ministryofjustice · EarthlingDavey · Jan 17, 2025 · Jan 17, 2025
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -26,3 +26,13 @@ jobs:
       environment: development
       registry: ${{ needs.image.outputs.registry }}
     secrets: inherit
+
+  deploy_staging:
+    name: "Staging"
+    if: github.event.ref == 'refs/heads/main'
+    uses: ./.github/workflows/deploy.yml
+    needs: [image, deploy_dev]
+    with:
+      environment: staging
+      registry: ${{ needs.image.outputs.registry }}
+    secrets: inherit
diff --git a/deploy/staging/config.yml b/deploy/staging/config.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: intranet-archive-staging-config
+  namespace: intranet-archive-staging
+data:
+  ALLOWED_AGENCIES: ""
+  SNAPSHOT_SCHEDULE: ""
diff --git a/deploy/staging/secret.tpl.yml b/deploy/staging/secret.tpl.yml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: intranet-archive-staging-secrets
+type: Opaque
+stringData:
+  INTRANET_JWT: "${INTRANET_JWT}"
+  INTRANET_ARCHIVE_SHARED_SECRET: "${INTRANET_ARCHIVE_SHARED_SECRET}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: intranet-archive-staging-base64-secrets
+type: Opaque
+data:
+  AWS_CLOUDFRONT_PRIVATE_KEY: "${AWS_CLOUDFRONT_PRIVATE_KEY_BASE64}"
+  AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudfront-input
+type: Opaque
+data:
+  AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}"
+  # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+type: Opaque
+data:
+  auth: "${BASIC_AUTH_BASE64}"
diff --git a/deploy/staging/service.yml b/deploy/staging/service.yml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: intranet-archive-service
+  labels:
+    app: intranet-archive
+spec:
+  ports:
+  - port: 80
+    name: http
+    targetPort: 8080
+  selector:
+    app: intranet-archive
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: intranet-archive-headless-service
+  labels:
+    app: intranet-archive
+spec:
+  ports:
+  - port: 80
+    name: http
+    targetPort: 8080
+  clusterIP: None # Headless service setting
+  selector:
+    app: intranet-archive
diff --git a/deploy/staging/stateful-set.tpl.yml b/deploy/staging/stateful-set.tpl.yml
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ${KUBE_NAMESPACE}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app: intranet-archive
+  serviceName: intranet-archive-headless-service
+  template:
+    metadata:
+      labels:
+        app: intranet-archive
+    spec:
+      serviceAccountName: ${KUBE_NAMESPACE}-service
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: "RuntimeDefault"
+      containers:
+      - name: intranet-archive
+        image: ${ECR_URL}:${IMAGE_TAG}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
+          runAsGroup: 1001
+          capabilities: 
+            drop: ["ALL"]
+        resources:
+          limits:
+            cpu: 500m
+            memory: 250Mi
+          requests:
+            cpu: 500m
+            memory: 250Mi
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: snapshots
+          mountPath: "/tmp/snapshots"
+        env:
+          - name: S3_BUCKET_NAME
+            valueFrom:
+              secretKeyRef:
+                name: s3-bucket-output
+                key: bucket_name
+          - name: AWS_CLOUDFRONT_PUBLIC_KEYS_OBJECT
+            valueFrom:
+              secretKeyRef:
+                name: cloudfront-output
+                key: cloudfront_public_keys
+          - name: ORDINAL_NUMBER
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+        envFrom:
+          - configMapRef:
+              name: ${KUBE_NAMESPACE}-config
+          - secretRef:
+              name: ${KUBE_NAMESPACE}-secrets
+          - secretRef:
+              name: ${KUBE_NAMESPACE}-base64-secrets
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 15
+  volumeClaimTemplates:
+  - metadata:
+      name: snapshots
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: "gp2-expand" # StorageClass name used to create PV
+      resources:
+        requests:
+          storage: 100Gi # Storage resource request size