lomavuokraus/deploy/README.md
Tero Halla-aho f91b62dc51
Add encrypted kubeconfig and ignore plaintext
2025-12-13 23:32:01 +02:00

Deploying to k3s (Hetzner)

Prereqs

  • kubectl installed locally.
  • Access to the cluster kubeconfig.
  • Secrets loaded (dotenv via scripts/load-secrets.sh).

Kubeconfig

  • By default deploy/deploy.sh will use $KUBECONFIG. If that is unset and creds/kubeconfig.yaml exists, it will export KUBECONFIG=$PWD/creds/kubeconfig.yaml.
  • Recommended flow for new devs:
    1. Obtain the kubeconfig from the cluster admin.
    2. Save it as creds/kubeconfig.yaml (ignored by git), or set KUBECONFIG to your own path. The repo also includes creds/kubeconfig.enc.yaml (sops/age-encrypted); a plaintext copy can be produced from it with the age key.
    3. Verify access: kubectl get ns (you should see lomavuokraus-test/staging/prod).
  • If you want to keep the kubeconfig in-repo but encrypted, store it as creds/kubeconfig.enc.yaml with sops/age and decrypt to creds/kubeconfig.yaml before deploying:
    • Decrypt: SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml
    • Encrypt (admin only): SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml
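
A pre-deploy guard for the flow above, as an added example that is not part of the repository: it resolves the kubeconfig in the documented order, then refuses to continue if the plaintext file is readable by other users (the `sops -d ... >` redirect creates it with the default umask) or if a secret is tracked by git. The function names are hypothetical; the sketch assumes KUBECONFIG holds a single path and treats creds/age-key.txt as a secret that must stay untracked.

```shell
#!/bin/sh
# Added example, not the project's own script. Function names are hypothetical.

# Print the kubeconfig path in the order the README documents:
# $KUBECONFIG first, then creds/kubeconfig.yaml under the current directory.
# Assumption: KUBECONFIG is a single path, not a colon-separated list.
resolve_kubeconfig() {
    if [ -n "${KUBECONFIG:-}" ]; then
        printf '%s\n' "$KUBECONFIG"
    elif [ -f "$PWD/creds/kubeconfig.yaml" ]; then
        printf '%s\n' "$PWD/creds/kubeconfig.yaml"
    else
        return 1
    fi
}

# Succeed only if the file exists and its mode is 600 or 400.
# GNU/busybox stat is tried first, BSD/macOS stat second.
is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Succeed if git tracks the path, i.e. the secret has been committed.
is_tracked() {
    command -v git >/dev/null 2>&1 || return 1
    git ls-files --error-unmatch -- "$1" >/dev/null 2>&1
}

# Print the kubeconfig path if every check passes; otherwise explain and fail.
check_creds() {
    cfg=$(resolve_kubeconfig) || { echo "no kubeconfig found" >&2; return 1; }
    is_private "$cfg" || { echo "$cfg: missing or not private (chmod 600)" >&2; return 1; }
    for secret in creds/kubeconfig.yaml creds/age-key.txt; do
        if is_tracked "$secret"; then
            echo "$secret is tracked by git" >&2
            return 1
        fi
    done
    printf '%s\n' "$cfg"
}

# Usage: check_creds >/dev/null && ./deploy/deploy-staging.sh
```

Running the decrypt step under `umask 077` produces a file that already passes the permission check.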

Deploy commands

  • Test: ./deploy/deploy-test.sh
  • Staging (default): ./deploy/deploy-staging.sh or TARGET=staging ./deploy/deploy.sh
  • Prod: ./deploy/deploy-prod.sh

Notes

  • Ensure deploy/.last-image exists (run deploy/build.sh first).
  • AUTH_SECRET/DATABASE_URL should be in your env or loaded via scripts/load-secrets.sh.