From 1b8ea63541a37d32563ecc1ebedab595b75bf4cd Mon Sep 17 00:00:00 2001 From: Will Anderson Date: Fri, 17 Apr 2026 09:43:23 -0500 Subject: [PATCH] feat(neuron): add stage and prod k8s manifests + Argo CD apps Completes the three-env setup (dev was added previously). Each env has deployments, services, ingress, PVC, ConfigMap, and ExternalSecret pulling from Vault. Prod has larger resource limits and 10Gi PVC. Vault secret at secret/neuron-technologies/prod seeded separately. --- servers/legion/apps/neuron-prod.yaml | 20 +++++++ servers/legion/apps/neuron-stage.yaml | 20 +++++++ .../neuron-technologies/prod/configmap.yaml | 12 ++++ .../prod/externalsecret.yaml | 18 ++++++ .../k8s/neuron-technologies/prod/ingress.yaml | 43 ++++++++++++++ .../prod/kustomization.yaml | 10 ++++ .../prod/mcp-deployment.yaml | 59 +++++++++++++++++++ .../k8s/neuron-technologies/prod/pvc.yaml | 12 ++++ .../prod/rest-deployment.yaml | 59 +++++++++++++++++++ .../neuron-technologies/prod/services.yaml | 31 ++++++++++ .../neuron-technologies/stage/configmap.yaml | 12 ++++ .../stage/externalsecret.yaml | 18 ++++++ .../neuron-technologies/stage/ingress.yaml | 32 ++++++++++ .../stage/kustomization.yaml | 10 ++++ .../stage/mcp-deployment.yaml | 59 +++++++++++++++++++ .../k8s/neuron-technologies/stage/pvc.yaml | 12 ++++ .../stage/rest-deployment.yaml | 59 +++++++++++++++++++ .../neuron-technologies/stage/services.yaml | 31 ++++++++++ 18 files changed, 517 insertions(+) create mode 100644 servers/legion/apps/neuron-prod.yaml create mode 100644 servers/legion/apps/neuron-stage.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/configmap.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/externalsecret.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/ingress.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/kustomization.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/mcp-deployment.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/pvc.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/rest-deployment.yaml create mode 100644 servers/legion/k8s/neuron-technologies/prod/services.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/configmap.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/externalsecret.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/ingress.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/kustomization.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/mcp-deployment.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/pvc.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/rest-deployment.yaml create mode 100644 servers/legion/k8s/neuron-technologies/stage/services.yaml diff --git a/servers/legion/apps/neuron-prod.yaml b/servers/legion/apps/neuron-prod.yaml new file mode 100644 index 0000000..40b9a1b --- /dev/null +++ b/servers/legion/apps/neuron-prod.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: neuron-prod + namespace: argocd +spec: + project: default + source: + repoURL: http://10.43.1.53:3000/will/infrastructure.git + targetRevision: main + path: servers/legion/k8s/neuron-technologies/prod + destination: + server: https://kubernetes.default.svc + namespace: neuron-prod + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=false diff --git a/servers/legion/apps/neuron-stage.yaml b/servers/legion/apps/neuron-stage.yaml new file mode 100644 index 0000000..ef6fbf6 --- /dev/null +++ b/servers/legion/apps/neuron-stage.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: neuron-stage + namespace: argocd +spec: + project: default + source: + repoURL: http://10.43.1.53:3000/will/infrastructure.git + targetRevision: main + path: servers/legion/k8s/neuron-technologies/stage + destination: + server: https://kubernetes.default.svc + namespace: neuron-stage + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=false diff --git a/servers/legion/k8s/neuron-technologies/prod/configmap.yaml b/servers/legion/k8s/neuron-technologies/prod/configmap.yaml new file mode 100644 index 0000000..fe4fbb3 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuron-prod-config + namespace: neuron-prod +data: + SPRING_PROFILES_ACTIVE: "prod" + NEURON_DB_PATH: "/data/neuron-prod.db" + NEURON_STORAGE_PATH: "/data" + SERVER_TOMCAT_ACCESSLOG_ENABLED: "true" + MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE: "health,info,metrics" + MANAGEMENT_ENDPOINT_HEALTH_SHOW_DETAILS: "always" diff --git a/servers/legion/k8s/neuron-technologies/prod/externalsecret.yaml b/servers/legion/k8s/neuron-technologies/prod/externalsecret.yaml new file mode 100644 index 0000000..960c44a --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/externalsecret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: neuron-prod-secrets + namespace: neuron-prod +spec: + refreshInterval: 1h + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: neuron-prod-secrets + creationPolicy: Owner + data: + - secretKey: NEURON_WEBHOOK_SECRET + remoteRef: + key: secret/data/neuron-technologies/prod + property: gitea_webhook_secret diff --git a/servers/legion/k8s/neuron-technologies/prod/ingress.yaml b/servers/legion/k8s/neuron-technologies/prod/ingress.yaml new file mode 100644 index 0000000..9d23e97 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/ingress.yaml @@ -0,0 +1,43 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuron-prod + namespace: neuron-prod + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: traefik + tls: + - secretName: neuron-prod-tls + hosts: + - neurontechnologies.ai + - www.neurontechnologies.ai + rules: + - host: neurontechnologies.ai + http: + paths: + - path: /mcp + pathType: Prefix + backend: + service: + name: neuron-mcp + port: + number: 8080 + - path: / + pathType: Prefix + backend: + service: + name: neuron-rest + port: + number: 8081 + - host: www.neurontechnologies.ai + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: neuron-rest + port: + number: 8081 diff --git a/servers/legion/k8s/neuron-technologies/prod/kustomization.yaml b/servers/legion/k8s/neuron-technologies/prod/kustomization.yaml new file mode 100644 index 0000000..4ea8ac1 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - configmap.yaml + - pvc.yaml + - externalsecret.yaml + - mcp-deployment.yaml + - rest-deployment.yaml + - services.yaml + - ingress.yaml diff --git a/servers/legion/k8s/neuron-technologies/prod/mcp-deployment.yaml b/servers/legion/k8s/neuron-technologies/prod/mcp-deployment.yaml new file mode 100644 index 0000000..b2adf6e --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/mcp-deployment.yaml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuron-mcp + namespace: neuron-prod + labels: + app: neuron-mcp + env: prod +spec: + replicas: 1 + selector: + matchLabels: + app: neuron-mcp + template: + metadata: + labels: + app: neuron-mcp + env: prod + spec: + containers: + - name: neuron-mcp + image: registry.neuralplatform.ai/neuron-technologies/neuron-mcp:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + envFrom: + - configMapRef: + name: neuron-prod-config + - secretRef: + name: neuron-prod-secrets + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 1000m + memory: 1Gi + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: http + initialDelaySeconds: 15 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: data + persistentVolumeClaim: + claimName: neuron-prod-data diff --git a/servers/legion/k8s/neuron-technologies/prod/pvc.yaml b/servers/legion/k8s/neuron-technologies/prod/pvc.yaml new file mode 100644 index 0000000..edce326 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuron-prod-data + namespace: neuron-prod +spec: + storageClassName: local-path + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/servers/legion/k8s/neuron-technologies/prod/rest-deployment.yaml b/servers/legion/k8s/neuron-technologies/prod/rest-deployment.yaml new file mode 100644 index 0000000..6fd407d --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/rest-deployment.yaml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuron-rest + namespace: neuron-prod + labels: + app: neuron-rest + env: prod +spec: + replicas: 1 + selector: + matchLabels: + app: neuron-rest + template: + metadata: + labels: + app: neuron-rest + env: prod + spec: + containers: + - name: neuron-rest + image: registry.neuralplatform.ai/neuron-technologies/neuron-rest:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8081 + envFrom: + - configMapRef: + name: neuron-prod-config + - secretRef: + name: neuron-prod-secrets + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 1000m + memory: 1Gi + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: http + initialDelaySeconds: 15 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: data + persistentVolumeClaim: + claimName: neuron-prod-data diff --git a/servers/legion/k8s/neuron-technologies/prod/services.yaml b/servers/legion/k8s/neuron-technologies/prod/services.yaml new file mode 100644 index 0000000..571c92a --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/prod/services.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + name: neuron-mcp + namespace: neuron-prod + labels: + app: neuron-mcp +spec: + selector: + app: neuron-mcp + ports: + - name: http + port: 8080 + targetPort: 8080 + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: neuron-rest + namespace: neuron-prod + labels: + app: neuron-rest +spec: + selector: + app: neuron-rest + ports: + - name: http + port: 8081 + targetPort: 8081 + type: ClusterIP diff --git a/servers/legion/k8s/neuron-technologies/stage/configmap.yaml b/servers/legion/k8s/neuron-technologies/stage/configmap.yaml new file mode 100644 index 0000000..a83d141 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuron-stage-config + namespace: neuron-stage +data: + SPRING_PROFILES_ACTIVE: "stage" + NEURON_DB_PATH: "/data/neuron-stage.db" + NEURON_STORAGE_PATH: "/data" + SERVER_TOMCAT_ACCESSLOG_ENABLED: "true" + MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE: "health,info,metrics" + MANAGEMENT_ENDPOINT_HEALTH_SHOW_DETAILS: "always" diff --git a/servers/legion/k8s/neuron-technologies/stage/externalsecret.yaml b/servers/legion/k8s/neuron-technologies/stage/externalsecret.yaml new file mode 100644 index 0000000..583f938 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/externalsecret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: neuron-stage-secrets + namespace: neuron-stage +spec: + refreshInterval: 1h + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: neuron-stage-secrets + creationPolicy: Owner + data: + - secretKey: NEURON_WEBHOOK_SECRET + remoteRef: + key: secret/data/neuron-technologies/stage + property: gitea_webhook_secret diff --git a/servers/legion/k8s/neuron-technologies/stage/ingress.yaml b/servers/legion/k8s/neuron-technologies/stage/ingress.yaml new file mode 100644 index 0000000..d39607d --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/ingress.yaml @@ -0,0 +1,32 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuron-stage + namespace: neuron-stage + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: traefik + tls: + - secretName: neuron-stage-tls + hosts: + - stage.neurontechnologies.ai + rules: + - host: stage.neurontechnologies.ai + http: + paths: + - path: /mcp + pathType: Prefix + backend: + service: + name: neuron-mcp + port: + number: 8080 + - path: / + pathType: Prefix + backend: + service: + name: neuron-rest + port: + number: 8081 diff --git a/servers/legion/k8s/neuron-technologies/stage/kustomization.yaml b/servers/legion/k8s/neuron-technologies/stage/kustomization.yaml new file mode 100644 index 0000000..4ea8ac1 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - configmap.yaml + - pvc.yaml + - externalsecret.yaml + - mcp-deployment.yaml + - rest-deployment.yaml + - services.yaml + - ingress.yaml diff --git a/servers/legion/k8s/neuron-technologies/stage/mcp-deployment.yaml b/servers/legion/k8s/neuron-technologies/stage/mcp-deployment.yaml new file mode 100644 index 0000000..9589ef9 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/mcp-deployment.yaml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuron-mcp + namespace: neuron-stage + labels: + app: neuron-mcp + env: stage +spec: + replicas: 1 + selector: + matchLabels: + app: neuron-mcp + template: + metadata: + labels: + app: neuron-mcp + env: stage + spec: + containers: + - name: neuron-mcp + image: registry.neuralplatform.ai/neuron-technologies/neuron-mcp:stage-latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + envFrom: + - configMapRef: + name: neuron-stage-config + - secretRef: + name: neuron-stage-secrets + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: 100m + memory: 384Mi + limits: + cpu: 500m + memory: 768Mi + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: http + initialDelaySeconds: 15 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: data + persistentVolumeClaim: + claimName: neuron-stage-data diff --git a/servers/legion/k8s/neuron-technologies/stage/pvc.yaml b/servers/legion/k8s/neuron-technologies/stage/pvc.yaml new file mode 100644 index 0000000..3e5501e --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuron-stage-data + namespace: neuron-stage +spec: + storageClassName: local-path + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/servers/legion/k8s/neuron-technologies/stage/rest-deployment.yaml b/servers/legion/k8s/neuron-technologies/stage/rest-deployment.yaml new file mode 100644 index 0000000..baad0ac --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/rest-deployment.yaml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuron-rest + namespace: neuron-stage + labels: + app: neuron-rest + env: stage +spec: + replicas: 1 + selector: + matchLabels: + app: neuron-rest + template: + metadata: + labels: + app: neuron-rest + env: stage + spec: + containers: + - name: neuron-rest + image: registry.neuralplatform.ai/neuron-technologies/neuron-rest:stage-latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8081 + envFrom: + - configMapRef: + name: neuron-stage-config + - secretRef: + name: neuron-stage-secrets + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: 100m + memory: 384Mi + limits: + cpu: 500m + memory: 768Mi + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: http + initialDelaySeconds: 15 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: data + persistentVolumeClaim: + claimName: neuron-stage-data diff --git a/servers/legion/k8s/neuron-technologies/stage/services.yaml b/servers/legion/k8s/neuron-technologies/stage/services.yaml new file mode 100644 index 0000000..3ab2353 --- /dev/null +++ b/servers/legion/k8s/neuron-technologies/stage/services.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + name: neuron-mcp + namespace: neuron-stage + labels: + app: neuron-mcp +spec: + selector: + app: neuron-mcp + ports: + - name: http + port: 8080 + targetPort: 8080 + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: neuron-rest + namespace: neuron-stage + labels: + app: neuron-rest +spec: + selector: + app: neuron-rest + ports: + - name: http + port: 8081 + targetPort: 8081 + type: ClusterIP