Add production deployment configuration and CI/CD #194

Draft
cooper667 wants to merge 35 commits into ckan211-python310-migration-staging-1 from ckan211-prod-deploy-pr

Conversation

@cooper667

  • Add deploy/ folder with Dockerfile.prod, nginx, uwsgi configs
  • Add production.ini (secrets externalized to secrets.ini)
  • Add entrypoint that merges production.ini + secrets.ini at startup
  • Add build-deploy.yml GitHub Actions workflow
  • Add dependabot.yml
  • Update supervisor config with nginx and uwsgi programs

Previous commits were force-pushed away from upstream repos.
Change GitHub environment URL for staging deployments to reflect
the new domain.
…ploads

Updates ckanext-unaids to 5e557c3 which adds CSRF token to file upload
authorization requests, fixing 400 errors when uploading files in CKAN 2.11.
Support all package types (dataset, dataset-2, etc.) in download routes.
DataPusher was failing with 404 for resources using custom package types.
- Change staging domain from dev-adr to dev.adr.fjelltopp.org
- Enable saml2auth plugin and configure Auth0 IDP
- Re-enable login/register redirect to SAML2 login
- Update ckanext-unaids submodule URL to fork
Bake production.ini into image so config changes flow through CI/CD.
Secrets are still merged at runtime via entrypoint from secrets.ini.

After this deploys, run:
kubectl patch deployment ckan -n adr-s --type='json' -p='[
  {"op": "replace", "path": "/spec/template/spec/volumes/3/projected/sources", "value": [
    {"secret": {"name": "jwt-keys"}},
    {"secret": {"name": "ckan-ini-secrets"}}
  ]}
]'
- Dockerfile bakes config as /etc/ckan/base.ini
- Entrypoint merges base.ini + secrets.ini → /etc/ckan/production.ini
- Allows subPath mounts for secrets without overwriting base config

After deploy, apply subPath mount patch (see commit message).
Config merge order at startup: base.ini < env.ini < secrets.ini

- deploy/base.ini: common config (baked into image)
- deploy/staging.ini: staging-specific (CI creates ConfigMap)
- deploy/production.ini: prod-specific (CI creates ConfigMap)
- Entrypoint merges all three into /tmp/production.ini
- CI workflow creates ckan-env-config ConfigMap per environment
cooper667 force-pushed the ckan211-prod-deploy-pr branch from 10a5add to 21d7e3b on February 2, 2026 17:31
Point submodule back to fjelltopp/ckanext-unaids instead of fork,
using the same commit as the base branch.
ConfigParser raises DuplicateOptionError on the duplicate key,
causing the pod to crash on startup.
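The two commit messages above describe the startup merge order (base.ini < env.ini < secrets.ini) and the DuplicateOptionError crash. The following is an added example, not the PR's entrypoint script: it merges INI sources in that order with Python's standard configparser, treating a later file as overriding an earlier one (that reading of "<" is an assumption), and shows that a duplicate key inside a single file still raises DuplicateOptionError. The file names come from the commit messages; their contents, the hostnames and the secret values are constructed for the demo.

```python
"""Added example (not the PR's own code): merge CKAN-style INI files in the
order base.ini < env.ini < secrets.ini, later files overriding earlier ones,
and surface the DuplicateOptionError that a doubled key inside one file causes."""
import configparser

# Constructed sample contents; not the repository's real config files.
BASE_INI = """[app:main]
ckan.site_url = http://localhost:5000
sqlalchemy.url = postgresql://ckan:CHANGE_ME@localhost/ckan
ckan.plugins = stats
"""

ENV_INI = """[app:main]
ckan.site_url = https://dev.adr.fjelltopp.org
"""

SECRETS_INI = """[app:main]
sqlalchemy.url = postgresql://ckan:real-password@db.example.invalid/ckan
beaker.session.secret = s3cr3t
"""

# A secrets file that repeats a key: strict ConfigParser rejects this.
BROKEN_SECRETS_INI = """[app:main]
beaker.session.secret = first
beaker.session.secret = second
"""


def _new_parser():
    # interpolation=None keeps values such as %(here)s verbatim instead of
    # expanding them at merge time; optionxform=str preserves key case.
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.optionxform = str
    return parser


def merge_ini_texts(sources):
    """Merge (name, ini_text) pairs given in ascending priority.

    Each source is parsed on its own with strict=True, so a duplicate option
    within one file raises DuplicateOptionError rather than silently applying
    last-wins; across files, a key in a later source overrides an earlier one.
    """
    merged = _new_parser()
    for name, text in sources:
        single = _new_parser()
        single.read_string(text, source=name)
        for section in single.sections():
            if not merged.has_section(section):
                merged.add_section(section)
            for key, value in single.items(section):
                merged.set(section, key, value)
    return merged


def merge_ini_files(paths, out_path):
    """File-based wrapper: read the given paths in order and write the result."""
    sources = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            sources.append((path, fh.read()))
    merged = merge_ini_texts(sources)
    with open(out_path, "w", encoding="utf-8") as fh:
        merged.write(fh)
    return merged


def merged_app_main():
    """Merge the constructed samples and return the [app:main] section as a dict."""
    merged = merge_ini_texts(
        [("base.ini", BASE_INI), ("env.ini", ENV_INI), ("secrets.ini", SECRETS_INI)]
    )
    return dict(merged.items("app:main"))


def duplicate_key_is_rejected():
    """True if a key repeated inside a single file raises DuplicateOptionError."""
    try:
        merge_ini_texts([("secrets.ini", BROKEN_SECRETS_INI)])
    except configparser.DuplicateOptionError:
        return True
    return False


if __name__ == "__main__":
    for key, value in merged_app_main().items():
        print(f"{key} = {value}")
    print("duplicate key rejected:", duplicate_key_is_rejected())
```

Parsing every source with its own strict parser is the part worth copying: a single parser fed three files would accept a key repeated across files (the intended override) but would also accept it repeated within one file, hiding the exact mistake that crashed the pod.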
email_to triggers _setup_error_mail_handler which attaches a
ContextualFilter to the root logger. The filter accesses request.path,
but ckan.csrf_protection.ignore_extensions (default: true) logs a
warning during app init outside request context, crashing uWSGI.
Add Cache-Control: no-store to the catch-all location block so
Azure Front Door never caches HTML pages or error responses.
Static assets retain their 7-day edge cache.
The harvester and background job workers were FATAL in AKS because
supervisor had hardcoded /usr/local/bin/ckan and /etc/ckan/ckan.ini.
In the prod image the binary lives in the virtualenv and config is
merged to /tmp/production.ini. Use supervisor %(ENV_X)s substitution
so the same config works for both dev and prod entrypoints.
/dev/fd/N in child processes points to supervisor's captured pipes,
not the container stdout, causing all logs to be swallowed. Using
/dev/stdout and /dev/stderr ensures output reaches kubectl logs.
The ckan-worker supervisor process was configured to run as user=ckan,
but Azure PostgreSQL requires SSL and psycopg2 looks for a client cert
at /root/.postgresql/postgresql.crt which the ckan user cannot access.
This matches all other supervisor processes which already run as root.
Configures email sending through ACS using the verified
adr-s.fjelltopp.org domain. Credentials are in K8s secret.