Kubernetes Deployment

Helm Chart

Install Expunct using the official Helm chart:


helm repo add pii-redactor https://uni-qingzhuo-zhen.github.io/pii-redactor/charts
helm install pii-redactor pii-redactor/pii-redactor \
  --set config.databaseUrl=postgresql+asyncpg://... \
  --set config.apiKeySecret=your-secret \
  --set config.encryptionKey=your-key

Key Helm Values

Value	Description	Default
`replicaCount`	Number of API replicas	`2`
`config.databaseUrl`	PostgreSQL connection string	—
`config.apiKeySecret`	Secret for API key hashing	—
`config.encryptionKey`	Fernet key for credential encryption	—
`resources.requests.memory`	Memory request	`512Mi`
`resources.limits.memory`	Memory limit	`2Gi`
`autoscaling.enabled`	Enable HPA	`false`
`autoscaling.minReplicas`	Min replicas	`2`
`autoscaling.maxReplicas`	Max replicas	`10`

Architecture

A production Kubernetes deployment consists of:

API pods — FastAPI + Uvicorn serving the REST API. Stateless and horizontally scalable.
Worker pods — Background job processing for async file/batch redaction. Scale independently from API pods.
PostgreSQL — Managed database (e.g., Cloud SQL, RDS) or in-cluster StatefulSet.
Persistent volume — Temporary file storage for uploads and processing intermediates.

Example Values File


replicaCount: 3
 
config:
  databaseUrl: postgresql+asyncpg://pii:secret@postgres:5432/pii_redactor
  apiKeySecret: your-secret-key
  encryptionKey: your-fernet-key
  logFormat: json
  logLevel: info
 
resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: "2"
    memory: 4Gi
 
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
 
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: pii-redactor.internal.example.com
      paths:
        - path: /
          pathType: Prefix

Secrets Management

Store sensitive values in Kubernetes Secrets rather than Helm values:


kubectl create secret generic pii-redactor-secrets \
  --from-literal=database-url='postgresql+asyncpg://...' \
  --from-literal=api-key-secret='your-secret' \
  --from-literal=encryption-key='your-fernet-key'

Then reference them in your values file:


config:
  existingSecret: pii-redactor-secrets

Health Checks

The Helm chart configures liveness and readiness probes against the /health endpoint by default. Customize probe settings in your values file if needed.