diff --git a/README.md b/README.md index 94e9a0f2c..6a16af74e 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ __All__ - [Getting started (dockerized)](doc/getting-started.md) - [Setup](doc/setup.md) - [About databases](doc/databases.md) +- [Deployment](doc/deployment.md) __API__ - [API configuration](apps/api-server/doc/config.md) diff --git a/doc/deployment.md b/doc/deployment.md new file mode 100644 index 000000000..b7240145e --- /dev/null +++ b/doc/deployment.md @@ -0,0 +1,65 @@ +## Deployment + +We use the [included](charts/openstad-headless) [Helm](https://helm.sh/) chart to deploy to our own test cluster. The +deployment is described via the scripts located in the `operations/deployments/openstad-headless` directory. For each +environment we created a single deploy script. For example to the deploy to acc you would run the +`./operations/deployments/openstad-headless/deploy-acc.sh` script. This automatically decrypts the secret values +located in the repository using SOPS. + +### Requirements + +- [SOPS](https://github.com/getsops/sops) is installed +- [Helm](https://helm.sh/) is installed +- You have access to the `headless.agekey` private key +- You have access to and configured the context used in the deployment script. + +### Adding secrets + +> **NOTE**: Export the location of the agekey file in a variable called `SOPS_AGE_KEY_FILE` + +Adding new secrets to the Helm deployment can be done by using the utilities scripts [`decrypt.sh`]((operations/scripts/decrypt.sh)) and [`encrypt.sh`](operations/scripts/encrypt.sh). + +To decrypt all secrets ending with `.enc.yml` you can run the following command: +```sh +$ ./operations/scripts/decrypt.sh +``` + +To decrypt a single file you can run the following command: +```sh +$ ./operations/scripts/decrypt.sh /path/to/secret.enc.yml +``` +This places a decrypted `yml` next to the encrypted file. Make sure to not commit this unecrypted file to git. To avoid +this issue make sure to store secrets in a file called `secrets.yml`. + +To encrypt a yml file you can run the `encrypt.sh` script. This creates a `$filename.enc.yml` file next to the +unencrypted file. Make sure to decrypt the original file first to avoid overriding values. Call the encrypt script with the file to encrypt. +```sh +$ ./operations/scripts/encrypt.sh operations/deployments/openstad-headless/environments/acc/secrets/secrets.yml +``` + +### Using deployment scripts +Run the deployment script for the specific environment, for example acc: +```sh +$ ./operations/deployments/openstad-headless/deploy-acc.sh +``` + +### Customizing deployments +Every deployment has their own `yml` files with their own config. This can be customized per environment. In the root of +every deployment an environments folder is created with the following structure: + +``` +└── environments + └── acc # Environment name + ├── images.yml # Target images to deploy + ├── secrets + │   ├── secrets.enc.yml # Encrypted yml containing secret values for deployment + │   └── secrets.yml # Unencrypted yml containing secrets. Not in git + └── values.yml # Custom values for Helm deployment (plain text) +``` + +These files get called in custom deployment scripts like `deploy-acc.sh`. These scripts configure the correct kubernetes +context, configure deployment namespace, decrypts files, combines multiple value files and runs the helm command to +install or upgrade release. + +If you want to create a new environment you can copy the deployment script (`deploy-acc.sh`) and change the configuration +in the script itself. This allows other users to also deploy to that environment by simply running the script.