Elasticsearch endpoint set up

terraform/environments/eks/k8s-manifests-prod/app-deployment.yaml

@@ -46,7 +46,7 @@ spec:
                 name: main-app-config
           resources:
             requests:
-              cpu: "500m"
+              cpu: "128m"
               memory: "512Mi"
             limits:
               cpu: "1500m"

terraform/environments/eks/k8s-manifests-prod/app-hpa.yaml

@@ -8,34 +8,18 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: main-app
-  minReplicas: 2
-  maxReplicas: 6
+  minReplicas: 1
+  maxReplicas: 5
   metrics:
     - type: Resource
       resource:
         name: cpu
         target:
           type: Utilization
-          averageUtilization: 70
-
----
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: worker-app
-  namespace: credreg-prod
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: worker-app
-  minReplicas: 2
-  maxReplicas: 10
-  metrics:
+          averageUtilization: 90
     - type: Resource
       resource:
-        name: cpu
+        name: memory
         target:
           type: Utilization
-          averageUtilization: 70
-
+          averageUtilization: 95

terraform/environments/eks/k8s-manifests-prod/certificate.yaml

@@ -10,6 +10,7 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - registry-prod.credentialengineregistry.org
+    - es.registry-prod.credentialengineregistry.org
 
 ---
 apiVersion: cert-manager.io/v1
@@ -23,4 +24,4 @@ spec:
     name: letsencrypt-prod
     kind: ClusterIssuer
   dnsNames:
-    - credentialengineregistry.org
+    - credentialengineregistry.org

terraform/environments/eks/k8s-manifests-prod/elasticsearch-basic-auth-externalsecret.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: es-basic-auth
+  namespace: credreg-prod
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: aws-secret-manager
+    kind: ClusterSecretStore
+  target:
+    name: es-basic-auth
+    creationPolicy: Owner
+  data:
+    - secretKey: auth
+      remoteRef:
+        key: credreg-es-basic-auth-prod
+        property: auth

terraform/environments/eks/k8s-manifests-prod/elasticsearch-ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: elasticsearch
+  namespace: credreg-prod
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "es-basic-auth"
+    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "67.40.27.250/32,98.13.197.1/32,98.193.126.147/32"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - es.registry-prod.credentialengineregistry.org
+      secretName: registry-tls-temp
+  rules:
+    - host: es.registry-prod.credentialengineregistry.org
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: elasticsearch
+                port:
+                  number: 9200

terraform/environments/eks/k8s-manifests-prod/redis-deployment.yaml

@@ -18,11 +18,11 @@ spec:
     spec:
       priorityClassName: prod-high
       nodeSelector:
-        env: sandbox
+        env: production
       tolerations:
         - key: "env"
           operator: "Equal"
-          value: "sandbox"
+          value: "production"
           effect: "NoSchedule"
       containers:
         - name: redis

terraform/environments/eks/k8s-manifests-prod/worker-deployment.yaml

@@ -53,9 +53,9 @@ spec:
                 name: main-app-config
           resources:
             requests:
-              cpu: "300m"
-              memory: "512Mi"
+              cpu: "1000m"
+              memory: "6Gi"
             limits:
-              cpu: "1500m"
-              memory: "1536Mi"
+              cpu: "2000m"
+              memory: "6Gi"
 

terraform/environments/eks/k8s-manifests-sandbox/app-configmap.yaml

@@ -2,20 +2,20 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: main-app-config
+  namespace: credreg-sandbox
 data:
   POSTGRESQL_DATABASE: credential_registry_sandbox
   POSTGRESQL_USERNAME: credential_registry_sandbox
   RACK_ENV: sandbox
   DOCKER_ENV: "true"
-  ENVELOPE_GRAPHS_BUCKET: cer-envelope-graphs-sandbox
+  ENVELOPE_GRAPHS_BUCKET: cer-envelope-graphs-sandb
   ENVELOPE_DOWNLOADS_BUCKET: cer-envelope-downloads
   IAM_COMMUNITY_ROLE_ADMIN: ROLE_ADMINISTRATOR
-  IAM_COMMUNITY_ROLE_READEE: ROLE_READER
+  IAM_COMMUNITY_ROLE_READER: ROLE_READER
   IAM_COMMUNITY_ROLE_PUBLISHER: ROLE_PUBLISHER
   IAM_COMMUNITY_CLAIM_NAME: community_name
   IAM_CLIENT_ID: RegistryAPI
-  IAM_URL: https://test-ce-kc-002.credentialengine.org/realms/CE-Test
-  IAM_CLIENT: TestsandboxRegistryAPI
+  IAM_URL: https://login.sandbox.credentialengine.org/realms/CE-Sandbox
   AIRBRAKE_PROJECT_ID: '270205'
   SIDEKIQ_CONCURRENCY: '10'
   API_KEY_VALIDATION_ENDPOINT: https://sandbox.credentialengine.org/accountsAPI/Organization/ValidateCommunityAccess

terraform/environments/eks/k8s-manifests-sandbox/app-deployment.yaml

@@ -47,8 +47,8 @@ spec:
                 name: main-app-config
           resources:
             requests:
-              cpu: "500m"
-              memory: "256Mi"
+              cpu: "128m"
+              memory: "512Mi"
             limits:
               cpu: "1000m"
               memory: "1024Mi"

terraform/environments/eks/k8s-manifests-sandbox/app-hpa.yaml

@@ -18,10 +18,10 @@ spec:
         name: cpu
         target:
           type: Utilization
-          averageUtilization: 60
+          averageUtilization: 90
     - type: Resource
       resource:
         name: memory
         target:
           type: Utilization
-          averageUtilization: 70
+          averageUtilization: 95

terraform/environments/eks/k8s-manifests-sandbox/certificate.yaml

@@ -7,6 +7,7 @@ spec:
     secretName: sandbox-credentialengineregistry-org-tls
     dnsNames:
       - sandbox.credentialengineregistry.org
+      - es.sandbox.credentialengineregistry.org
     issuerRef:
       name: letsencrypt-prod
-      kind: ClusterIssuer
+      kind: ClusterIssuer

terraform/environments/eks/k8s-manifests-sandbox/elasticsearch-basic-auth-externalsecret.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: es-basic-auth
+  namespace: credreg-sandbox
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: aws-secret-manager
+    kind: ClusterSecretStore
+  target:
+    name: es-basic-auth
+    creationPolicy: Owner
+  data:
+    - secretKey: auth
+      remoteRef:
+        key: credreg-es-basic-auth-sandbox
+        property: auth

terraform/environments/eks/k8s-manifests-sandbox/elasticsearch-ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: elasticsearch
+  namespace: credreg-sandbox
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "es-basic-auth"
+    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "98.97.134.132/32,71.212.64.155/32,98.13.197.1/32,98.193.126.147/32"
+     # 71.212.64.155  – Rohit
+     # 98.13.197.1  – Jenna
+     # 98.193.126.147 – Mike P.
+     # 98.97.134.132/32 - Ariel
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - es.sandbox.credentialengineregistry.org
+      secretName: sandbox-credentialengineregistry-org-tls
+  rules:
+    - host: es.sandbox.credentialengineregistry.org
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: elasticsearch
+                port:
+                  number: 9200

terraform/environments/eks/k8s-manifests-sandbox/worker-deployment.yaml

@@ -53,8 +53,8 @@ spec:
                 name: main-app-config
           resources:
             requests:
-              cpu: "200m"
-              memory: "256Mi"
+              cpu: "256m"
+              memory: "2Gi"            
             limits:
               cpu: "1000m"
-              memory: "1024Mi"
+              memory: "2Gi"

terraform/environments/eks/k8s-manifests-staging/app-deployment.yaml

@@ -47,7 +47,7 @@ spec:
                 name: main-app-config
           resources:
             requests:
-              cpu: "500m"
+              cpu: "128m"
               memory: "256Mi"
             limits:
               cpu: "1000m"

terraform/environments/eks/k8s-manifests-staging/app-hpa.yaml

@@ -18,10 +18,10 @@ spec:
         name: cpu
         target:
           type: Utilization
-          averageUtilization: 60
+          averageUtilization: 90
     - type: Resource
       resource:
         name: memory
         target:
           type: Utilization
-          averageUtilization: 70
+          averageUtilization: 95

terraform/environments/eks/k8s-manifests-staging/certificate.yaml

@@ -7,6 +7,7 @@ spec:
     secretName: staging-credentialengineregistry-org-tls
     dnsNames:
       - staging.credentialengineregistry.org
+      - es.staging.credentialengineregistry.org
     issuerRef:
       name: letsencrypt-prod
-      kind: ClusterIssuer
+      kind: ClusterIssuer