================================================================================
KUBERNETES DEPLOYMENT MANIFESTS - AUTHENTICATION SERVICE
Created: 2025-12-01
Status: Complete - Ready for Deployment
================================================================================

OVERVIEW
--------
Complete Kubernetes deployment manifests for the Authentication Service
following the policy service pattern with Cloud SQL Proxy sidecar.

All files created/updated in:
/mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/

================================================================================
KUBERNETES MANIFESTS (k8s/base/)
================================================================================

1. namespace.yaml
   ✓ Creates 'authentication' namespace
   ✓ Environment: production
   ✓ Labels: team=platform, service=authentication

2. service-account.yaml
   ✓ Service Account: auth-service-sa
   ✓ Workload Identity annotation for GCP SA binding
   ✓ GCP SA: auth-service@archie-v3-build.iam.gserviceaccount.com

3. auth-api-deployment.yaml [PRODUCTION SETTINGS]
   ✓ Replicas: 2 (minimum)
   ✓ Image: us-central1-docker.pkg.dev/archie-v3-build/authentication-service/api:latest
   ✓ Port: 8000 (NOT 8080)
   ✓ ENVIRONMENT: production (changed from dev)
   ✓ DEBUG: False (changed from True)

   Environment Variables:
   - DATABASE_URL: postgresql+asyncpg://auth_service_user@localhost:5432/auth_db
   - REDIS_URL: redis://10.61.176.5:6378 (shared Memorystore)
   - NATS_URL: nats://nats.nats:4222
   - ENVIRONMENT: production
   - DEBUG: False

   Secrets (from auth-service-secrets):
   - WORKOS_API_KEY (key: workos-api-key)
   - WORKOS_CLIENT_ID (key: workos-client-id)
   - JWT_SECRET_KEY (key: jwt-secret-key)

   Resources:
   - Requests: 250m CPU, 512Mi memory
   - Limits: 1000m CPU, 1Gi memory

   Health Checks:
   - Liveness: /health, 30s delay, 10s period
   - Readiness: /health, 10s delay, 5s period

   Cloud SQL Proxy Sidecar:
   - Image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
   - Instance: archie-v3-build:us-central1:archie-postgres-dev (SHARED)
   - Port: 5432 (localhost)
   - Resources: 100m-200m CPU, 128Mi-256Mi memory

4. auth-api-service.yaml
   ✓ Type: ClusterIP
   ✓ Port: 8000
   ✓ Selector: app=auth-api

5. hpa.yaml
   ✓ Min replicas: 2
   ✓ Max replicas: 10
   ✓ Target CPU: 70%
   ✓ Target Memory: 80%

6. kustomization.yaml
   ✓ Includes all resources
   ✓ Common labels for tracking
   ✓ Namespace: authentication

================================================================================
DOCKER BUILD (Dockerfile)
================================================================================
✓ Multi-stage build for optimized image size
✓ Base: python:3.11-slim
✓ Non-root user: authuser (uid: 1000)
✓ Port: 8000
✓ Health check enabled
✓ Uvicorn with 4 workers
✓ Security: Runs as non-root user

================================================================================
CLOUD BUILD (cloudbuild.yaml)
================================================================================
✓ Machine type: N1_HIGHCPU_8
✓ BuildKit caching enabled
✓ Two tags: latest and SHORT_SHA
✓ Timeout: 1200s (20 minutes)
✓ Structured logging

Image Repository:
us-central1-docker.pkg.dev/archie-v3-build/authentication-service/api

================================================================================
DEPLOYMENT SCRIPTS (scripts/)
================================================================================

1. deploy-to-gke.sh
   ✓ Verifies kubectl context
   ✓ Builds and pushes Docker image via Cloud Build
   ✓ Applies Kubernetes manifests
   ✓ Waits for rollout completion
   ✓ Tests health endpoint
   ✓ Shows logs and status
   ✓ Color-coded output for easy reading
   Usage: ./apps/authentication-service/scripts/deploy-to-gke.sh

2. run-tests-in-cluster.sh
   ✓ Creates test pod with Cloud SQL Proxy sidecar
   ✓ Runs pytest with database access
   ✓ Streams test output
   ✓ Shows Cloud SQL Proxy logs on failure
   ✓ Automatic cleanup
   Usage: ./apps/authentication-service/scripts/run-tests-in-cluster.sh

3. verify-deployment.sh
   ✓ Verifies namespace exists
   ✓ Checks deployment status
   ✓ Validates pod health
   ✓ Tests service connectivity
   ✓ Checks HPA status
   ✓ Tests health endpoint
   ✓ Verifies database connectivity
   ✓ Shows recent logs
   ✓ Checks for errors
   Usage: ./apps/authentication-service/scripts/verify-deployment.sh

================================================================================
CRITICAL CONFIGURATION CHANGES
================================================================================

1. PRODUCTION ENVIRONMENT
   - ENVIRONMENT: "production" (was "dev")
   - DEBUG: "False" (was "True")

2. SECRET CONSOLIDATION
   - All secrets from single source: auth-service-secrets
   - WORKOS_API_KEY (key: workos-api-key)
   - WORKOS_CLIENT_ID (key: workos-client-id)
   - JWT_SECRET_KEY (key: jwt-secret-key)
   NOTE: Changed from JWT_PRIVATE_KEY/JWT_PUBLIC_KEY to JWT_SECRET_KEY as
   specified in requirements

3. SHARED INFRASTRUCTURE
   - Database: archie-v3-build:us-central1:archie-postgres-dev (SHARED)
   - Database Name: auth_db
   - Database User: auth_service_user
   - Redis: 10.61.176.5:6378 (shared Memorystore)

================================================================================
DEPLOYMENT PREREQUISITES
================================================================================
Before deploying, ensure:

1. GKE Cluster Access
   gcloud container clusters get-credentials archie-v3-dev-gke \
     --region us-central1 --project archie-v3-build

2. Kubernetes Secret Created
   The following secret must exist in the authentication namespace:
   kubectl create secret generic auth-service-secrets \
     --from-literal=workos-api-key= \
     --from-literal=workos-client-id= \
     --from-literal=jwt-secret-key= \
     -n authentication

3. Workload Identity Binding
   Ensure the GCP service account is bound to the Kubernetes service account:
   gcloud iam service-accounts add-iam-policy-binding \
     auth-service@archie-v3-build.iam.gserviceaccount.com \
     --role roles/iam.workloadIdentityUser \
     --member "serviceAccount:archie-v3-build.svc.id.goog[authentication/auth-service-sa]"

4. Database Setup
   - Database 'auth_db' exists in archie-postgres-dev
   - User 'auth_service_user' has appropriate permissions
   - Migrations run: alembic upgrade head

================================================================================
DEPLOYMENT WORKFLOW
================================================================================

Step 1: Create Kubernetes Secret
   kubectl create secret generic auth-service-secrets \
     --from-literal=workos-api-key= \
     --from-literal=workos-client-id= \
     --from-literal=jwt-secret-key= \
     -n authentication

Step 2: Deploy to GKE
   ./apps/authentication-service/scripts/deploy-to-gke.sh

Step 3: Verify Deployment
   ./apps/authentication-service/scripts/verify-deployment.sh

Step 4: Run Tests (Optional)
   ./apps/authentication-service/scripts/run-tests-in-cluster.sh

================================================================================
MONITORING & TROUBLESHOOTING
================================================================================

View Logs:
   kubectl logs -n authentication -l app=auth-api -f

View Pod Status:
   kubectl get pods -n authentication -l app=auth-api -o wide

Describe Pod:
   kubectl describe pod -n authentication

View Events:
   kubectl get events -n authentication --sort-by='.lastTimestamp'

Port Forward:
   kubectl port-forward -n authentication svc/auth-api 8000:8000

Scale Deployment:
   kubectl scale deployment/auth-api -n authentication --replicas=N

Restart Deployment:
   kubectl rollout restart deployment/auth-api -n authentication

View HPA Status:
   kubectl get hpa -n authentication

Delete Deployment:
   kubectl delete -k apps/authentication-service/k8s/base/
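Step 1 of the workflow above creates auth-service-secrets with --from-literal flags whose values have to be typed onto the command line, where they end up in shell history and are silently accepted even when left empty. The following POSIX shell helper is an added example, not part of the deployment docs or of the project's scripts: it reads WORKOS_API_KEY, WORKOS_CLIENT_ID and JWT_SECRET_KEY from the environment (for instance exported by a vault client), refuses to continue if any value is missing, too short, or not safely quotable, and writes a Secret manifest with the key names the deployment expects to stdout so it can be piped into kubectl apply. The secret name, namespace and key names are those listed in Step 1; the 16-character minimum and the "render" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's own code): render auth-service-secrets from
# environment variables, refusing empty or unsafe values. Pipe the output into
# `kubectl apply -f -`; nothing secret is ever printed to stderr or logs.

SECRET_NAME="auth-service-secrets"   # name used by the deployment's secretKeyRef
NAMESPACE="authentication"           # namespace from namespace.yaml
MIN_LEN=16                            # assumed policy, not stated in the docs
NL='
'

# require_value NAME VALUE: return 1 when VALUE is empty, shorter than MIN_LEN,
# or contains a character that would break the double-quoted YAML scalar below.
# Only NAME is echoed, never VALUE.
require_value() {
  name=$1
  value=$2
  if [ -z "$value" ]; then
    echo "ERROR: $name is not set" >&2
    return 1
  fi
  if [ "${#value}" -lt "$MIN_LEN" ]; then
    echo "ERROR: $name is shorter than $MIN_LEN characters" >&2
    return 1
  fi
  case $value in
    *'"'*|*'\'*|*"$NL"*)
      echo "ERROR: $name contains a quote, backslash or newline" >&2
      return 1 ;;
  esac
  return 0
}

# render_secret_manifest: validate all three values, then print the Secret.
# stringData lets the API server do the base64 encoding, so no local encoding
# step (and no base64 binary) is needed. Keys match auth-api-deployment.yaml.
render_secret_manifest() {
  require_value WORKOS_API_KEY "$WORKOS_API_KEY"     || return 1
  require_value WORKOS_CLIENT_ID "$WORKOS_CLIENT_ID" || return 1
  require_value JWT_SECRET_KEY "$JWT_SECRET_KEY"     || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: Opaque
stringData:
  workos-api-key: "$WORKOS_API_KEY"
  workos-client-id: "$WORKOS_CLIENT_ID"
  jwt-secret-key: "$JWT_SECRET_KEY"
EOF
}

# Usage:  sh render-auth-secret.sh render | kubectl apply -f -
if [ "${1-}" = "render" ]; then
  render_secret_manifest
fi
```

Because the values are read from the environment and the manifest goes straight into kubectl's stdin, the secret material never appears in the command line or in the shell's history file, and a missing value stops the deployment instead of producing a Secret whose keys exist but are empty.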
================================================================================
FILE PATHS SUMMARY
================================================================================

Kubernetes Manifests:
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/namespace.yaml
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/service-account.yaml
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/auth-api-deployment.yaml
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/auth-api-service.yaml
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/hpa.yaml
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/k8s/base/kustomization.yaml

Docker & Build:
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/Dockerfile
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/cloudbuild.yaml

Deployment Scripts (executable):
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/scripts/deploy-to-gke.sh
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/scripts/run-tests-in-cluster.sh
  /mnt/data-disk1/archie-platform-v3-worktrees/authentication-service-implementation/apps/authentication-service/scripts/verify-deployment.sh

================================================================================
NEXT STEPS
================================================================================
1. Review all manifest files for correctness
2. Create the auth-service-secrets Kubernetes secret
3. Verify Workload Identity binding
4. Run deployment script: ./apps/authentication-service/scripts/deploy-to-gke.sh
5. Verify deployment: ./apps/authentication-service/scripts/verify-deployment.sh
6. Run tests: ./apps/authentication-service/scripts/run-tests-in-cluster.sh
7. Monitor logs and metrics
8. Set up alerts and monitoring dashboards

================================================================================
STATUS: READY FOR DEPLOYMENT
================================================================================
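Next step 1 is a manual review of the manifests. As an added example (not the project's verify-deployment.sh, which checks the live cluster), the POSIX shell lint below reads a rendered auth-api-deployment.yaml offline and checks the settings the summary calls critical: ENVIRONMENT=production, DEBUG=False, container port 8000 and not 8080, each of the three secret-backed variables referencing auth-service-secrets under its expected key, both probes on /health, the cloud-sql-proxy:2.8.0 sidecar, and at least 2 replicas. The embedded manifest is a constructed sample that follows the settings listed under KUBERNETES MANIFESTS; the real file's layout (for example the proxy's args) may differ, and the awk helpers assume the common "- name:" / "value:" / "secretKeyRef:" layout for env entries.

```shell
#!/bin/sh
# Added example, not the project's own code: offline lint of a rendered
# auth-api-deployment.yaml against the settings in the deployment summary.

# env_value FILE NAME: literal value of env var NAME (quotes stripped), or
# nothing if NAME is absent or populated via valueFrom.
env_value() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" && $3 == want { found = 1; next }
    found && $1 == "value:" { gsub(/"/, "", $2); print $2; exit }
    found && $1 == "-"      { found = 0 }
  ' "$1"
}

# secret_key_for FILE NAME: the secretKeyRef key that feeds env var NAME.
secret_key_for() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" && $3 == want { found = 1; next }
    found && $1 == "key:" { print $2; exit }
    found && $1 == "-"    { found = 0 }
  ' "$1"
}

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_deployment_manifest FILE: run all checks, return 0 only if all pass.
check_deployment_manifest() {
  f=$1
  fails=0
  [ "$(env_value "$f" ENVIRONMENT)" = "production" ] || fail "ENVIRONMENT must be production"
  [ "$(env_value "$f" DEBUG)" = "False" ]            || fail "DEBUG must be False"
  grep -q 'containerPort: 8000' "$f"                 || fail "container must listen on 8000"
  ! grep -q 'containerPort: 8080' "$f"               || fail "port 8080 must not be used"
  for pair in WORKOS_API_KEY:workos-api-key WORKOS_CLIENT_ID:workos-client-id JWT_SECRET_KEY:jwt-secret-key; do
    var=${pair%%:*}; key=${pair#*:}
    [ "$(secret_key_for "$f" "$var")" = "$key" ] || fail "$var must come from secret key $key"
  done
  refs=$(grep -c 'name: auth-service-secrets' "$f" || true)
  [ "$refs" -eq 3 ] || fail "expected 3 references to auth-service-secrets, found $refs"
  probes=$(grep -c 'path: /health' "$f" || true)
  [ "$probes" -eq 2 ] || fail "liveness and readiness probes must both use /health"
  grep -q 'image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0' "$f" || fail "Cloud SQL Proxy 2.8.0 sidecar missing"
  replicas=$(awk '$1 == "replicas:" { print $2; exit }' "$f")
  [ "${replicas:-0}" -ge 2 ] || fail "replicas must be at least 2"
  [ "$fails" -eq 0 ]
}

# write_sample_manifest FILE: constructed sample (not the real manifest) that
# follows the settings in the summary, used when no file is given.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-api
  namespace: authentication
spec:
  replicas: 2
  selector:
    matchLabels:
      app: auth-api
  template:
    metadata:
      labels:
        app: auth-api
    spec:
      serviceAccountName: auth-service-sa
      containers:
      - name: auth-api
        image: us-central1-docker.pkg.dev/archie-v3-build/authentication-service/api:latest
        ports:
        - containerPort: 8000
        env:
        - name: ENVIRONMENT
          value: "production"
        - name: DEBUG
          value: "False"
        - name: WORKOS_API_KEY
          valueFrom:
            secretKeyRef:
              name: auth-service-secrets
              key: workos-api-key
        - name: WORKOS_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: auth-service-secrets
              key: workos-client-id
        - name: JWT_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: auth-service-secrets
              key: jwt-secret-key
        livenessProbe:
          httpGet:
            path: /health
            port: 8000
        readinessProbe:
          httpGet:
            path: /health
            port: 8000
      - name: cloud-sql-proxy
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
        args:
        - "--port=5432"
        - "archie-v3-build:us-central1:archie-postgres-dev"
EOF
}

# Usage:  sh lint-auth-deployment.sh lint k8s/base/auth-api-deployment.yaml
if [ "${1-}" = "lint" ] && [ -n "${2-}" ]; then
  check_deployment_manifest "$2"
  exit $?
fi
```

Running the lint on the rendered manifest before deploy-to-gke.sh catches a reverted DEBUG or port setting at review time rather than after the rollout; because it works on text it can also be run in Cloud Build without cluster credentials.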