Add local runner deployment and improve LoadBalancer infrastructure

k8s/omegaup/overlays/production/backend/deployment.yaml

@@ -6,8 +6,13 @@ metadata:
   labels:
     app.kubernetes.io/name: grader-runner
     app.kubernetes.io/part-of: backend
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
 spec:
   type: LoadBalancer
+  loadBalancerSourceRanges:
+  - 0.0.0.0/0
   selector:
     app.kubernetes.io/name: grader
   ports:

k8s/omegaup/overlays/production/backend/grader-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grader-ingress
+  namespace: omegaup
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+spec:
+  rules:
+  - host: grader.omegaup.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: grader-service
+            port:
+              number: 11302
+  tls:
+  - hosts:
+    - grader.omegaup.com
+    secretName: grader-ingress-cert

k8s/omegaup/overlays/production/backend/kustomization.yaml

@@ -7,6 +7,8 @@ resources:
 - ../../../base/backend
 - deployment.yaml
 - grader-metrics.yaml
+- runner-deployment.yaml
+- grader-ingress.yaml
 
 patches:
 - patch: |
@@ -79,6 +81,7 @@ generators:
 - grader-metrics-secret-generator.yaml
 - broadcaster-secret-generator.yaml
 - gitserver-secret-generator.yaml
+- runner-secret-generator.yaml
 
 images:
 - name: omegaup/backend

k8s/omegaup/overlays/production/backend/runner-deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1  
+kind: Deployment  
+metadata:  
+  name: runner-deployment  
+  labels:  
+    app.kubernetes.io/name: runner  
+    app.kubernetes.io/part-of: backend  
+    env: production  
+spec:  
+  replicas: 0  # Disabled until IP header validation is fixed
+  revisionHistoryLimit: 1  
+  selector:  
+    matchLabels:  
+      app.kubernetes.io/name: runner  
+  strategy:  
+    type: RollingUpdate  
+  template:  
+    metadata:  
+      labels:  
+        app.kubernetes.io/name: runner  
+        app.kubernetes.io/version: "v1.9.67"  
+        app.kubernetes.io/part-of: backend  
+        env: production  
+      annotations:  
+        prometheus.io/port: '6060'  
+        prometheus.io/scrape: 'true'  
+    spec:  
+      containers:  
+      - name: runner  
+        image: omegaup/runner:v1.9.67  
+        command: ['/usr/bin/omegaup-runner']
+        args: ['-config', '/etc/omegaup/runner/config.json']  
+        ports:  
+        - name: prometheus  
+          containerPort: 6060  
+        resources:  
+          limits:  
+            cpu: 500m  
+            memory: 512Mi  
+          requests:  
+            cpu: 200m  
+            memory: 128Mi  
+        volumeMounts:  
+        - name: runner-secret  
+          mountPath: /etc/omegaup/runner  
+        - name: runner-secret  
+          mountPath: /etc/omegaup/grader
+        - name: omegaup-runner  
+          mountPath: /var/lib/omegaup  
+      volumes:  
+      - name: omegaup-runner  
+        emptyDir: {}  
+      - name: runner-secret  
+        secret:  
+          secretName: runner-secret

k8s/omegaup/overlays/production/backend/runner-secret-generator.yaml

@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: runner-secret-generator
+files:
+  - runner-secret.yaml

k8s/omegaup/overlays/production/backend/runner-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: runner-secret
+    annotations:
+        kustomize.config.k8s.io/needs-hash: "true"
+type: Opaque
+stringData:
+    certificate.pem: ENC[AES256_GCM,data:rMnQZ5K1ppvQEUqaeZr5RwujdJziK1hqLSTLR+mR4ucfxesm30d2ANGI+jBOo7cc/VM1n6iZ9MgHQa/GxZ4Rx9qOJopyoNFUf4XgqXnwfLk7O7uHmiEzMDbLtp34h0GTl6Li+ySunrFakNbzZe32raaN33Q0fbIKpect/tuw6y5dQidAwdpqIyRhvODRPF81n2SE1eL0rPRACATCBf8CNHLgovVsFwWXEpt4P/Wpddc9qn2UVZ6x4nEDytyL5Bf5mKjocJiJACbi9gtTcPXgfzVZ44aG//5gR5u2XdD69fA36oeKBzB+S71AiRyEaT2FR83h9SzqZHy2+cqaOWy4tzjHGmAjs4fJ2rj5qQ9n3Yf2MV2nN976QTDsrjVOzS5mHtutE+rUmFKSnKukjq37i3VXKERjQuNS5lwrycNDMYsy3/j+YXnfKHLp9ZNnSw7q7XvA6AQktwP30/xL1oVpUuHXI3Rty12p4pAiiZEizHpumbuXj51rtnzytrpAY0N8gEwudFfCKx+zry/hV0wRvLe5PGnoaar6l6VFyMPGzFOkj7JvaXXEa4ri6Aqd1zjckd3385TCtLDtfpQdC5r9g+XFSHd7LJgQR/6fNmGzhqFS+BsTepVgOTBbyP1wM9k9MoIUS5sEjk4rRr7iP6AoEF6QSajoOG29QSSd9rtu0phDKhxsEq+4fIiYt29qscy/BFBU8mBnZpzbRnXP0gtG6SAH7y9LGJHxhHFgA43P2GRaM74jLOxO+Kh//We86C7f4GVmg3f+zLHACoHyC0FPq5QX/KSXCS76tWq4WR4pFnOTM7Ks59X5e+qkTbZS8KTmctzK0KhfJeoZ5LmQQPTlZppOofcbZUC768zQK88XxSAIo/UC96ciCv8kfWQ1c0nNj1SIPzafv95IyU6bpTbY1b4q7rBIomUuOGCdzdPGG1cb0Ig7jgIjiMIIX4lKhlQCdi14Zy22+g1og56sMY2zAR7SvtsBYTexbL3Vh6W30ZIgDKmN8bXpTLWgQsm3cxCIJ0lnvCAfjbI4ajVEHC/kvD6tbrkEVkQselBljuI734X3Do0EQw35m6LGHFmjA93CZTI/FZ7mupafNou18bWMp1Twsvlk9vNk1VuKOiVcX6j51AZQinLVqNhZLe1uj+bwT+nFQo46VbpnhjopDxlLB/5Iuz5erFZmp88Ueyl8hfPLRghxV6WUY9xpKq2C8b+ioZ0VSEkeENy9Esod9OX2rTfQ/drQ2LrUN+qErd0BsZO006sFQ48HFzUEZadhPumBNAuJ4H130nnegcN1eJY1Ws4U94ebl0KpgFkh83pWc97Nue1/jGfbAc3+fRC/ZdUC5Cp3dlrWuMfoH1p4X0nmD3Ocp7WO5FfAoa8iq619ylotSR5KR3I5CIQeyMR61Gwr+LiozcfYUL4Cif7WN8wTwcRQllrV76gOX9eVGfOcHfsX+Nc3qJwSrWRD6UX2SNXKIdbMjFaSPHpne3CFQFghxGYLwPojJX73dhtsOwr7+uFkrCEI3dHGoLnDa+xCIzBvgezJdt0F69carrqH1UJUs9tCz4LlF5BAUIfBNBeIJ2BvY8Z4oeqhqfvT7Ig9dihoddLwVGNovmeFwkGSRD7yFBXkn1bi0lnnCjRcSUFXng2gVwokSVATCn4s+k2uE9SehlQzEqDEQiXP5ERk8ENBtHqUInM3CnS9aHz66ccE3pVuh8CNioQju0Ah8+EG5d62VC7f921Z45vN23FtRayW1UF8XZ3PY96EzhcWFZoZ2Bv2Wtvjga8B8gaWagPuAdJZPjLKyvQTRR0TkYTLNWCr3U/tAc5PMlcc8slVPoJ771uT9FYh82++tUjDnA/sgUEqUbblIKzo3iPcys5D+LtdnxTVeYagoMe13rCXqO5FdOy5Ltebl7rUVYXkdfTfIj4RD+m1nMeGk508tcDHh5nnlOf9S5INHBdmS2uwtrpLthH27nOQCJyDAM1g8kLzwE0TxU1w/psYzsk4N/LBcOiJRGnGRnFHtjqYV8zPIyTv74VNeYueuGI02HZCdRfBdpflOXifRyCyW+tDCu6tnuLIoh2kkOHyP5J9LPqMFMOaCyxc7bSOzxCWj5JB8Ovr9FD2fzaADggYtq/rr0h/Yxc8cc18zPY9Leqg8Yv/mJwy8CH9T5pxEpGpGzO2JcTI8wijnSaJSPKoc5VIl+7879zWGyaVsxORU2P+YWsgvDiouMLlxtEpNtYkXv7wZOVc1Ys4GpeH60RgXhquQf7Fcz8SOCjNqmKHLQWKNo1N1+W1uBp/NExp3g+QmqqbP0jaHzl7XqqipRTLGR/ykti1KuxrHcICHsieue3QFoN1Lqf0z69ouVqshGfdIVpWOws1ReswDJz4iAqnHqJ2aoBXLfEimKCyTTPVpz/qfm8KaygXKshbDobAt3pGP5RaVfapehcVst1Z3W0T5XlkCBn4NkFYC/YIQKRq5RiLPaxbV0QMCLtakDILvpfWDYQi2WWOH1vup/bccjLmIty/lZEqiETOa1gS/G4fqU29BpOPB7XQmVbnHacvHsvfdl9v37vrpR4E/zurYgBVvtHyoqZzcVJHiWKSFdDs7ncQvmwa/VvItXNwBD+lb6h/lwuubzOT0EzZbJuFXMwbH402RJqLIEzyC3P7LyEVy35NLuOFjCiyHciDFiijWlbkGeAGSL1hIr47640QJVMOsM/DMxoeWwy0GzgU9ygHTzxYEKsGxKE2NHcaAzX3V3uJRevpU1j3nbag3izPsE21/+iu9Dh0d55vXTw+d8u9cenWyniPfe9KsD2QlRT5bzIsZ26gM6+Aq2hsFbi4waXmV/tL7rxNt8+7HOxQUUHj8FoorQE3adzcowoVlQ6uQOjBn6sTretieXqhSQ6xmgazY0tQiuJxCQto1z4QTk2kbMs6k7q3nHMpHXxQ1B/cFCsH72Kj2zHd5QS1MJOSYNdATk1Xa704BRbmt6Ta9Z63iBYRgQGRcoUatBdtWd29aWqMTSSeHSgEMYnGfu2pTN8yGn4lU/s7HUa+MBwUojDDW9k1IiUQeyfalIUh9y8MhJwSTl7r5sfgn0NZZyY5lm6hbDWPEx8nNVUK6ZtjtNIX9J+EcJWAuX+ie1eYupQjlTz51B9r7Cm1LNCO3vFXVRsk/EgvlrJDYDKd4lYyTK6TPgyUTlLOU9XRPShyu39PAlLoZNQdiBo5l/SRxWxr2ZfCqvnCNkmca/N6cQ0b8rXT9WVBweZzeLWVsrWvWDe48JYhTwIowRTggs8zXC7seMSCSqMqLEq0gMEcn4eHlfIFBOdFPVcX4tCCG4V5CKZHv2gx/eD5BRpsYc6hmHnpONTZd3GACcdBZ/g1EqHCVtLLbiEdFkDJB7kYDhJ2X+brNCQzBNT5x/LjxKmyPxtgb5AHKDGukR9CWEh5SaW1ca9ObqW5lozjiax58ZyZDHib9Fd3Ho5Z3J25ckzoEzMJ4UR/h2rCCf/gjEU+OSS3Yw8ePtoeeW5Sp3qs7UB0KLBcVWCVAf4cQOdyWTGY6M+EORDVMgA66SMACRKC48ecwDs3WF4An6cw7BSIsCQZlx0ub6RK4g6q5LzDSi02/nLZJMiep0cQWenlffEs0gWyk2dZ8q5U0X6x9umAbhKgLLTPZiKARUCFgbbAPuQYw+NwefRPr3r59IoW0LLMtz6nd77esfmku5LvCMMiWSxmEyGaWKjfv+Dy31Znj4nF5uE+P4H/6c7txn3bKX7uMqUMFHEl2WVlf3HeaRNwmNaTDAZiSzJXJTGiRhxT3VZ+LmqpxOnyAxw3n2LYNPv/UOcCudUdTgw0AxM2l48cg1hCC4sqIxnq6MiTiROuuGeKb2FCkMnq6cklCOgKsTU7LtE2VTNTWfVWPlRQ1NKGD/cbCwzTPBdk0YgmX6vbcb1r2v9IFRAppTMDdhH8uby06ubeFeO7fAXpfun6482aeglBuuQ2/XtgkCWkGiAGpgsWSz+A4bvQ8Meyyn/m02Ln8Rcmy+GkD+vYxKwYRB8w5ls4jM5S4uiNbyu8LOFazcDCGmE7H1B7eTWq91kN8UvYcuJcnIdvUGIyATkyV9xx+MsPRiExbO+dpW/6h00QMT0KeYffM/mTbYGuGa75JUfaIXTaCvMkqp2HLYzz//cL8uiVHF5uDp/sAmx/QCrmva0YTL3I4MOnz7xk61Ifa6w+R4109QX+bxBEaDPjGazVJEtSXKK37s5l6IGpSfVYzlE=,iv:hCkjEufmMmZYI4NzOkiRX4Ma/AD4p3rLQSFPhW51kC0=,tag:J8POnCOmgjmujfSgcTtJxg==,type:str]
+    key.pem: ENC[AES256_GCM,data:s2aPn3I7TKsnURyRQjw28cdPOALLFv3sb7/tcLbItUtbKIzkc3LuydGtZ3zANO3zqp+Lt2LPGNAyNhLASwUFpNXNLP30f6rTskmES5Q3rVrfjgiDCZSbI2XA8zpS4mAbiXN8YML16xtQ68BjZ9edAaMUOEeKjFPoZ/FHVbu/9mZ5liHkDxOcw0VfCHyIb8ZR0GP4cdNqGSa/a3CoM3AKbmyjSKe28uzno/X+wi2q9FMKKRv4/8nnBwLIsEdxjnFB76iqFCStawZfXz/2vOfP75H+hUenZ0xLBK+9PDjLogQ2ew==,iv:+BmAOWvWPwFP7ARJ1CFuSp4NOP2zvjcU0iApX9EyR2A=,tag:ph9x/j5BjDdEny88VyEnYA==,type:str]
+    config.json: ENC[AES256_GCM,data:nIKtWKNNvYu5Z6tdW+uBFxVVYRUbX3usq3CE/ieyV7/7mSQ3TIDtiy/F+/9OX4yv/LLVN0UIaZZDkeVLihPcLlmkzAu9w/8j/CA3UR4orVvFvLWm35Nb4nCdvActMPFOOAK3cQv8D4pYBkul55VkkU+UrL2QSFRVnJpIJtKD7oT63WubJHqtCTJw6tRcwi2K5e8jZvXd/GP65L7TCYXV8rlSIBt//3ifeeIHp8PZSqeNBhmtvScdvwj0Of6ADZf1UdbZy2pGmHm4pnIAEMpjG7FlYNDhlZ9aGemjT/Pe/wUspRqtbMauVE6Lx+XbnoI+wGUjBrTY4LvYdzNK404W0rkohVILq5fBXhWibWrvR3QaXXH4vrDag8sU8YI9nTCweaDD/ilGwP+9POAx1+GQLK9HoBIj16+sJreTV7Ck4guAVU8FyUxVqG87NToYazAgD1gULfd2WlKIsm3S7fp5x1l4C0k9/DDvkRy2NrfXBX2ygPPLrJMZNfjcoXmrD0L+KqtxXWjQm8wS8Oo=,iv:7ihOT0O+HXhsu8fYeaP014+rWe0m9tHFRoy8TH82CDE=,tag:qaSs2RRl1fbFIFj7dlaFCQ==,type:str]
+sops:
+    kms:
+        - arn: arn:aws:kms:us-east-1:273107833591:key/mrk-b51dea56f02f4964835066e80ee531b0
+          created_at: "2025-10-15T16:04:46Z"
+          enc: AQICAHik82tDrWUjAnFKor0DW0Qtxt+MUW7jXDsQO0uycf6klQH88FmGgC8elI6RXFxWwKKyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMOOjcS+7Ji/XF/BqIAgEQgDtEHkWc7W62OlG+Xl1FhrU/4rvrODoEWLIHgCgrTFW5ss0fEjmOmMRC93GN+RA9KCNq+2OAUv5GcxVVwg==
+          aws_profile: ""
+    lastmodified: "2025-10-15T17:30:45Z"
+    mac: ENC[AES256_GCM,data:tRNxK/MU6BujyZRsgUuUqGUOgV/3zz7qj3UyLgD7vwPDyOGo6uHFRZti5M2LDA5E3fcs0ZNfsZaJT4KTP4g+bgMsldi83n8goQv3CkVf4BnY1uR+YoOpyRCQ5BEc2dfnds1E63+0fNwgM2R45umTklbjmaEzXKMK7YR6Y30xVGM=,iv:xiPxZqjMgPoH34Wk+vLE4XGHPbxoS9PP5lfeYAD6x8M=,tag:9ptCf/wAXldc0FGGrNBJOg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2