Skip to content

DEPLOYMENT.md

Latest commit

 

History

History
901 lines (654 loc) · 19.8 KB

DEPLOYMENT.md

File metadata and controls

901 lines (654 loc) · 19.8 KB

Trading Platform - Production Deployment Guide

Overview

This guide provides comprehensive instructions for deploying the AI-Powered Financial Trading Analysis Platform to a production Kubernetes cluster.

Table of Contents

Prerequisites

Required Tools

  • Docker (v20.10+)
  • Kubernetes cluster (v1.24+)
  • kubectl (matching cluster version)
  • Helm (v3.8+) - for Helm deployment
  • Access to a container registry (Docker Hub, GCR, ECR, etc.)

Cluster Requirements

  • Minimum Resources: 2 CPUs, 4GB RAM
  • Recommended: 8 CPUs, 16GB RAM for production
  • Storage: Persistent volume support
  • Ingress Controller: NGINX Ingress (or compatible)
  • Cert-Manager (optional): For automatic SSL/TLS certificates

Required Secrets

Obtain the following before deployment:

  1. Google OAuth Credentials (for authentication)

    • Client ID
    • Client Secret
    • Configure OAuth consent screen and callback URLs

  2. API Keys (optional but recommended)

    • Alpha Vantage API key
    • News API key
    • Quandl API key

  3. Flask Secret Key (generate a strong random string)

    python -c "import secrets; print(secrets.token_hex(32))"

Quick Start

For the impatient, here's the fastest path to deployment:

# 1. Build and push image
docker build -t your-registry/trader-tools:latest .
docker push your-registry/trader-tools:latest

# 2. Create secrets file
cp helm/trader-tools/values.yaml my-values.yaml
# Edit my-values.yaml with your secrets

# 3. Deploy with Helm
helm install trader-tools ./helm/trader-tools -f my-values.yaml

# 4. Get the URL
kubectl get ingress -n trader-tools

MicroK8s Deployment

For local or edge deployments without Docker registry requirements, use MicroK8s with ArgoCD GitOps:

Quick MicroK8s Setup

# Install MicroK8s
sudo snap install microk8s --classic --channel=1.28/stable

# Enable required addons
microk8s enable dns storage registry ingress metrics-server

# Build and push to local registry
docker build -t localhost:32000/trader-tools:latest .
docker push localhost:32000/trader-tools:latest

# Install ArgoCD
microk8s kubectl create namespace argocd
microk8s kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Deploy application via ArgoCD
# Edit argocd/application.yaml with your Git repo URL
microk8s kubectl apply -f argocd/application.yaml

For detailed MicroK8s deployment instructions, see MICROK8S.md

Benefits of MicroK8s + ArgoCD

  • ✅ No external Docker registry required (uses localhost:32000)
  • ✅ GitOps workflow with automated syncing
  • ✅ Self-healing deployments
  • ✅ Perfect for edge/IoT deployments
  • ✅ Low resource footprint
  • ✅ Single-command cluster setup

Build & Push Docker Image

Build the Image

# From project root
docker build -t trader-tools:latest .

# Test locally (optional)
docker run -p 5000:5000 --env-file .env trader-tools:latest

Tag and Push to Registry

Docker Hub

docker tag trader-tools:latest yourusername/trader-tools:latest
docker push yourusername/trader-tools:latest

Google Container Registry (GCR)

docker tag trader-tools:latest gcr.io/your-project-id/trader-tools:latest
docker push gcr.io/your-project-id/trader-tools:latest

Amazon ECR

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
docker tag trader-tools:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/trader-tools:latest
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/trader-tools:latest

Azure Container Registry (ACR)

az acr login --name yourregistry
docker tag trader-tools:latest yourregistry.azurecr.io/trader-tools:latest
docker push yourregistry.azurecr.io/trader-tools:latest

Deployment Methods

Method 1: Helm (Recommended)

Helm provides the most flexible and maintainable deployment approach.

1. Create a Custom Values File

cp helm/trader-tools/values.yaml my-production-values.yaml

2. Edit my-production-values.yaml

# Image configuration
image:
  repository: your-registry/trader-tools
  tag: "v1.0.0"

# Ingress configuration
ingress:
  enabled: true
  hosts:
    - host: trading.yourdomain.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: trader-tools-tls
      hosts:
        - trading.yourdomain.com

# Secrets (REQUIRED - fill these in!)
secrets:
  secretKey: "your-generated-secret-key"
  googleClientId: "your-google-client-id"
  googleClientSecret: "your-google-client-secret"
  alphaVantageApiKey: "your-alpha-vantage-key"
  newsApiKey: "your-news-api-key"
  quandlApiKey: "your-quandl-api-key"

# Resource allocation
resources:
  limits:
    cpu: 2000m
    memory: 4Gi
  requests:
    cpu: 1000m
    memory: 2Gi

# Auto-scaling
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 20

3. Install the Chart

# Create namespace
kubectl create namespace trader-tools

# Install with Helm
helm install trader-tools ./helm/trader-tools \
  -f my-production-values.yaml \
  --namespace trader-tools

# Or install from values via command line (more secure for secrets)
helm install trader-tools ./helm/trader-tools \
  --namespace trader-tools \
  --set image.repository=your-registry/trader-tools \
  --set image.tag=v1.0.0 \
  --set-string secrets.secretKey="your-secret-key" \
  --set-string secrets.googleClientId="your-client-id" \
  --set-string secrets.googleClientSecret="your-client-secret"

4. Upgrade Deployment

# After making changes
helm upgrade trader-tools ./helm/trader-tools \
  -f my-production-values.yaml \
  --namespace trader-tools

5. Uninstall

helm uninstall trader-tools --namespace trader-tools

Method 2: Kustomize

For those who prefer Kustomize over Helm.

1. Update Image in kustomization.yaml

cd k8s
# Edit kustomization.yaml and update the image reference

2. Create Secrets

kubectl create namespace trader-tools

kubectl create secret generic trader-tools-secret \
  --from-literal=SECRET_KEY='your-secret-key' \
  --from-literal=DATABASE_URL='sqlite:////data/financial_analysis.db' \
  --from-literal=GOOGLE_CLIENT_ID='your-google-client-id' \
  --from-literal=GOOGLE_CLIENT_SECRET='your-google-client-secret' \
  --from-literal=ALPHA_VANTAGE_API_KEY='your-alpha-vantage-key' \
  --from-literal=NEWS_API_KEY='your-news-api-key' \
  --from-literal=QUANDL_API_KEY='your-quandl-key' \
  --namespace trader-tools

3. Deploy

# Preview changes
kubectl kustomize k8s

# Apply all resources
kubectl apply -k k8s

# Verify deployment
kubectl get all -n trader-tools

4. Update Ingress Host

# Edit ingress.yaml with your domain
kubectl edit ingress trader-tools -n trader-tools

Method 3: Plain Kubernetes Manifests

For manual control over each resource.

1. Create Namespace

kubectl apply -f k8s/namespace.yaml

2. Create Secrets

# Copy and edit the secret template
cp k8s/secret.yaml.template k8s/secret.yaml

# Base64 encode your secrets
echo -n 'your-secret-key' | base64

# Edit secret.yaml with encoded values, then apply
kubectl apply -f k8s/secret.yaml

3. Apply Resources in Order

kubectl apply -f k8s/configmap.yaml
kubectl apply -f k8s/pvc.yaml
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml
kubectl apply -f k8s/ingress.yaml
kubectl apply -f k8s/hpa.yaml

4. Verify Deployment

kubectl get pods -n trader-tools
kubectl get svc -n trader-tools
kubectl get ingress -n trader-tools

Method 4: ArgoCD (GitOps)

For automated, Git-driven deployments with self-healing capabilities.

Prerequisites

  • ArgoCD installed on your cluster
  • Application code in a Git repository (GitHub, GitLab, Bitbucket, etc.)
  • kubectl access to the cluster

1. Install ArgoCD

# Create namespace
kubectl create namespace argocd

# Install ArgoCD
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Wait for ready
kubectl wait --for=condition=available --timeout=300s deployment/argocd-server -n argocd

2. Access ArgoCD UI

# Port forward to access UI
kubectl port-forward svc/argocd-server -n argocd 8080:443

# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

# Access at https://localhost:8080
# Username: admin
# Password: (from command above)

3. Configure Git Repository

Edit argocd/application.yaml to point to your Git repository:

source:
  repoURL: https://github.com/YOUR_USERNAME/YOUR_REPO.git
  targetRevision: main
  path: helm/trader-tools

4. Create Secrets Manually

Secrets are not stored in Git for security:

# Create namespace
kubectl create namespace trader-tools

# Create secrets from template
cp k8s/secret.yaml.template k8s/secret-local.yaml

# Edit with your values (DO NOT commit)
nano k8s/secret-local.yaml

# Apply
kubectl apply -f k8s/secret-local.yaml

5. Deploy Application

# Using Helm chart (recommended)
kubectl apply -f argocd/application.yaml

# Or using Kustomize
kubectl apply -f argocd/application-kustomize.yaml

# Or for development environment
kubectl apply -f argocd/application-dev.yaml

6. Monitor Deployment

# Watch sync status via CLI
argocd app get trader-tools

# Or view in UI
# https://localhost:8080/applications/trader-tools

# Watch pods
kubectl get pods -n trader-tools -w

GitOps Workflow

With ArgoCD, deployments are automated:

  1. Make changes: Edit code or configs locally
  2. Commit and push: Git push to your repository
  3. Auto-sync: ArgoCD detects changes and syncs (every 3 minutes)
  4. Self-heal: If cluster state drifts, ArgoCD automatically corrects it
  5. Rollback: Easy rollback via UI or CLI to any previous revision

For detailed ArgoCD setup and best practices, see argocd/README.md

Configuration

Environment Variables

Key configuration options:

Variable Description Default Required
SECRET_KEY Flask session secret -
GOOGLE_CLIENT_ID Google OAuth client ID -
GOOGLE_CLIENT_SECRET Google OAuth client secret -
DATABASE_URL Database connection string sqlite:////data/financial_analysis.db -
ALPHA_VANTAGE_API_KEY Alpha Vantage API key - -
NEWS_API_KEY News API key - -
FLASK_ENV Application environment production -
LOG_LEVEL Logging level INFO -
MONITORING_INTERVAL Alert check interval (seconds) 60 -

Google OAuth Setup

  1. Go to Google Cloud Console
  2. Create a new project or select existing
  3. Enable Google+ API
  4. Create OAuth 2.0 credentials
  5. Add authorized redirect URIs:
    • https://your-domain.com/authorize
    • https://your-domain.com/login/google/authorized
  6. Use Client ID and Client Secret in your secrets

Storage Configuration

The application uses SQLite by default with persistent storage:

  • PVC Size: 10Gi (adjust in values.yaml or pvc.yaml)
  • Storage Class: Depends on your cluster (gp2, standard, etc.)
  • Access Mode: ReadWriteOnce

For production, consider PostgreSQL:

secrets:
  databaseUrl: "postgresql://user:password@postgres-host:5432/trading_platform"

Post-Deployment

Verify Deployment

# Check pod status
kubectl get pods -n trader-tools

# View logs
kubectl logs -f deployment/trader-tools -n trader-tools

# Check service
kubectl get svc -n trader-tools

# Check ingress
kubectl get ingress -n trader-tools

Access the Application

# Get ingress URL
kubectl get ingress trader-tools -n trader-tools

# Port-forward for testing (optional)
kubectl port-forward svc/trader-tools 8080:80 -n trader-tools
# Access at http://localhost:8080

Initialize Database

The init container automatically creates the database schema on first deploy.

To manually initialize:

kubectl exec -it deployment/trader-tools -n trader-tools -- python -c "
from db_config import init_database
from flask import Flask
app = Flask(__name__)
init_database(app)
print('Database initialized')
"

Create Admin User

kubectl exec -it deployment/trader-tools -n trader-tools -- python -c "
from models import db, User
from flask import Flask
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////data/financial_analysis.db'
db.init_app(app)
with app.app_context():
    admin = User(email='admin@yourdomain.com', name='Admin User')
    db.session.add(admin)
    db.session.commit()
    print('Admin user created')
"

Monitoring

Health Checks

The application exposes a health endpoint:

# Check health
curl https://your-domain.com/health

Kubernetes Probes

  • Liveness Probe: /health endpoint (30s interval)
  • Readiness Probe: /health endpoint (10s interval)

Metrics

If using Prometheus:

# Port-forward Prometheus
kubectl port-forward svc/prometheus 9090:9090

# View metrics at http://localhost:9090

Logs

# View logs from all pods
kubectl logs -l app=trader-tools -n trader-tools --tail=100 -f

# View logs from specific pod
kubectl logs -f <pod-name> -n trader-tools

# View previous container logs (if crashed)
kubectl logs <pod-name> -n trader-tools --previous

Scaling

Manual Scaling

# Scale to 5 replicas
kubectl scale deployment trader-tools --replicas=5 -n trader-tools

Auto-Scaling

HorizontalPodAutoscaler is included:

  • Min Replicas: 2
  • Max Replicas: 10
  • CPU Target: 70%
  • Memory Target: 80%

View scaling status:

kubectl get hpa -n trader-tools
kubectl describe hpa trader-tools -n trader-tools

Adjust scaling parameters:

kubectl edit hpa trader-tools -n trader-tools

Troubleshooting

Common Issues

Pods in CrashLoopBackOff

# Check logs
kubectl logs <pod-name> -n trader-tools

# Common causes:
# - Missing required secrets (SECRET_KEY, GOOGLE_CLIENT_ID)
# - Database initialization failure
# - Port conflicts

Ingress Not Working

# Check ingress status
kubectl describe ingress trader-tools -n trader-tools

# Verify ingress controller is running
kubectl get pods -n ingress-nginx

# Check DNS resolution
nslookup your-domain.com

Database Errors

# Check PVC
kubectl get pvc -n trader-tools

# Check volume mount
kubectl describe pod <pod-name> -n trader-tools

# Exec into pod and check database
kubectl exec -it <pod-name> -n trader-tools -- ls -la /data

Memory/CPU Issues

# Check resource usage
kubectl top pods -n trader-tools

# Increase resources in values.yaml or deployment.yaml
resources:
  limits:
    cpu: 4000m
    memory: 8Gi

Debug Commands

# Get all resources
kubectl get all -n trader-tools

# Describe deployment
kubectl describe deployment trader-tools -n trader-tools

# Get events
kubectl get events -n trader-tools --sort-by='.lastTimestamp'

# Exec into pod
kubectl exec -it <pod-name> -n trader-tools -- /bin/bash

# View config
kubectl get configmap trader-tools-config -n trader-tools -o yaml

Security Considerations

Best Practices Implemented

  1. Non-root User: Application runs as UID 1000
  2. Read-only Filesystem: Where possible
  3. No Privilege Escalation: Disabled
  4. Dropped Capabilities: All unnecessary capabilities dropped
  5. Network Policies: Define network policies for pod-to-pod communication
  6. Secret Management: Use external secret managers (Vault, Sealed Secrets)
  7. Image Scanning: Scan images with Trivy or Snyk before deployment
  8. RBAC: Implement least-privilege service accounts
  9. TLS/SSL: Always use HTTPS in production
  10. Rate Limiting: Enabled via Ingress annotations

Additional Security Steps

# Create network policy
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: trader-tools-netpol
  namespace: trader-tools
spec:
  podSelector:
    matchLabels:
      app: trader-tools
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 5000
  egress:
    - {}  # Allow all egress (adjust as needed)
EOF

Secrets Management with Sealed Secrets

# Install sealed-secrets controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

# Install kubeseal CLI
brew install kubeseal

# Create sealed secret
kubectl create secret generic trader-tools-secret \
  --from-literal=SECRET_KEY='your-secret-key' \
  --dry-run=client -o yaml | \
  kubeseal -o yaml > sealed-secret.yaml

# Apply sealed secret
kubectl apply -f sealed-secret.yaml -n trader-tools

CI/CD Integration

GitHub Actions Example

name: Build and Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Build Docker image
        run: docker build -t ${{ secrets.REGISTRY }}/trader-tools:${{ github.sha }} .
      
      - name: Push to registry
        run: |
          echo ${{ secrets.REGISTRY_PASSWORD }} | docker login -u ${{ secrets.REGISTRY_USER }} --password-stdin ${{ secrets.REGISTRY }}
          docker push ${{ secrets.REGISTRY }}/trader-tools:${{ github.sha }}
      
      - name: Deploy to Kubernetes
        uses: azure/k8s-deploy@v4
        with:
          manifests: |
            k8s/deployment.yaml
          images: ${{ secrets.REGISTRY }}/trader-tools:${{ github.sha }}
          namespace: trader-tools

Backup and Restore

Backup Database

# Create backup
kubectl exec -it deployment/trader-tools -n trader-tools -- \
  tar -czf /tmp/backup.tar.gz /data/financial_analysis.db

# Copy backup locally
kubectl cp trader-tools/<pod-name>:/tmp/backup.tar.gz ./backup-$(date +%Y%m%d).tar.gz

Restore Database

# Copy backup to pod
kubectl cp ./backup.tar.gz trader-tools/<pod-name>:/tmp/backup.tar.gz

# Restore
kubectl exec -it <pod-name> -n trader-tools -- \
  tar -xzf /tmp/backup.tar.gz -C /

Maintenance

Rolling Updates

# Update image
kubectl set image deployment/trader-tools \
  trader-tools=your-registry/trader-tools:v2.0.0 \
  -n trader-tools

# Watch rollout
kubectl rollout status deployment/trader-tools -n trader-tools

Rollback

# Rollback to previous version
kubectl rollout undo deployment/trader-tools -n trader-tools

# Rollback to specific revision
kubectl rollout undo deployment/trader-tools --to-revision=2 -n trader-tools

Cleanup

# Delete everything
kubectl delete namespace trader-tools

# Or with Helm
helm uninstall trader-tools -n trader-tools
kubectl delete namespace trader-tools

Support

For issues and questions:

License

Copyright © 2026 Your Company. All rights reserved.