Skip to content

Production deployment documentation #3712

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Production deployment documentation #3712

wants to merge 1 commit into from

Conversation

@mjudeikis
Copy link
Contributor

@mjudeikis mjudeikis commented Nov 11, 2025

Summary

This PR adds detailed deployment documentation on how to deploy kcp in a production configuration.
/kind documentation

What Type of PR Is This?

Related Issue(s)

Fixes #

Release Notes

Production deployment documentation

@kcp-ci-bot kcp-ci-bot added kind/documentation Categorizes issue or PR as related to documentation. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has signed the DCO. labels Nov 11, 2025
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Nov 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from mjudeikis. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Nov 11, 2025
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
contrib/production/kcp-comer/etcd-druid-alpha.yaml
Comment on lines +40 to +43
garbageCollectionPolicy: Exponential
garbageCollectionPeriod: 43200s
deltaSnapshotPeriod: 300s
deltaSnapshotMemoryLimit: 1Gi
Copy link
Member

@xmudrii xmudrii Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not much important because this is about backups, but maybe it would be useful to have a comment why are these values chosen (e.g. if they're default, changed because it's better in prod this way, etc).

Copy link
Contributor Author

@mjudeikis mjudeikis Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was taken from etcd-druid docs. would be good if they could comment on this. Never teted this myself :/

xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
contrib/production/kcp-comer/certificate-etcd.yaml
- "*.alpha-peer.kcp-comer.svc"
- "*.alpha-peer.kcp-comer.svc.cluster.local"
issuerRef:
name: etcd-ca
Copy link
Member

@xmudrii xmudrii Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this not using etcd-ca from the kcp-comer namespace, similar to etcd-tls-ca?

Copy link
Contributor Author

@mjudeikis mjudeikis Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be miskate. Need to test before I change it. TBH re-testing this means rebuilding everything. So will take a note and once I do next rebuild - will check.

Copy link
Contributor Author

@mjudeikis mjudeikis Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will leave it for now, and will creat follow-up issue to test this again.

xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
contrib/production/cert-manager/certificate-example.yaml
Copy link
Member

@xmudrii xmudrii Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense that we put comments such as # CHANGE ME for fields that should be changed (e.g. dnsNames)? That way, people can easier find it, and we can say in docs search for CHANGE ME and change those values.

Copy link
Contributor Author

@mjudeikis mjudeikis Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change me confuses too. When you see #Change me. Its not always clear what it should be? Root url, shard url, workspace URL?

All this should be used as a reference, not "as is". So having real values gives more context that changes me and explanations. In general, this is a start, and once we get feedback, we can iterate.

xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
xmudrii
xmudrii reviewed Nov 12, 2025
View reviewed changes
@mjudeikis mjudeikis force-pushed the mjudeikis/production.readiness branch from 269d3b4 to c2befd5 Compare November 14, 2025 13:15
@mjudeikis
Add production deployment documentation
8311dd9 
Signed-off-by: Mangirdas Judeikis <[email protected]>
On-behalf-of: @SAP [email protected]
@mjudeikis mjudeikis force-pushed the mjudeikis/production.readiness branch from c2befd5 to 8311dd9 Compare November 14, 2025 13:19
xmudrii
xmudrii requested changes Nov 14, 2025
View reviewed changes
Copy link
Member

@xmudrii xmudrii left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some final nits as of now. I would say, after these are fixed, we merge this PR and iterate as needed.

contrib/production/cert-manager/certificate-example.yaml

# Reference to the ClusterIssuer
issuerRef:
name: kcp-comerletsencrypt-prod
Copy link
Member

@xmudrii xmudrii Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is referenced in other places as letsencrypt-prod

contrib/production/oidc-dex/certificate-dns.yaml
spec:
secretName: dex-tls
issuerRef:
name: kcp-comerletsencrypt-prod
Copy link
Member

@xmudrii xmudrii Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is referenced in other places as letsencrypt-prod

docs/content/setup/production/index.md

### [kcp-vespucci](kcp-vespucci.md) - External Certificates
- **Best for**: Production environments requiring trusted certificates
- **Certificate approach**: Let's Encrypt for front-proxy with public shard access
Copy link
Member

@xmudrii xmudrii Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this be correct?

Suggested change
- **Certificate approach**: Let's Encrypt for front-proxy with public shard access
- **Certificate approach**: Let's Encrypt for front-proxy, self-signed certificates for shards

docs/content/setup/production/kcp-comer.md
# For other platforms, see: https://github.com/int128/kubelogin
```

**Solution**: Use OIDC authentication for external access.
Copy link
Member

@xmudrii xmudrii Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Solution: here looks weird to me, sounds like an incomplete sentence.

docs/content/setup/production/kcp-dekker.md
# For other platforms, see: https://github.com/int128/kubelogin
```

### Configure OIDC Credentials
Copy link
Member

@xmudrii xmudrii Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should have a test step like for kcp-dekker here, to make sure it works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xmudrii xmudrii xmudrii requested changes

Assignees

@xmudrii xmudrii

Labels

dco-signoff: yes Indicates the PR's author has signed the DCO. kind/documentation Categorizes issue or PR as related to documentation. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mjudeikis @kcp-ci-bot @xmudrii