feat(EM-35): Configure Kubernetes Deployment Automation and Environment Promotion #55

Open
devin-ai-integration[bot] wants to merge 1 commit into feat/microservices-migration-v2 from devin/1771608328-em35-k8s-deployment

@devin-ai-integration

feat(EM-35): Kubernetes Deployment Automation and Environment Promotion

Summary

Adds Kustomize-based Kubernetes deployment manifests for all 4 FTGO microservices and a GitHub Actions workflow for deploying to dev → staging → production environments.

New files (33 total):

  • infrastructure/k8s/base/ — Base Kustomize manifests per service (deployment, service, serviceaccount)
  • infrastructure/k8s/overlays/{dev,staging,production}/ — Environment-specific overlays with patched replicas, resource limits, configmaps, and namespaces
  • infrastructure/k8s/overlays/production/pdb.yaml — PodDisruptionBudgets for production
  • .github/workflows/deploy.yml — Deployment workflow with manual dispatch, dry-run support, rollout monitoring, and promotion guidance
  • infrastructure/k8s/README.md — Deployment and promotion documentation

Environment differences:

| | Dev | Staging | Production |
|---|---|---|---|
| Replicas | 1 | 2 | 3 |
| Memory | 128–256Mi | 256–512Mi | 512Mi–1Gi |
| CPU | 100–250m | 250–500m | 500–1000m |
| Log level | DEBUG | INFO | WARN |
| PDB | No | No | Yes |

All manifests were validated locally with kustomize build for all 3 overlays + base.

Review & Testing Checklist for Human

⚠️ Risk level: YELLOW — Manifests validated but not tested on real cluster

  • Verify PodDisruptionBudget selectors — Production PDBs use matchLabels: app.kubernetes.io/name: <service>. Confirm these match the actual pod labels after namePrefix: prod- transformation is applied. (The base kustomization sets includeSelectors: true for these labels, so they should propagate correctly to pod selectors.)
  • Test deploy workflow end-to-end — Requires setting up KUBECONFIG secret in GitHub and a real K8s cluster. Recommend testing with dry_run: true first, then deploying to dev environment.
  • Verify probe endpoints — All services use /actuator/health/liveness and /actuator/health/readiness. Confirm these endpoints exist in the actual Spring Boot services (they should if Spring Boot Actuator is configured).
  • Check resource limits — JVM memory limits (256Mi dev, 512Mi staging, 1Gi prod) should be validated against actual service memory usage. The JAVA_OPTS sets -XX:MaxRAMPercentage=75.0 which should work with these limits.
  • Create service secrets — Deployments reference <service>-secrets (marked optional). If services need DB credentials or other secrets, create these manually in each namespace before deploying.

Test Plan

  1. Set up KUBECONFIG secret in GitHub repo settings (base64-encoded kubeconfig)
  2. Trigger workflow: Actions → Deploy: Kubernetes → Run workflow
  3. Select: environment=dev, service=all, image_tag=latest, dry_run=true
  4. Verify dry-run succeeds and manifests look correct
  5. Re-run with dry_run=false to actually deploy
  6. Check pods: kubectl get pods -n ftgo-dev
  7. Verify health: kubectl get pods -n ftgo-dev -o wide and check readiness
  8. Test promotion: Deploy same image tag to staging, then production

Notes

  • Orphaned file: infrastructure/k8s/base/namespace.yaml exists but is not referenced in base/kustomization.yaml (removed to fix overlay namespace conflicts). Consider deleting it to avoid confusion.
  • Workflow push trigger: Validates manifests on pushes to main but never auto-deploys (deploy job only runs on workflow_dispatch).
  • No autoscaling: Static replica counts per environment. HPA can be added later if needed.

Link to Devin run: https://app.devin.ai/sessions/b767ee84591a4c1584d113ac969c5408
Requested by: @abj453demo
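
The PodDisruptionBudget selector check from the review checklist above, as an added example (not code from this PR): it takes rendered overlay objects already parsed into dicts and reports any PDB whose matchLabels select the pods of zero or more than one Deployment. The service names, the `ftgo-production` namespace and the sample objects are constructed assumptions.

```python
# Added example: checks PDB selectors against pod template labels in rendered
# overlay objects (already parsed into dicts; YAML loading is left to the caller).

def pod_labels(deployment):
    return deployment["spec"]["template"]["metadata"].get("labels", {})

def check_pdb_selectors(objects):
    """Map each PDB name to the Deployments whose pods its matchLabels select."""
    deployments = [o for o in objects if o["kind"] == "Deployment"]
    result = {}
    for pdb in (o for o in objects if o["kind"] == "PodDisruptionBudget"):
        want = pdb["spec"]["selector"].get("matchLabels", {})
        ns = pdb["metadata"].get("namespace")
        # An empty matchLabels yields no hits here, so it is reported by findings().
        result[pdb["metadata"]["name"]] = sorted(
            d["metadata"]["name"] for d in deployments
            if want and d["metadata"].get("namespace") == ns
            and all(pod_labels(d).get(k) == v for k, v in want.items())
        )
    return result

def findings(objects):
    """PDBs that select no Deployment's pods, or pods of more than one."""
    return {n: hits for n, hits in check_pdb_selectors(objects).items() if len(hits) != 1}

def _deployment(name, ns, labels):
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns},
            "spec": {"template": {"metadata": {"labels": labels}}}}

def _pdb(name, ns, match):
    return {"kind": "PodDisruptionBudget", "metadata": {"name": name, "namespace": ns},
            "spec": {"selector": {"matchLabels": match}}}

LABEL = "app.kubernetes.io/name"
NS = "ftgo-production"  # assumed namespace name, not taken from the PR
# Constructed sample: namePrefix changes metadata.name and leaves labels alone.
SAMPLE = [
    _deployment("prod-order-service", NS, {LABEL: "order-service"}),
    _deployment("prod-consumer-service", NS, {LABEL: "consumer-service"}),
    _pdb("prod-order-service-pdb", NS, {LABEL: "order-service"}),
    # Mismatch: selector written with the prefixed name, which no pod label carries.
    _pdb("prod-consumer-service-pdb", NS, {LABEL: "prod-consumer-service"}),
]

if __name__ == "__main__":
    for name, hits in findings(SAMPLE).items():
        print(f"{name}: selects {hits or 'no pods'}")
```

A PDB that selects no pods is accepted by the API server and silently protects nothing during node drains, which is why the check treats zero hits as a finding.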

…nt promotion

- Add Kustomize base manifests for all 4 services (consumer, courier, order, restaurant)
- Each service includes deployment, service, and serviceaccount manifests
- Configure startup, liveness, and readiness probes on /actuator/health endpoints
- Add environment overlays for dev, staging, and production
- Dev: 1 replica, 128Mi-256Mi memory, DEBUG logging
- Staging: 2 replicas, 256Mi-512Mi memory, INFO logging
- Production: 3 replicas, 512Mi-1Gi memory, WARN logging, PodDisruptionBudgets
- Add GitHub Actions deploy workflow with manual dispatch and environment promotion
- Workflow supports per-service or all-service deployment with dry-run option
- Add comprehensive deployment and promotion documentation

Co-Authored-By: Alex Baker <alexandercommander453@gmail.com>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
