Deployment Model
Purpose
Section titled “Purpose”This document defines the initial deployment approach.
The platform must run on Kubernetes and be deployed through Helm.
Initial Environment
Section titled “Initial Environment”The first deployment target is a dedicated server with Kubernetes installed.
This is acceptable for early test and controlled production-like usage, but the architecture must not depend on single-server assumptions.
Environments
Section titled “Environments”The platform should support:
- local
- test
- staging
- production
Test, staging, and production must use the same application code and Helm charts. Differences must be represented through Helm values, environment variables, secrets, topology, and operational configuration.
Deployment Units
Section titled “Deployment Units”Initial deployables:
- web-console
- docs
- platform-api
- mqtt-ingestion-worker
- telemetry-worker
- PostgreSQL/TimescaleDB
- NATS JetStream
Container Registry
Section titled “Container Registry”Initial registry: GitHub Container Registry unless replaced by an explicit decision.
Initial CI/CD system: GitHub Actions.
The first CI workflow is named ci and runs for pull requests and pushes to the
main branch. The same command set must stay runnable locally and in CI:
- Install dependencies.
- Run linting.
- Run type checks.
- Run tests.
- Build applications and documentation.
- Run the documentation check.
When branch protection is enabled, ci should become a required pull request
check.
Later deployment pipelines will add:
- Build container images.
- Push images to registry.
- Deploy to test environment.
- Promote to staging.
- Promote to production after validation.
Helm charts must configure:
- Image repository and tag.
- Replicas.
- Environment variables.
- Secrets references.
- Service ports.
- Ingress.
- Resource requests and limits.
- Persistence.
- Health and readiness probes.
- Metrics configuration where relevant.
No cloud-specific assumptions are allowed.
Phase 4.5 Test and Controlled Production Deployment
Section titled “Phase 4.5 Test and Controlled Production Deployment”Phase 4.5 introduces an early Kubernetes test slice and a controlled production slice before production business behavior is implemented.
The first cluster is the dedicated server at 91.99.127.138. It currently runs
k3s with Traefik, cert-manager, and the local-path storage class. This is an
acceptable early target, but it is not a high-availability production design.
The Phase 4.5 release model is GitOps-based:
- the product repository contains application code, Dockerfiles, and the Helm
chart under
infra/helm/sens-platform, - the private
sens-platform-infrarepository contains cluster and environment desired state, - Argo CD runs inside the k3s cluster first and may later move to a separate management cluster,
- environments deploy immutable image tags and chart revisions,
- runtime deployments use SemVer image tags only,
- every published backend image records the Git SHA through image metadata and release metadata for auditability,
- test uses
alphapre-release tags such as0.5.0-alpha.1, - future staging should use
rcpre-release tags such as0.5.0-rc.1, - production uses stable SemVer tags such as
0.5.0, - the production promotion workflow derives the stable production tag from the current validated test alpha tag, and the stable tag must already be published before the manual production sync,
- branch names may be recorded for human context, but runtime deployment must resolve to immutable revisions.
Initial public hostnames are:
argo.iot-sens.schlossers.atfor Argo CD,docs.dev.iot-sens.schlossers.atfor the test documentation site,docs.iot-sens.schlossers.atfor the production documentation site,api.dev.iot-sens.schlossers.atfor the testplatform-apioperation endpoints,api.iot-sens.schlossers.atfor the productionplatform-apioperation endpoints.
Test runs in sens-test and automatically follows successful main builds
through generated alpha SemVer tags, for example 0.5.0-alpha.123.1.
Production runs in sens-production, has no automated Argo CD sync policy, and
is synchronized manually only by the local Argo CD user sebastian or the
break-glass admin user.
Only platform-api is publicly exposed for smoke checks. Workers,
TimescaleDB, NATS JetStream, and the mock MQTT broker remain cluster-internal.
The mock MQTT broker is enabled for test and disabled for production.
The Helm chart includes embedded single-instance StatefulSets for TimescaleDB and NATS. These components are acceptable for the controlled start but must not be treated as production-ready database or broker infrastructure for real customer data. Before customer-critical operation, backup, restore, monitoring, and migration procedures must be completed and tested.
Single-Server Warning
Section titled “Single-Server Warning”Running Kubernetes, database, broker, and applications on a single server creates availability and data-loss risks.
This is acceptable for early stages only if backups and restore procedures are documented and tested.
Before customer-critical operation, backup, monitoring, and restore processes must be validated.