Deployment & operations¶
siphon-http is a siphon addon — the runnable artifact is a siphon binary
built with the http feature (composed by a siphon binary that registers the
namespace and task hooks). You deploy that binary with three inputs mounted
at runtime:
siphon.yaml— the binary's main config, with anextensions.httpentry.http.yaml— this addon's config (servers+clients) — see Configuration.script.py— your@http.routehandlers — see Script API.
Reference templates for all of the below live under
deploy/ in
the repo.
Docker¶
A multi-stage build produces the HTTP-enabled siphon binary and ships it with the config + script mounted at runtime:
docker build -f deploy/Dockerfile -t siphon-http .
docker run \
-v $PWD/siphon.yaml:/etc/siphon/siphon.yaml \
-v $PWD/http.yaml:/etc/siphon/http.yaml \
-v $PWD/script.py:/etc/siphon/script.py \
-p 8443:8443 siphon-http
The image's entrypoint runs siphon -c /etc/siphon/siphon.yaml; it exposes the
HTTPS and localhost ports the example config listens on.
Docker Compose¶
For a local bring-up, mount your siphon.yaml, http.yaml, script, and TLS
material:
# docker-compose.yml
services:
siphon-http:
build:
context: ..
dockerfile: deploy/Dockerfile
image: siphon-http:local
ports:
- "8443:8443"
- "127.0.0.1:9090:9090"
volumes:
- ./siphon.yaml:/etc/siphon/siphon.yaml:ro
- ./http.example.yaml:/etc/siphon/http.yaml:ro
- ./script.py:/etc/siphon/script.py:ro
- ./tls:/etc/siphon/tls:ro
restart: unless-stopped
Kubernetes¶
The deploy/k8s/
manifests give a horizontally-scaled deployment:
| Manifest | What it does |
|---|---|
configmap.yaml |
siphon.yaml + http.yaml. |
deployment.yaml |
2 replicas, TCP readiness/liveness probes, resource requests/limits, config + script + TLS mounts. |
service.yaml |
ClusterIP on 443 → container 8443. |
hpa.yaml |
CPU-target autoscale, 2 → 10 replicas. |
pdb.yaml |
Keep ≥ 1 pod during voluntary disruptions. |
Bring it up:
# Build + push your `siphon --features http` image, then:
kubectl create configmap siphon-http-script --from-file=script.py=./your_routes.py
kubectl create secret tls siphon-http-tls --cert=server.crt --key=server.key
kubectl apply -f configmap.yaml -f deployment.yaml -f service.yaml -f hpa.yaml -f pdb.yaml
The routing script is supplied as its own ConfigMap (siphon-http-script) so
it can be updated independently of the addon config, and TLS material comes from
a kubernetes.io/tls Secret.
Readiness & liveness¶
The deployment uses TCP probes against the HTTPS container port — the socket
being open means the listener is accepting. @http.on_startup runs to completion
before any listener accepts, so a pod is not "ready" until startup work is done.
Scaling notes¶
Aggregate throughput per pod is bounded by the per-request Python handler under the CPython GIL — see Performance & scaling. Two levers:
- Scale out — add replicas (the HPA does this on CPU). The Rust request path is not the limit, so more pods means more aggregate throughput.
- Scale up within a pod — build siphon against free-threaded CPython, so handlers run on every core inside one process.
Building the binary¶
siphon-http rides inside a siphon binary; the http feature must be wired into
that binary's build. Build the HTTP-enabled binary with the feature enabled:
Then run it against your config: