16 – Kubernetes
Version : 4.0.0 Date : 2025-12-09
1. Introduction
Guide de déploiement du Socle V4 sur Kubernetes.
2. Image Docker
2.1 Dockerfile
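# Base image. For a reproducible, auditable build, pin the tag to a digest, e.g.
#   FROM eclipse-temurin:21-jre-alpine@sha256:<digest-from-your-registry>
FROM eclipse-temurin:21-jre-alpine
LABEL maintainer="your-team@company.com"
LABEL version="4.0.0"
WORKDIR /app
# Non-root user with a fixed UID/GID (1000) so that the Deployment's
# securityContext (runAsUser/fsGroup 1000) matches the ownership of the
# files copied below; "adduser -S" alone picks an arbitrary system UID.
RUN addgroup -S -g 1000 socle && adduser -S -u 1000 -G socle socle
USER socle
# Copy application (owned by the runtime user)
COPY --chown=socle:socle target/socle-v004-4.0.0.jar app.jar
# Health check: liveness endpoint of the admin module; busybox wget is
# available in the alpine base image
HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
  CMD wget -qO- http://localhost:8080/admin/health/live || exit 1
# Default JVM options: size the heap from the container's cgroup memory limit
ENV JAVA_OPTS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0"
EXPOSE 8080
# A shell is needed to expand JAVA_OPTS; "exec" makes the JVM replace the
# shell so that SIGTERM from Kubernetes reaches the JVM directly.
ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar app.jar"]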
2.2 Build et Push
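# Image reference and version held in variables so the same commands serve
# every release (and the two lines cannot drift apart)
IMAGE="gcr.io/my-project/socle-v4"
VERSION="4.0.0"
# Build
docker build -t "${IMAGE}:${VERSION}" .
# Push
docker push "${IMAGE}:${VERSION}"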
3. Manifests Kubernetes
3.1 Namespace
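---
apiVersion: v1
kind: Namespace
metadata:
  name: socle
  labels:
    name: socle
    # Pod Security Admission: block anything below "baseline" now (the
    # Deployment in 3.4 already satisfies it) and report, without blocking,
    # whatever would fail the "restricted" profile.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted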
3.2 ConfigMap
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: socle-config
  namespace: socle
# Non-sensitive settings only (credentials live in the Secret of 3.3);
# the Deployment injects them as environment variables via envFrom.
# Every value is quoted on purpose: ConfigMap data must be strings.
data:
  # Identity
  APP_NAME: "socle-v4"
  ENV_NAME: "PROD"
  REGION: "europe-west1"
  HTTP_PORT: "8080"
  # KV bus backend
  KVBUS_MODE: "redis"
  REDIS_HOST: "redis-master.redis.svc.cluster.local"
  # Optional modules
  TECHDB_ENABLED: "true"
  LOG_FORWARDER_ENABLED: "true"
  LOG_TRANSPORT_MODE: "http"
  SCHEDULER_ENABLED: "true"
  ADMIN_ENABLED: "true"
  ADMIN_AUTH_ENABLED: "true"
3.3 Secret
---
apiVersion: v1
kind: Secret
metadata:
  name: socle-secrets
  namespace: socle
type: Opaque
# stringData is a write-only convenience: the API server stores the values
# base64-encoded under "data", which is encoding, not encryption.
# The values below are placeholders; never commit real credentials to the
# repository — inject them at deploy time or from an external secret store.
stringData:
  REDIS_PASSWORD: "your-redis-password"
  ADMIN_PASSWORD: "your-admin-password"
  API_KEY: "your-api-key"
  TECHDB_PASSWORD: "your-techdb-password"
3.4 Deployment
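---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: socle-v4
  namespace: socle
  labels:
    app: socle-v4
    version: "4.0.0"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: socle-v4
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: socle-v4
        version: "4.0.0"
      annotations:
        prometheus.io/scrape: "true"
        # NOTE(review): health endpoints are under /admin/...; confirm the
        # metrics path really is /actuator/prometheus (see 15-METRICS).
        prometheus.io/path: "/actuator/prometheus"
        prometheus.io/port: "8080"
    spec:
      serviceAccountName: socle-sa
      # Nothing in this guide shows the application calling the Kubernetes
      # API, so the SA token is not mounted. Set to true for a module that
      # needs the API (and grant it a Role/RoleBinding).
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        # Must match the UID/GID created in the Dockerfile
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: socle
          image: gcr.io/my-project/socle-v4:4.0.0
          imagePullPolicy: Always
          # Container hardening (the "restricted" Pod Security profile)
          securityContext:
            allowPrivilegeEscalation: false
            # The JAR is read-only; writable paths are the emptyDir mounts
            # below. If the application writes elsewhere, add a mount for
            # that path rather than relaxing this setting.
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          envFrom:
            - configMapRef:
                name: socle-config
            - secretRef:
                name: socle-secrets
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # $(POD_NAME) is expanded by Kubernetes only because POD_NAME is
            # declared above it — keep the order.
            - name: EXEC_ID
              value: "$(POD_NAME)"
          resources:
            requests:
              cpu: "250m"
              memory: "512Mi"
            limits:
              cpu: "1000m"
              memory: "1Gi"
          livenessProbe:
            httpGet:
              path: /admin/health/live
              port: 8080
            # JVM start-up: give the process time before the first probe
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /admin/health/ready
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          volumeMounts:
            - name: data
              mountPath: /app/data
            - name: logs
              mountPath: /app/logs
            # Scratch space for the JVM (java.io.tmpdir) under a read-only
            # root filesystem
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: data
          emptyDir: {}
        - name: logs
          emptyDir: {}
        - name: tmp
          emptyDir: {}
      affinity:
        # Prefer spreading replicas across nodes
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: socle-v4
                topologyKey: kubernetes.io/hostname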
3.5 Service
---
apiVersion: v1
kind: Service
metadata:
  name: socle-v4
  namespace: socle
  labels:
    app: socle-v4
spec:
  # Cluster-internal only; external traffic comes in through the Ingress
  type: ClusterIP
  selector:
    app: socle-v4
  ports:
    # The port name "http" is what the ServiceMonitor endpoint refers to
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
3.6 Ingress
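---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: socle-v4
  namespace: socle
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  # Replaces the deprecated kubernetes.io/ingress.class annotation; matches
  # ingress.className in values.yaml
  ingressClassName: nginx
  tls:
    - hosts:
        - socle.example.com
      secretName: socle-tls
  rules:
    - host: socle.example.com
      http:
        paths:
          # "/" also publishes the /admin/* endpoints: keep
          # ADMIN_AUTH_ENABLED "true" in the ConfigMap, or restrict the
          # admin path at the ingress.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: socle-v4
                port:
                  number: 80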
3.7 HorizontalPodAutoscaler
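---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: socle-v4
  namespace: socle
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: socle-v4
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
  # No memory metric on purpose: Utilization is measured against the
  # request (512Mi), while the JVM may grow its heap to
  # -XX:MaxRAMPercentage=75.0 of the 1Gi limit (~768Mi). The heap alone
  # would exceed an 80 % target and keep the workload scaled up regardless
  # of load.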
3.8 PodDisruptionBudget
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: socle-v4
  namespace: socle
spec:
  selector:
    matchLabels:
      app: socle-v4
  # With 2 replicas, voluntary disruptions (node drain, upgrades) may take
  # down at most one pod at a time
  minAvailable: 1
3.9 ServiceAccount
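---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: socle-sa
  namespace: socle
# Nothing in this guide shows the application calling the Kubernetes API,
# so the token is not mounted into pods (least privilege). Set to true —
# together with a Role/RoleBinding — only for a module that needs the API.
automountServiceAccountToken: false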
4. Persistence avec PVC
4.1 PersistentVolumeClaim
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: socle-data
  namespace: socle
spec:
  # ReadWriteOnce volumes attach to a single node at a time. With
  # replicas: 2 and the pod anti-affinity of 3.4, the second replica is
  # scheduled on another node and cannot mount this claim; use
  # ReadWriteMany (if the storage class supports it) or one claim per
  # replica.
  accessModes:
    - ReadWriteOnce
  storageClassName: standard
  resources:
    requests:
      storage: 10Gi
4.2 Deployment avec PVC
# Inside the Deployment: replaces the emptyDir "data" volume of section 3.4
# with the claim created in 4.1 (excerpt, other fields unchanged)
spec:
  template:
    spec:
      containers:
        - name: socle
          volumeMounts:
            - name: data
              mountPath: /app/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: socle-data
5. Network Policies
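---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: socle-network-policy
  namespace: socle
spec:
  podSelector:
    matchLabels:
      app: socle-v4
  # Both directions are default-deny for the selected pods; only the rules
  # below are allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from the ingress controller.
    # kubernetes.io/metadata.name is set automatically on every namespace,
    # so the rule does not depend on a hand-maintained "name" label.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
          protocol: TCP
    # Allow from Prometheus
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # Allow to Redis (REDIS_HOST points to the "redis" namespace)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: redis
      ports:
        - port: 6379
          protocol: TCP
    # Allow to DNS. TCP is needed as well: resolvers fall back to it for
    # responses that do not fit in a UDP packet.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # TODO: the ConfigMap enables TECHDB and the HTTP log forwarder, but no
    # egress rule covers them, so those connections are dropped. Add one
    # rule per dependency, for example:
    # - to:
    #     - namespaceSelector:
    #         matchLabels:
    #           kubernetes.io/metadata.name: <techdb-namespace>
    #   ports:
    #     - port: <techdb-port>
    #       protocol: TCP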
6. Helm Chart
6.1 Chart.yaml
---
apiVersion: v2
name: socle-v4
description: Socle V4 Framework
# Chart version (SemVer) and the application version it packages; quoted
# so no YAML parser ever reads them as numbers
version: "4.0.0"
appVersion: "4.0.0"
6.2 values.yaml
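---
replicaCount: 2

image:
  repository: gcr.io/my-project/socle-v4
  tag: "4.0.0"
  pullPolicy: Always

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: socle.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: socle-tls
      hosts:
        - socle.example.com

resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 1000m
    memory: 1Gi

autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70

# Presumably rendered into the ConfigMap (templates not shown here): keep
# every value a quoted string, otherwise a value such as "true" or "8080"
# is typed as a boolean/number by the YAML parser and the API server
# rejects the ConfigMap (data must be strings).
config:
  APP_NAME: "socle-v4"
  ENV_NAME: "PROD"
  KVBUS_MODE: "redis"

# Intentionally empty in the chart: pass real values with --set or a values
# file kept out of version control, or use an external secrets mechanism.
secrets:
  REDIS_PASSWORD: ""
  ADMIN_PASSWORD: ""
  API_KEY: ""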
6.3 Installation
# Release, chart and namespace shared by the three commands
RELEASE="socle-v4"
CHART="./socle-v4-chart"
NS="socle"
# Install
helm install "$RELEASE" "$CHART" -n "$NS" --create-namespace -f values-prod.yaml
# Upgrade
helm upgrade "$RELEASE" "$CHART" -n "$NS" -f values-prod.yaml
# Uninstall
helm uninstall "$RELEASE" -n "$NS"
7. Observability
7.1 ServiceMonitor (Prometheus Operator)
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: socle-v4
  namespace: socle
  labels:
    # Must match the Prometheus Operator's serviceMonitorSelector
    release: prometheus
spec:
  # Scrapes the Service of 3.5 through its named port "http"
  selector:
    matchLabels:
      app: socle-v4
  endpoints:
    - port: http
      path: /actuator/prometheus
      interval: 15s
7.2 PrometheusRule
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: socle-v4-alerts
  namespace: socle
spec:
  groups:
    - name: socle-v4
      rules:
        # Fires when the error counter keeps increasing faster than
        # 0.1/s over 5 minutes, sustained for another 5 minutes
        - alert: SocleHighErrorRate
          expr: rate(socle_errors_total[5m]) > 0.1
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: High error rate
8. Déploiement Multi-région
8.1 Structure
clusters/
├── europe-west1/
│ ├── kustomization.yaml
│ └── config-patch.yaml
├── us-central1/
│ ├── kustomization.yaml
│ └── config-patch.yaml
└── base/
├── kustomization.yaml
├── deployment.yaml
├── service.yaml
└── configmap.yaml
8.2 Kustomize overlay
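# clusters/europe-west1/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# "bases" and "patchesStrategicMerge" are deprecated in kustomize v5;
# "resources" and "patches" are the supported equivalents.
resources:
  - ../../base
patches:
  - path: config-patch.yaml
configMapGenerator:
  # NOTE(review): behavior "merge" expects the base to produce socle-config
  # with its own configMapGenerator — confirm base/kustomization.yaml does,
  # otherwise this overlay fails to build.
  - name: socle-config
    behavior: merge
    literals:
      - REGION=europe-west1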
9. Troubleshooting
Commandes utiles
# Namespace and app name shared by the commands below
NS="socle"
APP="socle-v4"
# Logs
kubectl logs -f "deployment/${APP}" -n "$NS"
# Describe pod
kubectl describe pod -l "app=${APP}" -n "$NS"
# Port forward
kubectl port-forward "svc/${APP}" 8080:80 -n "$NS"
# Exec into pod
kubectl exec -it "deployment/${APP}" -n "$NS" -- sh
# Check events
kubectl get events -n "$NS" --sort-by='.lastTimestamp'
10. Références
- 15-METRICS – Métriques Prometheus
- 13-TLS-HTTPS – Configuration TLS
- Kubernetes Documentation
