feat: Add Kubernetes deployment support (#14)

* feat: Add Kubernetes deployment support with persistent state

- Add production-ready K8s manifests for deployment
- Implement persistent volumes for state preservation
- Create ConfigMap for non-sensitive configuration
- Add secrets template for sensitive credentials
- Include comprehensive deployment documentation
- Update .gitignore to exclude k8s/secrets.yaml

Enables deployment to Kubernetes clusters while maintaining
circuit breaker state, last run tracking, and BigQuery cache
across pod restarts.

* chore: Add comprehensive Kubernetes patterns to .gitignore

- Add kubeconfig and .kube/ directory patterns
- Add Helm chart artifacts (*.tgz, Chart.lock)
- Add Kustomize build outputs
- Add temporary Kubernetes manifest patterns
- Future-proof for additional K8s tooling

Author: MoonBoi9001

.gitignore

@@ -11,6 +11,29 @@ credentials.json
 **/private/
 .secrets
 
+# Kubernetes secrets (never commit actual secrets!)
+k8s/secrets.yaml
+
+# Kubernetes configuration files
+*.kubeconfig
+kubeconfig
+.kube/
+
+# Helm charts
+**/charts/*.tgz
+**/requirements.lock
+**/Chart.lock
+
+# Kustomize builds
+k8s/build/
+kustomization-build.yaml
+
+# Temporary Kubernetes manifests
+*.tmp.yaml
+*.backup.yaml
+k8s/*.tmp
+k8s/*.bak
+
 # Ignore virtual environments
 venv/
 

k8s/README.md

@@ -0,0 +1,177 @@
+# Service Quality Oracle - Kubernetes Deployment
+
+This directory contains Kubernetes manifests for deploying the Service Quality Oracle with persistent state management.
+
+## Prerequisites
+
+- Kubernetes cluster (version 1.19+)
+- `kubectl` configured to access your cluster
+- Docker image published to `ghcr.io/graphprotocol/service-quality-oracle`
+- **Storage class configured** (see Storage Configuration below)
+
+## Quick Start
+
+### 1. Create Secrets (Required)
+
+```bash
+# Copy the example secrets file
+cp k8s/secrets.yaml.example k8s/secrets.yaml
+
+# Edit with your actual credentials
+# IMPORTANT: Never commit secrets.yaml to version control
+nano k8s/secrets.yaml
+```
+
+**Required secrets:**
+- **`google-credentials`**: Service account JSON for BigQuery access
+- **`blockchain-private-key`**: Private key for Arbitrum Sepolia transactions  
+- **`arbitrum-api-key`**: API key for Arbiscan contract verification
+- **`slack-webhook-url`**: Webhook URL for operational notifications
+
+### 2. Configure Storage (Required)
+
+```bash
+# Check available storage classes
+kubectl get storageclass
+
+# If you see a default storage class (marked with *), skip to step 3
+# Otherwise, edit persistent-volume-claim.yaml and uncomment the appropriate storageClassName
+```
+
+**Common storage classes by platform:**
+- **AWS EKS**: `gp2`, `gp3`, `ebs-csi`
+- **Google GKE**: `standard`, `ssd`  
+- **Azure AKS**: `managed-premium`, `managed`
+- **Local/Development**: `hostpath`, `local-path`
+
+### 3. Deploy to Kubernetes
+
+```bash
+# Apply all manifests
+kubectl apply -f k8s/
+
+# Verify deployment
+kubectl get pods -l app=service-quality-oracle
+kubectl get pvc -l app=service-quality-oracle
+```
+
+### 4. Monitor Deployment
+
+```bash
+# Check pod status
+kubectl describe pod -l app=service-quality-oracle
+
+# View logs
+kubectl logs -l app=service-quality-oracle -f
+
+# Check persistent volumes
+kubectl get pv
+```
+
+## Architecture
+
+### Persistent Storage
+
+The service uses **two persistent volumes** to maintain state across pod restarts:
+
+- **`service-quality-oracle-data` (5GB)**: Circuit breaker state, last run tracking, BigQuery cache, CSV outputs
+- **`service-quality-oracle-logs` (2GB)**: Application logs
+
+**Mount points:**
+- `/app/data` → Critical state files (circuit breaker, cache, outputs)
+- `/app/logs` → Application logs
+
+### Configuration Management
+
+**Non-sensitive configuration** → `ConfigMap` (`configmap.yaml`)
+**Sensitive credentials** → `Secret` (`secrets.yaml`)
+
+This separation provides:
+- ✅ Easy configuration updates without rebuilding images
+- ✅ Secure credential management with base64 encoding
+- ✅ Clear separation of concerns
+
+### Resource Allocation
+
+**Requests (guaranteed):**
+- CPU: 250m (0.25 cores)
+- Memory: 512M
+
+**Limits (maximum):**
+- CPU: 1000m (1.0 core)  
+- Memory: 1G
+
+## State Persistence Benefits
+
+With persistent volumes, the service maintains:
+
+1. **Circuit breaker state** → Prevents infinite restart loops
+2. **Last run tracking** → Enables proper catch-up logic
+3. **BigQuery cache** → Dramatic performance improvement (30s vs 5min restarts)
+4. **CSV audit artifacts** → Regulatory compliance and debugging
+
+## Health Checks
+
+The deployment uses **file-based health checks** (same as docker-compose):
+
+**Liveness probe:** Checks `/app/healthcheck` file modification time  
+**Readiness probe:** Verifies `/app/healthcheck` file exists
+
+## Troubleshooting
+
+### Pod Won't Start
+
+```bash
+# Check events
+kubectl describe pod -l app=service-quality-oracle
+
+# Common issues:
+# - Missing secrets
+# - PVC provisioning failures
+# - Image pull errors
+```
+
+### Check Persistent Storage
+
+```bash
+# Verify PVCs are bound
+kubectl get pvc
+
+# Check if volumes are mounted correctly
+kubectl exec -it deployment/service-quality-oracle -- ls -la /app/data
+```
+
+### Debug Configuration
+
+```bash
+# Check environment variables
+kubectl exec -it deployment/service-quality-oracle -- env | grep -E "(BIGQUERY|BLOCKCHAIN)"
+
+# Verify secrets are mounted
+kubectl exec -it deployment/service-quality-oracle -- ls -la /etc/secrets
+```
+
+## Security Best Practices
+
+✅ **Secrets never committed** to version control  
+✅ **Service account** with minimal BigQuery permissions  
+✅ **Private key** stored in Kubernetes secrets (base64 encoded)  
+✅ **Resource limits** prevent resource exhaustion  
+✅ **Read-only filesystem** where possible  
+
+## Production Considerations
+
+- **Backup strategy** for persistent volumes
+- **Monitoring** and alerting setup
+- **Log aggregation** (ELK stack, etc.)
+- **Network policies** for additional security
+- **Pod disruption budgets** for maintenance
+- **Horizontal Pod Autoscaler** (if needed for scaling)
+
+## Next Steps
+
+1. **Test deployment** in staging environment
+2. **Verify state persistence** across pod restarts  
+3. **Set up monitoring** and alerting
+4. **Configure backup** for persistent volumes
+5. **Enable quality checking** after successful validation

k8s/configmap.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: service-quality-oracle-config
+  labels:
+    app: service-quality-oracle
+data:
+  # BigQuery Configuration
+  BIGQUERY_LOCATION_ID: "US"
+  BIGQUERY_PROJECT_ID: "graph-mainnet"
+  BIGQUERY_DATASET_ID: "internal_metrics"
+  BIGQUERY_TABLE_ID: "metrics_indexer_attempts"
+  BIGQUERY_CURATION_TABLE_ID: "metrics_curator_signals"
+  BIGQUERY_CURATOR_MAINNET_TABLE_ID: "curator_name_signal_dimensions_daily"
+  BIGQUERY_CURATOR_ARBITRUM_TABLE_ID: "curator_name_signal_dimensions_arbitrum_daily"
+  BIGQUERY_SUBGRAPH_LOOKUP_TABLE_ID: "subgraph_version_id_lookup"
+  BIGQUERY_ANALYSIS_PERIOD_DAYS: "28"
+
+  # Blockchain Configuration (Arbitrum Sepolia)
+  BLOCKCHAIN_CONTRACT_ADDRESS: "0x6d5550698F930210c3f50efe744bF51C55D791f6"
+  BLOCKCHAIN_FUNCTION_NAME: "allowIndexers"
+  BLOCKCHAIN_CHAIN_ID: "421614"
+  BLOCK_EXPLORER_URL: "https://sepolia.arbiscan.io"
+  TX_TIMEOUT_SECONDS: "30"
+
+  # RPC Provider URLs (Arbitrum Sepolia)
+  BLOCKCHAIN_RPC_URL_1: "https://arbitrum-sepolia.drpc.org"
+  BLOCKCHAIN_RPC_URL_2: "https://sepolia-rollup.arbitrum.io/rpc"
+  BLOCKCHAIN_RPC_URL_3: "https://api.zan.top/arb-sepolia"
+  BLOCKCHAIN_RPC_URL_4: "https://arbitrum-sepolia.gateway.tenderly.co"
+
+  # Scheduling Configuration
+  SCHEDULED_RUN_TIME: "10:00"
+
+  # Subgraph URLs
+  SUBGRAPH_URL_PRE_PRODUCTION: "https://api.studio.thegraph.com/query/110664/issuance-eligibility-oracle/v0.1.4"
+  SUBGRAPH_URL_PRODUCTION: "https://gateway.thegraph.com/api/subgraphs/id/"
+
+  # Processing Configuration
+  BATCH_SIZE: "125"
+  MAX_AGE_BEFORE_DELETION: "120"
+
+  # Caching Configuration
+  CACHE_MAX_AGE_MINUTES: "30"
+  FORCE_BIGQUERY_REFRESH: "false"
+
+  # Eligibility Criteria
+  MIN_ONLINE_DAYS: "5"
+  MIN_SUBGRAPHS: "10"
+  MAX_LATENCY_MS: "5000"
+  MAX_BLOCKS_BEHIND: "50000"
+  MIN_CURATION_SIGNAL: "500"
+
+  # Runtime Configuration
+  RUN_ON_STARTUP: "true"

k8s/deployment.yaml

@@ -0,0 +1,99 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: service-quality-oracle
+  labels:
+    app: service-quality-oracle
+spec:
+  replicas: 1  # Single instance due to state management
+  selector:
+    matchLabels:
+      app: service-quality-oracle
+  template:
+    metadata:
+      labels:
+        app: service-quality-oracle
+    spec:
+      containers:
+      - name: service-quality-oracle
+        image: ghcr.io/graphprotocol/service-quality-oracle:latest
+        envFrom:
+        # Load all non-sensitive configuration from ConfigMap
+        - configMapRef:
+            name: service-quality-oracle-config
+        env:
+        # Secrets from Kubernetes Secret
+        - name: GOOGLE_APPLICATION_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: google-credentials
+        - name: BLOCKCHAIN_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: blockchain-private-key
+        - name: ETHERSCAN_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: etherscan-api-key
+        - name: ARBITRUM_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: arbitrum-api-key
+        - name: STUDIO_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: studio-api-key
+        - name: STUDIO_DEPLOY_KEY
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: studio-deploy-key
+        - name: SLACK_WEBHOOK_URL
+          valueFrom:
+            secretKeyRef:
+              name: service-quality-oracle-secrets
+              key: slack-webhook-url
+        volumeMounts:
+        - name: data-volume
+          mountPath: /app/data
+        - name: logs-volume
+          mountPath: /app/logs
+        resources:
+          requests:
+            memory: "512M"  # Match docker-compose reservations
+            cpu: "250m"
+          limits:
+            memory: "1G"    # Match docker-compose limits  
+            cpu: "1000m"    # Match docker-compose '1.0' cpus
+        # Use file-based healthcheck like docker-compose (not HTTP)
+        livenessProbe:
+          exec:
+            command:
+            - python
+            - -c
+            - "import os, time; assert os.path.exists('/app/healthcheck') and time.time() - os.path.getmtime('/app/healthcheck') < 300, 'Healthcheck failed'"
+          initialDelaySeconds: 60  # Match docker-compose start_period
+          periodSeconds: 120       # Match docker-compose interval (5m -> 300s, but use 2m for faster detection)
+          timeoutSeconds: 30       # Match docker-compose timeout
+          failureThreshold: 3      # Match docker-compose retries
+        readinessProbe:
+          exec:
+            command:
+            - python  
+            - -c
+            - "import os; assert os.path.exists('/app/healthcheck'), 'Healthcheck file missing'"
+          initialDelaySeconds: 10
+          periodSeconds: 30
+      volumes:
+      - name: data-volume
+        persistentVolumeClaim:
+          claimName: service-quality-oracle-data
+      - name: logs-volume
+        persistentVolumeClaim:
+          claimName: service-quality-oracle-logs
+      restartPolicy: Always