forgedev 1.3.0 → 1.4.1

package/templates/infra/k8s/k8s/deployment.yml.template

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{PROJECT_NAME}}
+  labels:
+    app: {{PROJECT_NAME}}
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: {{PROJECT_NAME}}
+  template:
+    metadata:
+      labels:
+        app: {{PROJECT_NAME}}
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+      containers:
+        - name: {{PROJECT_NAME}}
+          image: {{PROJECT_NAME}}:{{IMAGE_TAG}}  # Update to match your CI-built image tag
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: {{APP_PORT}}
+          env:
+            - name: PORT
+              value: "{{APP_PORT}}"
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{PROJECT_NAME}}-secrets
+                  key: database-url
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: {{APP_PORT}}
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{APP_PORT}}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+      volumes:
+        - name: tmp
+          emptyDir: {}
+      terminationGracePeriodSeconds: 30

package/templates/infra/k8s/k8s/hpa.yml.template

@@ -0,0 +1,24 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{PROJECT_NAME}}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{PROJECT_NAME}}
+  minReplicas: 2
+  maxReplicas: 10
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: 80

package/templates/infra/k8s/k8s/ingress.yml.template

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{PROJECT_NAME}}
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/limit-rps: "10"
+    nginx.ingress.kubernetes.io/limit-connections: "5"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{PROJECT_NAME}}.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{PROJECT_NAME}}
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - {{PROJECT_NAME}}.example.com
+      secretName: {{PROJECT_NAME}}-tls

package/templates/infra/k8s/k8s/kustomization.yml.template

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: {{PROJECT_NAME}}
+
+resources:
+  - namespace.yml
+  - deployment.yml
+  - service.yml
+  - ingress.yml
+  - secrets.yml
+  - hpa.yml
+  - networkpolicy.yml

package/templates/infra/k8s/k8s/namespace.yml.template

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{PROJECT_NAME}}

package/templates/infra/k8s/k8s/networkpolicy.yml.template

@@ -0,0 +1,41 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{PROJECT_NAME}}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{PROJECT_NAME}}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: {{APP_PORT}}
+  egress:
+    # Database
+    - to:
+        - podSelector:
+            matchLabels:
+              app: postgres
+      ports:
+        - port: 5432
+    # DNS (UDP + TCP for large responses)
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Uncomment to allow outbound HTTPS (external APIs, OAuth, webhooks)
+    # - to: []
+    #   ports:
+    #     - port: 443
+    #       protocol: TCP

package/templates/infra/k8s/k8s/secrets.yml.template

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{PROJECT_NAME}}-secrets
+type: Opaque
+stringData:
+  # IMPORTANT: Replace these placeholder values before deploying.
+  # In production, use sealed-secrets, external-secrets, or your cloud provider's secret manager.
+  # Do NOT commit real credentials to version control.
+  database-url: "postgresql://USER:CHANGE_ME_BEFORE_DEPLOY@postgres:5432/{{PROJECT_NAME_SNAKE}}?sslmode=require"

package/templates/infra/k8s/k8s/service.yml.template

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{PROJECT_NAME}}
+  labels:
+    app: {{PROJECT_NAME}}
+spec:
+  type: ClusterIP
+  selector:
+    app: {{PROJECT_NAME}}
+  ports:
+    - name: http
+      port: 80
+      targetPort: {{APP_PORT}}
+      protocol: TCP

package/templates/testing/load/k6/README.md.template

@@ -0,0 +1,48 @@
+# Load Testing — {{PROJECT_NAME_PASCAL}}
+
+Uses [k6](https://k6.io/) for load testing.
+
+## Setup
+
+```bash
+# macOS
+brew install k6
+
+# Windows (scoop)
+scoop install k6
+
+# Docker (no install)
+docker run --rm -i grafana/k6 run - <load-test.js
+```
+
+## Run
+
+```bash
+# Smoke test (quick, single request)
+k6 run --vus 1 --iterations 1 k6/load-test.js
+
+# Full load test against local server
+k6 run k6/load-test.js
+
+# Against staging
+k6 run -e BASE_URL=https://staging.example.com k6/load-test.js
+```
+
+## Thresholds
+
+| Metric | Threshold | Meaning |
+|--------|-----------|---------|
+| `http_req_duration p(95)` | < 500ms | 95th percentile response time |
+| `http_req_duration p(99)` | < 1.5s | 99th percentile response time |
+| `http_req_failed` | < 1% | Error rate |
+| `checks` | > 99% | Assertion pass rate |
+
+## CI Integration
+
+Add to your CI pipeline after deployment:
+
+```yaml
+- name: Load test
+  run: |
+    k6 run -e BASE_URL=${{ secrets.STAGING_URL }} k6/load-test.js
+```

package/templates/testing/load/k6/load-test.js.template

@@ -0,0 +1,57 @@
+import http from 'k6/http';
+import { check, sleep } from 'k6';
+
+// ─── Configuration ──────────────────────────────────────────────────
+// Override via environment: k6 run -e BASE_URL=https://staging.example.com load-test.js
+
+const BASE_URL = __ENV.BASE_URL || 'http://localhost:{{APP_PORT}}';
+
+export const options = {
+  // Ramp-up pattern: smoke → load → stress → recovery
+  stages: [
+    { duration: '30s', target: 10 },   // smoke: 10 users
+    { duration: '1m',  target: 50 },   // load: ramp to 50
+    { duration: '2m',  target: 50 },   // load: hold at 50
+    { duration: '30s', target: 100 },  // stress: ramp to 100
+    { duration: '1m',  target: 100 },  // stress: hold at 100
+    { duration: '30s', target: 0 },    // recovery: ramp down
+  ],
+  thresholds: {
+    http_req_duration: ['p(95)<500', 'p(99)<1500'],  // 95th < 500ms, 99th < 1.5s
+    http_req_failed: ['rate<0.01'],                    // <1% error rate
+    checks: ['rate>0.99'],                             // >99% checks pass
+  },
+};
+
+// ─── Health check ───────────────────────────────────────────────────
+
+export default function () {
+  // Liveness probe
+  const health = http.get(`${BASE_URL}/health`);
+  check(health, {
+    'health: status 200': (r) => r.status === 200,
+    'health: status ok': (r) => {
+      try { return JSON.parse(r.body).status === 'ok'; } catch { return false; }
+    },
+    'health: response < 200ms': (r) => r.timings.duration < 200,
+  });
+
+  // Readiness probe
+  const healthz = http.get(`${BASE_URL}/healthz`);
+  check(healthz, {
+    'healthz: status 200': (r) => r.status === 200,
+  });
+
+  sleep(1);
+}
+
+// ─── Smoke test (quick validation) ─────────────────────────────────
+// Run with: k6 run --exec smoke load-test.js
+
+export function smoke() {
+  const res = http.get(`${BASE_URL}/health`);
+  check(res, {
+    'smoke: status 200': (r) => r.status === 200,
+    'smoke: response < 100ms': (r) => r.timings.duration < 100,
+  });
+}