
Kubernetes

This guide walks you through deploying Alien Giraffe to your Kubernetes cluster using our official Helm chart, enabling you to run the service in your own cloud infrastructure.

Prerequisites:

  • Kubernetes cluster (1.24+) running in your cloud provider
  • Helm 3.8+ installed on your local machine
  • kubectl configured to access your cluster
  • Appropriate RBAC permissions to create deployments, services, and secrets

Add the Alien Giraffe Helm repository and refresh the local chart cache:

```bash
# Add the Alien Giraffe Helm repository
helm repo add alien-giraffe https://helm.aliengiraffe.com
# Update your local Helm chart repository cache
helm repo update
```

Create a values.yaml file with your configuration. Helm does not expand shell variables inside a values file, so substitute the `${ALIEN_GIRAFFE_LICENSE_KEY}` placeholder at install time (for example with `--set license.key=...`) rather than writing the key into a file you might commit:

values.yaml

```yaml
replicaCount: 3

image:
  repository: aliengiraffe/alien-giraffe
  tag: latest # pin to a specific release tag for reproducible, auditable deployments
  pullPolicy: IfNotPresent

# License key for your deployment
license:
  key: "${ALIEN_GIRAFFE_LICENSE_KEY}"

# Resource allocation
resources:
  requests:
    memory: "2Gi"
    cpu: "1"
  limits:
    memory: "4Gi"
    cpu: "2"

# Service configuration
service:
  type: ClusterIP
  port: 8080
  targetPort: 8080

# Ingress configuration (optional)
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: alien-giraffe.your-domain.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: alien-giraffe-tls
      hosts:
        - alien-giraffe.your-domain.com

# Data source configurations
datasources:
  postgres:
    - name: "analytics"
      host: "postgres.your-cloud.com"
      port: 5432
      database: "analytics_db"
      username: "alien_giraffe_reader"
      passwordSecret: "postgres-credentials"
      passwordKey: "password"
  s3:
    - name: "data-lake"
      region: "us-west-2"
      bucket: "company-data-lake"
      credentialsSecret: "aws-credentials"

# Security configuration
security:
  enableNetworkPolicies: true
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

# Persistent storage for cache and temporary data
persistence:
  enabled: true
  storageClass: "fast-ssd"
  accessMode: ReadWriteOnce
  size: 20Gi

# Monitoring and observability
monitoring:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 30s
  prometheusOperator:
    enabled: true

# Auto-scaling configuration
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80
```

Before deploying, create the namespace and the secrets referenced by your data sources (the namespace must exist before secrets can be created in it):

```bash
# Create namespace
kubectl create namespace alien-giraffe
# Create PostgreSQL credentials
kubectl create secret generic postgres-credentials \
  --from-literal=password='your-postgres-password' \
  -n alien-giraffe
# Create AWS credentials for S3 access
kubectl create secret generic aws-credentials \
  --from-literal=access-key-id='your-access-key' \
  --from-literal=secret-access-key='your-secret-key' \
  -n alien-giraffe
# Create license key secret
kubectl create secret generic alien-giraffe-license \
  --from-literal=key='your-license-key' \
  -n alien-giraffe
```

Then deploy the chart:

```bash
# Deploy Alien Giraffe
helm install alien-giraffe alien-giraffe/alien-giraffe \
  --namespace alien-giraffe \
  --values values.yaml
```

For AWS EKS deployments, use IAM roles for service accounts:

values-eks.yaml

```yaml
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/alien-giraffe-role

# Use IRSA instead of static credentials
datasources:
  s3:
    - name: "data-lake"
      region: "us-west-2"
      bucket: "company-data-lake"
      useIRSA: true # Uses IAM role instead of credentials
```

For GKE deployments with Workload Identity:

values-gke.yaml

```yaml
serviceAccount:
  create: true
  annotations:
    iam.gke.io/gcp-service-account: alien-giraffe@your-project.iam.gserviceaccount.com

# Use GKE Workload Identity
datasources:
  bigquery:
    - name: "analytics"
      project: "your-gcp-project"
      dataset: "analytics_dataset"
      useWorkloadIdentity: true
```

For AKS deployments with managed identity:

values-aks.yaml

```yaml
podIdentity:
  enabled: true
  identityId: "/subscriptions/xxx/resourcegroups/xxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alien-giraffe"

datasources:
  azureBlob:
    - name: "data-lake"
      storageAccount: "yourstorageaccount"
      container: "data"
      useManagedIdentity: true
```

For production deployments requiring high availability:

values-ha.yaml

```yaml
replicaCount: 5

# Pod disruption budget
podDisruptionBudget:
  enabled: true
  minAvailable: 2

# Anti-affinity rules to spread pods across nodes
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: app.kubernetes.io/name
              operator: In
              values:
                - alien-giraffe
        topologyKey: kubernetes.io/hostname

# Multi-zone deployment
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule
    labelSelector:
      matchLabels:
        app.kubernetes.io/name: alien-giraffe
```

If using a private container registry:

values-private-registry.yaml

```yaml
image:
  repository: your-registry.com/alien-giraffe
  pullPolicy: Always

imagePullSecrets:
  - name: regcred

# Create the registry secret:
# kubectl create secret docker-registry regcred \
#   --docker-server=your-registry.com \
#   --docker-username=your-username \
#   --docker-password=your-password \
#   -n alien-giraffe
```

For environments with strict security requirements:

values-security.yaml

```yaml
# Network policies
networkPolicy:
  enabled: true
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
        - podSelector:
            matchLabels:
              app: api-gateway
      ports:
        - protocol: TCP
          port: 8080

# Pod Security Policy (Kubernetes 1.24 and earlier; removed in 1.25)
podSecurityPolicy:
  enabled: true
  spec:
    privileged: false
    allowPrivilegeEscalation: false
    requiredDropCapabilities:
      - ALL
    volumes:
      - 'configMap'
      - 'emptyDir'
      - 'projected'
      - 'secret'
      - 'persistentVolumeClaim'
    runAsUser:
      rule: 'MustRunAsNonRoot'
    seLinux:
      rule: 'RunAsAny'
    fsGroup:
      rule: 'RunAsAny'
```

Two details worth checking against your intent: the two entries under `from` are separate list items, so the rule admits traffic from any pod in a namespace labelled `name: frontend` or from pods labelled `app: api-gateway` in the release's own namespace (an OR, not an AND). PodSecurityPolicy was removed in Kubernetes 1.25, so the `podSecurityPolicy` section only takes effect on 1.24 clusters; on newer versions enforce the equivalent baseline by labelling the namespace for Pod Security Admission (for example `pod-security.kubernetes.io/enforce: restricted`).

The Helm chart includes a Prometheus ServiceMonitor for metrics collection:

```yaml
# Prometheus will automatically discover and scrape metrics
monitoring:
  enabled: true
  serviceMonitor:
    enabled: true
    namespace: monitoring
    labels:
      prometheus: kube-prometheus
    interval: 30s
    path: /metrics
```

Import our official Grafana dashboard for monitoring (dashboard ID 18274, available at https://grafana.com/grafana/dashboards/18274).

Key metrics to monitor:

  • Query response times
  • Data source connection health
  • Security rule violations
  • Resource utilization
  • Cache hit rates

To upgrade your Alien Giraffe deployment:

```bash
# Update the Helm repository
helm repo update
# Check for new versions
helm search repo alien-giraffe/alien-giraffe --versions
# Upgrade to a new version
helm upgrade alien-giraffe alien-giraffe/alien-giraffe \
  --namespace alien-giraffe \
  --values values.yaml \
  --version 2.0.0
```
Before upgrading or migrating, back up the release values and secrets:

```bash
# Export current Helm values
helm get values alien-giraffe -n alien-giraffe > backup-values.yaml
# Backup Kubernetes secrets
kubectl get secrets -n alien-giraffe -o yaml > backup-secrets.yaml
```

backup-secrets.yaml holds the secret data base64-encoded, not encrypted, so store it with the same protection as the credentials themselves.

In case of cluster failure:

```bash
# Recreate the namespace the backed-up secrets belong to
kubectl create namespace alien-giraffe
# Restore secrets
kubectl apply -f backup-secrets.yaml
# Redeploy using backed up values
helm install alien-giraffe alien-giraffe/alien-giraffe \
  --namespace alien-giraffe \
  --values backup-values.yaml
```
Troubleshooting common issues:

  1. Pods not starting

     ```bash
     # Check pod status
     kubectl get pods -n alien-giraffe
     # View pod logs
     kubectl logs -n alien-giraffe deployment/alien-giraffe
     # Describe pod for events
     kubectl describe pod -n alien-giraffe <pod-name>
     ```

  2. Connection issues to data sources

     ```bash
     # Verify secrets are created
     kubectl get secrets -n alien-giraffe
     # Test network connectivity from pod
     kubectl exec -n alien-giraffe deployment/alien-giraffe -- nc -zv postgres.your-cloud.com 5432
     ```

  3. Performance issues

     ```bash
     # Check resource usage
     kubectl top pods -n alien-giraffe
     # View HPA status
     kubectl get hpa -n alien-giraffe
     ```
Security best practices:

  1. Use Network Policies - Restrict traffic to only necessary connections
  2. Enable RBAC - Use minimal permissions for service accounts
  3. Encrypt Secrets - Use sealed-secrets or external secret managers
  4. Regular Updates - Keep the Helm chart and container images updated
  5. Audit Logging - Enable Kubernetes audit logs for compliance