Kubernetes Deployment Guide

Deploy AuthentiVoice on Kubernetes for highly available, scalable production deployments.

Prerequisites

Kubernetes Cluster

Kubernetes 1.24+ with RBAC enabled

kubectl

kubectl CLI configured for your cluster

Helm

Helm 3.8+ for package management

Storage Class

Persistent storage provisioner

Quick Start with Helm

1

Add Helm Repository

helm repo add authentivoice https://charts.authentivoice.com
helm repo update
2

Create Namespace

kubectl create namespace authentivoice
3

Configure Values

# Download default values
helm show values authentivoice/authentivoice > values.yaml

# Edit configuration
nano values.yaml
4

Deploy Application

helm install authentivoice authentivoice/authentivoice \
  --namespace authentivoice \
  --values values.yaml

Architecture Overview

Component Diagram

Deployment Manifests

Namespace and ConfigMap

apiVersion: v1
kind: Namespace
metadata:
  name: authentivoice
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentivoice-config
  namespace: authentivoice
data:
  API_BASE_URL: "https://api.authentivoice.com"
  ENVIRONMENT: "production"
  LOG_LEVEL: "info"

Frontend Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: authentivoice
spec:
  replicas: 3
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: frontend
        image: authentivoice/frontend:latest
        ports:
        - containerPort: 80
        env:
        - name: VITE_API_BASE_URL
          valueFrom:
            configMapKeyRef:
              name: authentivoice-config
              key: API_BASE_URL
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "200m"
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: authentivoice
spec:
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 80

Backend Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: authentivoice
spec:
  replicas: 3
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
      - name: backend
        image: authentivoice/backend:latest
        ports:
        - containerPort: 8000
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: authentivoice-secrets
              key: database-url
        - name: REDIS_URL
          value: "redis://redis:6379"
        - name: S3_ENDPOINT
          valueFrom:
            secretKeyRef:
              name: authentivoice-secrets
              key: s3-endpoint
        resources:
          requests:
            memory: "512Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8000
          initialDelaySeconds: 60
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8000
          initialDelaySeconds: 10
          periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: authentivoice
spec:
  selector:
    app: backend
  ports:
  - port: 8000
    targetPort: 8000

Database Deployment

  • PostgreSQL StatefulSet
  • Cloud Database
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
  namespace: authentivoice
spec:
  serviceName: postgresql
  replicas: 1
  selector:
    matchLabels:
      app: postgresql
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      containers:
      - name: postgresql
        image: postgres:15-alpine
        ports:
        - containerPort: 5432
        env:
        - name: POSTGRES_DB
          value: authentivoice
        - name: POSTGRES_USER
          value: authentivoice
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: authentivoice-secrets
              key: postgres-password
        volumeMounts:
        - name: postgres-storage
          mountPath: /var/lib/postgresql/data
        resources:
          requests:
            memory: "512Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
            cpu: "500m"
  volumeClaimTemplates:
  - metadata:
      name: postgres-storage
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: fast-ssd
      resources:
        requests:
          storage: 50Gi

Ingress Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authentivoice
  namespace: authentivoice
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
  tls:
  - hosts:
    - authentivoice.com
    - api.authentivoice.com
    secretName: authentivoice-tls
  rules:
  - host: authentivoice.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
  - host: api.authentivoice.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 8000

Helm Chart Configuration

values.yaml Example

# Global settings
global:
  domain: authentivoice.com
  environment: production
  
# Frontend configuration
frontend:
  replicaCount: 3
  image:
    repository: authentivoice/frontend
    tag: latest
    pullPolicy: Always
  service:
    type: ClusterIP
    port: 80
  resources:
    requests:
      memory: "128Mi"
      cpu: "100m"
    limits:
      memory: "256Mi"
      cpu: "200m"
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    targetCPUUtilizationPercentage: 70
    
# Backend configuration
backend:
  replicaCount: 3
  image:
    repository: authentivoice/backend
    tag: latest
    pullPolicy: Always
  service:
    type: ClusterIP
    port: 8000
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1Gi"
      cpu: "500m"
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 20
    targetCPUUtilizationPercentage: 70
    
# Database configuration
postgresql:
  enabled: true
  auth:
    database: authentivoice
    username: authentivoice
    existingSecret: authentivoice-secrets
  primary:
    persistence:
      enabled: true
      size: 50Gi
      storageClass: fast-ssd
      
# Redis configuration
redis:
  enabled: true
  auth:
    enabled: true
    existingSecret: authentivoice-secrets
  master:
    persistence:
      enabled: true
      size: 10Gi
      
# Ingress configuration
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: authentivoice.com
      paths:
        - path: /
          pathType: Prefix
    - host: api.authentivoice.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: authentivoice-tls
      hosts:
        - authentivoice.com
        - api.authentivoice.com

Security Configuration

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-netpol
  namespace: authentivoice
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    - podSelector:
        matchLabels:
          app: nginx-ingress
    ports:
    - protocol: TCP
      port: 8000
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgresql
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - podSelector:
        matchLabels:
          app: redis
    ports:
    - protocol: TCP
      port: 6379

Pod Security Policies

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: authentivoice-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: true

Monitoring and Observability

Prometheus ServiceMonitor

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: authentivoice
  namespace: authentivoice
spec:
  selector:
    matchLabels:
      app: backend
  endpoints:
  - port: metrics
    interval: 30s
    path: /metrics

Grafana Dashboard

Import dashboard ID 14314 for Kubernetes application monitoring or use our custom AuthentiVoice dashboard.

Scaling Strategies

Horizontal Pod Autoscaling

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: backend-hpa
  namespace: authentivoice
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: backend
  minReplicas: 3
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 100
        periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60

Vertical Pod Autoscaling

apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: backend-vpa
  namespace: authentivoice
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: backend
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: backend
      maxAllowed:
        cpu: 2
        memory: 4Gi

Backup and Disaster Recovery

Database Backup CronJob

apiVersion: batch/v1
kind: CronJob
metadata:
  name: postgres-backup
  namespace: authentivoice
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: postgres-backup
            image: postgres:15-alpine
            command:
            - /bin/sh
            - -c
            - |
              DATE=$(date +%Y%m%d_%H%M%S)
              pg_dump -h postgresql -U authentivoice authentivoice | \
              aws s3 cp - s3://authentivoice-backups/postgres-$DATE.sql
            env:
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentivoice-secrets
                  key: postgres-password
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: backup-credentials
                  key: access-key
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: backup-credentials
                  key: secret-key
          restartPolicy: OnFailure

Production Best Practices

  • Set appropriate resource requests and limits
  • Use node affinity for database pods
  • Implement pod disruption budgets
  • Use priority classes for critical pods
  • Deploy across multiple availability zones
  • Use anti-affinity rules to spread pods
  • Implement readiness and liveness probes
  • Configure proper rolling update strategies
  • Enable RBAC with minimal permissions
  • Use network policies to restrict traffic
  • Implement pod security standards
  • Scan images for vulnerabilities
  • Use secrets management solutions
  • Export metrics to Prometheus
  • Centralize logs with Elasticsearch
  • Implement distributed tracing
  • Set up alerting rules
  • Create runbooks for incidents

Troubleshooting

Common issues and their solutions:
# Check pod status
kubectl get pods -n authentivoice

# Describe problematic pod
kubectl describe pod <pod-name> -n authentivoice

# Check logs
kubectl logs <pod-name> -n authentivoice

# Test database connectivity
kubectl run -it --rm debug --image=postgres:15-alpine --restart=Never -- psql -h postgresql -U authentivoice

# Check service endpoints
kubectl get endpoints -n authentivoice

# Check ingress status
kubectl describe ingress authentivoice -n authentivoice

# Verify certificate
kubectl get certificate -n authentivoice

# Check ingress controller logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller

Next Steps

1

Prepare Cluster

Ensure your Kubernetes cluster meets all requirements
2

Configure Secrets

Create all necessary secrets before deployment
3

Deploy Infrastructure

Deploy database and cache services first
4

Deploy Application

Deploy backend, then frontend services
5

Configure Monitoring

Set up Prometheus and Grafana dashboards
6

Test Deployment

Verify all components are working correctly