Modernize Kubernetes Deployment Strategy for SmartEM

[vredchenko]

Description

The current deployment strategy for smartem-http-api and smartem-frontend uses several "legacy" patterns that can be improved for better maintainability, security, and reliability. This issue tracks the transition from the current Nginx-heavy/LoadBalancer-per-service approach to a more modern Kubernetes architecture.

🔍 Current State Analysis

1. Nginx vs. Modern Standards

• The "EOL" Rumor: To clarify, Nginx is not EOL in Kubernetes. However, the standard Ingress API is being succeeded by the Kubernetes Gateway API.
• Redundant Configs: smartem-http-api.yaml contains an nginx-config volume that is defined but never mounted.

2. Networking and Service Exposure

• LoadBalancer Proliferation: Both the frontend and backend are currently using type: LoadBalancer. This is expensive in cloud environments and unnecessary on-prem if an Ingress Controller is available.
• Hardcoded IP addresses: The frontend uses a hardcoded IP for REACT_APP_ENDPOINT, which makes the deployment brittle.

Proposed Modernization Strategy

1. Move to "Proxy-Pass" Architecture

Instead of the frontend reaching out to a public IP for the API, we should use the Nginx/Caddy server to proxy /api requests to the internal service name. This removes the need for CORS and hardcoded IPs.

2. Clean up Resource Definitions

• Switch internal services to type: ClusterIP.
• Consolidate environment variables using envFrom.
• Remove unused volumes and secrets.

3. Consider Caddy for the SPA

Evaluate switching from Nginx to Caddy for serving the SPA static files. Caddy offers a much simpler "Single Page App" configuration:

# Caddyfile example
example.com {
    root * /usr/share/caddy
    file_server
    try_files {path} /index.html
    reverse_proxy /api/* smartem-http-api-service:8000
}

Proposed Changes: smartem-http-api.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: smartem-http-api
  namespace: em
  labels:
    app: smartem-http-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: smartem-http-api
  template:
    metadata:
      labels:
        app: smartem-http-api
    spec:
      imagePullSecrets:
      - name: k8s-em-gitlab-secret
      containers:
      - name: smartem-http-api
        image: gitlab.diamond.ac.uk:5050/scisoft/cryoem/cryoem-deployments/smartem-decisions:dev
        ports:
        - containerPort: 8000
        envFrom:
        - secretRef:
            name: smartem-secrets
        env:
        - name: ROLE
          value: "api"
        - name: SMARTEM_BACKEND_CONFIG
          value: /app/appconfig.yml
        volumeMounts:
        - name: app-config
          mountPath: /app/
        - name: dls
          mountPath: /dls
          readOnly: true
      volumes:
      - name: app-config
        configMap:
          name: smartem-decisions-app-config
      - name: dls
        hostPath:
          path: /dls
          type: Directory

---
apiVersion: v1
kind: Service
metadata:
  name: smartem-http-api-service
  namespace: em
spec:
  selector:
    app: smartem-http-api
  ports:
  - port: 8000
    targetPort: 8000
  type: ClusterIP # Internal only, accessible via Frontend Proxy or Ingress

Next Steps

• Refactor smartem-frontend.yaml to remove type: LoadBalancer.
• Implement internal proxying in the Frontend container.
• Test connectivity using internal service DNS names.