Kubernetes Deployment

Consul Guardian'ı Kubernetes'te Deployment olarak çalıştırabilirsin. Tek replika yeterlidir -- birden fazla instance aynı Consul prefix'ini izlerse duplike commit oluşur.

Deployment YAML

apiVersion: apps/v1
kind: Deployment
metadata:
  name: consul-guardian
  namespace: consul
  labels:
    app: consul-guardian
spec:
  replicas: 1    # Tek replika yeterli
  selector:
    matchLabels:
      app: consul-guardian
  template:
    metadata:
      labels:
        app: consul-guardian
    spec:
      serviceAccountName: consul-guardian
      containers:
        - name: guardian
          image: ghcr.io/consul-guardian/consul-guardian:latest
          args:
            - "dashboard"
            - "--prefix"
            - "config/,env/,feature-flags/"
            - "--listen"
            - ":9090"
          ports:
            - name: http
              containerPort: 9090
              protocol: TCP
          env:
            - name: CONSUL_GUARDIAN_CONSUL_ADDRESS
              value: "http://consul-server.consul.svc.cluster.local:8500"
            - name: CONSUL_GUARDIAN_CONSUL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: consul-guardian-secrets
                  key: consul-token
            - name: CONSUL_GUARDIAN_LOG_LEVEL
              value: "info"
            - name: CONSUL_GUARDIAN_LOG_FORMAT
              value: "json"
            - name: CONSUL_GUARDIAN_SNAPSHOT_ENABLED
              value: "true"
            - name: CONSUL_GUARDIAN_SNAPSHOT_SCHEDULE
              value: "0 */6 * * *"
            - name: CONSUL_GUARDIAN_SNAPSHOT_STORAGE_TYPE
              value: "s3"
            - name: CONSUL_GUARDIAN_SNAPSHOT_STORAGE_BUCKET
              value: "consul-backups"
            - name: AWS_REGION
              value: "eu-west-1"
          volumeMounts:
            - name: backup-repo
              mountPath: /home/guardian/repo
            - name: ssh-key
              mountPath: /home/guardian/.ssh
              readOnly: true
          resources:
            requests:
              memory: "64Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: backup-repo
          persistentVolumeClaim:
            claimName: consul-guardian-pvc
        - name: ssh-key
          secret:
            secretName: consul-guardian-ssh
            defaultMode: 0400

PersistentVolumeClaim

Git repo'su için kalıcı depolama gerekli. Container yeniden başladığında geçmişin kaybolmaması için PVC kullan:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: consul-guardian-pvc
  namespace: consul
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: gp3         # AWS EBS için; ortamına göre değiştir
  resources:
    requests:
      storage: 5Gi              # 10K key için 5Gi fazlasıyla yeterli

Secret

Consul ACL token ve SSH key'i Kubernetes Secret olarak sakla:

apiVersion: v1
kind: Secret
metadata:
  name: consul-guardian-secrets
  namespace: consul
type: Opaque
stringData:
  consul-token: "your-consul-acl-token"
---
apiVersion: v1
kind: Secret
metadata:
  name: consul-guardian-ssh
  namespace: consul
type: Opaque
data:
  id_rsa: <base64-encoded-ssh-private-key>
  known_hosts: <base64-encoded-known-hosts>

uyarı

Secret'ları YAML dosyasında hardcode etme. Sealed Secrets, External Secrets Operator veya Vault kullan.

Service

Dashboard'a cluster içinden veya dışarıdan erişmek için:

apiVersion: v1
kind: Service
metadata:
  name: consul-guardian
  namespace: consul
spec:
  selector:
    app: consul-guardian
  ports:
    - name: http
      port: 9090
      targetPort: http
  type: ClusterIP
---
# Dışarıdan erişim için Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: consul-guardian
  namespace: consul
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: guardian-basic-auth
spec:
  rules:
    - host: guardian.internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: consul-guardian
                port:
                  number: 9090

Sağlık Kontrolleri

Deployment YAML'deki livenessProbe ve readinessProbe Guardian'ın sağlığını kontrol eder:

• Liveness: Guardian process'i canlıysa /healthz endpoint'i 200 döndürür. Aksi halde Kubernetes pod'u yeniden başlatır.
• Readiness: Guardian Consul'a bağlanıp hazır duruma geçtiğinde trafik almaya başlar.

S3 Erişimi için IRSA (IAM Roles for Service Accounts)

Snapshot'ları S3'e kaydetmek için AWS access key yerine IRSA kullanmanı öneririm:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul-guardian
  namespace: consul
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/consul-guardian-s3

IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::consul-backups",
        "arn:aws:s3:::consul-backups/*"
      ]
    }
  ]
}

Gerçek Senaryo: EKS Üzerinde Production

# Namespace oluştur
kubectl create namespace consul

# Secret'ları ekle (örnek - gerçekte Sealed Secrets kullan)
kubectl create secret generic consul-guardian-secrets \
  --from-literal=consul-token="$CONSUL_TOKEN" \
  -n consul

# SSH key ekle
kubectl create secret generic consul-guardian-ssh \
  --from-file=id_rsa=~/.ssh/guardian_deploy_key \
  --from-file=known_hosts=~/.ssh/known_hosts \
  -n consul

# Deploy
kubectl apply -f consul-guardian/ -n consul

# Log'ları kontrol et
kubectl logs -f deployment/consul-guardian -n consul