Add production deployment with manual approval gate

- Add values-prod.yaml with persistence enabled (20Gi PostgreSQL, 100Gi MinIO) - Add deploy_prod job triggered on semantic version tags (v1.0.0, etc.) - Production deployment requires manual approval for safety - Add integration_test_prod job to verify prod deployment - Production uses orchard.common.global.bsf.tools hostname - Trusts main branch (skip re-running all tests for tags)
2026-01-15 20:52:44 +00:00
parent 157ac0ccb2
commit 161d08c508
2 changed files with 265 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -318,3 +318,51 @@ cleanup_feature:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      when: manual
  allow_failure: true
+
+# Deploy to production (version tags only, manual approval required)
+deploy_prod:
+  stage: deploy
+  # For tag pipelines, most jobs don't run (trusting main was tested)
+  # We only need build_image to have the image available
+  needs: [build_image]
+  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  variables:
+    NAMESPACE: orch-prod-namespace
+    VALUES_FILE: helm/orchard/values-prod.yaml
+    BASE_URL: https://orchard.common.global.bsf.tools
+  before_script:
+    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-prod
+    - *helm_setup
+  script:
+    - echo "Deploying to PRODUCTION - version $CI_COMMIT_TAG"
+    - cd $CI_PROJECT_DIR
+    - |
+      helm upgrade --install orchard-prod ./helm/orchard \
+        --namespace $NAMESPACE \
+        -f $VALUES_FILE \
+        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+        --wait \
+        --atomic \
+        --timeout 10m
+    - kubectl rollout status deployment/orchard-prod-server -n $NAMESPACE --timeout=10m
+    - *verify_deployment
+  environment:
+    name: production
+    url: https://orchard.common.global.bsf.tools
+    kubernetes:
+      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-prod
+  rules:
+    # Only run on semantic version tags (v1.0.0, v1.2.3, etc.)
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
+      when: manual  # Require manual approval for prod
+  allow_failure: false
+
+# Integration tests for production deployment
+integration_test_prod:
+  <<: *integration_test_template
+  needs: [deploy_prod]
+  variables:
+    BASE_URL: https://orchard.common.global.bsf.tools
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
+      when: on_success