
Deploy releases/k8s-manifests 83564aa#149

Merged
themightychris merged 4 commits into
deploys/k8s-manifestsfrom
releases/k8s-manifests
May 27, 2026


@github-actions

kubectl diff reports that applying 83564aa will change:

diff -uN /tmp/LIVE-3010664923/apps.v1.Deployment.choose-native-plants.choose-native-plants /tmp/MERGED-512043109/apps.v1.Deployment.choose-native-plants.choose-native-plants
--- /tmp/LIVE-3010664923/apps.v1.Deployment.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.871197789 +0000
+++ /tmp/MERGED-512043109/apps.v1.Deployment.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.887198141 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: choose-native-plants
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: choose-native-plants
-    app.kubernetes.io/version: 2.1.5
-    helm.sh/chart: choose-native-plants-2.0.7
+    app.kubernetes.io/version: 2.2.8
+    helm.sh/chart: choose-native-plants-2.0.8
   name: choose-native-plants
   namespace: choose-native-plants
 spec:
@@ -176,7 +176,7 @@
               name: linode-storage
               optional: false
         - name: NODE_OPTIONS
-          value: --openssl-legacy-provider --max-old-space-size=768
+          value: --openssl-legacy-provider --max-old-space-size=3072
         envFrom:
         - configMapRef:
             name: app-config
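Review bot: The new `NODE_OPTIONS` value still carries `--openssl-legacy-provider`, which makes Node load OpenSSL's legacy provider and so keeps deprecated algorithms such as MD4 available in the running server process. That flag is usually needed only by older bundlers at build time, so if the production process does not depend on it the value can be reduced to `--max-old-space-size=3072`. If it is required at runtime, a comment in the chart values naming the dependency that needs it would help the next reviewer decide when it can go.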
@@ -192,7 +192,7 @@
         image: ghcr.io/codeforphilly/pa-wildflower-selector/app:2.2.8
         imagePullPolicy: Always
         livenessProbe:
-          failureThreshold: 3
+          failureThreshold: 5
           httpGet:
             path: /
             port: http
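Review bot: Raising `failureThreshold` to 5 here, together with `timeoutSeconds: 30` in the next hunk and the unchanged `periodSeconds: 30`, means a genuinely hung container is restarted only after roughly two and a half minutes of failed probes. The probe still requests `path: /`, the same route that user and scanner traffic hits, so outside load can still starve it and the looser thresholds only hide that. A dedicated lightweight health route (illustratively `path: /healthz`, if the app exposes or can add one) would let the timeout stay short. If no `readinessProbe` is defined outside these hunks, adding one on that route would take an overloaded pod out of rotation instead of restarting it. The `livenessProbe` block starts and ends outside both hunks.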
@@ -200,7 +200,7 @@
           initialDelaySeconds: 60
           periodSeconds: 30
           successThreshold: 1
-          timeoutSeconds: 10
+          timeoutSeconds: 30
         name: choose-native-plants-app
         ports:
         - containerPort: 3000
@@ -208,9 +208,9 @@
           protocol: TCP
         resources:
           limits:
-            memory: 1Gi
+            memory: 4Gi
           requests:
-            memory: 512Mi
+            memory: 1Gi
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
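Review bot: `requests.memory: 1Gi` against `limits.memory: 4Gi` puts the pod in the Burstable QoS class with a 3Gi gap the scheduler does not reserve, while `--max-old-space-size=3072` in the earlier hunk lets the V8 heap alone grow to about 3Gi. On a node under memory pressure this pod would be an early candidate for eviction or an OOM kill, which looks the same to users as the probe restarts this change is meant to stop. Consider setting the request near the measured working set, for example `memory: 3Gi` once it has been observed. The `resources` block may continue outside the hunk, so a CPU request could already be set there.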
diff -uN /tmp/LIVE-3010664923/networking.k8s.io.v1.Ingress.choose-native-plants.choose-native-plants /tmp/MERGED-512043109/networking.k8s.io.v1.Ingress.choose-native-plants.choose-native-plants
--- /tmp/LIVE-3010664923/networking.k8s.io.v1.Ingress.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.878197943 +0000
+++ /tmp/MERGED-512043109/networking.k8s.io.v1.Ingress.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.894198295 +0000
@@ -4,12 +4,14 @@
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/limit-connections: "20"
+    nginx.ingress.kubernetes.io/limit-rps: "20"
   labels:
     app.kubernetes.io/instance: choose-native-plants
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: choose-native-plants
-    app.kubernetes.io/version: 2.1.5
-    helm.sh/chart: choose-native-plants-2.0.7
+    app.kubernetes.io/version: 2.2.8
+    helm.sh/chart: choose-native-plants-2.0.8
   name: choose-native-plants
   namespace: choose-native-plants
 spec:
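Review bot: The added `limit-connections` and `limit-rps` annotations count per client address as ingress-nginx sees it, so they only behave as "20 per IP" if the controller receives the real client IP. Behind a load balancer without PROXY protocol or a trusted forwarded-header setup, all visitors would share one bucket; that configuration is not visible in this diff and should be confirmed. The counters are also kept per controller replica, so the effective ceiling scales with the replica count. The apply output further down lists a `gateway` and an `httproute` named `choose-native-plants`; if public traffic can reach the app through Envoy Gateway, these annotations do not cover that path and an equivalent limit is needed there. A comment in the chart values such as `# per client IP, per controller replica; burst = limit-rps x limit-burst-multiplier` would record the intent.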
diff -uN /tmp/LIVE-3010664923/v1.ConfigMap.choose-native-plants.app-config /tmp/MERGED-512043109/v1.ConfigMap.choose-native-plants.app-config
--- /tmp/LIVE-3010664923/v1.ConfigMap.choose-native-plants.app-config	2026-05-27 23:02:48.880197987 +0000
+++ /tmp/MERGED-512043109/v1.ConfigMap.choose-native-plants.app-config	2026-05-27 23:02:48.895198317 +0000
@@ -7,7 +7,7 @@
     app.kubernetes.io/instance: choose-native-plants
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: choose-native-plants
-    app.kubernetes.io/version: 2.1.5
-    helm.sh/chart: choose-native-plants-2.0.7
+    app.kubernetes.io/version: 2.2.8
+    helm.sh/chart: choose-native-plants-2.0.8
   name: app-config
   namespace: choose-native-plants
diff -uN /tmp/LIVE-3010664923/v1.Service.choose-native-plants.choose-native-plants /tmp/MERGED-512043109/v1.Service.choose-native-plants.choose-native-plants
--- /tmp/LIVE-3010664923/v1.Service.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.884198075 +0000
+++ /tmp/MERGED-512043109/v1.Service.choose-native-plants.choose-native-plants	2026-05-27 23:02:48.898198383 +0000
@@ -5,8 +5,8 @@
     app.kubernetes.io/instance: choose-native-plants
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: choose-native-plants
-    app.kubernetes.io/version: 2.1.5
-    helm.sh/chart: choose-native-plants-2.0.7
+    app.kubernetes.io/version: 2.2.8
+    helm.sh/chart: choose-native-plants-2.0.8
   name: choose-native-plants
   namespace: choose-native-plants
 spec:
diff -uN /tmp/LIVE-2281097975/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-3908833024/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-2281097975/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-27 23:02:51.260250373 +0000
+++ /tmp/MERGED-3908833024/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-27 23:02:51.271250615 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: e385b4e6-5f94-426f-95d8-ca3a5c04addc
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: e385b4e6-5f94-426f-95d8-ca3a5c04addc
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: e385b4e6-5f94-426f-95d8-ca3a5c04addc
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30
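Review bot: `helm.sh/hook: pre-install, pre-upgrade` has no effect when the rendered manifest is applied with kubectl, so this Job is an ordinary resource. Combined with `ttlSecondsAfterFinished: 30` it is deleted half a minute after finishing, so it will appear as new (`-{}`) and run again on every deploy. Because it runs `envoy-gateway certgen` under its own service account, confirm that a repeat run leaves the existing control-plane certificates untouched, or exclude hook resources from the applied set. Separately, `image: docker.io/envoyproxy/gateway:v1.7.3` with `imagePullPolicy: IfNotPresent` trusts a mutable tag; pinning by digest (`...gateway:v1.7.3@sha256:<digest>`) would make what runs under that service account reproducible.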

ZacharyLeahan and others added 4 commits May 27, 2026 17:37
App v2.2.8 added ML embeddings for semantic plant search, requiring
significantly more heap than the old v2.0.7 config. Brings resource
settings in line with cfp-sandbox-cluster which has been validated.

- NODE_OPTIONS: max-old-space-size 768 → 3072
- memory limit: 1Gi → 4Gi
- memory request: 512Mi → 1Gi
- Add nginx rate limiting (20 rps/connections per IP) to mitigate bot
  scanner traffic that causes liveness probe timeouts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Picks up the liveness probe fix (timeoutSeconds 10→30, failureThreshold
3→5) from pa-wildflower-selector v2.2.9. No app code changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lants-v2.2.9

chore(choose-native-plants): bump chart source to v2.2.9
Source-holobranch: k8s-manifests-github
Source-commit: 0d14a8b
Source: 0d14a8b
@themightychris themightychris merged commit d24df4b into deploys/k8s-manifests May 27, 2026
1 check passed
@github-actions

kubectl apply output (excluding unchanged) for d24df4b was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
gateway.gateway.networking.k8s.io/balancer configured
httproute.gateway.networking.k8s.io/balancer configured
gateway.gateway.networking.k8s.io/browserless-chrome configured
httproute.gateway.networking.k8s.io/browserless-chrome configured
gateway.gateway.networking.k8s.io/chime configured
httproute.gateway.networking.k8s.io/chime configured
configmap/app-config configured
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
ingress.networking.k8s.io/choose-native-plants configured
service/choose-native-plants configured
deployment.apps/code-for-philly configured
gateway.gateway.networking.k8s.io/code-for-philly configured
httproute.gateway.networking.k8s.io/code-for-philly configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/ingress-nginx-controller configured
deployment.apps/metrics-server configured
secret/promtail configured
statefulset.apps/loki configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
gateway.gateway.networking.k8s.io/third-places configured
httproute.gateway.networking.k8s.io/third-places configured
statefulset.apps/third-places-postgresql configured
gateway.gateway.networking.k8s.io/vaultwarden configured
httproute.gateway.networking.k8s.io/vaultwarden configured
statefulset.apps/vaultwarden-postgresql configured
