feat: add Phase 5 K3s production manifests and deploy script

- Add k8s/ directory with 21 manifest files
- Namespaces: linkedin-prod, monitoring, logging
- Databases: PostgreSQL, Neo4j, Redis (StatefulSets with PVCs)
- Messaging: Kafka (KRaft mode), Kafbat UI
- Infrastructure: config-server, discovery-server
- Microservices: 6 services with HPA (min:2, max:10), rolling updates
- Observability: Zipkin, OpenSearch, OpenSearch Dashboards
- Network policy for api-gateway zero-trust egress
- Deploy script (k8s/deploy.sh) for ordered deployment
- Update prod-ci-cd.yml with configmap apply step
- Whitelist k8s/deploy.sh in .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: premtsd-code

.github/workflows/prod-ci-cd.yml

@@ -108,6 +108,8 @@ jobs:
           mkdir -p ~/.kube
           echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config
           chmod 600 ~/.kube/config
+      - name: Update configmap
+        run: kubectl apply -f k8s/configmap.yaml
       - name: Deploy changed services
         run: |
           for service in api-gateway user-service post-service connections-service notification-service uploader-service config-server discovery-server; do

.gitignore

@@ -48,6 +48,7 @@ build/
 prem-portfolio/
 *.ps1
 *.sh
+!k8s/deploy.sh
 
 # -------------------------
 # Node.js & Angular (if any)

k8s/configmap.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: linkedin-config
+  namespace: linkedin-prod
+data:
+  SPRING_PROFILES_ACTIVE: "prod"
+  EUREKA_URL: "http://discovery-server:8761/eureka"
+  KAFKA_SERVERS: "kafka:9092"
+  REDIS_HOST: "redis"
+  REDIS_PORT: "6379"
+  ZIPKIN_URL: "http://zipkin:9411"
+  CONFIG_SERVER_URL: "http://config-server:8888"
+  OPENSEARCH_HOST: "opensearch"
+  OPENSEARCH_PORT: "9200"
+  DB_URL: "jdbc:postgresql://postgres:5432/linkedinDB"
+  DB_USER: "linkedin_user"
+  NEO4J_URI: "bolt://neo4j:7687"
+  NEO4J_USER: "neo4j"

k8s/databases/neo4j.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: neo4j
+  namespace: linkedin-prod
+spec:
+  serviceName: neo4j
+  replicas: 1
+  selector:
+    matchLabels:
+      app: neo4j
+  template:
+    metadata:
+      labels:
+        app: neo4j
+    spec:
+      containers:
+      - name: neo4j
+        image: neo4j:5
+        ports:
+        - containerPort: 7474
+          name: browser
+        - containerPort: 7687
+          name: bolt
+        env:
+        - name: NEO4J_AUTH
+          valueFrom:
+            secretKeyRef:
+              name: linkedin-secrets
+              key: NEO4J_PASSWORD
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+        volumeMounts:
+        - name: neo4j-data
+          mountPath: /data
+  volumeClaimTemplates:
+  - metadata:
+      name: neo4j-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: neo4j
+  namespace: linkedin-prod
+spec:
+  type: NodePort
+  selector:
+    app: neo4j
+  ports:
+  - name: browser
+    port: 7474
+    targetPort: 7474
+    nodePort: 32101
+  - name: bolt
+    port: 7687
+    targetPort: 7687
+    nodePort: 32102

k8s/databases/postgres.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: linkedin-prod
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:15
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_DB
+          value: linkedinDB
+        - name: POSTGRES_USER
+          value: linkedin_user
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: linkedin-secrets
+              key: DB_PASSWORD
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "500m"
+          limits:
+            memory: "1Gi"
+            cpu: "1000m"
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - linkedin_user
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - linkedin_user
+          initialDelaySeconds: 10
+          periodSeconds: 5
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: linkedin-prod
+spec:
+  type: NodePort
+  selector:
+    app: postgres
+  ports:
+  - port: 5432
+    targetPort: 5432
+    nodePort: 32100

k8s/databases/redis.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: linkedin-prod
+spec:
+  serviceName: redis
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - name: redis
+        image: bitnami/redis:latest
+        ports:
+        - containerPort: 6379
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: linkedin-secrets
+              key: REDIS_PASSWORD
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "250m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        volumeMounts:
+        - name: redis-data
+          mountPath: /bitnami/redis/data
+  volumeClaimTemplates:
+  - metadata:
+      name: redis-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: linkedin-prod
+spec:
+  type: NodePort
+  selector:
+    app: redis
+  ports:
+  - port: 6379
+    targetPort: 6379
+    nodePort: 32103

k8s/deploy.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+echo "Deploying LinkedIn to K3s Production..."
+
+echo "Creating namespaces..."
+kubectl apply -f k8s/namespace.yaml
+
+echo "Creating configmap and secrets..."
+kubectl apply -f k8s/configmap.yaml
+kubectl apply -f k8s/secrets.yaml
+
+echo "Deploying databases..."
+kubectl apply -f k8s/databases/postgres.yaml
+kubectl apply -f k8s/databases/neo4j.yaml
+kubectl apply -f k8s/databases/redis.yaml
+
+echo "Waiting for databases..."
+kubectl rollout status statefulset/postgres -n linkedin-prod --timeout=3m
+kubectl rollout status statefulset/redis -n linkedin-prod --timeout=3m
+
+echo "Deploying messaging..."
+kubectl apply -f k8s/messaging/kafka.yaml
+sleep 30
+kubectl apply -f k8s/messaging/kafbat-ui.yaml
+
+echo "Deploying infrastructure..."
+kubectl apply -f k8s/infrastructure/config-server.yaml
+kubectl rollout status deployment/config-server -n linkedin-prod --timeout=3m
+
+kubectl apply -f k8s/infrastructure/discovery-server.yaml
+kubectl rollout status deployment/discovery-server -n linkedin-prod --timeout=3m
+
+echo "Deploying microservices..."
+kubectl apply -f k8s/microservices/
+kubectl rollout status deployment/api-gateway -n linkedin-prod --timeout=5m
+kubectl rollout status deployment/user-service -n linkedin-prod --timeout=5m
+kubectl rollout status deployment/post-service -n linkedin-prod --timeout=5m
+
+echo "Deploying observability..."
+kubectl apply -f k8s/observability/
+
+echo "Applying network policies..."
+kubectl apply -f k8s/network-policy.yaml
+
+echo ""
+echo "Deployment complete!"
+echo ""
+kubectl get pods -n linkedin-prod
+echo ""
+kubectl get services -n linkedin-prod

k8s/infrastructure/config-server.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: config-server
+  namespace: linkedin-prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: config-server
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: config-server
+    spec:
+      containers:
+      - name: config-server
+        image: premtsd18/config-server:amd64
+        ports:
+        - containerPort: 8888
+        envFrom:
+        - configMapRef:
+            name: linkedin-config
+        - secretRef:
+            name: linkedin-secrets
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "250m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /actuator/health/liveness
+            port: 8888
+          initialDelaySeconds: 60
+          periodSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /actuator/health/readiness
+            port: 8888
+          initialDelaySeconds: 40
+          periodSeconds: 5
+          failureThreshold: 3
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: config-server
+  namespace: linkedin-prod
+spec:
+  selector:
+    app: config-server
+  ports:
+  - port: 8888
+    targetPort: 8888