EclipseFdn · manpreetkaur-arch · Jan 21, 2026 · Jan 23, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
-ARG SERVER_VERSION=v0.34.2
-ARG SERVER_VERSION_STRING=v0.34.2
+ARG SERVER_VERSION=v0.34.5
+ARG SERVER_VERSION_STRING=v0.34.5
 
 # Builder image to compile the website
 FROM ubuntu:24.04 AS builder

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -20,6 +20,19 @@ pipeline {
             - mountPath: "/home/default/.kube"
               name: "dot-kube"
               readOnly: false
+          - name: eks
+            image: eclipsefdn/aws:alpine-latest
+            command:
+            - cat
+            tty: true
+            resources:
+              limits:
+                cpu: 1
+                memory: 1Gi
+            volumeMounts:
+            - mountPath: "/home/default/.kube"
+              name: "dot-kube"
+              readOnly: false
           - name: jnlp
             resources:
               limits:
@@ -79,6 +92,24 @@ pipeline {
       }
     }
 
+    stage('Deploy to EKS staging environment') {
+      when {
+        anyOf {
+        expression { return env.BRANCH_NAME.startsWith('feature') }
+        branch 'eks-main'
+      }
+      }
+      steps {
+        container('eks') {
+          withKubeConfig([credentialsId: 'ci-bot-eks-staging-token', serverUrl: 'https://5CF0970816FA7A7C340E6BEF8575A8D4.gr7.eu-central-1.eks.amazonaws.com']) {
+            sh '''
+              ./kubernetes/helm-deploy.sh aws-staging "${IMAGE_TAG}"
+            '''
+          }
+        }
+      }
+    }
+
     stage('Deploy test') {
       when {
         branch 'test'

diff --git a/charts/openvsx/Chart.lock b/charts/openvsx/Chart.lock
@@ -2,5 +2,11 @@ dependencies:
 - name: alloy
   repository: https://grafana.github.io/helm-charts
   version: 1.1.2
-digest: sha256:66403884b7f293e86e2a61d0d822fd0878a6b4a64e5e88f181b93022bc4f9bcd
-generated: "2025-08-20T12:51:18.346537659+03:00"
+- name: postgresql-ha
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.3.2
+- name: aws-load-balancer-controller
+  repository: https://aws.github.io/eks-charts
+  version: 1.14.0
+digest: sha256:e2c6dcf71280bba07adec1bf48d16ede03c8e30b5075a1899e460a6c393eaf16
+generated: "2026-03-21T12:01:49.110601-04:00"
diff --git a/charts/openvsx/Chart.yaml b/charts/openvsx/Chart.yaml
@@ -8,3 +8,11 @@ dependencies:
   - name: alloy
     version: 1.1.2
     repository: https://grafana.github.io/helm-charts
+  - name: postgresql-ha
+    version: 16.3.2
+    repository: https://charts.bitnami.com/bitnami
+    condition: eks.enabled
+  - name: aws-load-balancer-controller
+    version: 1.14.0
+    repository: https://aws.github.io/eks-charts
+    condition: eks.enabled
diff --git a/charts/openvsx/crds/service-monitor.yaml b/charts/openvsx/crds/service-monitor.yaml
diff --git a/...vsx/templates/clamav-rest/deployment.yaml → ...sx/templates/clamav-rest/statefulset.yaml b/...vsx/templates/clamav-rest/deployment.yaml → ...sx/templates/clamav-rest/statefulset.yaml
@@ -1,29 +1,29 @@
 {{- if .Values.clamav.enabled }}
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ .Values.clamav.name }}-{{ .Values.environment }}
   namespace: {{ .Values.namespace }}
   labels:
     app: {{ .Values.name }}
     environment: {{ .Values.environment }}
 spec:
+  serviceName: {{ .Values.clamav.name }}-{{ .Values.environment }}
   revisionHistoryLimit: 1
   replicas: {{ .Values.clamav.replicas }}
   selector:
     matchLabels:
       app: {{ .Values.name }}
       environment: {{ .Values.environment }}
       component: {{ .Values.clamav.name }}-{{ .Values.environment }}
-  strategy:
-    type: Recreate
   template:
     metadata:
       labels:
         app: {{ .Values.name }}
         environment: {{ .Values.environment }}
         component: {{ .Values.clamav.name }}-{{ .Values.environment }}
     spec:
+      terminationGracePeriodSeconds: 10
       containers:
         - name: {{ .Values.clamav.name }}-{{ .Values.environment }}
           image: "{{ .Values.clamav.image.repository }}:{{ .Values.clamav.image.tag }}"
@@ -70,9 +70,15 @@ spec:
       volumes:
       - name: run-dir
         emptyDir: {}
-      - name: clamav-db
-        persistentVolumeClaim:
-          claimName: clamav-db
       - name: tmp-scans
         emptyDir: {}
+  volumeClaimTemplates:
+  - metadata:
+      name: clamav-db
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: {{ .Values.clamav.persistence.storageClass | quote }}
+      resources:
+        requests:
+          storage: {{ .Values.clamav.persistence.size | default "5Gi" }}
 {{- end }}
diff --git a/charts/openvsx/templates/deployment.yaml b/charts/openvsx/templates/deployment.yaml
@@ -9,7 +9,9 @@ metadata:
 spec:
   progressDeadlineSeconds: 3600
   revisionHistoryLimit: 1
+  {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       app: {{ .Values.name }}

diff --git a/charts/openvsx/templates/grafana-alloy.yaml b/charts/openvsx/templates/grafana-alloy.yaml
@@ -57,6 +57,10 @@ data:
 
     {{- end }}
     prometheus.remote_write "default" {
+      external_labels = {
+        cluster = sys.env("CLUSTER_NAME"),
+        __replica__ = sys.env("POD_NAME"),
+      }
       endpoint {
         name = "hosted-prometheus"
         url = sys.env("PROMETHEUS_URL")

diff --git a/charts/openvsx/templates/hpa-postgresql.yaml b/charts/openvsx/templates/hpa-postgresql.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: postgresql-{{ .Values.environment }}-hpa
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: postgresql-ha
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    # Matches your 'staging-postgresql-ha-postgresql' naming logic
+    name: {{ .Values.environment }}-postgresql-ha-postgresql
+  minReplicas: 3
+  maxReplicas: 9
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 60
+{{- end }}
diff --git a/charts/openvsx/templates/ingress.yaml b/charts/openvsx/templates/ingress.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.eks.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    app: {{ .Values.name }}
+    environment: {{ .Values.environment }}
+  name: {{ .Values.name }}-{{ .Values.environment }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60
+    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.certArn }}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
+    alb.ingress.kubernetes.io/actions.forward-cors: >
+      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"204"}}
+    alb.ingress.kubernetes.io/conditions.forward-cors: >
+      [{"field":"http-request-method","httpRequestMethodConfig":{"values":["OPTIONS"]}}]
+    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60,client_keep_alive.seconds=60
+spec:
+ ingressClassName: alb
+ rules:
+  - host: {{ .Values.host }}
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: forward-cors
+            port:
+              name: use-annotation
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+           name: {{ .Values.name }}-{{ .Values.environment }}
+           port:
+            number: {{ .Values.service.port }}
+{{- end }}
diff --git a/charts/openvsx/templates/keda-openvsx-app.yaml b/charts/openvsx/templates/keda-openvsx-app.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: {{ .Values.name }}-{{ .Values.environment }}-keda
+  namespace: {{ .Values.namespace }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ .Values.name }}-{{ .Values.environment }}
+  minReplicaCount: {{ .Values.autoscaling.minReplicas }}
+  maxReplicaCount: {{ .Values.autoscaling.maxReplicas }}
+  pollingInterval: {{ .Values.autoscaling.pollingInterval }}        # query every 30s, not 15s — reduces noise
+  cooldownPeriod: {{ .Values.autoscaling.cooldownPeriod }}          # wait 10 mins before scaling down — let I/O settle
+  advanced:
+    horizontalPodAutoscalerConfig:
+      behavior:
+        scaleUp:
+          stabilizationWindowSeconds: {{ .Values.autoscaling.scaleUp.stabilizationWindowSeconds }}    # sustained pressure for 3 mins before scaling up
+          policies:
+            - type: Pods
+              value: {{ .Values.autoscaling.scaleUp.pods }}                   # add max 2 pods at a time
+              periodSeconds: {{ .Values.autoscaling.scaleUp.periodSeconds }}  # add max 2 pods every 2 mins — gradual
+        scaleDown:
+          stabilizationWindowSeconds: {{ .Values.autoscaling.scaleDown.stabilizationWindowSeconds }}    # hold for 10 mins before scaling down
+          policies:
+            - type: Pods
+              value: {{ .Values.autoscaling.scaleDown.pods }}
+              periodSeconds: {{ .Values.autoscaling.scaleDown.periodSeconds }}             # remove only 1 pod every 3 mins — conservative
+  triggers:
+    - type: prometheus
+      authenticationRef:
+        name: keda-prometheus-trigger-auth
+      metadata:
+        serverAddress: {{ .Values.autoscaling.prometheusUrl }}   # ← add this line
+        authModes: "basic"
+        metricName: jetty_queue_utilization_sustained
+        query: |
+          avg(
+            avg_over_time(
+              (
+                executor_queued_tasks{environment="{{ .Values.environment }}"}
+                /
+                (executor_queued_tasks{environment="{{ .Values.environment }}"} + executor_queue_remaining_tasks{environment="{{ .Values.environment }}"})
+                * 100
+              )[5m:15s]
+            )
+          )
+        threshold: "70"
+{{- end }}
diff --git a/charts/openvsx/templates/kube-state-metrics-monitor.yaml b/charts/openvsx/templates/kube-state-metrics-monitor.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.eks.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: kube-state-metrics-monitor
+  namespace: open-vsx-org-staging
+  labels:
+    app: open-vsx-org
+    environment: staging
+spec:
+  namespaceSelector:
+    matchNames:
+      - kube-state-metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  endpoints:
+    - path: /metrics
+      interval: 60s
+      targetPort: 8080
+{{- end }}
diff --git a/charts/openvsx/templates/node-exporter-service-monitor.yaml b/charts/openvsx/templates/node-exporter-service-monitor.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.eks.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: node-exporter-monitor
+  namespace: open-vsx-org-staging
+  labels:
+    app: open-vsx-org
+    environment: staging
+spec:
+  namespaceSelector:
+    matchNames:
+      - prometheus-node-exporter
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-node-exporter
+  endpoints:
+    - path: /metrics
+      interval: 60s
+      targetPort: 9100
+{{- end }}
diff --git a/charts/openvsx/templates/route.yaml b/charts/openvsx/templates/route.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.eks.enabled }}
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
@@ -47,3 +48,4 @@ spec:
     name: {{ .Values.name }}-{{ .Values.environment }}
     weight: 100
 {{- end }}
+{{- end }}
diff --git a/charts/openvsx/templates/trigger-auth.yaml b/charts/openvsx/templates/trigger-auth.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+  name: keda-prometheus-trigger-auth
+  namespace: {{ .Values.namespace }}
+spec:
+  secretTargetRef:
+    - parameter: username
+      name: grafana-cloud-secret-{{ .Values.environment }}
+      key: PROMETHEUS_USERNAME
+    - parameter: password
+      name: grafana-cloud-secret-{{ .Values.environment }}
+      key: PROMETHEUS_PASSWORD
+{{- end }}
diff --git a/charts/openvsx/templates/yara-rest/deployment.yaml b/charts/openvsx/templates/yara-rest/deployment.yaml
@@ -24,10 +24,18 @@ spec:
         environment: {{ .Values.environment }}
         component: {{ .Values.yara.name }}-{{ .Values.environment }}
     spec:
+      terminationGracePeriodSeconds: 10
       containers:
         - name: {{ .Values.yara.name }}-{{ .Values.environment }}
           image: "{{ .Values.yara.image.repository }}:{{ .Values.yara.image.tag }}"
           imagePullPolicy: {{ .Values.yara.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
           ports:
             - name: http
               containerPort: {{ .Values.yara.service.port }}
@@ -71,11 +79,4 @@ spec:
           claimName: yara-rules
       - name: tmp-scans
         emptyDir: {}
-      securityContext:
-        allowPrivilegeEscalation: false
-        readOnlyRootFilesystem: true
-        runAsNonRoot: true
-        capabilities:
-          drop:
-            - ALL
 {{- end }}