feat(helm): add Go runtime tuning, startup probe, upgrade to Helm 4

- Set GOMAXPROCS and GOMEMLIMIT from cgroup limits to prevent
  thread oversubscription and unbounded GC memory growth
- Add startup probe (60s budget) to gate liveness/readiness during
  connection pool initialization
- Increase liveness failureThreshold to 5 to avoid restarts on
  transient issues
- Remove initialDelaySeconds (startup probe replaces this)
- Upgrade CI from alpine/helm:3.17 to alpine/helm:4.1
- Replace deprecated --atomic with --rollback-on-failure + --wait=watcher
2026-04-01 00:07:01 +02:00
parent 74ee825039
commit 482fcd180a
2 changed files with 19 additions and 4 deletions


@@ -40,7 +40,7 @@ steps:
# Deploy via Helm using the exact SHA tag just pushed
deploy:
image: alpine/helm:3.17
image: alpine/helm:4.1
environment:
KUBECONFIG_DATA:
from_secret: kubeconfig
@@ -70,7 +70,8 @@ steps:
--set ai.apiKey="$AI_API_KEY" \
--set ai.agentSimple="$AI_AGENT_SIMPLE" \
--set turnstile.secretKey="$TURNSTILE_SECRET_KEY" \
--atomic \
--rollback-on-failure \
--wait=watcher \
--timeout 5m
when:
- event: push
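Review bot: The deploy step now pulls `alpine/helm:4.1` by a mutable tag, and this is the step that receives the kubeconfig secret and the API keys passed with `--set`, so whatever that tag resolves to at run time is handed cluster credentials. Pinning the image by digest, `image: alpine/helm:4.1@sha256:<digest-placeholder>`, keeps the Helm 4 upgrade reproducible and turns a retagged image into a visible change in review. Separately, the `--set key="$SECRET"` lines (unchanged context in the second hunk) put the secret values into the helm process arguments; a values file written from the environment and passed with `-f` would avoid that. The `deploy` step starts and ends outside these hunks.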


@@ -55,6 +55,15 @@ spec:
name: {{ include "marktvogt-backend.fullname" . }}-ci-secrets
{{- end }}
env:
# Go runtime tuning — match cgroup limits, not node CPU/memory
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
# DB credentials from CNPG-managed secret
- name: DB_HOST
valueFrom:
@@ -81,18 +90,23 @@ spec:
secretKeyRef:
name: {{ include "marktvogt-backend.pgAppSecret" . }}
key: dbname
startupProbe:
httpGet:
path: /healthz
port: http
failureThreshold: 30
periodSeconds: 2
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 5
readinessProbe:
httpGet:
path: /readyz
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 3
resources:
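Review bot: `GOMEMLIMIT` is set to exactly `limits.memory` in the first hunk of this file, which leaves no headroom below the cgroup hard limit: the Go soft limit only covers memory the runtime manages, so anything else in the container can trigger an OOM kill before the GC tightens. `resourceFieldRef` cannot scale the value, so consider rendering it from a chart value at roughly 90% of the limit, e.g. `value: {{ .Values.goMemLimit | quote }}` (placeholder key), in place of the `valueFrom` block. When a limit is unset, `resourceFieldRef` falls back to node allocatable, which is the opposite of what the comment promises; whether limits are always set cannot be seen here because the `resources:` block continues past the hunk. If the entries stay as they are, a comment such as `# requires resources.limits.cpu/memory; unset limits fall back to node allocatable` would document the dependency.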