edgi-govdata-archiving · Oct 30, 2018
diff --git a/‎.gitignore
+7 b/‎.gitignore
+7
diff --git a/‎README.md
+456 b/‎README.md
+456
diff --git a/‎components.md
+111 b/‎components.md
+111
diff --git a/‎create-db.jq
+12 b/‎create-db.jq
+12
diff --git a/‎create-ingress-alias.jq
+33 b/‎create-ingress-alias.jq
+33
diff --git a/‎examples/services.yaml
+55 b/‎examples/services.yaml
+55
diff --git a/‎incidents/2018-10-09--staging-reboot-loop.md
+57 b/‎incidents/2018-10-09--staging-reboot-loop.md
+57
diff --git a/‎incidents/2018-10-10--differ-locked-cluster.md
+134 b/‎incidents/2018-10-10--differ-locked-cluster.md
+134
diff --git a/‎templates/kube-system/fluentd/fluentd.cloudwatch.yaml
+104 b/‎templates/kube-system/fluentd/fluentd.cloudwatch.yaml
+104
diff --git a/‎templates/kube-system/fluentd/fluentd.configmap.yaml
+24 b/‎templates/kube-system/fluentd/fluentd.configmap.yaml
+24
diff --git a/‎templates/kube-system/metrics-server/auth-delegator.yaml
+13 b/‎templates/kube-system/metrics-server/auth-delegator.yaml
+13
diff --git a/‎templates/kube-system/metrics-server/auth-reader.yaml
+14 b/‎templates/kube-system/metrics-server/auth-reader.yaml
+14
diff --git a/‎templates/kube-system/metrics-server/metrics-apiservice.yaml
+14 b/‎templates/kube-system/metrics-server/metrics-apiservice.yaml
+14
diff --git a/‎templates/kube-system/metrics-server/metrics-server-deployment.yaml
+41 b/‎templates/kube-system/metrics-server/metrics-server-deployment.yaml
+41
diff --git a/‎templates/kube-system/metrics-server/metrics-server-service.yaml
+15 b/‎templates/kube-system/metrics-server/metrics-server-service.yaml
+15
diff --git a/‎templates/kube-system/metrics-server/resource-reader.yaml
+38 b/‎templates/kube-system/metrics-server/resource-reader.yaml
+38
diff --git a/‎templates/production/api-deployment.yaml
+116 b/‎templates/production/api-deployment.yaml
+116
diff --git a/‎templates/production/diffing-deployment.yaml
+40 b/‎templates/production/diffing-deployment.yaml
+40
diff --git a/‎templates/production/diffing-service.yaml
+14 b/‎templates/production/diffing-service.yaml
+14
diff --git a/‎templates/production/import-worker-deployment.yaml
+110 b/‎templates/production/import-worker-deployment.yaml
+110
diff --git a/‎templates/production/redis-master-deployment.yaml
+23 b/‎templates/production/redis-master-deployment.yaml
+23
diff --git a/‎templates/production/redis-master-service.yaml
+17 b/‎templates/production/redis-master-service.yaml
+17
diff --git a/‎templates/production/redis-slave-deployment.yaml
+31 b/‎templates/production/redis-slave-deployment.yaml
+31
diff --git a/‎templates/production/redis-slave-service.yaml
+16 b/‎templates/production/redis-slave-service.yaml
+16
diff --git a/‎templates/production/ui-deployment.yaml
+69 b/‎templates/production/ui-deployment.yaml
+69
diff --git a/‎templates/staging/api-deployment.yaml
+113 b/‎templates/staging/api-deployment.yaml
+113
diff --git a/‎templates/staging/diffing-deployment.yaml
+40 b/‎templates/staging/diffing-deployment.yaml
+40
diff --git a/‎templates/staging/diffing-service.yaml
+14 b/‎templates/staging/diffing-service.yaml
+14
diff --git a/‎templates/staging/import-worker-deployment.yaml
+105 b/‎templates/staging/import-worker-deployment.yaml
+105
diff --git a/‎templates/staging/redis-master-deployment.yaml
+23 b/‎templates/staging/redis-master-deployment.yaml
+23
diff --git a/‎templates/staging/redis-master-service.yaml
+17 b/‎templates/staging/redis-master-service.yaml
+17
diff --git a/‎templates/staging/redis-slave-deployment.yaml
+31 b/‎templates/staging/redis-slave-deployment.yaml
+31
diff --git a/‎templates/staging/redis-slave-service.yaml
+16 b/‎templates/staging/redis-slave-service.yaml
+16
diff --git a/‎templates/staging/ui-deployment.yaml
+69 b/‎templates/staging/ui-deployment.yaml
+69
diff --git a/‎validate-certs.jq
+34 b/‎validate-certs.jq
+34
@@ -0,0 +1,7 @@
+templates/secrets.yaml
+templates/secrets.*.yaml
+templates/ui-secrets.yaml
+templates/ui-secrets.*.yaml
+*secrets*
+services.yaml
+!examples/services.yaml
@@ -0,0 +1,111 @@
+# Components
+
+In the section, you will install and configure all the components necessary to
+connect to and modify EDGI's Kubernetes cluster.
+
+## This Repository
+
+This repository contains templates that specify the configuration of the
+cluster. You will need a local copy.
+
+```sh
+git clone https://github.com/edgi-govdata-archiving/web-monitoring-kube
+cd web-monitoring-kube
+```
+
+## The Kubernetes Client, ``kubectl``
+
+To operate on the cluster, we use ``kubectl``, a commandline program that runs
+on your local machine, connects to the cluster, and issues commands to the
+cluster.
+
+The cluster is running version 1.10.3. Install a compatible version of the
+client (>= 1.10.2, <= 1.10.4).
+
+[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+
+## Keybase
+
+To share secret files containing authentication keys and other sensitive
+configuration, the development team uses Keybase.
+
+[Install Keybase](https://keybase.io/download)
+
+If you do not have an account, you will be prompted to create one when you start
+to use keybase. Ask a member of the development team to invite you to the
+``edgi_wm_kube`` team.
+
+## Kubernetes configuration
+
+To connect to the cluster, you will need a configuration file that includes the
+address of the cluster and secret authentication information. Because this file
+contains secrets, it is not stored in this repository but rather shared via
+Keybase.
+
+If you are not using Kubernetes to manage any other clusters, you can simply
+copy the file from Keybase:
+
+```sh
+mkdir ~/.kube
+cp /keybase/team/edgi_wm_kube/kube_config.yaml ~/.kube/config
+```
+
+If you have other clusters to manage, you will have to manually merge the
+contents of that file with your existing ``~/.kube/config``.
+
+Set the context and verify that it worked:
+
+```sh
+kubectl config set-context kube.monitoring.envirodatagov.org
+kubectl config current-context
+```
+
+The output should be ``kube.monitoring.envirodatagov.org``.
+
+## Try communicating with the cluster
+
+```sh
+kubectl get nodes
+```
+
+The output should something look like:
+
+```
+NAME                                          STATUS    ROLES     AGE       VERSION
+ip-172-20-63-114.us-west-2.compute.internal   Ready     node      32d       v1.10.3
+ip-172-20-63-2.us-west-2.compute.internal     Ready     master    32d       v1.10.3
+ip-172-20-81-52.us-west-2.compute.internal    Ready     node      32d       v1.10.3
+```
+
+## Secrets
+
+Templates containing secret configuration parameters are stored in Keybase as
+well. Copy them into your checkout of ``web-monitoring-kube`` like so:
+
+```sh
+cp /keybase/team/edgi_wm_kube/secrets.production.yaml templates/production
+cp /keybase/team/edgi_wm_kube/secrets.staging.yaml templates/staging
+cp /keybase/team/edgi_wm_kube/ui-secrets.production.yaml templates/production
+cp /keybase/team/edgi_wm_kube/ui-secrets.staging.yaml templates/staging
+```
+
+## Services
+
+Services provide the network endpoints to access running pods. While most services contain no sensitive information (and are therefore in version control) a few web-monitoring services require sensitive information. Templates containing our local service configuration parameters are stored in Keybase as well. Copy them into your checkout of ``web-monitoring-kube`` like so:
+
+```sh
+cp /keybase/team/edgi_wm_kube/services.production.yaml templates/production
+cp /keybase/team/edgi_wm_kube/services.staging.yaml templates/staging
+```
+
+## Getting Oriented
+
+In ``templates/``, there are separate directories corresponding to the
+*namespaces* in the Kubernetes cluster.
+
+* ``kube-system`` -- cluter-wide objects related to capturing logs
+* ``production`` -- objects deployed to the production namespace
+* ``staging`` -- objects deployed to the staging namespace
+
+The contents of the templates in ``production/`` and ``staging/`` differ only by
+their ``namespace: ...`` parameter and the values of the secrets.
@@ -0,0 +1,12 @@
+{
+    DBName: "web_monitoring_db",
+    AllocatedStorage: 20,
+    DBInstanceClass: "db.t2.medium",
+    Engine: "postgres",
+    MasterUserPassword: env.DB_PASSWORD,
+    DBInstanceIdentifier: env.DB_INSTANCE_IDENTIFIER,
+    MasterUsername: "master",
+    PubliclyAccessible: true,
+    VpcSecurityGroupIds: [env.NODES_SEC_GROUP],
+    DBSubnetGroupName: "web-monitoring-db-subnet"
+}
@@ -0,0 +1,33 @@
+{
+HostedZoneId: env.KUBE_ZONE,
+ChangeBatch:
+    {
+    Comment: "create subdomains for rails server and ui",
+    Changes: [
+            {
+            Action: "UPSERT",
+            ResourceRecordSet: {
+                Name: env.API_DNS_NAME,
+                Type: "A",
+                AliasTarget: {
+                    DNSName: env.API_TARGET,
+                    EvaluateTargetHealth: false,
+                    HostedZoneId: env.ELB_ZONE
+                    }
+                }
+            },
+            {
+            Action: "UPSERT",
+            ResourceRecordSet: {
+                Name: env.UI_DNS_NAME,
+                Type: "A",
+                AliasTarget: {
+                    DNSName: env.UI_TARGET,
+                    EvaluateTargetHealth: false,
+                    HostedZoneId: env.ELB_ZONE
+                    }
+                }
+            }
+        ]
+    }
+}
@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rds
+  namespace: example
+spec:
+  type: ExternalName
+  externalName: postgres.db.server.example.com
+  ports:
+  - port: 5432
+    targetPort: 5432
+    protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  namespace: example
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+spec:
+  selector:
+    app: api
+  ports:
+  - name: https
+    port: 443
+    targetPort: 3000
+  - name: http
+    port: 80
+    targetPort: 3000
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ui
+  namespace: example
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+spec:
+  selector:
+    app: ui
+  ports:
+  - name: https
+    port: 443
+    targetPort: 3001
+  - name: http
+    port: 80
+    targetPort: 3001
+  type: LoadBalancer
@@ -0,0 +1,57 @@
+# 2018-10-09: API & Import Worker Infinitely Rebooting on Staging
+
+## Summary
+
+After updating the `api` and `import-worker` deployments, Kubernetes was stuck in a loop infinitely rebooting them. It turns out that this was caused by a badly base64-encoded secret. Specifically `cache-date-differ` ended with a newline character.
+
+Updating the secrets to have a correct value and then replacing `api-deployment.yaml` and `import-worker-deployment.yaml` (by updating the `INCREMENTAL_UPDATE` env var) resolved the issue. It appears this happened because we pushed new secrets to staging *after* all the other deployment configs, so the issue didn’t crop up until the the next deployment change that used those secrets.
+
+
+## Timeline
+
+All times in PDT.
+
+### 2018-10-09 17:15
+
+@Mr0grog pushed new deploy configurations to the cluster for both staging and production. Staging immediately started rebooting repeatedly; production was fine.
+
+### 2018-10-09 17:20
+
+@Mr0grog tried deleting the rebooting pods (rookie move, me!), which just made more rebooting pods.
+
+### 2018-10-09 17:25
+
+@Mr0grog checking the logs reveals only one log line, which is cryptic:
+
+```
+starting container process caused "process_linux.go:295: setting oom score for ready process caused write /proc/3002/oom_score_adj: invalid argument
+```
+
+Luckily, stackoverflow [gave us a good lead](https://stackoverflow.com/questions/49296359/kubernetes-secret-in-google-container-engine-fails-setting-oom-score-for-read) that the problem might be in decoding secrets. We checked all the secrets and noted that `cache-date-differ`, when decoded, ended with a newline, which seemed wrong. Re-encoding the correct value, replacing the secrets in the cluster, then replacing the deployment configs immediately resolved the issue.
+
+### 2018-10-09 17:30
+
+Incident resolved.
+
+
+## Lessons
+
+### What Went Well
+
+Kubernetes did its job swimmingly — although we were having problems, the staging environment was up and available the whole time (it never replaced one of the pods because the others were still restarting). At first, @Mr0grog was freaking out, but he quickly realized the staging service was still available the whole time. This was a huge relief.
+
+### What Went Wrong
+
+That is one cryptic and unhelpful error message. It’s also still unclear what the *real* issue was. The secrets value in question decoded fine; it just ended with a newline. Was Kubernetes choking on the newline? Or was the server crashing when it booted and tried to parse the string as a date, but Kubernetes swallowed what would have been a useful error log line and threw out the confusing error instead?
+
+
+## Action Items
+
+
+- We should only use the binary Data field where it is useful to have base64-encoded values. Examples could include actual binary data, or string data that would require some of its characters to be escaped. @jsnshrmn will stringify our secrets where convenient so that we can avoid the error-prone process of manually base64-encoding every secret.
+- Determine if additional measures, such as a script or system for validating our secrets files, are necessary.
+
+
+## Responders
+
+- @Mr0grog
@@ -0,0 +1,134 @@
+# 2018-10-10: Diff Service Locked Up the Whole Cluster
+
+## Summary
+
+The diffing service consumed all resources in all cluster nodes, locking up not only itself but also all our other services (API, Import Worker, UI, Redis). This appears to have happened as a result of the new automated analysis job (see https://github.com/edgi-govdata-archiving/web-monitoring-db/pull/406) requesting a source code diff of a PDF and an HTML page, specifically the change:
+
+```
+0c2f9d24-df8e-48b4-919b-7d1eca02d3c4..7c9904f4-c090-4f0d-8c3f-ba3dc4fade25
+```
+
+
+## Timeline
+
+All times in PDT.
+
+### 2018-10-10 15:30
+
+@Mr0grog pushed the new analysis code to production (https://github.com/danielballan/web-monitoring-kube/commit/22450e3120f80b53d753b46988e6085f88ed707d) and queued a day’s worth of analysis jobs. He watched the first ~350 work successfully, then headed to a meeting.
+
+### 2018-10-10 16:45
+
+@Mr0grog checked in on the analysis progress between meetings (Web Monitoring Analyst meeting was at 17:00) only to find that the cluster had spun up about 9 pods for each type of deployment, with each being listed as unknown status.
+
+@Mr0grog posted the situation in Slack and proceeded to try and delete some pods and to look at the flood of errors starting on Sentry. Errors make it clear that the analysis job is hitting problems, so it appears this is another instance of the diff service running amok.
+
+### 2018-10-10 17:12
+
+@jsnshrmn signs on to help. Now that we have an idea of cause and two people, @jsnshrmn works on addressing Kubernetes, @Mr0grog works on patching code to avoid triggering the problem.
+
+### 2018-10-10 17:28
+
+@jsnshrmn clears out testing resources of all types (`kubectl --namespace=testing delete all --all`) since they are of only ocassional value, but were still consuming some resources. The remaining resources were forcibly removed (`kubectl --namespace=staging delete pods --all --force --grace-period=0` because they were stuck in an "Unknown" state.
+
+@jsnshrmn clears out the cluster’s production resources by deleting each deployment (`kubectl delete deployment.apps/<appname>`) which should have deleted all pods. This tooks several minutes per deployment because many pods were in an "Unknown" state, and could not be gracefully evicted, eventually timing out. @jsnshrmn tries to gracefully shut down the remain pods which were all in an "Unknown" state (`kubectl --namespace=production delete pods --all`) and (`kubectl --namespace=production delete pod/<podname>`), but without success. 
+
+@jsnshrmn forcefully deleted all remaining pods (`kubectl --namespace=staging delete pods --all --force --grace-period=0`). This quiets things down. We think it is safe to start services again since we won’t have saved the state of any queues, so no more analysis jobs will be queued.
+
+### 2018-10-10 17:34
+
+@Mr0grog finishes writing a hotfix (https://github.com/edgi-govdata-archiving/web-monitoring-db/commit/6ea87de05d52d823f989e531dc1a600e25edab25) that basically causes the analysis job to check the URL for any file extensions that might indicate non-HTML content.
+
+### 2018-10-10 17:42
+
+@jsnshrmn also clears out all staging resources (we noticed that staging was still stuck, probably because everything is sharing just a couple nodes).
+
+### 2018-10-10 17:45
+
+Hotfix image is published.
+
+### 2018-10-10 17:50
+
+All services and deployments are recreated in staging and production (with the hotfix).
+
+### 2018-10-10 17:55
+
+Kubectl reports that all pods are stuck in a pending state.
+
+### 2018-10-10 18:02
+
+@jsnshrmn hard restarts one of the cluster nodes from the AWS console. That seems to give Kubernetes a nice kick in the pants and the pods start coming up.
+
+### 2018-10-10 18:15
+
+All nodes have been restarted, all pods in staging and production appear to be up and operational. Incident appears to be resolved.
+
+### 2018-10-10 22:40
+
+Issue recurs. @Mr0grog writes another hotfix that simply stops the problematic behavior (optimistically trying a diff if we aren’t sure that it won’t work): https://github.com/edgi-govdata-archiving/web-monitoring-db/commit/0a46db02b78d8332f974b86eafff067a09eb3ac2
+
+### 2018-10-10 22:50
+
+Pods still seem stuck. @Mr0grog attempts to stop one of the nodes; instead the node winds up terminated (not actually sure what happened here; it seems like Kubernetes did this itself when stopping ocurred; it looks like we should have been more careful to delete all services and pods first) and Kubernetes auto-created a new node.
+
+### 2018-10-10 22:58
+
+New node comes online and services are accessible, but clearly not stable. Sentry reports lots of odd connectivity errors and `kubectl` still reports lots of unknown status pods. @Mr0grog decides to give it a break for 30 minutes until imports complete before doing anything more damaging.
+
+### 2018-10-10 23:35
+
+Sentry errors seem to have stopped, all the parts of the cluster can communicate, and bad pods are no longer reported. It probably just took some time for everything to settle out after Kubernetes terminated and recreated a whole node.
+
+@Mr0grog starts long Versionista archive job to recover data lost from 15:00 through now.
+
+### 2018-10-10 23:55
+
+Versionista jobs complete without major problems. Incident appears to be over.
+
+### 2018-10-11 07:26
+
+@jsnshrmn determines that implementing resource limits in a verifiable way requires core metrics, a set of services that are deployed by default in Kubernetes, but not in our KOPS deployment. Builtin diagnostic tools like `kubectl top <pods|nodes>` aren't working. @jsnshrmn notices that a previously deployed metrics gathering framework based on Prometheus and Grafana is broken.
+
+### 2018-10-11 08:01
+
+@jsnshrmn gets verification from @dallan that the old metrics framework can be deleted and does so (`kubectl --namespace=monitoring delete all --all; kubectl delete namespaces monitoring`).
+
+### 2018-10-11 08:28
+
+While checking the `kube-system` namespace (where core metrics would be deployed), @jsnshrmn discovered that pods related to proxy and logging are not functioning correctly. 
+
+### 2018-10-11 08:40
+
+@jsnshrmn Performs `kubectl --namespace=kube-system inspect|logs` on pod, deployments, and consistently show various communication errors in various layers of the stack.
+
+### 2018-10-11 09:07
+
+@jsnshrmn notices that one of the errors shown in the proxy logs on this node is related to the dns pod that should be providing services for the node. @jsnshrmn deletes the dns node, and performs `kubectl --namespace=kube-system logs pods/<dnspodname>` and finds `Error response from daemon: grpc: the connection is unavailable`, yet another network error, this time from a pod that reported it was working before deletion. @jsnshrmn stops/starts the node via the EC2 console.
+
+### 2018-10-11 11:35
+
+Basic troubleshooting tools now work. Incident resolved.
+
+
+## Lessons
+
+### What Went Well
+
+Since we didn't configure the Kubernetes master node as a cluster node too, it stayed up; meaning that the cluster could be communicated with via kubectl. Our data, which is stored in an external database and AWS S3 buckets, was not lost. The Kubernetes scheduler behaved as documented.
+
+### What Went Wrong
+
+There is no magic in the Kubernetes scheduler. If it hasn't been given any specifications regarding the resources that may normally be consumed by a container, it assumes the container will consume *no resources at all* and may attempt to deploy infinite containers to a node. Additionally, if no resource limits are set, a single container is allowed to consume more than 100% of the resources on a node, potentially knocking it offline. We supplied the scheduler with no information about how many containers should be running simultanously on a single node nor resource limits for any of our containers. Because of this, the problematic diffing containers overwhelmed one node (which they were all deployed to) causing it to become unavailable. The scheduler dilligently noted that the specified number of container replicas were no longer available, and redeployed to the remaining cluster node to come into compliance with the replica count specified. Once the diffing pod was operational again, it then knocked the only remaining cluster node offline, leaving us with an outage.
+
+
+## Action Items
+
+- Look into ways to set resource limits or node affinity ([processing#154](https://github.com/edgi-govdata-archiving/web-monitoring-processing/issues/154))
+- Clean up the ugly hotfix code ([db#411](https://github.com/edgi-govdata-archiving/web-monitoring-db/issues/411))
+- Protect `html_text_dmp` and `html_source_dmp` with content-type checking and sniffing ([processing#287](https://github.com/edgi-govdata-archiving/web-monitoring-processing/issues/287))
+
+
+## Responders
+
+- @Mr0grog
+- @jsnshrmn
@@ -0,0 +1,104 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluentd
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: fluentd
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: fluentd
+roleRef:
+  kind: ClusterRole
+  name: fluentd
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: kube-system
+
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: fluentd
+  namespace: kube-system
+  labels:
+    k8s-app: fluentd-logging
+    version: v1
+    kubernetes.io/cluster-service: "true"
+spec:
+  template:
+    metadata:
+      annotations:
+        iam.amazonaws.com/role: us-west-2a.staging.kubernetes.ruist.io-service-role
+      labels:
+        k8s-app: fluentd-logging
+        version: v1
+        kubernetes.io/cluster-service: "true"
+    spec:
+      serviceAccount: fluentd
+      serviceAccountName: fluentd
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+      - name: fluentd
+        image: fluent/fluentd-kubernetes-daemonset:cloudwatch
+        env:
+          - name: LOG_GROUP_NAME
+            value: "k8s"
+          - name: AWS_REGION
+            value: "us-west-2"
+          - name: FLUENT_UID
+            value: "0"
+          - name: FLUENTD_CONF
+            value: web-monitoring/fluent.conf
+          - name: K8S_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        volumeMounts:
+        - name: varlog
+          mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
+        - name: config-vol
+          mountPath: /fluentd/etc/web-monitoring
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: varlog
+        hostPath:
+          path: /var/log
+      - name: varlibdockercontainers
+        hostPath:
+          path: /var/lib/docker/containers
+      - name: config-vol
+        configMap:
+          name: fluentd-config
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluentd-config
+  namespace: kube-system
+data:
+  fluent.conf: |
+    @include /fluentd/etc/kubernetes.conf
+    # Amend tags before the cloudwatch_logs plugin picks them up. Modifies
+    # the name of the destination AWS cloudwatch log stream..
+    <match kubernetes.var.log.containers.*.log>
+      @type record_reformer
+      renew_record false
+      enable_ruby true
+      tag ${record['kubernetes']['namespace_name']}.${record['kubernetes']['labels']['app']||record['kubernetes']['labels']['k8s-app']}.${record['kubernetes']['container_name']}.log
+    </match>
+    <match **>
+      @type cloudwatch_logs
+      @id out_cloudwatch_logs
+      log_group_name "#{ENV['LOG_GROUP_NAME']}"
+      auto_create_stream true
+      use_tag_as_stream true
+    </match>
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
@@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1beta1.metrics.k8s.io
+spec:
+  service:
+    name: metrics-server
+    namespace: kube-system
+  group: metrics.k8s.io
+  version: v1beta1
+  insecureSkipTLSVerify: true
+  groupPriorityMinimum: 100
+  versionPriority: 100
@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    k8s-app: metrics-server
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  template:
+    metadata:
+      name: metrics-server
+      labels:
+        k8s-app: metrics-server
+    spec:
+      serviceAccountName: metrics-server
+      volumes:
+      # mount in tmp so we can safely use from-scratch images and/or read-only containers
+      - name: tmp-dir
+        emptyDir: {}
+      containers:
+      - name: metrics-server
+        image: k8s.gcr.io/metrics-server-amd64:v0.3.0
+        imagePullPolicy: Always
+        # @TODO: properly configure TLS.
+        command:
+          - /metrics-server
+          - --kubelet-insecure-tls
+        volumeMounts:
+        - name: tmp-dir
+          mountPath: /tmp
+
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    kubernetes.io/name: "Metrics-server"
+spec:
+  selector:
+    k8s-app: metrics-server
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 443
@@ -0,0 +1,38 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
@@ -0,0 +1,116 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: api
+  namespace: production
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+      - name:  rails-server
+        image: envirodgi/db-rails-server:629266d0d8fb87260343ed7a763de37653108efc
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 3000
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "1500m"
+        readinessProbe:
+          tcpSocket:
+            port: 3000
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 3000
+          initialDelaySeconds: 5
+        env:
+        - name: ALLOWED_ARCHIVE_HOSTS
+          value: "https://edgi-wm-versionista.s3.amazonaws.com/ https://edgi-wm-versionista.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/edgi-wm-versionista/ https://edgi-versionista-archive.s3.amazonaws.com/ https://edgi-versionista-archive.s3.amazonaws.com/edgi-versionista-archive/"
+        - name: AUTO_ANNOTATION_USER
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: auto_annotation_user
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_access_key_id
+        - name: AWS_ARCHIVE_BUCKET
+          value: edgi-wm-archive
+        - name: AWS_REGION
+          value: us-west-2
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_secret_access_key
+        - name: AWS_WORKING_BUCKET
+          value: edgi-wm-db-internal
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: database_rds
+        - name: DIFFER_DEFAULT
+          value: http://diffing:80
+        - name: CACHE_DATE_DIFFER
+          value: "2018-10-23T07:00:00Z"
+        # TODO: consider making this not a secret
+        - name: HOST_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: host_url
+        - name: LANG
+          value: en_US.UTF-8
+        - name: MAIL_SENDER
+          value: website.monitoring@envirodatagov.org
+        - name: MAX_COLLECTION_PAGE_SIZE
+          value: "1000"
+        # FIXME: We don't have a New Relic account that isn't tied in with
+        # Heroku. We can't really afford it and it's not doing us much good
+        # right now anyway, so we should just remove all the config for it.
+        - name: NEW_RELIC_AGENT_ENABLED
+          value: "false"
+        - name: POSTMARK_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: postmark_api_token
+        - name: RACK_ENV
+          value: production
+        - name: RAILS_ENV
+          value: production
+        - name: RAILS_LOG_TO_STDOUT
+          value: enabled
+        - name: RAILS_SERVE_STATIC_FILES
+          value: enabled
+        - name: REDIS_URL
+          value: redis://redis-master:6379
+        - name: SECRET_KEY_BASE
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: secret_key_base
+        - name: SENTRY_DSN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: sentry_dsn
+        - name: TOKEN_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: token_private_key
+        - name: INCREMENTAL_UPDATE
+          value: "3"
@@ -0,0 +1,40 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: diffing
+  namespace: production
+spec:
+  replicas: 4
+  template:
+    metadata:
+      labels:
+        app: diffing-server
+    spec:
+      containers:
+      - name: processing
+        image: envirodgi/processing:ce708709d66daa02a6c2811ee5b4d38f9543536a
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 80
+        resources:
+          requests:
+            memory: "265Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "500m"
+        readinessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        env:
+        - name: DIFFER_COLOR_INSERTION
+          value: "#a1d76a"
+        - name: DIFFER_COLOR_DELETION
+          value: "#e8a4c8"
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: diffing
+  namespace: production
+spec:
+  selector:
+    app: diffing-server
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  type: ClusterIP
@@ -0,0 +1,110 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: import-worker
+  namespace: production
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: import-worker
+    spec:
+      containers:
+      - name: db-import-worker
+        image: envirodgi/db-import-worker:629266d0d8fb87260343ed7a763de37653108efc
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "1500m"
+        env:
+        - name: ALLOWED_ARCHIVE_HOSTS
+          value: "https://edgi-wm-versionista.s3.amazonaws.com/ https://edgi-wm-versionista.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/edgi-wm-versionista/ https://edgi-versionista-archive.s3.amazonaws.com/ https://edgi-versionista-archive.s3.amazonaws.com/edgi-versionista-archive/"
+        # Set to "true" to be safe/conservative on what kinds of diffs to try
+        # If we suddenly see the diff server going nuts, maybe uncomment this.
+        # - name: ANALYSIS_REQUIRE_MEDIA_TYPE
+        #   value: "true"
+        - name: AUTO_ANNOTATION_USER
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: auto_annotation_user
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_access_key_id
+        - name: AWS_ARCHIVE_BUCKET
+          value: edgi-wm-archive
+        - name: AWS_REGION
+          value: us-west-2
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_secret_access_key
+        - name: AWS_WORKING_BUCKET
+          value: edgi-wm-db-internal
+        - name: CACHE_DATE_DIFFER
+          value: "2018-10-23T07:00:00Z"
+        - name: DATABASE_RDS
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: database_rds
+        - name: DIFFER_DEFAULT
+          value: http://diffing:80
+        - name: HOST_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: host_url
+        - name: LANG
+          value: en_US.UTF-8
+        - name: MAIL_SENDER
+          value: website.monitoring@envirodatagov.org
+        - name: MAX_COLLECTION_PAGE_SIZE
+          value: "1000"
+        - name: NEW_RELIC_AGENT_ENABLED
+          value: "false"
+        - name: POSTMARK_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: postmark_api_token
+        - name: RACK_ENV
+          value: production
+        - name: RAILS_ENV
+          value: production
+        - name: RAILS_LOG_TO_STDOUT
+          value: enabled
+        - name: RAILS_SERVE_STATIC_FILES
+          value: enabled
+        - name: REDIS_URL
+          value: redis://redis-master:6379
+        - name: REDIS_CACHE_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: redis_cache_url
+        - name: SECRET_KEY_BASE
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: secret_key_base
+        - name: SENTRY_DSN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: sentry_dsn
+        - name: TOKEN_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: token_private_key
+        - name: INCREMENTAL_UPDATE
+          value: "3"
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis-master
+  namespace: production
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: redis
+        role: master
+        tier: backend
+    spec:
+      containers:
+      - name: master
+        image: gcr.io/google_containers/redis:e2e  # or just image: redis
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-master
+  namespace: production
+  labels:
+    app: redis
+    role: master
+    tier: backend
+spec:
+  ports:
+  - port: 6379
+    targetPort: 6379
+  selector:
+    app: redis
+    role: master
+    tier: backend
@@ -0,0 +1,31 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis-slave
+  namespace: production
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: redis
+        role: slave
+        tier: backend
+    spec:
+      containers:
+      - name: slave
+        image: gcr.io/google_samples/gb-redisslave:v1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        env:
+        - name: GET_HOSTS_FROM
+          value: dns
+          # If your cluster config does not include a dns service, then to
+          # instead access an environment variable to find the master
+          # service's host, comment out the 'value: dns' line above, and
+          # uncomment the line below:
+          # value: env
+        ports:
+        - containerPort: 6379
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-slave
+  namespace: production
+  labels:
+    app: redis
+    role: slave
+    tier: backend
+spec:
+  ports:
+  - port: 6379
+  selector:
+    app: redis
+    role: slave
+    tier: backend
@@ -0,0 +1,69 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: ui
+  namespace: production
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: ui
+    spec:
+      containers:
+      - name: ui 
+        image: envirodgi/ui:fd12f43b6818e06994aab358fc52ad3e74b5c6c4
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 3001
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "500m"
+        readinessProbe:
+          tcpSocket:
+            port: 3001
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 3001
+          initialDelaySeconds: 5
+        env:
+        - name: FORCE_SSL
+          value: "true"
+        - name: GOOGLE_DICTIONARY_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_dictionary_sheet_id
+        - name: GOOGLE_IMPORTANT_CHANGE_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_important_change_sheet_id
+        - name: GOOGLE_SERVICE_CLIENT_EMAIL
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_service_client_email
+        - name: GOOGLE_SHEETS_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_sheets_private_key
+        - name: GOOGLE_TASK_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key:  google_task_sheet_id
+        - name: WEB_MONITORING_DB_URL
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key:  web_monitoring_db_url
+        - name: INCREMENTAL_UPDATE
+          value: "1"
@@ -0,0 +1,113 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: api
+  namespace: staging
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+      - name:  rails-server
+        image: envirodgi/db-rails-server:629266d0d8fb87260343ed7a763de37653108efc
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 3000
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "1500m"
+        readinessProbe:
+          tcpSocket:
+            port: 3000
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 3000
+          initialDelaySeconds: 5
+        env:
+        - name: ALLOWED_ARCHIVE_HOSTS
+          value: "https://edgi-wm-versionista.s3.amazonaws.com/ https://edgi-wm-versionista.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/edgi-wm-versionista/ https://edgi-versionista-archive.s3.amazonaws.com/ https://edgi-versionista-archive.s3.amazonaws.com/edgi-versionista-archive/"
+        - name: AUTO_ANNOTATION_USER
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: auto_annotation_user
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_access_key_id
+        - name: AWS_ARCHIVE_BUCKET
+          value: edgi-wm-archive-staging
+        - name: AWS_REGION
+          value: us-west-2
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_secret_access_key
+        - name: AWS_WORKING_BUCKET
+          value: edgi-wm-db-internal-staging
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: database_rds
+        - name: DIFFER_DEFAULT
+          value: http://diffing:80
+        - name: CACHE_DATE_DIFFER
+          value: "2018-10-23T07:00:00Z"
+        # TODO: consider making this not a secret
+        - name: HOST_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: host_url
+        - name: LANG
+          value: en_US.UTF-8
+        - name: MAIL_SENDER
+          value: website.monitoring@envirodatagov.org
+        - name: MAX_COLLECTION_PAGE_SIZE
+          value: "1000"
+        - name: NEW_RELIC_AGENT_ENABLED
+          value: "false"
+        - name: POSTMARK_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: postmark_api_token
+        - name: RACK_ENV
+          value: production
+        - name: RAILS_ENV
+          value: production
+        - name: RAILS_LOG_TO_STDOUT
+          value: enabled
+        - name: RAILS_SERVE_STATIC_FILES
+          value: enabled
+        - name: REDIS_URL
+          value: redis://redis-master:6379
+        - name: SECRET_KEY_BASE
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: secret_key_base
+        - name: SENTRY_DSN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: sentry_dsn
+        - name: TOKEN_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: token_private_key
+        - name: INCREMENTAL_UPDATE
+          value: "4"
@@ -0,0 +1,40 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: diffing
+  namespace: staging
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: diffing-server
+    spec:
+      containers:
+      - name: processing
+        image: envirodgi/processing:ce708709d66daa02a6c2811ee5b4d38f9543536a
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 80
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "500m"
+        readinessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        env:
+        - name: DIFFER_COLOR_INSERTION
+          value: "#a1d76a"
+        - name: DIFFER_COLOR_DELETION
+          value: "#e8a4c8"
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: diffing
+  namespace: staging
+spec:
+  selector:
+    app: diffing-server
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  type: ClusterIP
@@ -0,0 +1,105 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: import-worker
+  namespace: staging
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: import-worker
+    spec:
+      containers:
+      - name: db-import-worker
+        image: envirodgi/db-import-worker:629266d0d8fb87260343ed7a763de37653108efc
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "1500m"
+        env:
+        - name: ALLOWED_ARCHIVE_HOSTS
+          value: "https://edgi-wm-versionista.s3.amazonaws.com/ https://edgi-wm-versionista.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/edgi-wm-versionista/ https://edgi-versionista-archive.s3.amazonaws.com/ https://edgi-versionista-archive.s3.amazonaws.com/edgi-versionista-archive/"
+        # Set to "true" to be safe/conservative on what kinds of diffs to try
+        # If we suddenly see the diff server going nuts, maybe uncomment this.
+        # - name: ANALYSIS_REQUIRE_MEDIA_TYPE
+        #   value: "true"
+        - name: AUTO_ANNOTATION_USER
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: auto_annotation_user
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_access_key_id
+        - name: AWS_ARCHIVE_BUCKET
+          value: edgi-wm-archive-staging
+        - name: AWS_REGION
+          value: us-west-2
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: aws_secret_access_key
+        - name: AWS_WORKING_BUCKET
+          value: edgi-wm-db-internal-staging
+        - name: CACHE_DATE_DIFFER
+          value: "2018-10-23T07:00:00Z"
+        - name: DATABASE_RDS
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: database_rds
+        - name: DIFFER_DEFAULT
+          value: http://diffing:80
+        - name: HOST_URL
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: host_url
+        - name: LANG
+          value: en_US.UTF-8
+        - name: MAIL_SENDER
+          value: website.monitoring@envirodatagov.org
+        - name: MAX_COLLECTION_PAGE_SIZE
+          value: "1000"
+        - name: NEW_RELIC_AGENT_ENABLED
+          value: "false"
+        - name: POSTMARK_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: postmark_api_token
+        - name: RACK_ENV
+          value: production
+        - name: RAILS_ENV
+          value: production
+        - name: RAILS_LOG_TO_STDOUT
+          value: enabled
+        - name: RAILS_SERVE_STATIC_FILES
+          value: enabled
+        - name: REDIS_URL
+          value: redis://redis-master:6379
+        - name: SECRET_KEY_BASE
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: secret_key_base
+        - name: SENTRY_DSN
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: sentry_dsn
+        - name: TOKEN_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: app-secrets
+              key: token_private_key
+        - name: INCREMENTAL_UPDATE
+          value: "4"
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis-master
+  namespace: staging
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: redis
+        role: master
+        tier: backend
+    spec:
+      containers:
+      - name: master
+        image: gcr.io/google_containers/redis:e2e  # or just image: redis
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-master
+  namespace: staging
+  labels:
+    app: redis
+    role: master
+    tier: backend
+spec:
+  ports:
+  - port: 6379
+    targetPort: 6379
+  selector:
+    app: redis
+    role: master
+    tier: backend
@@ -0,0 +1,31 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis-slave
+  namespace: staging
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: redis
+        role: slave
+        tier: backend
+    spec:
+      containers:
+      - name: slave
+        image: gcr.io/google_samples/gb-redisslave:v1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        env:
+        - name: GET_HOSTS_FROM
+          value: dns
+          # If your cluster config does not include a dns service, then to
+          # instead access an environment variable to find the master
+          # service's host, comment out the 'value: dns' line above, and
+          # uncomment the line below:
+          # value: env
+        ports:
+        - containerPort: 6379
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-slave
+  namespace: staging
+  labels:
+    app: redis
+    role: slave
+    tier: backend
+spec:
+  ports:
+  - port: 6379
+  selector:
+    app: redis
+    role: slave
+    tier: backend
@@ -0,0 +1,69 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: ui
+  namespace: staging
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: ui
+    spec:
+      containers:
+      - name: ui 
+        image: envirodgi/ui:fd12f43b6818e06994aab358fc52ad3e74b5c6c4
+        imagePullPolicy: Always
+        ports: 
+        - containerPort: 3001
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "1024Mi"
+            cpu: "500m"
+        readinessProbe:
+          tcpSocket:
+            port: 3001
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 3001
+          initialDelaySeconds: 5
+        env:
+        - name: FORCE_SSL
+          value: "true"
+        - name: GOOGLE_DICTIONARY_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_dictionary_sheet_id
+        - name: GOOGLE_IMPORTANT_CHANGE_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_important_change_sheet_id
+        - name: GOOGLE_SERVICE_CLIENT_EMAIL
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_service_client_email
+        - name: GOOGLE_SHEETS_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key: google_sheets_private_key
+        - name: GOOGLE_TASK_SHEET_ID
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key:  google_task_sheet_id
+        - name: WEB_MONITORING_DB_URL
+          valueFrom:
+            secretKeyRef:
+              name: ui-secrets
+              key:  web_monitoring_db_url
+        - name: INCREMENTAL_UPDATE
+          value: "1"
@@ -0,0 +1,34 @@
+{
+    "HostedZoneId": env.KUBE_ZONE,
+    "ChangeBatch": {
+        "Comment": "validate certificates for rails server and ui",
+        "Changes": [
+            {
+                "Action": "CREATE",
+                "ResourceRecordSet": {
+                    "Name": env.API_VALIDATE_NAME,
+                    "Type": "CNAME",
+                    "TTL": 300,
+                    "ResourceRecords": [
+                        {
+                            "Value": env.API_VALIDATE_VALUE
+                        }
+                    ],
+                }
+            },
+            {
+                "Action": "CREATE",
+                "ResourceRecordSet": {
+                    "Name": env.UI_VALIDATE_NAME,
+                    "Type": "CNAME",
+                    "TTL": 300,
+                    "ResourceRecords": [
+                        {
+                            "Value": env.UI_VALIDATE_VALUE
+                        }
+                    ],
+                }
+            }
+        ]
+    }
+}