BTHLABS-0000: development workflow

Co-authored-by: Tomek Wójcik <labs@tomekwojcik.pl>
Co-committed-by: Tomek Wójcik <labs@tomekwojcik.pl>

.gitea/actions/get-build-options/action.yaml

@@ -0,0 +1,26 @@
+name: "Get Build Options"
+description: "Sanitizies and unifies the environment into build options"
+outputs:
+  short-sha:
+    description: "Shortened hash if the current commit"
+  build-arch:
+    description: "Docker-compatible representation of build arch"
+  build-platform:
+    description: "Docker-compatible representation of build platform"
+runs:
+  using: "composite"
+  steps:
+    - name: "Compute Build Options"
+      shell: "bash"
+      run: |
+        set -x
+        SHORT_SHA="${GITHUB_SHA::8}"
+        BUILD_ARCH="amd64"
+        BUILD_PLATFORM="linux/amd64"
+        if [ "${RUNNER_ARCH}" = "ARM64" ];then
+          BUILD_ARCH="arm64"
+          BUILD_PLATFORM="linux/arm64"
+        fi
+        echo "short-sha=$SHORT_SHA" >> $GITHUB_OUTPUT
+        echo "build-arch=$BUILD_ARCH" >> $GITHUB_OUTPUT
+        echo "build-platform=$BUILD_PLATFORM" >> $GITHUB_OUTPUT

.gitea/actions/get-run-info/action.yaml

@@ -0,0 +1,17 @@
+name: "Get Run Info"
+description: "Sanitizies and unifies the environment into run info"
+inputs:
+  compose-project-base:
+    description: "Base for the Compose project"
+    required: true
+outputs:
+  compose-project:
+    description: "Compose project name"
+runs:
+  using: "composite"
+  steps:
+    - name: "Compute Run Info"
+      shell: "bash"
+      run: |
+        set -x
+        echo "compose-project=${{ inputs.compose-project-base }}-${GITHUB_RUN_NUMBER}" >> $GITHUB_OUTPUT

.gitea/actions/get-service-version/action.yaml

@@ -0,0 +1,27 @@
+name: "Get Run Info"
+description: "Sanitizies and unifies the environment into run info"
+inputs:
+  service:
+    description: "The service to work on"
+    required: true
+outputs:
+  version:
+    description: "Service version"
+  build-number:
+    description: "Build number"
+runs:
+  using: "composite"
+  steps:
+    - name: "Compute Service Version"
+      shell: "bash"
+      run: |
+        set -x
+        if [[ ! -z "${GITHUB_HEAD_REF}" || "${GITHUB_REF_NAME}" = "development" ]]; then
+          VERSION="${GITHUB_SHA::8}"
+          BUILD="${GITHUB_RUN_NUMBER}"
+        else
+          VERSION="v$(grep -Po '(?<=^version\s=\s")[^"]+' services/${{ inputs.service }}/pyproject.toml)"
+          BUILD="01"
+        fi
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
+        echo "build-number=$BUILD" >> $GITHUB_OUTPUT

.gitea/actions/setup-k8s/action.yaml

@@ -0,0 +1,32 @@
+name: "Set up k8s"
+description: "Downloads and installs k8s tools"
+inputs:
+  arch:
+    description: "Architecture"
+    required: true
+  kubectl-version:
+    description: "kubectl version to install"
+    required: false
+    default: "1.33.4"
+  kustomize-version:
+    description: "kustomize version to install"
+    required: false
+    default: "5.7.1"
+runs:
+  using: "composite"
+  steps:
+    - name: "Install k8s tools"
+      shell: "bash"
+      run: |
+        set -x
+        mkdir -p /opt/k8s/bin /opt/k8s/etc /opt/k8s/src
+
+        wget -O /opt/k8s/src/kubectl "https://nexus.bthlabs.pl/repository/ops-tools/k8s/kubectl-${{ inputs.kubectl-version }}-linux-${{ inputs.arch }}"
+        chmod a+x /opt/k8s/src/kubectl
+        mv /opt/k8s/src/kubectl /opt/k8s/bin
+
+        wget -O /opt/k8s/src/kustomize "https://nexus.bthlabs.pl/repository/ops-tools/k8s/kustomize-${{ inputs.kustomize-version }}-linux-${{ inputs.arch }}"
+        chmod a+x /opt/k8s/src/kustomize
+        mv /opt/k8s/src/kustomize /opt/k8s/bin
+
+        rm -rf /opt/k8s/src/

.gitea/workflows/ci.yaml

@@ -19,23 +19,12 @@ jobs:
         uses: "actions/checkout@v2"
       - name: "Get run info"
         id: "get-run-info"
-        run: |
-          set -x
-          echo "COMPOSE_PROJECT=${{ vars.COMPOSE_PROJECT_BASE }}-${GITHUB_RUN_NUMBER}" >> $GITHUB_OUTPUT
+        uses: "./.gitea/actions/get-run-info"
+        with:
+          compose-project-base: "${{ vars.COMPOSE_PROJECT_BASE }}"
       - name: "Get build options"
         id: "get-build-options"
-        run: |
-          set -x
-          SHORT_SHA="${GITHUB_SHA::8}"
-          BUILD_ARCH="amd64"
-          BUILD_PLATFORM="linux/amd64"
-          if [ "${RUNNER_ARCH}" = "ARM64" ];then
-            BUILD_ARCH="arm64"
-            BUILD_PLATFORM="linux/arm64"
-          fi
-          echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_OUTPUT
-          echo "BUILD_ARCH=$BUILD_ARCH" >> $GITHUB_OUTPUT
-          echo "BUILD_PLATFORM=$BUILD_PLATFORM" >> $GITHUB_OUTPUT
+        uses: "./.gitea/actions/get-build-options"
       - name: "Set up Docker Buildx"
         id: "setup-docker-buildx"
         uses: "docker/setup-buildx-action@v3"
@@ -53,8 +42,8 @@ jobs:
           context: "services/"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/postgres:15.13-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/postgres:15.13-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `keycloak` image"
@@ -64,8 +53,8 @@ jobs:
           context: "services/"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/keycloak:22.0.3-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/keycloak:22.0.3-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `rabbitmq` image"
@@ -75,8 +64,8 @@ jobs:
           context: "services/"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/rabbitmq:3.10.8-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/rabbitmq:3.10.8-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `backend-ci` image"
@@ -87,8 +76,8 @@ jobs:
           target: "ci"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/backend:ci-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/backend:ci-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `packages-ci` image"
@@ -99,8 +88,8 @@ jobs:
           target: "ci"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/packages:ci-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/packages:ci-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `extension-ci` image"
@@ -111,8 +100,8 @@ jobs:
           target: "ci"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/extension:ci-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/extension:ci-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Build `apple-ci` image"
@@ -123,21 +112,21 @@ jobs:
           target: "ci"
           push: false
           load: true
-          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/apple:ci-${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
-          platforms: "${{ steps.get-build-options.outputs.BUILD_PLATFORM }}"
+          tags: "docker-hosted.nexus.bthlabs.pl/hotpocket/apple:ci-${{ steps.get-run-info.outputs.compose-project }}"
+          platforms: "${{ steps.get-build-options.outputs.build-platform }}"
           cache-from: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket"
           cache-to: "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max"
       - name: "Prepare the build"
         id: "prepare"
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           ./.gitea/tools/render-docker-compose-ci.sh
       - name: "Run `backend` checks"
         if: "steps.prepare.conclusion == 'success'"
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           docker compose \
@@ -150,7 +139,7 @@ jobs:
       - name: "Run `packages` checks"
         if: "steps.prepare.conclusion == 'success'"
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           docker compose \
@@ -163,7 +152,7 @@ jobs:
       - name: "Run `extension` checks"
         if: "steps.prepare.conclusion == 'success'"
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           docker compose \
@@ -176,7 +165,7 @@ jobs:
       - name: "Run `apple` checks"
         if: "steps.prepare.conclusion == 'success'"
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           docker compose \
@@ -189,7 +178,7 @@ jobs:
       - name: "Clean up"
         if: always()
         env:
-          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.COMPOSE_PROJECT }}"
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
         run: |
           set -x
           docker compose \

.gitea/workflows/development.yaml

@@ -0,0 +1,163 @@
+name: "Deploy to development"
+
+on:
+  push:
+    branches:
+      - "development"
+
+jobs:
+  build-deployment-images:
+    name: "Build deployment images"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Checkout the code"
+        uses: "actions/checkout@v2"
+      - name: "Get build options"
+        id: "get-build-options"
+        uses: "./.gitea/actions/get-build-options"
+      - name: "Get `backend` version"
+        id: "get-backend-version"
+        uses: "./.gitea/actions/get-service-version"
+        with:
+          service: "backend"
+      - name: "Import Secrets"
+        id: "import-secrets"
+        uses: "hashicorp/vault-action@v2"
+        with:
+          url: "https://vault.bthlabs.pl/"
+          method: "approle"
+          roleId: "${{ secrets.VAULT_ROLE_ID }}"
+          secretId: "${{ secrets.VAULT_SECRET_ID }}"
+          secrets: |
+            gitea/data/docker-hosted.nexus.bthlabs.pl username | DOCKER_USERNAME ;
+            gitea/data/docker-hosted.nexus.bthlabs.pl password | DOCKER_PASSWORD
+      - name: "Set up Docker Buildx"
+        id: "setup-docker-buildx"
+        uses: "docker/setup-buildx-action@v3"
+        with:
+          driver: "remote"
+          endpoint: "tcp://builder-01.bthlab:2375"
+          platforms: "linux/amd64"
+          append: |
+            - endpoint: "tcp://builder-mac-01.bthlab:2375"
+              platforms: "linux/arm64"
+      - name: "Login to Docket Registry"
+        uses: "docker/login-action@v3"
+        with:
+          registry: "docker-hosted.nexus.bthlabs.pl"
+          username: "${{ steps.import-secrets.outputs.DOCKER_USERNAME }}"
+          password: "${{ steps.import-secrets.outputs.DOCKER_PASSWORD }}"
+      - name: "Build `backend-deployment` image"
+        env:
+          SHORT_SHA: "${{ steps.get-build-options.outputs.short-sha }}"
+          VERSION: "${{ steps.get-backend-version.outputs.version }}"
+          BUILD: "${{ steps.get-backend-version.outputs.build-number }}"
+        run: |
+          set -x
+          docker buildx build \
+            --cache-from "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket" \
+            --cache-to "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max" \
+            --push \
+            --platform linux/amd64,linux/arm64 \
+            --build-arg IMAGE_ID="deployment.${SHORT_SHA}" \
+            -f services/backend/Dockerfile \
+            --target deployment \
+            -t "docker-hosted.nexus.bthlabs.pl/hotpocket/backend:deployment-${VERSION}-${BUILD}" \
+            services/
+      - name: "Build `backend-aio` image"
+        env:
+          SHORT_SHA: "${{ steps.get-build-options.outputs.short-sha }}"
+          VERSION: "${{ steps.get-backend-version.outputs.version }}"
+          BUILD: "${{ steps.get-backend-version.outputs.build-number }}"
+        run: |
+          set -x
+          docker buildx build \
+            --cache-from "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket" \
+            --cache-to "type=registry,ref=nexus.bthlab.bthlabs.net:8001/hotpocket,mode=max" \
+            --push \
+            --platform linux/amd64,linux/arm64 \
+            --build-arg IMAGE_ID="aio.${SHORT_SHA}" \
+            -f services/backend/Dockerfile \
+            --target aio \
+            -t "docker-hosted.nexus.bthlabs.pl/hotpocket/backend:aio-${VERSION}-${BUILD}" \
+            services/
+
+  deploy:
+    name: "Deploy"
+    runs-on: "ubuntu-latest"
+    needs:
+      - "build-deployment-images"
+    env:
+      KUBERNETES_NAMESPACE: "hotpocket-development"
+      KUBERNETES_CLUSTER: "k8s.bthlab"
+    steps:
+      - name: "Checkout the code"
+        uses: "actions/checkout@v2"
+      - name: "Get run info"
+        id: "get-run-info"
+        uses: "./.gitea/actions/get-run-info"
+        with:
+          compose-project-base: "${{ vars.COMPOSE_PROJECT_BASE }}"
+      - name: "Get build options"
+        id: "get-build-options"
+        uses: "./.gitea/actions/get-build-options"
+      - name: "Get `backend` version"
+        id: "get-backend-version"
+        uses: "./.gitea/actions/get-service-version"
+        with:
+          service: "backend"
+      - name: "Setup k8s"
+        uses: "./.gitea/actions/setup-k8s"
+        with:
+          arch: "${{ steps.get-build-options.outputs.build-arch }}"
+      - name: "Import Secrets"
+        id: "import-secrets"
+        uses: "hashicorp/vault-action@v2"
+        with:
+          url: "https://vault.bthlabs.pl/"
+          method: "approle"
+          roleId: "${{ secrets.VAULT_ROLE_ID }}"
+          secretId: "${{ secrets.VAULT_SECRET_ID }}"
+          secrets: |
+            gitea/data/k8s.bthlab config | KUBECONFIG_PAYLOAD
+      - name: "Set up kubeconfig"
+        env:
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
+          KUBECONFIG_PAYLOAD: "${{ steps.import-secrets.outputs.KUBECONFIG_PAYLOAD }}"
+        run: |
+          set -x
+
+          echo ${KUBECONFIG_PAYLOAD} | base64 -d >"/opt/k8s/etc/kubeconfig"
+          export KUBECONFIG="/opt/k8s/etc/kubeconfig"
+          
+          /opt/k8s/bin/kubectl config use-context ${KUBERNETES_CLUSTER}
+          /opt/k8s/bin/kubectl get node
+      - name: "Run `backend` Django migrations"
+        env:
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
+          BACKEND_TAG: "deployment-${{ steps.get-backend-version.outputs.version }}-${{ steps.get-backend-version.outputs.build-number }}"
+        run: |
+          set -x
+
+          (
+            cd deployment/hotpocket.bthlab ;
+            export KUBECONFIG="/opt/k8s/etc/kubeconfig" ;
+            /opt/k8s/bin/kubectl config use-context ${KUBERNETES_CLUSTER} ;
+            /opt/k8s/bin/kubectl -n ${KUBERNETES_NAMESPACE} set image cronjobs/backend-job-migrations migrations=docker-hosted.nexus.bthlabs.pl/hotpocket/backend:${BACKEND_TAG} ;
+            /opt/k8s/bin/kubectl -n ${KUBERNETES_NAMESPACE} delete jobs --ignore-not-found=true backend-job-migrations ;
+            /opt/k8s/bin/kubectl -n ${KUBERNETES_NAMESPACE} create job backend-job-migrations --from=cronjob/backend-job-migrations ;
+            /opt/k8s/bin/kubectl -n ${KUBERNETES_NAMESPACE} wait --for=condition=complete --timeout=300s job/backend-job-migrations
+          )
+      - name: "Deploy"
+        env:
+          COMPOSE_PROJECT: "${{ steps.get-run-info.outputs.compose-project }}"
+          BACKEND_TAG: "deployment-${{ steps.get-backend-version.outputs.version }}-${{ steps.get-backend-version.outputs.build-number }}"
+        run: |
+          set -x
+          (
+            cd deployment/hotpocket.bthlab ;
+            export KUBECONFIG="/opt/k8s/etc/kubeconfig" ;
+            /opt/k8s/bin/kubectl config use-context ${KUBERNETES_CLUSTER} ;
+            /opt/k8s/bin/kustomize edit set image hotpocket-backend=docker-hosted.nexus.bthlabs.pl/hotpocket/backend:${BACKEND_TAG} ;
+            /opt/k8s/bin/kustomize build . | /opt/k8s/bin/kubectl apply -f -
+          )

.gitignore

@@ -1,3 +1,4 @@
+.ci/
 .envrc*
 .ipythonhome/
 /docker-compose-ci-*.yaml

deployment/hotpocket.bthlab/configs/backend/admin

@@ -0,0 +1,5 @@
+DJANGO_SETTINGS_MODULE=hotpocket_backend.settings.deployment.admin
+HOTPOCKET_BACKEND_GUNICORN_WORKERS=2
+HOTPOCKET_BACKEND_APP=admin
+HOTPOCKET_BACKEND_SECRET_KEY=thisissecret
+HOTPOCKET_BACKEND_ALLOWED_HOSTS=thisissecret

deployment/hotpocket.bthlab/configs/backend/base

@@ -0,0 +1,8 @@
+HOTPOCKET_BACKEND_ENV=deployment
+HOTPOCKET_BACKEND_DATABASE_NAME=hotpocket_development_backend
+HOTPOCKET_BACKEND_DATABASE_USER=thisissecret
+HOTPOCKET_BACKEND_DATABASE_PASSWORD=thisissecret
+HOTPOCKET_BACKEND_DATABASE_HOST=databases.bthlab
+HOTPOCKET_BACKEND_CELERY_BROKER_URL=thisissecret
+HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND=thisissecret
+HOTPOCKET_BACKEND_MODEL_AUTH_IS_DISABLED=false

deployment/hotpocket.bthlab/configs/backend/webapp

@@ -0,0 +1,7 @@
+DJANGO_SETTINGS_MODULE=hotpocket_backend.settings.deployment.webapp
+HOTPOCKET_BACKEND_GUNICORN_WORKERS=2
+HOTPOCKET_BACKEND_APP=webapp
+HOTPOCKET_BACKEND_SECRET_KEY=thisissecret
+HOTPOCKET_BACKEND_ALLOWED_HOSTS=thisissecret
+HOTPOCKET_BACKEND_SAVES_SAVE_ADAPTER=hotpocket_backend.apps.saves.adapters.postgres:PostgresSaveAdapter
+HOTPOCKET_BACKEND_SAVES_ASSOCIATION_ADAPTER=hotpocket_backend.apps.saves.adapters.postgres:PostgresAssociationAdapter

deployment/hotpocket.bthlab/kustomization.yaml

@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - resources/namespace.yaml
+  - resources/volumes.yaml
+  - resources/backend/job-migrations.yaml
+  - resources/backend/webapp.yaml
+  - resources/backend/webapp-service.yaml
+  - resources/backend/webapp-ingress.yaml
+  - resources/backend/admin.yaml
+  - resources/backend/admin-service.yaml
+  - resources/backend/admin-ingress.yaml
+  - resources/backend/celery-worker.yaml
+  - resources/backend/celery-beat.yaml
+
+configMapGenerator:
+  - behavior: create
+    namespace: hotpocket-development
+    envs:
+      - configs/backend/base
+    name: backend-base-config
+  - behavior: create
+    namespace: hotpocket-development
+    envs:
+      - configs/backend/webapp
+    name: backend-webapp-config
+  - behavior: create
+    namespace: hotpocket-development
+    envs:
+      - configs/backend/admin
+    name: backend-admin-config
+
+patches: []
+
+images:
+  - name: hotpocket-backend
+    newName: docker-hosted.nexus.bthlabs.pl/hotpocket/backend
+    newTag: deployment-v25.10.4-01

deployment/hotpocket.bthlab/resources/backend/admin-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: backend-admin-ingress
+  namespace: hotpocket-development
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: "web"
+spec:
+  rules:
+  - host: admin.hotpocket.bthlab.bthlabs.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: backend-admin-service
+            port:
+              name: http

deployment/hotpocket.bthlab/resources/backend/admin-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-admin-service
+  namespace: hotpocket-development
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/app: backend-admin
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8000
+      targetPort: http

deployment/hotpocket.bthlab/resources/backend/admin.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend-admin
+  namespace: hotpocket-development
+  labels:
+    app.kubernetes.io/app: backend-admin
+spec:
+  minReadySeconds: 30
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/app: backend-admin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/app: backend-admin
+    spec:
+      containers:
+        - name: app
+          image: hotpocket-backend:latest
+          command:
+            - "/srv/venv/bin/gunicorn"
+            - "-c"
+            - "/srv/lib/gunicorn.conf.py"
+            - "hotpocket_backend.wsgi:application"
+          envFrom:
+            - configMapRef:
+                name: backend-base-config
+            - configMapRef:
+                name: backend-admin-config
+          env:
+            - name: HOTPOCKET_BACKEND_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: backend-admin
+                  key: secret_key
+            - name: HOTPOCKET_BACKEND_ALLOWED_HOSTS
+              valueFrom:
+                secretKeyRef:
+                  name: backend-admin
+                  key: allowed_hosts
+            - name: HOTPOCKET_BACKEND_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: username
+            - name: HOTPOCKET_BACKEND_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: password
+            - name: HOTPOCKET_BACKEND_CELERY_BROKER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: broker_url
+            - name: HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: result_backend
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+            - containerPort: 8001
+              name: healthcheck
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: "/"
+              port: 8001
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 8001
+            initialDelaySeconds: 2
+            periodSeconds: 5
+          volumeMounts:
+            - mountPath: /dev/shm
+              name: shm
+            - mountPath: /srv/run
+              name: backend-admin-srv-run
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: shm
+          emptyDir:
+            medium: Memory
+        - name: backend-admin-srv-run
+          emptyDir: {}

deployment/hotpocket.bthlab/resources/backend/celery-beat.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: backend-celery-beat
+  namespace: hotpocket-development
+  labels:
+    app.kubernetes.io/app: backend-celery-beat
+spec:
+  minReadySeconds: 30
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/app: backend-celery-beat
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/app: backend-celery-beat
+    spec:
+      containers:
+        - name: app
+          image: hotpocket-backend:latest
+          command:
+            - "/srv/venv/bin/celery"
+            - "-A"
+            - "hotpocket_backend.celery:app"
+            - "beat"
+            - "-l"
+            - "INFO"
+            - "-s"
+            - "/srv/run/celery-beat-schedule"
+          envFrom:
+            - configMapRef:
+                name: backend-base-config
+            - configMapRef:
+                name: backend-webapp-config
+          env:
+            - name: HOTPOCKET_BACKEND_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: secret_key
+            - name: HOTPOCKET_BACKEND_ALLOWED_HOSTS
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: allowed_hosts
+            - name: HOTPOCKET_BACKEND_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: username
+            - name: HOTPOCKET_BACKEND_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: password
+            - name: HOTPOCKET_BACKEND_CELERY_BROKER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: broker_url
+            - name: HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: result_backend
+          volumeMounts:
+            - mountPath: /dev/shm
+              name: shm
+            - mountPath: /srv/run
+              name: backend-celery-beat-srv-run
+            - mountPath: /srv/uploads
+              name: backend-celery-beat-srv-uploads
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: shm
+          emptyDir:
+            medium: Memory
+        - name: backend-celery-beat-srv-run
+          persistentVolumeClaim:
+            claimName: backend-celery-beat-run
+        - name: backend-celery-beat-srv-uploads
+          emptyDir: {}

deployment/hotpocket.bthlab/resources/backend/celery-worker.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend-celery-worker
+  namespace: hotpocket-development
+  labels:
+    app.kubernetes.io/app: backend-celery-worker
+spec:
+  minReadySeconds: 30
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/app: backend-celery-worker
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/app: backend-celery-worker
+    spec:
+      containers:
+        - name: app
+          image: hotpocket-backend:latest
+          command:
+            - "/srv/venv/bin/celery"
+            - "-A"
+            - "hotpocket_backend.celery:app"
+            - "worker"
+            - "-l"
+            - "INFO"
+            - "-Q"
+            - "celery,webapp"
+            - "-c"
+            - "2"
+          envFrom:
+            - configMapRef:
+                name: backend-base-config
+            - configMapRef:
+                name: backend-webapp-config
+          env:
+            - name: HOTPOCKET_BACKEND_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: secret_key
+            - name: HOTPOCKET_BACKEND_ALLOWED_HOSTS
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: allowed_hosts
+            - name: HOTPOCKET_BACKEND_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: username
+            - name: HOTPOCKET_BACKEND_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: password
+            - name: HOTPOCKET_BACKEND_CELERY_BROKER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: broker_url
+            - name: HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: result_backend
+          volumeMounts:
+            - mountPath: /dev/shm
+              name: shm
+            - mountPath: /srv/run
+              name: backend-celery-worker-srv-run
+            - mountPath: /srv/uploads
+              name: backend-celery-worker-srv-uploads
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: shm
+          emptyDir:
+            medium: Memory
+        - name: backend-celery-worker-srv-run
+          emptyDir: {}
+        - name: backend-celery-worker-srv-uploads
+          persistentVolumeClaim:
+            claimName: backend-uploads

deployment/hotpocket.bthlab/resources/backend/job-migrations.yaml

@@ -0,0 +1,80 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backend-job-migrations
+  namespace: hotpocket-development
+  labels:
+    app.kubernetes.io/app: backend-job-migrations
+spec:
+  concurrencyPolicy: "Forbid"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  startingDeadlineSeconds: 180
+  schedule: "* * * * *"
+  suspend: true
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      completions: 1
+      parallelism: 1
+      template:
+        spec:
+          containers:
+            - name: migrations
+              image: hotpocket-backend:latest
+              command:
+                - "./manage.py"
+                - "migrate"
+              envFrom:
+                - configMapRef:
+                    name: backend-base-config
+                - configMapRef:
+                    name: backend-webapp-config
+              env:
+                - name: HOTPOCKET_BACKEND_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-webapp
+                      key: secret_key
+                - name: HOTPOCKET_BACKEND_ALLOWED_HOSTS
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-webapp
+                      key: allowed_hosts
+                - name: HOTPOCKET_BACKEND_DATABASE_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-postgres
+                      key: username
+                - name: HOTPOCKET_BACKEND_DATABASE_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-postgres
+                      key: password
+                - name: HOTPOCKET_BACKEND_CELERY_BROKER_URL
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-celery
+                      key: broker_url
+                - name: HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND
+                  valueFrom:
+                    secretKeyRef:
+                      name: backend-celery
+                      key: result_backend
+              volumeMounts:
+                - mountPath: /dev/shm
+                  name: shm
+                - mountPath: /srv/run
+                  name: backend-webapp-srv-run
+                - mountPath: /srv/uploads
+                  name: backend-webapp-srv-uploads
+          dnsPolicy: ClusterFirst
+          restartPolicy: Never
+          volumes:
+            - name: shm
+              emptyDir:
+                medium: Memory
+            - name: backend-webapp-srv-run
+              emptyDir: {}
+            - name: backend-webapp-srv-uploads
+              emptyDir: {}

deployment/hotpocket.bthlab/resources/backend/webapp-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: backend-webapp-ingress
+  namespace: hotpocket-development
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: "web"
+spec:
+  rules:
+  - host: app.hotpocket.bthlab.bthlabs.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: backend-webapp-service
+            port:
+              name: http

deployment/hotpocket.bthlab/resources/backend/webapp-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-webapp-service
+  namespace: hotpocket-development
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/app: backend-webapp
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8000
+      targetPort: http

deployment/hotpocket.bthlab/resources/backend/webapp.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend-webapp
+  namespace: hotpocket-development
+  labels:
+    app.kubernetes.io/app: backend-webapp
+spec:
+  minReadySeconds: 30
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/app: backend-webapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/app: backend-webapp
+    spec:
+      containers:
+        - name: app
+          image: hotpocket-backend:latest
+          command:
+            - "/srv/venv/bin/gunicorn"
+            - "-c"
+            - "/srv/lib/gunicorn.conf.py"
+            - "hotpocket_backend.wsgi:application"
+          envFrom:
+            - configMapRef:
+                name: backend-base-config
+            - configMapRef:
+                name: backend-webapp-config
+          env:
+            - name: HOTPOCKET_BACKEND_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: secret_key
+            - name: HOTPOCKET_BACKEND_ALLOWED_HOSTS
+              valueFrom:
+                secretKeyRef:
+                  name: backend-webapp
+                  key: allowed_hosts
+            - name: HOTPOCKET_BACKEND_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: username
+            - name: HOTPOCKET_BACKEND_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: backend-postgres
+                  key: password
+            - name: HOTPOCKET_BACKEND_CELERY_BROKER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: broker_url
+            - name: HOTPOCKET_BACKEND_CELERY_RESULT_BACKEND
+              valueFrom:
+                secretKeyRef:
+                  name: backend-celery
+                  key: result_backend
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+            - containerPort: 8001
+              name: healthcheck
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: "/"
+              port: 8001
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 8001
+            initialDelaySeconds: 2
+            periodSeconds: 5
+          volumeMounts:
+            - mountPath: /dev/shm
+              name: shm
+            - mountPath: /srv/run
+              name: backend-webapp-srv-run
+            - mountPath: /srv/uploads
+              name: backend-webapp-srv-uploads
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: shm
+          emptyDir:
+            medium: Memory
+        - name: backend-webapp-srv-run
+          emptyDir: {}
+        - name: backend-webapp-srv-uploads
+          persistentVolumeClaim:
+            claimName: backend-uploads

deployment/hotpocket.bthlab/resources/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hotpocket-development

deployment/hotpocket.bthlab/resources/volumes.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: backend-uploads
+  namespace: hotpocket-development
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: "1Gi"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: backend-celery-beat-run
+  namespace: hotpocket-development
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: "1Gi"