Principles (No Magic)</a> </h2> <p><strong>About the Author</strong></p> <p>Documenting real DevOps journey for Proton.ai application. Connect with me:</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu Brown</a> </li> </ul> devops docker Part 4: Running Multiple Services Locally with Docker Compose David Nwosu Mon, 22 Dec 2025 23:21:01 +0000 https://dev.to/daviesbrown/part-4-running-multiple-services-locally-with-docker-compose-2n97 https://dev.to/daviesbrown/part-4-running-multiple-services-locally-with-docker-compose-2n97 <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 12 minutes<br><br> <strong>Level:</strong> Beginner to Intermediate</p> <h2> The Problem: Container Orchestration by Hand </h2> <p>In <a href="//./03-docker-containers.md">Part 3</a>, we containerized our API and Worker services. Success!</p> <p>But to run the full stack, you need to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start PostgreSQL</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> postgres <span class="nt">-e</span> <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>pass postgres:15-alpine <span class="c"># Start Redis </span> docker run <span class="nt">-d</span> <span class="nt">--name</span> redis redis:7-alpine <span class="c"># Start Elasticsearch</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> elasticsearch <span class="nt">-e</span> <span class="s2">"discovery.type=single-node"</span> elasticsearch:8.11.0 <span class="c"># Wait for them to be ready (how long? 🤷)</span> <span class="nb">sleep </span>30 <span class="c"># Start API (with 10+ environment variables)</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> api <span class="nt">-p</span> 3000:3000 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PORT</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">REDIS_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="c"># ... 8 more -e flags</span> sspp-api:latest <span class="c"># Start Worker (with another 10+ environment variables)</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> worker <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="c"># ... more -e flags</span> sspp-worker:latest </code></pre> </div> <p><strong>This is painful:</strong></p> <ul> <li>5 separate <code>docker run</code> commands</li> <li>Manual networking configuration</li> <li>Environment variables repeated everywhere</li> <li>No startup order control</li> <li>Stopping everything requires 5 separate commands</li> </ul> <p><strong>There must be a better way.</strong></p> <h2> Enter Docker Compose </h2> <p>Docker Compose lets you define your entire application stack in a single YAML file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">worker</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">postgres</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">redis</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="c1"># ...</span> </code></pre> </div> <p>Then start everything with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up </code></pre> </div> <p><strong>One command. Entire stack. Magic.</strong></p> <h2> Installing Docker Compose </h2> <p>Docker Compose should already be installed with Docker Desktop (Mac/Windows).</p> <p>On Linux:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install</span> <span class="nb">sudo </span>curl <span class="nt">-L</span> <span class="s2">"https://github.com/docker/compose/releases/latest/download/docker-compose-</span><span class="si">$(</span><span class="nb">uname</span> <span class="nt">-s</span><span class="si">)</span><span class="s2">-</span><span class="si">$(</span><span class="nb">uname</span> <span class="nt">-m</span><span class="si">)</span><span class="s2">"</span> <span class="nt">-o</span> /usr/local/bin/docker-compose <span class="c"># Make executable</span> <span class="nb">sudo chmod</span> +x /usr/local/bin/docker-compose <span class="c"># Verify</span> docker-compose <span class="nt">--version</span> </code></pre> </div> <h2> Creating docker-compose.yml </h2> <p>In your project root (<code>/opt/sspp</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp nano docker-compose.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="c1"># PostgreSQL Database</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sspp-postgres</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data</span> <span class="pi">-</span> <span class="s">./infrastructure/database/init.sql:/docker-entrypoint-initdb.d/init.sql</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">sspp_user</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">sales_signals"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Redis Queue &amp; Cache</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sspp-redis</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">6379:6379"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis_data:/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Elasticsearch for Search &amp; Analytics</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.elastic.co/elasticsearch/elasticsearch:8.11.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sspp-elasticsearch</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">discovery.type=single-node</span> <span class="pi">-</span> <span class="s">xpack.security.enabled=false</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ES_JAVA_OPTS=-Xms512m</span><span class="nv"> </span><span class="s">-Xmx512m"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9200:9200"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9300:9300"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">elasticsearch_data:/usr/share/elasticsearch/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">curl</span><span class="nv"> </span><span class="s">-f</span><span class="nv"> </span><span class="s">http://localhost:9200/_cluster/health</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">1"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># API Service</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./services/api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-api:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sspp-api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">production</span> <span class="na">PORT</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">DB_PORT</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="na">DB_USER</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">REDIS_PORT</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">ELASTICSEARCH_URL</span><span class="pi">:</span> <span class="s">http://elasticsearch:9200</span> <span class="na">QUEUE_NAME</span><span class="pi">:</span> <span class="s">sales-events</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Worker Service</span> <span class="na">worker</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./services/worker</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">image</span><span class="pi">:</span> <span class="s">davidbrown77/sspp-worker:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sspp-worker</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">production</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">DB_PORT</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s">sales_signals</span> <span class="na">DB_USER</span><span class="pi">:</span> <span class="s">sspp_user</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">sspp_password</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">REDIS_PORT</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">ELASTICSEARCH_URL</span><span class="pi">:</span> <span class="s">http://elasticsearch:9200</span> <span class="na">QUEUE_NAME</span><span class="pi">:</span> <span class="s">sales-events</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="na">redis_data</span><span class="pi">:</span> <span class="na">elasticsearch_data</span><span class="pi">:</span> </code></pre> </div> <p><strong>Let's break down the key concepts:</strong></p> <h2> Key Concepts </h2> <h3> 1. Services </h3> <p>Each service is a container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="c1"># ...</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./services/api</span> <span class="c1"># ...</span> </code></pre> </div> <p><strong>Two ways to define services:</strong></p> <ul> <li> <code>image</code> = Use pre-built image from Docker Hub</li> <li> <code>build</code> = Build from Dockerfile</li> </ul> <h3> 2. Networking (Automatic!) </h3> <p>Docker Compose creates a <strong>default network</strong> where services can reach each other by name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">postgres</span> <span class="c1"># Not 172.17.0.1!</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s">redis</span> <span class="c1"># Not localhost!</span> </code></pre> </div> <p><strong>Magic:</strong> <code>postgres</code> resolves to the PostgreSQL container's IP automatically.</p> <h3> 3. Volumes (Persistent Data) </h3> <p>Without volumes, data disappears when containers stop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data</span> </code></pre> </div> <p>This creates a <strong>named volume</strong> that persists between container restarts.</p> <p><strong>Named volumes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="na">redis_data</span><span class="pi">:</span> <span class="na">elasticsearch_data</span><span class="pi">:</span> </code></pre> </div> <p>Docker manages these volumes for you.</p> <h3> 4. Health Checks </h3> <p>Tell Docker Compose to wait for services to be ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">sspp_user</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">sales_signals"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p><strong>Why this matters:</strong> API won't start until PostgreSQL is accepting connections.</p> <h3> 5. Dependency Order </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <p><strong>API starts only after:</strong></p> <ul> <li>PostgreSQL health check passes</li> <li>Redis health check passes</li> <li>Elasticsearch health check passes</li> </ul> <h3> 6. Restart Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <p>Options:</p> <ul> <li> <code>no</code> = Never restart</li> <li> <code>always</code> = Always restart (even after manual stop)</li> <li> <code>on-failure</code> = Only on error</li> <li> <code>unless-stopped</code> = Always, unless manually stopped</li> </ul> <h3> 7. Environment Variables </h3> <p>Define once, use everywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">production</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">DB_PORT</span><span class="pi">:</span> <span class="m">5432</span> </code></pre> </div> <p>Or use <code>.env</code> files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env.production</span> </code></pre> </div> <h2> Running Your Stack </h2> <h3> Start Everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Creating network "sspp_default" with the default driver Creating volume "sspp_postgres_data" with default driver Creating volume "sspp_redis_data" with default driver Creating volume "sspp_elasticsearch_data" with default driver Creating sspp-postgres ... done Creating sspp-redis ... done Creating sspp-elasticsearch ... done Waiting for postgres to be healthy... Waiting for redis to be healthy... Waiting for elasticsearch to be healthy... Creating sspp-api ... done Creating sspp-worker ... done Attaching to sspp-postgres, sspp-redis, sspp-elasticsearch, sspp-api, sspp-worker </code></pre> </div> <p><strong>Watch the logs stream in real-time.</strong> Press <code>Ctrl+C</code> to stop.</p> <h3> Start in Background (Detached) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">-d</span> </code></pre> </div> <p><strong>Check status:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose ps </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Name Command State Ports ------------------------------------------------------------------------------------- sspp-api docker-entrypoint.sh pnpm ... Up 0.0.0.0:3000-&gt;3000/tcp sspp-elasticsearch /bin/tini -- /usr/local/b ... Up 0.0.0.0:9200-&gt;9200/tcp sspp-postgres docker-entrypoint.sh postgres Up 0.0.0.0:5432-&gt;5432/tcp sspp-redis docker-entrypoint.sh redis ... Up 0.0.0.0:6379-&gt;6379/tcp sspp-worker docker-entrypoint.sh pnpm ... Up </code></pre> </div> <p><strong>All services running!</strong> 🎉</p> <h2> Testing the Full Stack </h2> <h3> 1. Check API Health </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:3000/api/v1/health </code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ok"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-12-22T14:00:00.000Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. Send an Event </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:3000/api/v1/events <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "accountId": "acct_001", "userId": "user_001", "eventType": "email_sent", "timestamp": "2025-12-22T14:00:00Z", "metadata": { "campaign": "Q4_Outreach", "recipientDomain": "acmecorp.com" } }'</span> </code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"accepted"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jobId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Event queued for processing"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3. Check Worker Processed It </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose logs worker </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sspp-worker | info: Processing job 1 {"accountId":"acct_001",...} sspp-worker | info: Signal stored in PostgreSQL {"signalId":1} sspp-worker | info: Signal indexed in Elasticsearch {"signalId":1} sspp-worker | info: Job 1 completed successfully </code></pre> </div> <h3> 4. Verify Data in PostgreSQL </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose <span class="nb">exec </span>postgres psql <span class="nt">-U</span> sspp_user <span class="nt">-d</span> sales_signals <span class="nt">-c</span> <span class="s2">"SELECT * FROM sales_signals;"</span> </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> id | account_id | user_id | event_type | signal_type | signal_score | ... ----+------------+----------+------------+-------------+--------------+----- 1 | acct_001 | user_001 | email_sent | outreach | 0.10 | ... </code></pre> </div> <p><strong>Complete end-to-end flow verified!</strong> 🎊</p> <h2> Docker Compose Commands </h2> <h3> Start/Stop </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start all services</span> docker-compose up <span class="c"># Start in background</span> docker-compose up <span class="nt">-d</span> <span class="c"># Stop all services</span> docker-compose down <span class="c"># Stop and remove volumes (delete data!)</span> docker-compose down <span class="nt">-v</span> <span class="c"># Restart all services</span> docker-compose restart <span class="c"># Restart specific service</span> docker-compose restart api </code></pre> </div> <h3> Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View all logs</span> docker-compose logs <span class="c"># Follow logs (live tail)</span> docker-compose logs <span class="nt">-f</span> <span class="c"># Specific service</span> docker-compose logs api <span class="c"># Last 50 lines</span> docker-compose logs <span class="nt">--tail</span> 50 api </code></pre> </div> <h3> Build </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build all images</span> docker-compose build <span class="c"># Build specific service</span> docker-compose build api <span class="c"># Force rebuild (no cache)</span> docker-compose build <span class="nt">--no-cache</span> <span class="c"># Build and start</span> docker-compose up <span class="nt">--build</span> </code></pre> </div> <h3> Exec (Run Commands in Containers) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Open shell in API container</span> docker-compose <span class="nb">exec </span>api sh <span class="c"># Run one-off command</span> docker-compose <span class="nb">exec </span>postgres psql <span class="nt">-U</span> sspp_user <span class="nt">-d</span> sales_signals <span class="c"># Run command in new container (not running)</span> docker-compose run <span class="nt">--rm</span> api pnpm <span class="nb">test</span> </code></pre> </div> <h3> Scale Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run 3 worker instances</span> docker-compose up <span class="nt">--scale</span> <span class="nv">worker</span><span class="o">=</span>3 <span class="c"># Check it</span> docker-compose ps </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sspp_worker_1 Up sspp_worker_2 Up sspp_worker_3 Up </code></pre> </div> <p><strong>Parallel event processing!</strong></p> <h2> Advanced: Multiple Compose Files </h2> <p>You can have different configurations for different environments.</p> <p><strong>Base config (<code>docker-compose.yml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./services/api</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">${NODE_ENV:-production}</span> </code></pre> </div> <p><strong>Development overrides (<code>docker-compose.dev.yml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./services/api:/app</span> <span class="c1"># Live code reload</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">development</span> <span class="na">command</span><span class="pi">:</span> <span class="s">pnpm run start:dev</span> </code></pre> </div> <p><strong>Run with override:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose <span class="nt">-f</span> docker-compose.yml <span class="nt">-f</span> docker-compose.dev.yml up </code></pre> </div> <p><strong>Or create an alias:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">alias </span>dc-dev<span class="o">=</span><span class="s1">'docker-compose -f docker-compose.yml -f docker-compose.dev.yml'</span> dc-dev up </code></pre> </div> <h2> Environment Variables </h2> <h3> Method 1: Inline in docker-compose.yml </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">production</span> <span class="na">PORT</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> Method 2: .env File </h3> <p>Create <code>.env</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">NODE_ENV</span><span class="o">=</span>production <span class="nv">PORT</span><span class="o">=</span>3000 <span class="nv">DB_PASSWORD</span><span class="o">=</span>supersecret </code></pre> </div> <p>Reference in <code>docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">${NODE_ENV}</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s">${PORT}</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${DB_PASSWORD}</span> </code></pre> </div> <h3> Method 3: env_file </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="pi">-</span> <span class="s">.env.local</span> </code></pre> </div> <p><strong>Precedence:</strong> Later files override earlier ones.</p> <h2> Real-World Tips </h2> <h3> 1. Use Named Volumes for Data </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="c1"># Named volume (Docker-managed)</span> <span class="pi">-</span> <span class="s">./logs:/logs</span> <span class="c1"># Bind mount (host directory)</span> </code></pre> </div> <p><strong>Named volumes are portable.</strong> Bind mounts are machine-specific.</p> <h3> 2. Always Set Health Checks </h3> <p>Don't use <code>depends_on</code> without health checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ Bad (starts immediately, might not be ready)</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="c1"># ✅ Good (waits for health check)</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <h3> 3. Pin Image Versions </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ Don't do this</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:latest</span> <span class="c1"># ✅ Do this</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15.5-alpine</span> </code></pre> </div> <h3> 4. Use Multi-Stage Builds </h3> <p>We already do this in our Dockerfiles (builder + production stages).</p> <h3> 5. .dockerignore Everything Unnecessary </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> .dockerignore <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> node_modules .git .env* *.log dist coverage .vscode .idea </span><span class="no">EOF </span></code></pre> </div> <h2> What We Solved </h2> <p>✅ <strong>One-command startup</strong> - <code>docker-compose up</code><br><br> ✅ <strong>Automatic networking</strong> - Services find each other by name<br><br> ✅ <strong>Startup ordering</strong> - Health checks ensure readiness<br><br> ✅ <strong>Environment management</strong> - Centralized config<br><br> ✅ <strong>Volume persistence</strong> - Data survives container restarts<br><br> ✅ <strong>Easy scaling</strong> - <code>--scale worker=5</code><br><br> ✅ <strong>Local-prod parity</strong> - Same stack, same behavior</p> <h2> What We Didn't Solve </h2> <p>❌ <strong>Production orchestration</strong> - Compose is for dev/local, not production at scale<br><br> ❌ <strong>Multi-server deployment</strong> - Compose runs on one machine<br><br> ❌ <strong>Auto-scaling</strong> - Manual <code>--scale</code> isn't dynamic<br><br> ❌ <strong>Self-healing</strong> - If a container dies, it won't restart automatically (in production)<br><br> ❌ <strong>Load balancing</strong> - No built-in request distribution<br><br> ❌ <strong>Zero-downtime deploys</strong> - Restart = brief downtime</p> <p><strong>Docker Compose is amazing for local development.</strong> But production needs more power.</p> <h2> What's Next? </h2> <p>We've mastered Docker Compose for local development. But how do you run this in production?</p> <p>In <strong>Part 5</strong>, we'll expose the limitations of Docker Compose and simulate production failures to understand why we need <strong>orchestration</strong>.</p> <p>You'll learn:</p> <ul> <li>What happens when containers die in production</li> <li>Manual scaling nightmares</li> <li>Why deployment strategies matter</li> <li>The emotional journey to accepting Kubernetes</li> </ul> <p><strong>Spoiler:</strong> You'll want orchestration. Badly.</p> <h2> Try It Yourself </h2> <p><strong>Challenge:</strong> Get the full SSPP stack running with Docker Compose:</p> <ol> <li>Create <code>docker-compose.yml</code> with all 5 services</li> <li>Start it with <code>docker-compose up -d</code> </li> <li>Send 10 events via the API</li> <li>Scale workers to 3 instances</li> <li>Verify all events processed in PostgreSQL</li> </ol> <p><strong>Bonus:</strong> Create a <code>docker-compose.dev.yml</code> with live reload.</p> <h2> Discussion </h2> <p><strong>How do you structure your Docker Compose files? Single file or multi-file?</strong></p> <p>Join the conversation on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-3-dependency-hell-why-docker-exists-27b5">Part 3: Dependency Hell - Why Docker Exists</a> </p> <h2> <strong>Next:</strong> <a href="//./05-orchestration-need.md">Part 5: From One Server to Many - The Need for Orchestration</a> </h2> <p><strong>About the Author</strong></p> <p>Writing this series to demonstrate production infrastructure thinking for my Proton.ai application.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu Brown</a> </li> </ul> docker microservices devops Part 3: Dependency Hell - Why Docker Exists David Nwosu Mon, 22 Dec 2025 23:15:36 +0000 https://dev.to/daviesbrown/part-3-dependency-hell-why-docker-exists-27b5 https://dev.to/daviesbrown/part-3-dependency-hell-why-docker-exists-27b5 <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 14 minutes<br><br> <strong>Level:</strong> Beginner to Intermediate</p> <h2> The "Works on My Machine" Problem </h2> <p>It's Monday morning. Your coworker tries to deploy a critical bug fix to production.</p> <p>They SSH into the server, pull the latest code, and restart the app with PM2.</p> <p><strong>The app crashes.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Cannot find module 'pg' </code></pre> </div> <p>"That's weird," they say. "It works on my machine."</p> <p>They run <code>npm install</code>. Still crashes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: The module '/opt/sspp/node_modules/bcrypt/...' was compiled against a different Node.js version </code></pre> </div> <p>Now they're rebuilding native modules. Still failing.</p> <p>After 90 minutes of debugging, they discover:</p> <ul> <li> <strong>Production has Node 16.x</strong> (they have 18.x)</li> <li> <strong>Production has different OpenSSL version</strong> (native module incompatibility)</li> <li> <strong>Production PostgreSQL is 14</strong>, code uses 15 features</li> <li> <strong>Someone manually edited files on the server</strong> (never committed to git)</li> </ul> <p><strong>The bug fix still isn't deployed. Users are angry.</strong></p> <p>This is <strong>dependency hell</strong>—and it kills productivity.</p> <h2> What Are Containers? </h2> <p>Containers solve the "works on my machine" problem by packaging your entire runtime environment:</p> <ul> <li><strong>Your code</strong></li> <li> <strong>All dependencies</strong> (node_modules, system libraries)</li> <li> <strong>The exact runtime</strong> (specific Node.js version)</li> <li> <strong>System tools</strong> (curl, git, whatever you need)</li> </ul> <p><strong>Everything your app needs to run</strong>, bundled into a single, portable package called a <strong>container image</strong>.</p> <h3> Containers vs Virtual Machines </h3> <p><strong>Virtual Machines:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────┐ │ Application │ ├─────────────────────────────────┤ │ Node.js + Dependencies │ ├─────────────────────────────────┤ │ Guest OS (Ubuntu) │ ← Full OS copy ├─────────────────────────────────┤ │ Hypervisor │ ← Virtualization layer ├─────────────────────────────────┤ │ Host OS (Linux) │ ├─────────────────────────────────┤ │ Hardware │ └─────────────────────────────────┘ </code></pre> </div> <p><strong>Containers:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────┐ │ Application │ ├─────────────────────────────────┤ │ Node.js + Dependencies │ ├─────────────────────────────────┤ │ Container Runtime (Docker) │ ← Lightweight isolation ├─────────────────────────────────┤ │ Host OS (Linux) │ ├─────────────────────────────────┤ │ Hardware │ └─────────────────────────────────┘ </code></pre> </div> <p><strong>Key Differences:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Virtual Machine</th> <th>Container</th> </tr> </thead> <tbody> <tr> <td><strong>Size</strong></td> <td>GBs (full OS)</td> <td>MBs (just your app)</td> </tr> <tr> <td><strong>Startup</strong></td> <td>Minutes</td> <td>Seconds</td> </tr> <tr> <td><strong>Isolation</strong></td> <td>Strong (separate kernel)</td> <td>Process-level</td> </tr> <tr> <td><strong>Overhead</strong></td> <td>High (full OS per VM)</td> <td>Minimal</td> </tr> <tr> <td><strong>Portability</strong></td> <td>Moderate</td> <td>High</td> </tr> </tbody> </table></div> <p><strong>The magic:</strong> Containers share the host OS kernel but isolate everything else.</p> <h2> Installing Docker </h2> <p>On your Linode server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update packages</span> apt update <span class="c"># Install prerequisites</span> apt <span class="nb">install</span> <span class="nt">-y</span> apt-transport-https ca-certificates curl software-properties-common <span class="c"># Add Docker's official GPG key</span> curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg | apt-key add - <span class="c"># Add Docker repository</span> add-apt-repository <span class="s2">"deb [arch=amd64] https://download.docker.com/linux/ubuntu </span><span class="si">$(</span>lsb_release <span class="nt">-cs</span><span class="si">)</span><span class="s2"> stable"</span> <span class="c"># Install Docker</span> apt update apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io <span class="c"># Start Docker</span> systemctl start docker systemctl <span class="nb">enable </span>docker <span class="c"># Verify</span> docker <span class="nt">--version</span> docker run hello-world </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello from Docker! This message shows that your installation appears to be working correctly. </code></pre> </div> <h2> Building Our First Container: The API Service </h2> <h3> Step 1: Create a Dockerfile </h3> <p>A <strong>Dockerfile</strong> is a recipe for building a container image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp/services/api nano Dockerfile </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Builder</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="c"># Enable pnpm</span> <span class="k">RUN </span>corepack <span class="nb">enable</span> <span class="o">&amp;&amp;</span> corepack prepare pnpm@latest <span class="nt">--activate</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy dependency files</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml* ./</span> <span class="c"># Install dependencies</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--frozen-lockfile</span> <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build TypeScript to JavaScript</span> <span class="k">RUN </span>pnpm run build <span class="c"># Stage 2: Production</span> <span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="c"># Enable pnpm</span> <span class="k">RUN </span>corepack <span class="nb">enable</span> <span class="o">&amp;&amp;</span> corepack prepare pnpm@latest <span class="nt">--activate</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy dependency files</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml* ./</span> <span class="c"># Install ONLY production dependencies</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--prod</span> <span class="nt">--frozen-lockfile</span> <span class="c"># Copy built application from builder stage</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="c"># Expose port</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="c"># Run the app</span> <span class="k">CMD</span><span class="s"> ["pnpm", "run", "start:prod"]</span> </code></pre> </div> <p><strong>Let's break this down:</strong></p> <h4> Multi-Stage Build </h4> <p>We use <strong>two stages</strong> to keep the final image small:</p> <ol> <li> <strong>Builder stage:</strong> Has dev dependencies, compiles TypeScript</li> <li> <strong>Production stage:</strong> Only runtime dependencies, no build tools</li> </ol> <p><strong>Why?</strong> The final image is 50-70% smaller.</p> <h4> Base Image: <code>node:18-alpine</code> </h4> <ul> <li> <code>node:18</code> = Node.js version 18</li> <li> <code>alpine</code> = Minimal Linux distro (~5MB vs ~100MB for Ubuntu-based)</li> </ul> <h4> WORKDIR </h4> <p>Sets the working directory inside the container to <code>/app</code>.</p> <h4> COPY </h4> <p>Copies files from your local filesystem into the image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml* ./</span> </code></pre> </div> <p>The <code>*</code> makes <code>pnpm-lock.yaml</code> optional (if it doesn't exist, no error).</p> <h4> RUN </h4> <p>Executes commands <strong>during image build</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--frozen-lockfile</span> </code></pre> </div> <p><code>--frozen-lockfile</code> ensures exact dependency versions (reproducible builds).</p> <h4> EXPOSE </h4> <p>Documents that the container listens on port 3000 (doesn't actually publish it).</p> <h4> CMD </h4> <p>The command to run when the container <strong>starts</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">CMD</span><span class="s"> ["pnpm", "run", "start:prod"]</span> </code></pre> </div> <h3> Step 2: Build the Image </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> sspp-api:latest <span class="nb">.</span> </code></pre> </div> <p><strong>What happens:</strong></p> <ol> <li>Docker reads the Dockerfile</li> <li>Pulls the <code>node:18-alpine</code> base image (if not cached)</li> <li>Runs each instruction (RUN, COPY, etc.)</li> <li>Creates layers (each instruction = one layer)</li> <li>Tags the final image as <code>sspp-api:latest</code> </li> </ol> <p><strong>This takes 2-5 minutes the first time.</strong> Subsequent builds are faster (cached layers).</p> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[+] Building 123.4s (17/17) FINISHED =&gt; [internal] load build definition from Dockerfile =&gt; [internal] load .dockerignore =&gt; [builder 1/6] FROM docker.io/library/node:18-alpine =&gt; [builder 2/6] RUN corepack enable &amp;&amp; corepack prepare pnpm@latest --activate =&gt; [builder 3/6] COPY package.json pnpm-lock.yaml* ./ =&gt; [builder 4/6] RUN pnpm install --frozen-lockfile =&gt; [builder 5/6] COPY . . =&gt; [builder 6/6] RUN pnpm run build =&gt; [stage-1 2/5] RUN corepack enable &amp;&amp; corepack prepare pnpm@latest --activate =&gt; [stage-1 3/5] COPY package.json pnpm-lock.yaml* ./ =&gt; [stage-1 4/5] RUN pnpm install --prod --frozen-lockfile =&gt; [stage-1 5/5] COPY --from=builder /app/dist ./dist =&gt; exporting to image =&gt; =&gt; naming to docker.io/library/sspp-api:latest </code></pre> </div> <p><strong>Verify the image:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker images REPOSITORY TAG IMAGE ID CREATED SIZE sspp-api latest a1b2c3d4e5f6 30 seconds ago 185MB </code></pre> </div> <h3> Step 3: Run the Container </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> sspp-api <span class="se">\</span> <span class="nt">-p</span> 3000:3000 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">NODE_ENV</span><span class="o">=</span>production <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PORT</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_NAME</span><span class="o">=</span>sales_signals <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_USER</span><span class="o">=</span>sspp_user <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PASSWORD</span><span class="o">=</span>sspp_password <span class="se">\</span> <span class="nt">-e</span> <span class="nv">REDIS_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">REDIS_PORT</span><span class="o">=</span>6379 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ELASTICSEARCH_URL</span><span class="o">=</span>http://172.17.0.1:9200 <span class="se">\</span> sspp-api:latest </code></pre> </div> <p><strong>Flags explained:</strong></p> <ul> <li> <code>-d</code> = Detached (run in background)</li> <li> <code>--name sspp-api</code> = Container name (for easy reference)</li> <li> <code>-p 3000:3000</code> = Port mapping (host:container)</li> <li> <code>-e KEY=value</code> = Environment variables</li> <li> <code>sspp-api:latest</code> = Image to run</li> </ul> <p><strong>What's <code>172.17.0.1</code>?</strong> That's the Docker bridge network gateway—how containers reach the host machine's services (PostgreSQL, Redis).</p> <p><strong>Check if it's running:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f8a9b1c2d3e4 sspp-api:latest <span class="s2">"docker-entrypoint..."</span> 10 seconds ago Up 9 seconds 0.0.0.0:3000-&gt;3000/tcp sspp-api </code></pre> </div> <p><strong>Test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:3000/api/v1/health </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ok"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-12-22T12:00:00.000Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>🎉 <strong>Your containerized API is running!</strong></p> <h3> Step 4: View Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs sspp-api <span class="c"># Live tail</span> docker logs <span class="nt">-f</span> sspp-api <span class="c"># Last 50 lines</span> docker logs <span class="nt">--tail</span> 50 sspp-api </code></pre> </div> <h2> Building the Worker Container </h2> <p>Same process for the worker service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp/services/worker nano Dockerfile </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">RUN </span>corepack <span class="nb">enable</span> <span class="o">&amp;&amp;</span> corepack prepare pnpm@latest <span class="nt">--activate</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml* ./</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--frozen-lockfile</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>pnpm run build <span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">RUN </span>corepack <span class="nb">enable</span> <span class="o">&amp;&amp;</span> corepack prepare pnpm@latest <span class="nt">--activate</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml* ./</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--prod</span> <span class="nt">--frozen-lockfile</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="k">CMD</span><span class="s"> ["pnpm", "start"]</span> </code></pre> </div> <p><strong>Build and run:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> sspp-worker:latest <span class="nb">.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> sspp-worker <span class="se">\</span> <span class="nt">-e</span> <span class="nv">NODE_ENV</span><span class="o">=</span>production <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PORT</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_NAME</span><span class="o">=</span>sales_signals <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_USER</span><span class="o">=</span>sspp_user <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PASSWORD</span><span class="o">=</span>sspp_password <span class="se">\</span> <span class="nt">-e</span> <span class="nv">REDIS_HOST</span><span class="o">=</span>172.17.0.1 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">REDIS_PORT</span><span class="o">=</span>6379 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ELASTICSEARCH_URL</span><span class="o">=</span>http://172.17.0.1:9200 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">QUEUE_NAME</span><span class="o">=</span>sales-events <span class="se">\</span> sspp-worker:latest </code></pre> </div> <p><strong>Check status:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f8a9b1c2d3e4 sspp-api:latest <span class="s2">"..."</span> 5 minutes ago Up 5 minutes 0.0.0.0:3000-&gt;3000/tcp sspp-api a1b2c3d4e5f6 sspp-worker:latest <span class="s2">"..."</span> 10 seconds ago Up 9 seconds sspp-worker </code></pre> </div> <h2> What We Just Accomplished </h2> <h3> 1. Reproducible Builds </h3> <p>Anyone can build the exact same image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/daviesbrown/sspp <span class="nb">cd </span>sspp/services/api docker build <span class="nt">-t</span> sspp-api:latest <span class="nb">.</span> </code></pre> </div> <p><strong>Same code + same Dockerfile = same image.</strong> Always.</p> <h3> 2. Isolated Dependencies </h3> <p>Each container has its own:</p> <ul> <li>Node.js version</li> <li>npm/pnpm version</li> <li>System libraries</li> <li>Environment variables</li> </ul> <p><strong>No more version conflicts.</strong></p> <h3> 3. Portable </h3> <p>Build on your Mac, run on Linux. Build on dev, run on prod. <strong>It's the same image.</strong></p> <h3> 4. Lightweight </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker images REPOSITORY TAG SIZE sspp-api latest 185MB sspp-worker latest 178MB </code></pre> </div> <p>Compare to a full Ubuntu VM: 2-5GB.</p> <h2> Docker Layer Caching </h2> <p>Docker is smart about rebuilding. Each instruction creates a <strong>layer</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine # Layer 1 (cached if unchanged)</span> <span class="k">COPY</span><span class="s"> package.json ./ # Layer 2 (cached if files unchanged)</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="c"># Layer 3 (cached if layer 2 unchanged)</span> <span class="k">COPY</span><span class="s"> . . # Layer 4 (cached if files unchanged)</span> <span class="k">RUN </span>pnpm build <span class="c"># Layer 5 (cached if layer 4 unchanged)</span> </code></pre> </div> <p><strong>Order matters!</strong> Put frequently-changing files (source code) <strong>after</strong> rarely-changing files (dependencies).</p> <p><strong>Good:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">COPY</span><span class="s"> package.json ./ # Changes rarely</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="c"># Cached most of the time</span> <span class="k">COPY</span><span class="s"> . . # Changes often</span> </code></pre> </div> <p><strong>Bad:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">COPY</span><span class="s"> . . # Changes often</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="c"># Runs every time (slow!)</span> </code></pre> </div> <h2> Common Docker Commands </h2> <h3> Images </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List images</span> docker images <span class="c"># Remove image</span> docker rmi sspp-api:latest <span class="c"># Remove unused images</span> docker image prune <span class="c"># Remove ALL images</span> docker rmi <span class="si">$(</span>docker images <span class="nt">-q</span><span class="si">)</span> </code></pre> </div> <h3> Containers </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List running containers</span> docker ps <span class="c"># List all containers (including stopped)</span> docker ps <span class="nt">-a</span> <span class="c"># Stop container</span> docker stop sspp-api <span class="c"># Start stopped container</span> docker start sspp-api <span class="c"># Restart container</span> docker restart sspp-api <span class="c"># Remove container</span> docker <span class="nb">rm </span>sspp-api <span class="c"># Force remove (even if running)</span> docker <span class="nb">rm</span> <span class="nt">-f</span> sspp-api <span class="c"># Remove all stopped containers</span> docker container prune </code></pre> </div> <h3> Logs &amp; Debugging </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View logs</span> docker logs sspp-api <span class="c"># Execute command in running container</span> docker <span class="nb">exec</span> <span class="nt">-it</span> sspp-api sh <span class="c"># Inspect container details</span> docker inspect sspp-api <span class="c"># View resource usage</span> docker stats sspp-api </code></pre> </div> <h2> What We Solved </h2> <p>✅ <strong>"Works on my machine"</strong> - Same environment everywhere<br><br> ✅ <strong>Dependency conflicts</strong> - Each container is isolated<br><br> ✅ <strong>Version management</strong> - Exact Node.js, system libs<br><br> ✅ <strong>Reproducible builds</strong> - Same Dockerfile = same image<br><br> ✅ <strong>Portability</strong> - Run anywhere Docker runs<br><br> ✅ <strong>Lightweight</strong> - Much smaller than VMs</p> <h2> What We Didn't Solve </h2> <p>❌ <strong>Multi-container coordination</strong> - Manual networking, port management<br><br> ❌ <strong>Service discovery</strong> - How does API find Redis? Hard-coded IPs<br><br> ❌ <strong>Volume management</strong> - What about database data persistence?<br><br> ❌ <strong>Environment variables</strong> - Still passing 10+ <code>-e</code> flags per container<br><br> ❌ <strong>Startup order</strong> - What if PostgreSQL isn't ready yet?<br><br> ❌ <strong>Scaling</strong> - Running multiple workers is manual</p> <p><strong>We're running containers, but managing them is still tedious.</strong></p> <h2> Real-World Docker Tips </h2> <h3> 1. Use <code>.dockerignore</code> </h3> <p>Prevent copying unnecessary files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> .dockerignore <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> node_modules .git .env *.log dist coverage </span><span class="no">EOF </span></code></pre> </div> <h3> 2. Don't Run as Root </h3> <p>Security best practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Create non-root user</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> appgroup <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> appuser <span class="nt">-G</span> appgroup <span class="c"># Switch to that user</span> <span class="k">USER</span><span class="s"> appuser</span> </code></pre> </div> <h3> 3. Use Specific Tags </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># ❌ Don't use 'latest'</span> <span class="k">FROM</span><span class="s"> node:latest</span> <span class="c"># ✅ Use specific version</span> <span class="k">FROM</span><span class="s"> node:18.19.0-alpine3.19</span> </code></pre> </div> <h3> 4. Health Checks </h3> <p>Tell Docker how to check if your app is healthy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s --start-period=40s \</span> CMD node -e "require('http').get('http://localhost:3000/health', (r) =&gt; process.exit(r.statusCode === 200 ? 0 : 1))" </code></pre> </div> <h3> 5. Multi-Stage Builds Always </h3> <p>Keep final images small by separating build and runtime stages.</p> <h2> What's Next? </h2> <p>We've containerized our services! But running them individually with <code>docker run</code> doesn't scale.</p> <p>In <strong>Part 4</strong>, we'll use <strong>Docker Compose</strong> to:</p> <ul> <li>Manage multiple containers together</li> <li>Define networking automatically</li> <li>Set environment variables in one place</li> <li>Control startup order</li> <li>Run the entire stack with one command</li> </ul> <p><strong>Spoiler:</strong> <code>docker-compose up</code> and your entire system (API, Worker, PostgreSQL, Redis, Elasticsearch) starts in perfect harmony.</p> <h2> Try It Yourself </h2> <p><strong>Challenge:</strong> Containerize both API and Worker services, then:</p> <ol> <li>Build images for both</li> <li>Run them with proper environment variables</li> <li>Send an event to the API</li> <li>Watch the Worker process it (check logs)</li> <li>Verify data in PostgreSQL</li> </ol> <p><strong>Bonus:</strong> Modify the Dockerfile to add a health check endpoint.</p> <h2> Discussion </h2> <p><strong>What's your Docker horror story? Or success story?</strong></p> <p>Share on <a href="https://github.com/daviesbrown/sspp/discussions" rel="noopener noreferrer">GitHub Discussions</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-2-process-managers-keeping-your-app-alive-with-pm2-4knl">Part 2: Process Managers - Keeping Your App Alive with PM2</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-4-running-multiple-services-locally-with-docker-compose-2n97">Part 4: Running Multiple Services Locally with Docker Compose</a> </h2> <p><strong>About the Author</strong></p> <p>Documenting real DevOps infrastructure for my Proton.ai application. Hiring? Let's connect.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> </ul> devops docker api Part 2: Process Managers - Keeping Your App Alive with PM2 David Nwosu Mon, 22 Dec 2025 23:11:19 +0000 https://dev.to/daviesbrown/part-2-process-managers-keeping-your-app-alive-with-pm2-4knl https://dev.to/daviesbrown/part-2-process-managers-keeping-your-app-alive-with-pm2-4knl <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 10 minutes<br><br> <strong>Level:</strong> Beginner-friendly</p> <h2> Quick Recap </h2> <p>In <a href="https://dev.to/daviesbrown/part-1-the-default-way-putting-an-app-on-a-server-and-why-it-breaks-2a5j">Part 1</a>, we deployed our Sales Signal Processing Platform to a Linode server the manual way. It worked... until:</p> <ul> <li>We closed our SSH session (app died)</li> <li>The app crashed (stayed dead)</li> <li>The server rebooted (app didn't restart)</li> </ul> <p><strong>Today's mission:</strong> Keep the app alive without babysitting it.</p> <h2> The Problem: Processes Are Fragile </h2> <p>Let's simulate what happens in production.</p> <p>SSH into your server and start the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp/services/api npm start &amp; </code></pre> </div> <p>Now <strong>kill it</strong> on purpose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find the process ID</span> ps aux | <span class="nb">grep </span>node <span class="c"># Kill it</span> <span class="nb">kill</span> <span class="nt">-9</span> &lt;pid&gt; </code></pre> </div> <p>Test the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:3000/api/v1/health </code></pre> </div> <p><strong>Dead.</strong> And it's not coming back.</p> <p>In production, processes die for many reasons:</p> <ul> <li>Unhandled exceptions</li> <li>Memory leaks (OOM killer strikes)</li> <li>Dependency failures (database connection lost)</li> <li>Random cosmic rays (yes, really)</li> </ul> <p><strong>You need something that automatically restarts your app.</strong></p> <h2> Enter PM2: Process Manager 2 </h2> <p>PM2 is a production-grade process manager for Node.js applications. Think of it as a babysitter that:</p> <ol> <li> <strong>Keeps your app running</strong> - Restarts on crash</li> <li> <strong>Survives reboots</strong> - Starts on system boot</li> <li> <strong>Manages logs</strong> - Aggregates stdout/stderr</li> <li> <strong>Monitors resources</strong> - CPU, memory usage</li> <li> <strong>Zero-downtime reloads</strong> - Update without dropping connections</li> </ol> <p><strong>Why PM2?</strong> It's battle-tested, actively maintained, and used by thousands of companies in production.</p> <h2> Installation </h2> <p>SSH into your server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install PM2 globally</span> npm <span class="nb">install</span> <span class="nt">-g</span> pm2 <span class="c"># Verify</span> pm2 <span class="nt">--version</span> </code></pre> </div> <p>Simple. Now let's use it.</p> <h2> Running Your App with PM2 </h2> <h3> Basic Usage </h3> <p>Instead of <code>npm start</code>, use PM2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp/services/api <span class="c"># Start the app</span> pm2 start npm <span class="nt">--name</span> <span class="s2">"sspp-api"</span> <span class="nt">--</span> start <span class="c"># Check status</span> pm2 status </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────┬──────────────┬─────────┬──────┬───────┬────────┬─────────┬────────┬──────┬───────────┬──────────┐ │ id │ name │ mode │ ↺ │ status│ cpu │ memory │ ├─────┼──────────────┼─────────┼──────┼───────┼────────┼─────────┤ │ 0 │ sspp-api │ fork │ 0 │ online│ 0% │ 45.2mb │ └─────┴──────────────┴─────────┴──────┴───────┴────────┴─────────┘ </code></pre> </div> <p><strong>Your app is now:</strong></p> <ul> <li>Named (no more anonymous PIDs)</li> <li>Monitored (PM2 watches it)</li> <li>Managed (can be controlled by name)</li> </ul> <h3> Better: Use an Ecosystem File </h3> <p>Create a PM2 configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp <span class="nb">cat</span> <span class="o">&gt;</span> ecosystem.config.js <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' module.exports = { apps: [ { name: 'sspp-api', cwd: '/opt/sspp/services/api', script: 'npm', args: 'start', instances: 1, autorestart: true, watch: false, max_memory_restart: '500M', env: { NODE_ENV: 'production', PORT: 3000, DB_HOST: 'localhost', DB_PORT: 5432, DB_NAME: 'sales_signals', DB_USER: 'sspp_user', DB_PASSWORD: 'sspp_password', REDIS_HOST: 'localhost', REDIS_PORT: 6379, ELASTICSEARCH_URL: 'http://localhost:9200', }, error_file: '/var/log/sspp/api-error.log', out_file: '/var/log/sspp/api-out.log', time: true, }, { name: 'sspp-worker', cwd: '/opt/sspp/services/worker', script: 'npm', args: 'start', instances: 2, autorestart: true, watch: false, max_memory_restart: '500M', env: { NODE_ENV: 'production', DB_HOST: 'localhost', DB_PORT: 5432, DB_NAME: 'sales_signals', DB_USER: 'sspp_user', DB_PASSWORD: 'sspp_password', REDIS_HOST: 'localhost', REDIS_PORT: 6379, ELASTICSEARCH_URL: 'http://localhost:9200', QUEUE_NAME: 'sales-events', }, error_file: '/var/log/sspp/worker-error.log', out_file: '/var/log/sspp/worker-out.log', time: true, }, ], }; </span><span class="no">EOF </span></code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li> <strong>Defines both services</strong> (API + Worker) in one place</li> <li> <strong>Sets environment variables</strong> (no more <code>.env</code> files to manage)</li> <li> <strong>Configures resources</strong> (max memory before restart)</li> <li> <strong>Organizes logs</strong> (separate files for each service)</li> <li> <strong>Runs multiple workers</strong> (2 worker instances for parallel processing)</li> </ul> <p>Create log directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /var/log/sspp </code></pre> </div> <p>Start everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 start ecosystem.config.js <span class="c"># Check status</span> pm2 status </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────┬──────────────┬─────────┬──────┬───────┬────────┬─────────┐ │ id │ name │ mode │ ↺ │ status│ cpu │ memory │ ├─────┼──────────────┼─────────┼──────┼───────┼────────┼─────────┤ │ 0 │ sspp-api │ fork │ 0 │ online│ 1.2% │ 48.3mb │ │ 1 │ sspp-worker │ fork │ 0 │ online│ 0.8% │ 42.1mb │ │ 2 │ sspp-worker │ fork │ 0 │ online│ 0.7% │ 41.8mb │ └─────┴──────────────┴─────────┴──────┴───────┴────────┴─────────┘ </code></pre> </div> <p><strong>Now you have:</strong></p> <ul> <li>1 API instance</li> <li>2 Worker instances (for parallel event processing)</li> <li>All managed by PM2</li> </ul> <h2> Testing Auto-Restart </h2> <p>Let's intentionally crash the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find the process ID</span> pm2 list <span class="c"># Kill the API process</span> pm2 delete sspp-api pm2 start ecosystem.config.js <span class="nt">--only</span> sspp-api <span class="c"># Now kill it brutally</span> <span class="nb">kill</span> <span class="nt">-9</span> <span class="si">$(</span>pgrep <span class="nt">-f</span> <span class="s2">"sspp-api"</span><span class="si">)</span> </code></pre> </div> <p>Wait 1 second, then check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 status </code></pre> </div> <p><strong>The ↺ (restart count) increases!</strong> PM2 automatically restarted it.</p> <p>Test the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:3000/api/v1/health </code></pre> </div> <p><strong>Still alive.</strong> 🎉</p> <h2> Startup Script: Survive Reboots </h2> <p>The app survives crashes now. But what about server reboots?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate startup script</span> pm2 startup systemd <span class="c"># Follow the command it prints (looks like):</span> <span class="c"># sudo env PATH=$PATH:/usr/bin pm2 startup systemd -u root --hp /root</span> </code></pre> </div> <p>Run that <code>sudo</code> command it generates.</p> <p><strong>Save the current PM2 process list:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 save </code></pre> </div> <p>This creates <code>/root/.pm2/dump.pm2</code> with your process configuration.</p> <p><strong>Test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Reboot the server</span> <span class="nb">sudo </span>reboot </code></pre> </div> <p>Wait 30 seconds, SSH back in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 status </code></pre> </div> <p><strong>Your apps are running!</strong> Without you doing anything.</p> <h2> Managing Your Apps </h2> <h3> View Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All logs (combined)</span> pm2 logs <span class="c"># Specific app</span> pm2 logs sspp-api <span class="c"># Last 100 lines</span> pm2 logs sspp-api <span class="nt">--lines</span> 100 <span class="c"># Live tail</span> pm2 logs sspp-worker <span class="nt">--lines</span> 0 </code></pre> </div> <h3> Monitor Resources </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 monit </code></pre> </div> <p>This opens an interactive dashboard showing:</p> <ul> <li>CPU usage</li> <li>Memory usage</li> <li>Logs (live stream)</li> </ul> <p>Press <code>Ctrl+C</code> to exit.</p> <h3> Restart/Reload </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Restart (kills and starts)</span> pm2 restart sspp-api <span class="c"># Reload (zero-downtime, only works for cluster mode)</span> pm2 reload sspp-api <span class="c"># Restart all</span> pm2 restart all </code></pre> </div> <h3> Stop/Delete </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stop (keeps in PM2 list)</span> pm2 stop sspp-api <span class="c"># Delete (removes from PM2 list)</span> pm2 delete sspp-api <span class="c"># Stop all</span> pm2 stop all <span class="c"># Delete all</span> pm2 delete all </code></pre> </div> <h2> Cluster Mode (Bonus: Load Balancing) </h2> <p>PM2 can run multiple instances of your app and load-balance between them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In ecosystem.config.js</span> <span class="p">{</span> <span class="nl">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sspp-api</span><span class="dl">'</span><span class="p">,</span> <span class="nx">script</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./dist/main.js</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Direct script, not npm</span> <span class="nx">instances</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="c1">// Or 'max' for CPU count</span> <span class="nx">exec_mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cluster</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Enable cluster mode</span> <span class="c1">// ... rest of config</span> <span class="p">}</span> </code></pre> </div> <p><strong>Restart PM2:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 delete all pm2 start ecosystem.config.js </code></pre> </div> <p>Now you have <strong>4 API instances</strong> behind PM2's built-in load balancer.</p> <p><strong>Why this matters:</strong></p> <ul> <li>Utilizes all CPU cores</li> <li>Automatic load distribution</li> <li>Zero-downtime reloads (one instance at a time)</li> </ul> <h2> What We Solved </h2> <p>With PM2, we fixed:</p> <p>✅ <strong>Automatic restart on crash</strong> - App crashes are now recoverable<br><br> ✅ <strong>Startup on boot</strong> - Server reboots don't kill your service<br><br> ✅ <strong>Log management</strong> - Centralized, timestamped logs<br><br> ✅ <strong>Resource monitoring</strong> - Know when memory leaks happen<br><br> ✅ <strong>Process naming</strong> - No more searching for PIDs<br><br> ✅ <strong>Multi-instance management</strong> - Run workers in parallel</p> <h2> What We Didn't Solve </h2> <p>PM2 is great, but it doesn't solve:</p> <p>❌ <strong>"Works on my machine"</strong> - Still manual dependency installation<br><br> ❌ <strong>Environment consistency</strong> - Different Node versions, OS differences<br><br> ❌ <strong>Multi-server scaling</strong> - PM2 is single-server only<br><br> ❌ <strong>Deployment strategy</strong> - Still manual <code>git pull</code>, restart<br><br> ❌ <strong>Rollback capability</strong> - No version management<br><br> ❌ <strong>Network complexity</strong> - How do API and Worker discover services?<br><br> ❌ <strong>Resource isolation</strong> - Apps can steal CPU/memory from each other </p> <p><strong>PM2 is a massive improvement over raw processes.</strong> But we're still managing dependencies manually, and we can't easily scale to multiple servers.</p> <h2> Real-World PM2 Tips </h2> <h3> 1. Always Use Ecosystem Files </h3> <p>Don't run <code>pm2 start</code> with inline arguments. Use <code>ecosystem.config.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ❌ Don't do this</span> pm2 start npm <span class="nt">--name</span> api <span class="nt">--</span> start <span class="c"># ✅ Do this</span> pm2 start ecosystem.config.js </code></pre> </div> <h3> 2. Set Memory Limits </h3> <p>Prevent runaway processes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">max_memory_restart</span><span class="p">:</span> <span class="dl">'</span><span class="s1">500M</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Restart if memory exceeds 500MB</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Use Absolute Paths </h3> <p>Relative paths break when PM2 restarts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">cwd</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/opt/sspp/services/api</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Absolute path</span> <span class="nx">script</span><span class="p">:</span> <span class="dl">'</span><span class="s1">npm</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Not '../../../node_modules/...'</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Separate Logs </h3> <p>Don't dump everything to one file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">error_file</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/var/log/sspp/api-error.log</span><span class="dl">'</span><span class="p">,</span> <span class="nx">out_file</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/var/log/sspp/api-out.log</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h3> 5. Use Log Rotation </h3> <p>Logs grow forever. Set up rotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pm2 <span class="nb">install </span>pm2-logrotate pm2 <span class="nb">set </span>pm2-logrotate:max_size 10M pm2 <span class="nb">set </span>pm2-logrotate:retain 7 </code></pre> </div> <h2> Production Checklist </h2> <p>Before going live with PM2:</p> <ul> <li>[ ] Ecosystem file configured</li> <li>[ ] Startup script installed (<code>pm2 startup</code>)</li> <li>[ ] Process list saved (<code>pm2 save</code>)</li> <li>[ ] Memory limits set</li> <li>[ ] Log rotation enabled</li> <li>[ ] Monitoring alerts configured (e.g., PM2 Plus)</li> </ul> <h2> What's Next? </h2> <p>PM2 solves the "keep it running" problem beautifully. But we're still stuck with:</p> <ul> <li> <strong>Manual dependency management</strong> (Node, PostgreSQL, Redis, Elasticsearch)</li> <li> <strong>"Works on my machine" syndrome</strong> (different environments)</li> <li> <strong>Single-server limitations</strong> (can't easily scale horizontally)</li> </ul> <p>In <strong>Part 3</strong>, we'll tackle these by introducing <strong>Docker</strong>—containers that package your entire application environment.</p> <h2> What PM2 Does NOT Fix </h2> <p>PM2 solves process management, but let's be honest about what's still broken:</p> <p>✅ <strong>What PM2 fixes:</strong></p> <ul> <li>Auto-restarts on crash</li> <li>Survives SSH disconnects</li> <li>Starts on server boot</li> <li>Basic logging and monitoring</li> </ul> <p>❌ <strong>What PM2 does NOT fix:</strong></p> <ul> <li> <strong>Environment consistency</strong> - Still manually installing Node, PostgreSQL, Redis</li> <li> <strong>Infrastructure drift</strong> - Every server is a unique snowflake</li> <li> <strong>Scaling</strong> - Can't easily add more servers</li> <li> <strong>Dependency conflicts</strong> - Node v16 on this server, v18 on that one</li> <li> <strong>Reproducibility</strong> - "Works on my machine" still exists (just less obviously)</li> <li> <strong>Onboarding</strong> - New devs still need 2+ hours of setup</li> <li> <strong>Rollbacks</strong> - No easy way to undo deployments</li> </ul> <p><strong>The hidden danger:</strong></p> <blockquote> <p>PM2 makes things <em>feel</em> professional, which can hide deeper problems.</p> </blockquote> <h2> Try It Yourself </h2> <p><strong>Experience what breaks next:</strong></p> <ol> <li>Set up PM2 for both API and Worker services</li> <li>Enable startup script: <code>pm2 startup &amp;&amp; pm2 save</code> </li> <li>Now try to set up a <strong>second server</strong> identically</li> <li>Notice how many steps you have to remember</li> <li>Notice how easy it is to have version mismatches</li> </ol> <p><strong>This pain is important.</strong> It's <em>why</em> Docker exists.</p> <h2> Next: Making Environments Consistent </h2> <p>In <a href="https://dev.to/daviesbrown/part-3-dependency-hell-why-docker-exists-27b5">Part 3</a>, we'll solve the "works on my machine" problem:</p> <blockquote> <p><strong>"How do I package my app so it runs the same everywhere?"</strong></p> </blockquote> <p>We'll use <strong>Docker</strong> to:</p> <ul> <li>Freeze dependencies in time</li> <li>Eliminate environment drift</li> <li>Make onboarding instant</li> <li>Enable reliable rollbacks</li> </ul> <p>But spoiler: <strong>Docker solves packaging, not operations.</strong> We'll discover what breaks when you have multiple containers.</p> <p><strong>Previous:</strong> <a href="https://dev.to/daviesbrown/part-1-the-default-way-putting-an-app-on-a-server-and-why-it-breaks-2a5j">Part 1: The Default Way - Putting an App on a Server</a> </p> <h2> <strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-3-dependency-hell-why-docker-exists-27b5">Part 3: Docker - Freezing the Application in Time</a> </h2> <p><strong>About the Author</strong></p> <p>Building this series to demonstrate real DevOps thinking for my Proton.ai application. If you're hiring for platform engineering roles, let's connect.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/daviesbrown" rel="noopener noreferrer">David Nwosu</a> </li> </ul> devops node tutorial beginners Part 1: The Default Way - Putting an App on a Server (And Why It Breaks) David Nwosu Mon, 22 Dec 2025 23:09:33 +0000 https://dev.to/daviesbrown/part-1-the-default-way-putting-an-app-on-a-server-and-why-it-breaks-2a5j https://dev.to/daviesbrown/part-1-the-default-way-putting-an-app-on-a-server-and-why-it-breaks-2a5j <p><strong>Series:</strong> From "Just Put It on a Server" to Production DevOps<br><br> <strong>Reading time:</strong> 12 minutes<br><br> <strong>Level:</strong> Beginner-friendly</p> <h2> Introduction </h2> <p>Every developer has a moment where they think: <em>"I've built this amazing app locally. Now I just need to put it on a server somewhere."</em></p> <p>Sounds simple, right?</p> <p>You rent a server, upload your code, run <code>npm start</code>, and boom—you're live.</p> <p><strong>This article is about what happens next.</strong></p> <p>We're going to deploy a real application—the Sales Signal Processing Platform (SSPP)—the old-school way. No Docker. No Kubernetes. No CI/CD magic. Just you, a Linux server, and SSH.</p> <p>By the end, you'll understand <em>why</em> modern DevOps tools exist—not because someone said they're "best practices," but because you'll <em>feel</em> the pain they solve.</p> <h2> What We're Building </h2> <p>The <strong>Sales Signal Processing Platform</strong> is an event-driven system that:</p> <ol> <li> <strong>Accepts events</strong> via REST API (email sent, page viewed, meeting booked)</li> <li> <strong>Queues them</strong> in Redis for async processing</li> <li> <strong>Calculates signal scores</strong> (how "hot" a sales lead is)</li> <li> <strong>Stores data</strong> in PostgreSQL</li> <li> <strong>Indexes</strong> in Elasticsearch for search/analytics</li> </ol> <p><strong>Why this project?</strong><br><br> It's not a toy. It's a real-world SaaS pattern used by companies like Segment, Mixpanel, and sales intelligence platforms.</p> <p><strong>Architecture (Simple Version):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ Client │─────▶│ API Service │─────▶│ Redis Queue│ │ (HTTP POST) │ │ (NestJS) │ │ │ └─────────────┘ └─────────────┘ └──────┬──────┘ │ ▼ ┌─────────────┐ │ Worker │ │ (Node.js) │ └──────┬──────┘ │ ┌──────────────────┼───────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌─────────────┐ │PostgreSQL│ │ Redis │ │Elasticsearch│ └──────────┘ └──────────┘ └─────────────┘ </code></pre> </div> <p><strong>Tech Stack:</strong></p> <ul> <li> <strong>API:</strong> NestJS (TypeScript)</li> <li> <strong>Worker:</strong> Node.js (TypeScript)</li> <li> <strong>Databases:</strong> PostgreSQL 15, Redis 7, Elasticsearch 8</li> </ul> <h2> Step 1: Rent a Server (The Easy Part) </h2> <p>We're using <strong>Linode</strong> (now Akamai Cloud) because:</p> <ul> <li>Simple pricing ($5-$10/month gets you started)</li> <li>No vendor lock-in (real VMs, not proprietary services)</li> <li>Shows you understand infrastructure fundamentals</li> </ul> <p><strong>Create a Linode Instance:</strong></p> <ol> <li>Sign up at <a href="https://www.linode.com" rel="noopener noreferrer">linode.com</a> </li> <li> <p>Create a new Linode:</p> <ul> <li> <strong>Distribution:</strong> Ubuntu 22.04 LTS</li> <li> <strong>Plan:</strong> Shared CPU - Nanode 1GB ($5/mo)</li> <li> <strong>Region:</strong> Choose closest to you</li> <li> <strong>Label:</strong> <code>sspp-server-01</code> </li> </ul> </li> <li><p>Set a root password (save it somewhere secure)</p></li> <li><p>Boot it up</p></li> </ol> <p><strong>What you just got:</strong></p> <ul> <li>A real computer running Linux somewhere in a datacenter</li> <li>A public IP address (e.g., <code>45.79.123.45</code>)</li> <li>SSH access via port 22</li> </ul> <h2> Step 2: SSH Into Your Server </h2> <p>SSH (Secure Shell) is how you control remote servers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@45.79.123.45 </code></pre> </div> <p><strong>First time?</strong> You'll see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The authenticity of host '45.79.123.45' can't be established. ED25519 key fingerprint is SHA256:... Are you sure you want to continue connecting (yes/no)? </code></pre> </div> <p>Type <code>yes</code>. This saves the server's "fingerprint" so you know it's the same server next time.</p> <p><strong>You're now controlling a computer 500+ miles away.</strong></p> <p>Type <code>pwd</code> (print working directory):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/root </code></pre> </div> <p>You're in the home directory of the <code>root</code> user—the superuser who can do anything.</p> <h2> Step 3: Install Dependencies (The Manual Way) </h2> <p>Our app needs:</p> <ul> <li> <strong>Node.js</strong> (runtime for our JavaScript/TypeScript)</li> <li> <strong>PostgreSQL</strong> (database)</li> <li> <strong>Redis</strong> (queue and cache)</li> <li> <strong>Elasticsearch</strong> (search/analytics)</li> </ul> <h3> Install Node.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update package list</span> apt update <span class="c"># Install Node.js 18.x</span> curl <span class="nt">-fsSL</span> https://deb.nodesource.com/setup_18.x | bash - apt <span class="nb">install</span> <span class="nt">-y</span> nodejs <span class="c"># Verify</span> node <span class="nt">--version</span> <span class="c"># Should show v18.x.x</span> npm <span class="nt">--version</span> <span class="c"># Should show v9.x.x</span> </code></pre> </div> <h3> Install PostgreSQL </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install PostgreSQL</span> apt <span class="nb">install</span> <span class="nt">-y</span> postgresql postgresql-contrib <span class="c"># Start the service</span> systemctl start postgresql systemctl <span class="nb">enable </span>postgresql <span class="c"># Auto-start on boot</span> <span class="c"># Create database and user</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> CREATE DATABASE sales_signals; CREATE USER sspp_user WITH PASSWORD 'sspp_password'; GRANT ALL PRIVILEGES ON DATABASE sales_signals TO sspp_user; </span><span class="se">\q</span><span class="sh"> </span><span class="no">EOF </span></code></pre> </div> <h3> Install Redis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Redis</span> apt <span class="nb">install</span> <span class="nt">-y</span> redis-server <span class="c"># Start it</span> systemctl start redis-server systemctl <span class="nb">enable </span>redis-server <span class="c"># Test</span> redis-cli ping <span class="c"># Should return "PONG"</span> </code></pre> </div> <h3> Install Elasticsearch </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> apt <span class="nb">install</span> <span class="nt">-y</span> apt-transport-https <span class="c"># Add Elasticsearch GPG key</span> wget <span class="nt">-qO</span> - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add - <span class="c"># Add repository</span> <span class="nb">echo</span> <span class="s2">"deb https://artifacts.elastic.co/packages/8.x/apt stable main"</span> <span class="o">&gt;</span> /etc/apt/sources.list.d/elastic-8.x.list <span class="c"># Install</span> apt update apt <span class="nb">install</span> <span class="nt">-y</span> elasticsearch <span class="c"># Start it</span> systemctl start elasticsearch systemctl <span class="nb">enable </span>elasticsearch <span class="c"># Test (wait 30 seconds for startup)</span> curl localhost:9200 </code></pre> </div> <p><strong>How long did this take?</strong> Probably 15-20 minutes.</p> <p><strong>What happens if you need to do this again?</strong> You repeat every command. Manually.</p> <h2> Step 4: Deploy Your Application </h2> <p>Now let's get our code onto the server.</p> <h3> Clone the Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt git clone https://github.com/daviesbrown/sspp.git <span class="nb">cd </span>sspp </code></pre> </div> <h3> Install API Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/sspp/services/api npm <span class="nb">install</span> </code></pre> </div> <p><strong>This takes 2-5 minutes.</strong> Watch the terminal spam scroll by.</p> <h3> Build the API </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run build </code></pre> </div> <p>TypeScript compiles to JavaScript in the <code>dist/</code> folder.</p> <h3> Create Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> .env <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> NODE_ENV=production PORT=3000 DB_HOST=localhost DB_PORT=5432 DB_NAME=sales_signals DB_USER=sspp_user DB_PASSWORD=sspp_password REDIS_HOST=localhost REDIS_PORT=6379 ELASTICSEARCH_URL=http://localhost:9200 </span><span class="no">EOF </span></code></pre> </div> <h3> Run the API </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm start </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Nest] 12345 - 12/22/2025, 10:30:15 AM LOG [NestFactory] Starting Nest application... [Nest] 12345 - 12/22/2025, 10:30:15 AM LOG [InstanceLoader] AppModule dependencies initialized [Nest] 12345 - 12/22/2025, 10:30:16 AM LOG [RoutesResolver] EventsController {/api/v1/events} [Nest] 12345 - 12/22/2025, 10:30:16 AM LOG [NestApplication] Nest application successfully started [Nest] 12345 - 12/22/2025, 10:30:16 AM LOG API listening on port 3000 </code></pre> </div> <p><strong>🎉 Your app is running!</strong></p> <h2> Step 5: Test It </h2> <p>Open another terminal on your <strong>local machine</strong> (not the server):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test the API</span> curl http://45.79.123.45:3000/api/v1/health <span class="c"># Expected response:</span> <span class="o">{</span> <span class="s2">"status"</span>: <span class="s2">"ok"</span>, <span class="s2">"timestamp"</span>: <span class="s2">"2025-12-22T10:31:00.000Z"</span> <span class="o">}</span> </code></pre> </div> <p><strong>Send an event:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://45.79.123.45:3000/api/v1/events <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "accountId": "acct_001", "userId": "user_001", "eventType": "email_sent", "timestamp": "2025-12-22T10:00:00Z", "metadata": { "campaign": "Q4_Outreach" } }'</span> <span class="c"># Response:</span> <span class="o">{</span> <span class="s2">"status"</span>: <span class="s2">"accepted"</span>, <span class="s2">"jobId"</span>: <span class="s2">"1"</span>, <span class="s2">"message"</span>: <span class="s2">"Event queued for processing"</span> <span class="o">}</span> </code></pre> </div> <p><strong>IT WORKS!</strong> 🎊</p> <p>You're a full-stack DevOps engineer now, right?</p> <h2> Step 6: Reality Hits </h2> <p>Go back to your SSH session and press <strong>Ctrl+C</strong> to stop the app.</p> <p>Now try accessing the API again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://45.79.123.45:3000/api/v1/health </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl: (7) Failed to connect to 45.79.123.45 port 3000: Connection refused </code></pre> </div> <p><strong>Your app is dead.</strong></p> <h3> Why? </h3> <p>When you run <code>npm start</code> in your SSH session:</p> <ol> <li>It starts a <strong>foreground process</strong> </li> <li>That process is attached to your SSH session</li> <li>When you stop it (Ctrl+C) or disconnect, the process dies</li> </ol> <p><strong>Let's try running it in the background:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm start &amp; </code></pre> </div> <p>The <code>&amp;</code> runs it in the background. You get your terminal back.</p> <p>Now <strong>close your SSH session</strong> (disconnect).</p> <p>Wait 10 seconds, then test again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://45.79.123.45:3000/api/v1/health </code></pre> </div> <p><strong>Still dead.</strong></p> <h3> Why? </h3> <p>When you disconnect from SSH, the shell sends a <code>SIGHUP</code> (hangup signal) to all child processes, which kills them.</p> <h2> Step 7: The "Just Keep It Running" Attempts </h2> <h3> Attempt 1: Use <code>nohup</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">nohup </span>npm start &amp; </code></pre> </div> <p><code>nohup</code> (no hangup) ignores the SIGHUP signal.</p> <p><strong>This works!</strong> But:</p> <ul> <li>No automatic restart if it crashes</li> <li>No logs management (they dump to <code>nohup.out</code>)</li> <li>No process monitoring</li> </ul> <h3> Attempt 2: Use <code>screen</code> or <code>tmux</code> </h3> <p>These create persistent terminal sessions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>screen <span class="nt">-S</span> api npm start <span class="c"># Press Ctrl+A, then D to detach</span> </code></pre> </div> <p><strong>Better!</strong> But:</p> <ul> <li>Still manual</li> <li>No restart on crash</li> <li>No resource limits</li> <li>You have to remember screen commands</li> </ul> <h2> Step 8: The Real Problems </h2> <p>Let's say you got it "working" with <code>nohup</code> or <code>screen</code>. Here are the problems you'll hit in production:</p> <h3> Problem 1: No Automatic Restart </h3> <p>Your app crashes (memory leak, unhandled exception). It's just... down. Until you SSH in and restart it manually.</p> <h3> Problem 2: No Startup on Reboot </h3> <p>Server reboots (Linode maintenance, kernel update). Your app doesn't start automatically.</p> <h3> Problem 3: "Works on My Machine" </h3> <p>Your coworker tries to deploy. They have Node 16 installed, you have Node 18. Different npm versions. Different PostgreSQL versions. <strong>It breaks.</strong></p> <h3> Problem 4: Manual Scaling </h3> <p>You get featured on Product Hunt. Traffic spikes 50x. You need to:</p> <ol> <li>Rent 5 more servers</li> <li>SSH into each one</li> <li>Repeat all the installation steps</li> <li>Set up a load balancer manually</li> <li>Pray nothing goes wrong</li> </ol> <p><strong>Time to scale:</strong> 2-4 hours (if you're fast)</p> <h3> Problem 5: Zero Deployment Strategy </h3> <p>You need to deploy a bug fix. To avoid downtime:</p> <ol> <li>Deploy to a new server</li> <li>Switch DNS/load balancer</li> <li>Drain old connections</li> <li>Hope nothing broke</li> </ol> <p><strong>Or</strong> you just restart the app and accept 5-30 seconds of downtime.</p> <h3> Problem 6: No Rollback </h3> <p>The new version has a critical bug. To rollback:</p> <ol> <li>SSH in</li> <li> <code>git checkout</code> old commit</li> <li> <code>npm install</code> (hope dependencies didn't change)</li> <li>Restart</li> </ol> <p><strong>Time to rollback:</strong> 5-10 minutes (plus panic time)</p> <h3> Problem 7: Configuration Management </h3> <p>You have 3 environments: dev, staging, production.</p> <p>Each needs different:</p> <ul> <li>Database credentials</li> <li>API keys</li> <li>Feature flags</li> <li>Resource limits</li> </ul> <p><strong>Your solution:</strong> <code>.env</code> files, <code>config.dev.json</code>, <code>config.prod.json</code>, remembering which is which.</p> <h3> Problem 8: Security </h3> <p>Your server is wide open:</p> <ul> <li>PostgreSQL accepting connections from anywhere</li> <li>No firewall rules</li> <li>Root SSH access enabled</li> <li>Passwords in plaintext <code>.env</code> files</li> <li>No SSL certificates</li> </ul> <h2> What We Learned </h2> <p>We successfully deployed an app to a server <strong>the manual way</strong>. And we discovered:</p> <ol> <li> <strong>Process management is hard</strong> - Apps need to survive crashes and reboots</li> <li> <strong>Environment consistency is critical</strong> - "Works on my machine" kills teams</li> <li> <strong>Scaling is manual</strong> - Copying setup to multiple servers doesn't scale</li> <li> <strong>Deployments are risky</strong> - No safety net, no rollback strategy</li> <li> <strong>Security is an afterthought</strong> - When you're fighting fires, security waits</li> </ol> <p><strong>This is why DevOps exists.</strong></p> <p>Every tool you've heard of—Docker, Kubernetes, CI/CD, Infrastructure as Code—solves one of these problems.</p> <p>But you can't appreciate the solution until you've felt the pain.</p> <h2> What's Next? </h2> <p>In <strong>Part 2</strong>, we'll solve the first problem: <strong>keeping your app alive</strong>.</p> <p>We'll use <strong>PM2</strong> (Process Manager 2) to:</p> <ul> <li>Automatically restart crashed processes</li> <li>Start apps on server reboot</li> <li>Manage logs properly</li> <li>Monitor resource usage</li> </ul> <p>This will make our deployment <em>slightly</em> better. But it won't solve the deeper problems.</p> <p><strong>Spoiler:</strong> We'll eventually replace all of this with Docker and Kubernetes. But first, we need to understand what life was like before containers.</p> <h2> Try It Yourself </h2> <p><strong>Don't just read—do it:</strong></p> <ol> <li>Spin up a Linode (or DigitalOcean Droplet, AWS EC2, etc.)</li> <li>Follow this guide exactly</li> <li>Get the app running</li> <li>Try to kill it in creative ways: <ul> <li><code>kill -9 &lt;pid&gt;</code></li> <li>Disconnect SSH</li> <li>Reboot the server</li> </ul> </li> <li>Notice how often it stays dead</li> </ol> <p><strong>Bonus challenge:</strong> Try to deploy the Worker service too (hint: it's even harder because it's a background service with no HTTP endpoint).</p> <h2> Discussion </h2> <p><strong>What have your "just put it on a server" horror stories been?</strong></p> <p>Drop a comment or open an issue on <a href="https://github.com/daviesbrown/sspp/issues" rel="noopener noreferrer">GitHub</a>.</p> <p><strong>Next:</strong> <a href="https://dev.to/daviesbrown/part-2-process-managers-keeping-your-app-alive-with-pm2-4knl">Part 2: Process Managers - Keeping Your App Alive with PM2</a></p> <p><strong>About the Author</strong></p> <p>I'm building this series to show real-world DevOps thinking for my Proton.ai application. If you're hiring for DevOps/Platform roles and want someone who <em>understands</em> infrastructure (not just follows tutorials), let's talk.</p> <ul> <li>GitHub: <a href="https://github.com/daviesbrown" rel="noopener noreferrer">@daviesbrown</a> </li> <li>LinkedIn: <a href="https://linkedin.com/in/nwosu-david" rel="noopener noreferrer">David Nwosu</a> </li> </ul> webdev devops ec2