veles: promote managed app deployments

2026-06-09 15:47:33 -03:00 · 2026-06-09 15:47:33 -03:00 · 531bc440d5
commit 531bc440d5
parent 0d8571b7a6
3 changed files with 60 additions and 9 deletions
--- a/services/veles/backend-deployment.yaml
+++ b/services/veles/backend-deployment.yaml
@ -7,7 +7,7 @@ metadata:
  labels:
    app: veles-backend
 spec:
-  replicas: 0
+  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
@ -27,7 +27,8 @@ spec:
          value: "true"
          effect: NoSchedule
      securityContext:
-        fsGroup: 1000
+        fsGroup: 10001
+        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      containers:
@ -38,6 +39,18 @@ spec:
            - name: http
              containerPort: 8796
              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /api/v1/ready
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /api/v1/live
+              port: http
+            initialDelaySeconds: 20
+            periodSeconds: 20
          envFrom:
            - configMapRef:
                name: veles-app-config
@ -52,8 +65,8 @@ spec:
              memory: 4Gi
          securityContext:
            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
+            runAsUser: 10001
+            runAsGroup: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
--- a/services/veles/configmap.yaml
+++ b/services/veles/configmap.yaml
@ -6,12 +6,19 @@ metadata:
  namespace: veles
 data:
  VELES_ENV: alpha
+  VELES_PROFILE: cluster
+  VELES_AUTH_MODE: oidc
+  VELES_SIM_RUNNER: kubernetes-job
+  VELES_PUBLIC_URL: https://veles.bstein.dev
  VELES_PUBLIC_BASE_URL: https://veles.bstein.dev
  VELES_BACKEND_HTTP_PORT: "8796"
  VELES_FRONTEND_HTTP_PORT: "8080"
+  VELES_OIDC_ISSUER_URL: https://sso.bstein.dev/realms/veles
  VELES_OIDC_ISSUER: https://sso.bstein.dev/realms/veles
  VELES_OIDC_CLIENT_ID: veles-web
+  VELES_OIDC_ALLOWED_GROUPS: alpha,admin
  VELES_OIDC_REQUIRED_GROUPS: alpha,admin
+  VELES_OIDC_ADMIN_GROUPS: admin
  VELES_OIDC_GROUPS_CLAIM: groups
  VELES_OIDC_ROLES_CLAIM: realm_access.roles
  VELES_DATABASE_HOST: veles-postgres.veles.svc.cluster.local
@ -19,12 +26,30 @@ data:
  VELES_DATABASE_NAME: veles
  VELES_ARTIFACTS_PATH: /data/veles-artifacts
  VELES_ARTIFACTS_MODE: rwo-backend-owned
+  VELES_LOG_ROOT: /data/veles-artifacts/logs
+  VELES_REPORT_ROOT: /data/veles-artifacts/reports
+  VELES_ARTIFACT_ROOT: /data/veles-artifacts/artifacts
+  VELES_RETENTION_DAYS: "30"
  VELES_SIM_NAMESPACE: veles
+  VELES_NAMESPACE: veles
+  VELES_SIM_IMAGE: registry.bstein.dev/veles/veles-sim-worker:0.1.0-0 # {"$imagepolicy": "veles:veles-sim-worker"}
  VELES_SIM_SERVICE_ACCOUNT: veles-sim
  VELES_SIM_PRIORITY_CLASS: veles-sim
-  VELES_SIM_NODE_SELECTOR: veles.bstein.dev/simulation=true
+  VELES_SIM_NODE_SELECTOR: veles.bstein.dev/node-pool=oceanus,kubernetes.io/arch=amd64
+  VELES_SIM_TOLERATIONS: veles.bstein.dev/simulation=true:NoSchedule
  VELES_SIM_TOLERATION_KEY: veles.bstein.dev/simulation
  VELES_SIM_TOLERATION_VALUE: "true"
+  VELES_SIM_ACTIVE_DEADLINE_SECONDS: "7200"
+  VELES_SIM_TTL_SECONDS: "3600"
+  VELES_SIM_CPU_REQUEST: 500m
+  VELES_SIM_CPU_LIMIT: "2"
+  VELES_SIM_MEMORY_REQUEST: 1Gi
+  VELES_SIM_MEMORY_LIMIT: 4Gi
+  VELES_SIM_ARTIFACT_PVC: veles-artifacts
+  VELES_SIM_ARTIFACT_MOUNT_PATH: /data/veles-artifacts
+  VELES_SIM_FS_GROUP: "10001"
+  VELES_MAX_ACTIVE_SIMS_PER_USER: "1"
+  VELES_MAX_ACTIVE_SIMS_GLOBAL: "4"
  VELES_RETENTION_NODE_SELECTOR: veles.bstein.dev/simulation=true
  VELES_RETENTION_TOLERATION_KEY: veles.bstein.dev/simulation
  VELES_RETENTION_TOLERATION_VALUE: "true"
--- a/services/veles/frontend-deployment.yaml
+++ b/services/veles/frontend-deployment.yaml
@ -7,7 +7,7 @@ metadata:
  labels:
    app: veles-frontend
 spec:
-  replicas: 0
+  replicas: 2
  revisionHistoryLimit: 2
  selector:
    matchLabels:
@ -42,7 +42,8 @@ spec:
                    operator: In
                    values: ["rpi5"]
      securityContext:
-        fsGroup: 1000
+        fsGroup: 101
+        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      containers:
@ -53,6 +54,18 @@ spec:
            - name: http
              containerPort: 8080
              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 20
+            periodSeconds: 20
          envFrom:
            - configMapRef:
                name: veles-app-config
@ -65,8 +78,8 @@ spec:
              memory: 512Mi
          securityContext:
            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
+            runAsUser: 101
+            runAsGroup: 101
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]