EclipseFdn · manpreetkaur-arch · Jan 21, 2026 · Jan 23, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -20,6 +20,19 @@ pipeline {
             - mountPath: "/home/default/.kube"
               name: "dot-kube"
               readOnly: false
+          - name: eks
+            image: eclipsefdn/aws:alpine-latest
+            command:
+            - cat
+            tty: true
+            resources:
+              limits:
+                cpu: 1
+                memory: 1Gi
+            volumeMounts:
+            - mountPath: "/home/default/.kube"
+              name: "dot-kube"
+              readOnly: false
           - name: jnlp
             resources:
               limits:
@@ -79,6 +92,24 @@ pipeline {
       }
     }
 
+    stage('Deploy to EKS staging environment') { 
+      when {
+        anyOf {
+        expression { return env.BRANCH_NAME.startsWith('feature') }
+        branch 'eks-main'
+      }
+      }
+      steps {
+        container('eks') {
+          withKubeConfig([credentialsId: 'ci-bot-eks-staging-token', serverUrl: 'https://5CF0970816FA7A7C340E6BEF8575A8D4.gr7.eu-central-1.eks.amazonaws.com']) {
+            sh '''
+              ./kubernetes/helm-deploy.sh aws-staging "${IMAGE_TAG}"
+            '''
+          }
+        }
+      }
+    }
+
     stage('Deploy test') {
       when {
         branch 'test'

diff --git a/charts/openvsx/Chart.lock b/charts/openvsx/Chart.lock
@@ -2,5 +2,11 @@ dependencies:
 - name: alloy
   repository: https://grafana.github.io/helm-charts
   version: 1.1.2
-digest: sha256:66403884b7f293e86e2a61d0d822fd0878a6b4a64e5e88f181b93022bc4f9bcd
-generated: "2025-08-20T12:51:18.346537659+03:00"
+- name: postgresql-ha
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.3.2
+- name: aws-load-balancer-controller
+  repository: https://aws.github.io/eks-charts
+  version: 1.14.0
+digest: sha256:e2c6dcf71280bba07adec1bf48d16ede03c8e30b5075a1899e460a6c393eaf16
+generated: "2026-03-21T12:01:49.110601-04:00"
diff --git a/charts/openvsx/Chart.yaml b/charts/openvsx/Chart.yaml
@@ -8,3 +8,11 @@ dependencies:
   - name: alloy
     version: 1.1.2
     repository: https://grafana.github.io/helm-charts
+  - name: postgresql-ha
+    version: 16.3.2
+    repository: https://charts.bitnami.com/bitnami
+    condition: eks.enabled
+  - name: aws-load-balancer-controller
+    version: 1.14.0
+    repository: https://aws.github.io/eks-charts
+    condition: eks.enabled
diff --git a/charts/openvsx/crds/service-monitor.yaml b/charts/openvsx/crds/service-monitor.yaml
diff --git a/charts/openvsx/templates/deployment.yaml b/charts/openvsx/templates/deployment.yaml
@@ -8,8 +8,9 @@ metadata:
   namespace: {{ .Values.namespace }}
 spec:
   progressDeadlineSeconds: 3600
-  revisionHistoryLimit: 1
+  {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       app: {{ .Values.name }}

diff --git a/charts/openvsx/templates/hpa-openvsx-app.yaml b/charts/openvsx/templates/hpa-openvsx-app.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ .Values.name }}-{{ .Values.environment }}-hpa
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ .Values.name }}-{{ .Values.environment }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+  behavior:
+    scaleDown:
+      # Look at the last 10 minutes and pick the HIGHEST replica count recommended. 
+      # This ensures we don't scale down during a brief 1-minute dip in traffic.
+      stabilizationWindowSeconds: {{ .Values.autoscaling.scaleDownWindow | default 600 }}
+      policies:
+      - type: Percent
+        value: 10
+        periodSeconds: 60  # Only remove 10% of pods per minute
+    scaleUp:
+      # Scale up almost immediately (0-15s) to handle spikes quickly.
+      stabilizationWindowSeconds: 0 
+      policies:
+      - type: Percent
+        value: 100
+        periodSeconds: 15  # Double the fleet size every 15s if needed
+{{- end }}
diff --git a/charts/openvsx/templates/hpa-postgresql.yaml b/charts/openvsx/templates/hpa-postgresql.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: postgresql-{{ .Values.environment }}-hpa
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: postgresql-ha
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    # Matches your 'staging-postgresql-ha-postgresql' naming logic
+    name: {{ .Values.environment }}-postgresql-ha-postgresql
+  minReplicas: 3
+  maxReplicas: 9
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 60
+{{- end }}
diff --git a/charts/openvsx/templates/ingress.yaml b/charts/openvsx/templates/ingress.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.eks.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    app: {{ .Values.name }}
+    environment: {{ .Values.environment }}
+  name: {{ .Values.name }}-{{ .Values.environment }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
+    alb.ingress.kubernetes.io/target-type: ip 
+    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60
+    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.certArn }}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
+    alb.ingress.kubernetes.io/actions.forward-cors: >
+      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"204"}}
+    alb.ingress.kubernetes.io/conditions.forward-cors: >
+      [{"field":"http-request-method","httpRequestMethodConfig":{"values":["OPTIONS"]}}]
+    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=65,client_keep_alive.seconds=65
+spec:
+ ingressClassName: alb
+ rules:
+  - host: {{ .Values.host }}
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: forward-cors
+            port:
+              name: use-annotation
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+           name: {{ .Values.name }}-{{ .Values.environment }}
+           port:
+            number: {{ .Values.service.port }}
+{{- end }}
diff --git a/charts/openvsx/templates/kube-state-metrics-monitor.yaml b/charts/openvsx/templates/kube-state-metrics-monitor.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.eks.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: kube-state-metrics-monitor
+  namespace: open-vsx-org-staging
+  labels:
+    app: open-vsx-org
+    environment: staging
+spec:
+  namespaceSelector:
+    matchNames:
+      - kube-state-metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  endpoints:
+    - path: /metrics
+      interval: 60s
+      targetPort: 8080
+{{- end }}
diff --git a/charts/openvsx/templates/node-exporter-service-monitor.yaml b/charts/openvsx/templates/node-exporter-service-monitor.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.eks.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: node-exporter-monitor
+  namespace: open-vsx-org-staging
+  labels:
+    app: open-vsx-org
+    environment: staging
+spec:
+  namespaceSelector:
+    matchNames:
+      - prometheus-node-exporter
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-node-exporter
+  endpoints:
+    - path: /metrics
+      interval: 60s
+      targetPort: 9100
+{{- end }}
diff --git a/charts/openvsx/templates/route.yaml b/charts/openvsx/templates/route.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.eks.enabled }}
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
@@ -47,3 +48,4 @@ spec:
     name: {{ .Values.name }}-{{ .Values.environment }}
     weight: 100
 {{- end }}
+{{- end }}
diff --git a/charts/openvsx/templates/yara-rest/deployment.yaml b/charts/openvsx/templates/yara-rest/deployment.yaml
@@ -28,6 +28,13 @@ spec:
         - name: {{ .Values.yara.name }}-{{ .Values.environment }}
           image: "{{ .Values.yara.image.repository }}:{{ .Values.yara.image.tag }}"
           imagePullPolicy: {{ .Values.yara.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
           ports:
             - name: http
               containerPort: {{ .Values.yara.service.port }}
@@ -71,11 +78,4 @@ spec:
           claimName: yara-rules
       - name: tmp-scans
         emptyDir: {}
-      securityContext:
-        allowPrivilegeEscalation: false
-        readOnlyRootFilesystem: true
-        runAsNonRoot: true
-        capabilities:
-          drop:
-            - ALL
 {{- end }}