testing

Author: adskyiproger

.github/workflows/deploy-dependencies.yml

@@ -10,6 +10,7 @@ on:
         type: choice
         options:
           - demo
+          - demo-prod
           - dev
           - dev-stg
 jobs:

.github/workflows/deploy-opencrvs.yml

@@ -30,6 +30,7 @@ on:
         type: choice
         options:
           - demo
+          - demo-prod
           - dev
           - dev-stg
       reset:

.github/workflows/k8s-reset-data.yml

@@ -15,6 +15,7 @@ on:
         type: choice
         options:
           - demo
+          - demo-prod
           - dev
           - dev-stg
   workflow_call:

.github/workflows/k8s-seed-data.yml

@@ -10,6 +10,7 @@ on:
         type: choice
         options:
           - demo
+          - demo-prod
           - dev
           - dev-stg
   workflow_call:

.github/workflows/provision.yml

@@ -10,6 +10,7 @@ on:
         type: choice
         options:
           - dev
+          - demo-prod
           - demo
       tags:
         description: 'Tags to apply to the provisioned resources'
@@ -27,8 +28,7 @@ on:
           - decrypt-on-boot
           - checks
           - containerd-setup
-          - kubernetes-installation
-          - join-workers
+          - k8s
           - system-preparation
 jobs:
   provision:
@@ -62,7 +62,6 @@ jobs:
           smtp_from: "[email protected]"
           smtp_password: ${{ secrets.SMTP_PASSWORD }}
           alert_email: ${{ secrets.ALERT_EMAIL }}
-
       - name: checkout repository
         uses: actions/checkout@v5
       - name: Run Ansible Playbook

environments/demo-prod/dependencies/values.yaml

@@ -0,0 +1,23 @@
+storage_type: host_path
+
+ingress:
+  tls_resolver: letsencrypt
+
+minio:
+  use_default_credentials: false
+
+elasticsearch:
+  use_default_credentials: false
+
+mongodb:
+  use_default_credentials: false
+
+postgres:
+  use_default_credentials: false
+
+monitoring:
+  enabled: true
+
+elastalert:
+  env:
+    HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-demo-prod.svc.cluster.local:3040

environments/demo-prod/mosip-api/values.yaml

@@ -0,0 +1,2 @@
+ingress:
+  ssl_enabled: true

environments/demo-prod/opencrvs-services/values.yaml

@@ -0,0 +1,54 @@
+########################################################################################
+# Initial configuration file for OpenCRVS installation
+########################################################################################
+# Some properties are not defined in this file and should be provided as key/value at
+# installation time:
+# - hostname: valid DNS name for opencrvs
+# - countryconfig.image.name: Countryconfig image repository
+# - countryconfig.image.tag: Countryconfig image tag
+ingress:
+  tls_resolver: letsencrypt
+
+hpa:
+  enabled: false
+
+env:
+  APN_SERVICE_URL: "http://apm-server.opencrvs-deps-demo-prod.svc.cluster.local:8200"
+
+influxdb:
+  host: influxdb-0.influxdb.opencrvs-deps-demo-prod.svc.cluster.local
+elasticsearch:
+  auth_mode: auto
+  host: elasticsearch.opencrvs-deps-demo-prod.svc.cluster.local
+
+
+minio:
+  auth_mode: use_secret
+  host: minio-0.minio.opencrvs-deps-demo-prod.svc.cluster.local
+  external_hostname: minio.test-k8s.opencrvs.dev
+
+mongodb:
+  auth_mode: auto
+  host: mongodb-0.mongodb.opencrvs-deps-demo-prod.svc.cluster.local
+
+redis:
+  auth_mode: acl
+  host: redis-0.redis.opencrvs-deps-demo-prod.svc.cluster.local
+
+postgres:
+  auth_mode: auto
+  host: postgres-0.postgres.opencrvs-deps-demo-prod.svc.cluster.local
+
+imagePullSecrets:
+  # Default value for credentials created while yarn environment:init
+  - name: dockerhub-credentials
+
+countryconfig:
+  smtp-config:
+    - ALERT_EMAIL
+    - SENDER_EMAIL_ADDRESS
+    - SMTP_HOST
+    - SMTP_PASSWORD
+    - SMTP_PORT
+    - SMTP_SECURE
+    - SMTP_USERNAME

environments/demo-prod/traefik/values.yaml

@@ -0,0 +1,74 @@
+# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
+namespaceOverride: "traefik"
+logs:
+  general:
+    # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
+    level: "INFO"
+    # format: "common" # For local environment
+    format: "json" # For server environment
+  access:
+    # -- To enable access logs
+    enabled: true
+    format: "json"
+ingressRoute:
+  dashboard:
+    enabled: false
+
+# Be explicit that we only use CRDs, not ingress/gw support
+providers: 
+  kubernetesCRD:
+    enabled: true
+  kubernetesIngress:
+    enabled: true
+  kubernetesGateway:
+    enabled: false
+
+service:
+  enabled: true
+  single: false
+  type: NodePort
+
+ports:
+  web:
+    port: 8000
+    hostPort: 80
+    protocol: TCP
+    nodePort: 30080
+  websecure:
+    port: 8443
+    nodePort: 30443
+    hostPort: 443
+    protocol: TCP
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      tlsChallenge: false
+      httpChallenge:
+        entryPoint: web
+      email: [email protected]
+      # Storage for production certificates:
+      # storage: /data/acme.json
+      # Storage for staging certificates:
+      storage: /data/acme-staging.json
+      # Staging server
+      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      # Production server
+      # caServer: https://acme-v02.api.letsencrypt.org/directory
+
+# Additional arguments
+additionalArguments:
+  - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+  - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+  - "--certificatesresolvers.letsencrypt.acme.email=vadym@opencrvs.org"
+  # Storage for staging certificates:
+  - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme-staging.json"
+  # Storage for staging certificates:
+  # - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"
+
+deployment:
+  hostNetwork: true
+  additionalVolumes:
+    - name: acme
+      hostPath:
+        path: /data/traefik

examples/dev/README.md

@@ -6,40 +6,8 @@ OpenCRVS can be deployed either:
 
 * **Manually** (using Helm and CLI commands), see [README-on-existing-cluster](README-on-existing-cluster.md) or
 * **Automatically** (using the provided GitHub Action Workflows).
-
 ---
 
-# Prerequisites
-
-Before starting the deployment, ensure the following requirements are met:
-
-**1. Virtual Machine resources**
-
-   * Minimum: **8 CPU cores, 16 GB RAM, 50 GB SSD**.
-
-**2. Operating System**
-
-   * VM is running **Ubuntu 24.04 LTS**.
-
-**3. Networking and Domain Configuration**
-
-* The VM must have a **public IP address** and (or) ports **80** and **443** must be accessible.
-* A **valid domain name** must be configured and point to the VM.
-* Required DNS records:
-
-  * An **A record** pointing the primary domain to the VM IP (e.g., `opencrvs.example.com`).
-  * A **wildcard A record** (e.g., `*.opencrvs.example.com`) or individual subdomains pointing to the same VM IP.
-* These settings are required for **Traefik** to issue valid SSL certificates using Let’s Encrypt (`http-01` challenge).
-
-> See the [OpenCRVS documentation on DNS setup](https://documentation.opencrvs.org/setup/3.-installation/3.3-set-up-a-server-hosted-environment/3.3.5-setup-dns-a-records#domain-a-records) for details.
-
-> If you don't have public IP Address please follow guide "How to run traefik with self-signed SSL Certificate", see [TODO](#link-goes-here)
-
-**4. Create provisioning User**
-
-   * The VM must be provisioned with an SSH user account according to [Provision Your Server Nodes with SSH Access](https://documentation.opencrvs.org/setup/3.-installation/3.3-set-up-a-server-hosted-environment/3.3.1-provision-your-server-nodes-with-ssh-access).
-
----
 
 # Deployment Package Contents
 
@@ -73,6 +41,35 @@ The deployment package includes the following components:
   * MOSIP integration version: `latest`
 
 
+---
+
+# Prerequisites
+
+Before starting the deployment, ensure the following requirements are met:
+
+**1. Virtual Machine resources**
+
+   * Minimum: **8 CPU cores, 16 GB RAM, 50 GB SSD**.
+
+**2. Operating System**
+
+   * VM is running **Ubuntu 24.04 LTS**.
+
+**3. Networking and Domain Configuration**
+
+* The VM must have a **public IP address** and (or) ports **80** and **443** must be accessible.
+* A **valid domain name** must be configured and point to the VM.
+* Required DNS records:
+
+  * An **A record** pointing the primary domain to the VM IP (e.g., `opencrvs.example.com`).
+  * A **wildcard A record** (e.g., `*.opencrvs.example.com`) or individual subdomains pointing to the same VM IP.
+* These settings are required for **Traefik** to issue valid SSL certificates using Let’s Encrypt (`http-01` challenge).
+
+> See the [OpenCRVS documentation on DNS setup](https://documentation.opencrvs.org/setup/3.-installation/3.3-set-up-a-server-hosted-environment/3.3.5-setup-dns-a-records#domain-a-records) for details.
+
+> If you don't have public IP Address please follow guide "How to run traefik with self-signed SSL Certificate", see [TODO](#link-goes-here)
+
+---
 
 # Deploy OpenCRVS with GitHub Actions Workflows
 
@@ -88,27 +85,8 @@ You will need to provide the following values while installation multiple times:
 * Environment name: `<env name>`
 ---
 
-## 1. Bootstrap GitHub Self-Hosted Runner
-
-The self-hosted runner must be installed on the single VM (or master node).
-
-1. Login as `provision` user
-
-2. Run the following command on the VM:
-    ```bash
-    curl -s https://raw.githubusercontent.com/opencrvs/infrastructure/refs/heads/develop/github-runner/node-runner.sh -o runner.sh && bash runner.sh
-    ```
-
-**Verify runner is available**
-
-1. If successful, you will see a confirmation message:
-    ```
-    ✅ Runner '....-runner' is installed and started!
-    ```
-2. In your GitHub repository, navigate to **Settings → Actions → Runners** and verify that the runner appears as a self-hosted runner.
-
 ---
-## 2.  Create a GitHub environment
+## 1.  Create a GitHub environment
 
 * Checkout forked infrastructure repository into any folder on your laptop
   ```
@@ -122,8 +100,36 @@ The self-hosted runner must be installed on the single VM (or master node).
   ```
   yarn environment:init
   ```
+* Go to GitHub and verify the newly created environment
+
+
+## 2.1. Bootstrap GitHub Self-Hosted Runner
+
+The self-hosted runner must be installed on the single VM (master node). The VM must be provisioned with an SSH user account according to [Provision Your Server Nodes with SSH Access](https://documentation.opencrvs.org/setup/3.-installation/3.3-set-up-a-server-hosted-environment/3.3.1-provision-your-server-nodes-with-ssh-access).
+
+> NOTE: On previous step environment configuration script left correct command as output.
+
+1. Login as any user with sudo or root access
+
+2. Run the following command on the VM:
+    ```bash
+    curl -sfL https://raw.githubusercontent.com/opencrvs/infrastructure/refs/heads/ocrvs-9792/scripts/bootstrap/opencrvs-bootstrap.sh -o opencrvs-bootstrap.sh | \
+    bash opencrvs-bootstrap.sh --owner <org name> \
+                --repo <repo name> \
+                --env <env name> \
+                --token <github token> \
+                --enable-runner
+    ```
+
+**Verify runner is available**
+
+1. If successful, you will see a confirmation message:
+    ```
+    ✅ Runner '....-runner' is installed and started!
+    ```
+2. In your GitHub repository, navigate to **Settings → Actions → Runners** and verify that the runner appears as a self-hosted runner.
 
-### 2.1 Update infrastructure configuration
+### 2.2 Update infrastructure configuration
 
 * Navigate to the `infrastructure/server-setup/inventory` folder.
 * Open a configuration file for your environment, see example.
@@ -173,12 +179,12 @@ all:
           ansible_connection: local
 ```
 
-### 2.2 Update OpenCRVS environment configuration files
+### 2.3 Update OpenCRVS helm chart values
 
-At environment creation phase environment files are stored into `environments/<env name>` folder. Navigate to this folder and update files one by one. Folder contains configuration for the following helm charts:
-- traefik: Usually helm chart doesn't require updates.
-- dependencies: Usually helm chart doesn't require updates.
-- opencrvs-services: Update countryconfig container image, hostname, environment variables, ingress & Traefik TLS/SSL configuration etc.
+At environment creation phase helm chart values files are stored into `environments/<env name>` folder. Usually default configuration properties are sufficient for first deployment:
+- traefik
+- dependencies
+- opencrvs-services
 
 Commit your changes.
 
@@ -224,4 +230,4 @@ Data seed script also executed at the end of deployment workflow.
 
 Verification steps:
 - Go to login page: `https://<your domain>`
-- Login using demo users: https://documentation.opencrvs.org/setup/3.-installation/3.1-set-up-a-development-environment/3.1.4-log-in-to-opencrvs-locally
+- Login using demo users: https://documentation.opencrvs.org/setup/3.-installation/3.1-set-up-a-development-environment/3.1.4-log-in-to-opencrvs-locally