27 lines
1.7 KiB
Markdown
27 lines
1.7 KiB
Markdown
Deploying to k3s (Hetzner)
|
|
==========================
|
|
|
|
Prereqs
|
|
- `kubectl` installed locally.
|
|
- Access to the cluster kubeconfig.
|
|
- Secrets loaded (dotenv via `scripts/load-secrets.sh`).
|
|
|
|
Kubeconfig
|
|
- By default `deploy/deploy.sh` will use `$KUBECONFIG`. If that is unset and `creds/kubeconfig.yaml` exists, it will export `KUBECONFIG=$PWD/creds/kubeconfig.yaml`.
|
|
- Recommended flow for new devs:
|
|
1) Obtain the kubeconfig from the cluster admin.
|
|
2) Save it as `creds/kubeconfig.yaml` (ignored by git), or set `KUBECONFIG` to your own path. The repo also includes `creds/kubeconfig.enc.yaml` (sops/age-encrypted) and a plaintext copy can be produced with the age key.
|
|
3) Verify access: `kubectl get ns` (you should see `lomavuokraus-test/staging/prod`).
|
|
- If you want to keep the kubeconfig in-repo but encrypted, store it as `creds/kubeconfig.enc.yaml` with sops/age and decrypt to `creds/kubeconfig.yaml` before deploying:
|
|
- Decrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml`
|
|
- Encrypt (admin only): `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml`
|
|
|
|
Deploy commands
|
|
- Test: `./deploy/deploy-test.sh`
|
|
- Staging (default): `./deploy/deploy-staging.sh` or `TARGET=staging ./deploy/deploy.sh`
|
|
- Prod: `./deploy/deploy-prod.sh`
|
|
|
|
Notes
|
|
- Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
|
|
- `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.
|
|
- `deploy/deploy.sh` runs `prisma migrate deploy` automatically when `DATABASE_URL` is set; if it isn't, it will try to read `DATABASE_URL` from the in-cluster `lomavuokraus-web-secrets` in the target namespace (recommended for test/staging/prod).
|