
Add production deployment configuration and CI/CD#194

Draft
cooper667 wants to merge 32 commits intockan211-python310-migration-staging-1from
ckan211-prod-deploy-pr

Conversation

@cooper667

  • Add deploy/ folder with Dockerfile.prod, nginx, uwsgi configs
  • Add production.ini (secrets externalized to secrets.ini)
  • Add entrypoint that merges production.ini + secrets.ini at startup
  • Add build-deploy.yml GitHub Actions workflow
  • Add dependabot.yml
  • Update supervisor config with nginx and uwsgi programs

Previous commits were force-pushed away from upstream repos.
Change GitHub environment URL for staging deployments to reflect
the new domain.
…ploads

Updates ckanext-unaids to 5e557c3 which adds CSRF token to file upload
authorization requests, fixing 400 errors when uploading files in CKAN 2.11.
Support all package types (dataset, dataset-2, etc.) in download routes.
DataPusher was failing with 404 for resources using custom package types.
- Change staging domain from dev-adr to dev.adr.fjelltopp.org
- Enable saml2auth plugin and configure Auth0 IDP
- Re-enable login/register redirect to SAML2 login
- Update ckanext-unaids submodule URL to fork
Bake production.ini into image so config changes flow through CI/CD.
Secrets are still merged at runtime via entrypoint from secrets.ini.

After this deploys, run:
kubectl patch deployment ckan -n adr-s --type='json' -p='[
  {"op": "replace", "path": "/spec/template/spec/volumes/3/projected/sources", "value": [
    {"secret": {"name": "jwt-keys"}},
    {"secret": {"name": "ckan-ini-secrets"}}
  ]}
]'
- Dockerfile bakes config as /etc/ckan/base.ini
- Entrypoint merges base.ini + secrets.ini → /etc/ckan/production.ini
- Allows subPath mounts for secrets without overwriting base config

After deploy, apply subPath mount patch (see commit message).
Config merge order at startup: base.ini < env.ini < secrets.ini

- deploy/base.ini: common config (baked into image)
- deploy/staging.ini: staging-specific (CI creates ConfigMap)
- deploy/production.ini: prod-specific (CI creates ConfigMap)
- Entrypoint merges all three into /tmp/production.ini
- CI workflow creates ckan-env-config ConfigMap per environment
@cooper667 cooper667 force-pushed the ckan211-prod-deploy-pr branch from 10a5add to 21d7e3b Compare February 2, 2026 17:31
Point submodule back to fjelltopp/ckanext-unaids instead of fork,
using the same commit as the base branch.
@cooper667 cooper667 marked this pull request as draft February 5, 2026 09:18
@cooper667

(draft so I don't accidentally merge it)

ConfigParser raises DuplicateOptionError on the duplicate key,
causing the pod to crash on startup.
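The layering described in the commit messages above (base.ini < env.ini < secrets.ini merged by the entrypoint, and the DuplicateOptionError that crashed the pod on startup), as an added Python example. This is not the PR's entrypoint code: the INI contents, the option names used, and the REQUIRED list are constructed for illustration, and the merge uses only the standard-library ConfigParser.

```python
"""Layered INI merge for a container entrypoint (added example, not the PR's code).

Merge order is base.ini < env.ini < secrets.ini: an option set in a later layer
overrides the same option from an earlier one, so secrets never live in the image.
A repeated option inside ONE layer is the case that made ConfigParser raise
DuplicateOptionError at pod start; here it becomes a readable, attributable error.
All INI contents below are constructed for this example (placeholder values only).
"""
import configparser
import io

# ConfigParser folds [DEFAULT] into every section on read. Parsing each layer
# with an unused default-section name keeps [DEFAULT] as an ordinary section,
# so a later layer can override a default without it leaking into sections.
_NO_DEFAULTS = "__no_defaults__"


def parse_layer(name, text):
    """Parse one INI layer into {section: {option: value}}.

    ConfigParser is strict by default: an option repeated inside this file
    raises DuplicateOptionError. Re-raise with the layer name and line so a
    startup crash says exactly which file to fix. interpolation=None keeps
    values such as %(here)s literal instead of expanding them.
    """
    cp = configparser.ConfigParser(interpolation=None, default_section=_NO_DEFAULTS)
    try:
        cp.read_string(text, source=name)
    except configparser.DuplicateOptionError as exc:
        raise ValueError(
            f"{name}: option '{exc.option}' repeated in [{exc.section}] "
            f"at line {exc.lineno}"
        ) from exc
    return {section: dict(cp.items(section)) for section in cp.sections()}


def merge_layers(layers):
    """Merge (name, text) layers in order; later layers win per option.

    Duplicates ACROSS layers are the point of layering and are allowed; only
    duplicates WITHIN a layer are rejected by parse_layer.
    """
    merged = {}
    for name, text in layers:
        for section, options in parse_layer(name, text).items():
            merged.setdefault(section, {}).update(options)
    return merged


def missing_required(merged, required):
    """Return (section, option) pairs that are absent or empty after merging.

    Run before exec'ing uWSGI: an empty placeholder left in base.ini should
    fail the entrypoint, not the first database connection.
    """
    return [(s, o) for s, o in required if not merged.get(s, {}).get(o, "")]


def render_ini(merged):
    """Serialise the merged mapping to INI text (what goes to /tmp/production.ini)."""
    out = configparser.ConfigParser(interpolation=None, default_section=_NO_DEFAULTS)
    out.read_dict(merged)
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()


def reparse(text):
    """Read rendered INI with a plain ConfigParser, as the application would."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


# Constructed sample layers. Secrets are placeholders, not real credentials.
BASE_INI = """\
[DEFAULT]
debug = false

[app:main]
use = egg:ckan
ckan.site_url = http://localhost:5000
ckan.plugins = image_view text_view
sqlalchemy.url =
beaker.session.secret =
"""
STAGING_INI = """\
[app:main]
ckan.site_url = https://dev.adr.fjelltopp.org
"""
SECRETS_INI = """\
[app:main]
sqlalchemy.url = postgresql://ckan:placeholder@db/ckan
beaker.session.secret = placeholder-session-secret
"""
# One layer carrying the same option twice: the shape that crashed the pod.
DUPLICATE_INI = """\
[app:main]
ckan.plugins = image_view
ckan.plugins = image_view text_view
"""
LAYERS = (("base.ini", BASE_INI), ("env.ini", STAGING_INI), ("secrets.ini", SECRETS_INI))
REQUIRED = [("app:main", "sqlalchemy.url"), ("app:main", "beaker.session.secret")]


def build_config(layers=LAYERS):
    """Entrypoint logic: merge, refuse to start on unset secrets, render."""
    merged = merge_layers(layers)
    missing = missing_required(merged, REQUIRED)
    if missing:
        raise SystemExit(f"refusing to start, unset options: {missing}")
    return render_ini(merged)


def layer_error(name, text):
    """Return the validation error for one layer, or None if it parses cleanly."""
    try:
        parse_layer(name, text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_config())
    print(layer_error("dup.ini", DUPLICATE_INI))
```

Because ConfigParser's strict mode only rejects a repeated option within a single read, overrides across layers work while a copy-paste duplicate inside one ConfigMap or secret is caught with the file name and line number, and the required-option check turns a placeholder left in base.ini into an immediate entrypoint failure rather than a crash on the first request.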
email_to triggers _setup_error_mail_handler which attaches a
ContextualFilter to the root logger. The filter accesses request.path,
but ckan.csrf_protection.ignore_extensions (default: true) logs a
warning during app init outside request context, crashing uWSGI.
Add Cache-Control: no-store to the catch-all location block so
Azure Front Door never caches HTML pages or error responses.
Static assets retain their 7-day edge cache.
The harvester and background job workers were FATAL in AKS because
supervisor had hardcoded /usr/local/bin/ckan and /etc/ckan/ckan.ini.
In the prod image the binary lives in the virtualenv and config is
merged to /tmp/production.ini. Use supervisor %(ENV_X)s substitution
so the same config works for both dev and prod entrypoints.
/dev/fd/N in child processes points to supervisor's captured pipes,
not the container stdout, causing all logs to be swallowed. Using
/dev/stdout and /dev/stderr ensures output reaches kubectl logs.
3 participants