harkon/ai-tax-agent
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ai-tax-agent/docs/POST_BUILD_DEPLOYMENT.md
harkon f0f7674b8d
Some checks failed
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
Details
CI/CD Pipeline / Policy Validation (push) Has been cancelled
Details
CI/CD Pipeline / Test Suite (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
Details
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
Details
CI/CD Pipeline / Notifications (push) Has been cancelled
Details
clean up base infra
2025-10-11 11:42:43 +01:00

378 lines
9.8 KiB
Markdown
Raw Permalink Blame History

# Post-Build Deployment Guide
This guide covers the deployment steps **after** Docker images have been built and pushed to the Gitea registry.
## Prerequisites
✅ Docker images built and pushed to `gitea.harkon.co.uk/ai-tax-agent/*:v1.0.0`
✅ Production environment file generated (`.env.production`)
✅ SSH access to production server (`deploy@141.136.35.199`)
✅ Gitea access token created with `write:package` scope
---
## Deployment Steps
### Step 1: Prepare Remote Server Directory Structure
```bash
# Create directory structure on remote server
ssh deploy@141.136.35.199 << 'EOF'
mkdir -p /opt/ai-tax-agent/{compose/production,data,logs,backups}
mkdir -p /opt/ai-tax-agent/compose/{prometheus,loki,grafana}
EOF
```
### Step 2: Copy Configuration Files
```bash
# Copy production compose files
scp infra/base/infrastructure.yaml deploy@141.136.35.199:/opt/ai-tax-agent/compose/production/
scp infra/base/services.yaml deploy@141.136.35.199:/opt/ai-tax-agent/compose/production/
scp infra/base/monitoring.yaml deploy@141.136.35.199:/opt/ai-tax-agent/compose/production/
# Copy environment file
scp infra/environments/production/.env deploy@141.136.35.199:/opt/ai-tax-agent/compose/.env
# Copy monitoring configs
scp infra/compose/prometheus/prometheus.yml deploy@141.136.35.199:/opt/ai-tax-agent/compose/prometheus/
scp infra/compose/loki/loki-config.yml deploy@141.136.35.199:/opt/ai-tax-agent/compose/loki/loki.yml
scp infra/compose/promtail/promtail-config.yml deploy@141.136.35.199:/opt/ai-tax-agent/compose/loki/promtail-config.yml
```
### Step 3: Update Traefik Configuration
Add the AI Tax Agent middleware to Traefik's dynamic configuration:
```bash
# Create Traefik dynamic config for AI Tax Agent
ssh deploy@141.136.35.199 << 'EOF'
cat > /opt/compose/traefik/config/ai-tax-agent.yaml << 'TRAEFIK'
http:
middlewares:
# Rate limiting for API
api-ratelimit:
rateLimit:
average: 100
burst: 50
period: 1s
# CORS headers
api-cors:
headers:
accessControlAllowMethods:
- GET
- POST
- PUT
- DELETE
- OPTIONS
accessControlAllowOriginList:
- "https://app.harkon.co.uk"
accessControlAllowHeaders:
- "Content-Type"
- "Authorization"
accessControlMaxAge: 100
addVaryHeader: true
# Security headers
security-headers:
headers:
frameDeny: true
browserXssFilter: true
contentTypeNosniff: true
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
TRAEFIK
EOF
```
### Step 4: Deploy Infrastructure Services
```bash
# Use the deployment script
./scripts/deploy-to-production.sh infrastructure
# Or manually:
ssh deploy@141.136.35.199 << 'EOF'
cd /opt/ai-tax-agent
docker compose -f compose/production/infrastructure.yaml up -d
EOF
```
**Wait 2-3 minutes** for infrastructure services to initialize.
### Step 5: Initialize Vault
```bash
# Initialize Vault (first time only)
ssh deploy@141.136.35.199 << 'EOF'
# Vault will auto-unseal if configured, otherwise:
docker exec vault vault operator init -key-shares=5 -key-threshold=3 > ~/vault-keys.txt
docker exec vault vault operator unseal <unseal-key-1>
docker exec vault vault operator unseal <unseal-key-2>
docker exec vault vault operator unseal <unseal-key-3>
EOF
# IMPORTANT: Save vault-keys.txt securely and delete from server!
scp deploy@141.136.35.199:~/vault-keys.txt ./vault-keys-SECURE.txt
ssh deploy@141.136.35.199 "rm ~/vault-keys.txt"
```
### Step 6: Initialize MinIO
```bash
# MinIO is ready immediately, access at:
# https://minio.harkon.co.uk
# Username: admin (from .env.production MINIO_ROOT_USER)
# Password: <from .env.production MINIO_ROOT_PASSWORD>
# Create required buckets
ssh deploy@141.136.35.199 << 'EOF'
docker exec apa-minio mc alias set local http://localhost:9000 admin <MINIO_ROOT_PASSWORD>
docker exec apa-minio mc mb local/documents
docker exec apa-minio mc mb local/processed
docker exec apa-minio mc mb local/models
docker exec apa-minio mc mb local/temp
EOF
```
### Step 7: Initialize Neo4j
```bash
# Access Neo4j Browser at:
# https://neo4j.harkon.co.uk
# Username: neo4j
# Password: <from .env.production NEO4J_PASSWORD>
# Verify connection
ssh deploy@141.136.35.199 << 'EOF'
docker exec apa-neo4j cypher-shell -u neo4j -p <NEO4J_PASSWORD> "RETURN 'Connected' as status;"
EOF
```
### Step 8: Deploy Application Services
```bash
# Deploy all application services
./scripts/deploy-to-production.sh services
# Or manually:
ssh deploy@141.136.35.199 << 'EOF'
cd /opt/ai-tax-agent
docker compose -f compose/production/services.yaml up -d
EOF
```
**Wait 1-2 minutes** for services to start.
### Step 9: Deploy Monitoring Stack
```bash
# Deploy monitoring
./scripts/deploy-to-production.sh monitoring
# Or manually:
ssh deploy@141.136.35.199 << 'EOF'
cd /opt/ai-tax-agent
docker compose -f compose/production/monitoring.yaml up -d
EOF
```
### Step 10: Configure Authentik OAuth for Grafana
1. **Login to Authentik**: https://auth.harkon.co.uk
2. **Create OAuth Provider**:
- Applications → Providers → Create
- Type: OAuth2/OpenID Provider
- Name: `Grafana`
- Client ID: `grafana` (copy this)
- Client Secret: Generate and copy
- Redirect URIs: `https://grafana.harkon.co.uk/login/generic_oauth`
- Scopes: `openid`, `profile`, `email`, `groups`
3. **Create Application**:
- Applications → Create
- Name: `Grafana`
- Slug: `grafana`
- Provider: Select the provider created above
- Launch URL: `https://grafana.harkon.co.uk`
4. **Update Environment Variables**:
```bash
# On remote server, update .env.production
ssh deploy@141.136.35.199
nano /opt/ai-tax-agent/compose/.env.production
# Update these values:
GRAFANA_OAUTH_CLIENT_ID=grafana
GRAFANA_OAUTH_CLIENT_SECRET=<secret-from-authentik>
# Restart Grafana
cd /opt/ai-tax-agent
docker compose -f compose/production/monitoring.yaml restart apa-grafana
```
### Step 11: Verify Deployment
```bash
# Run verification script
./scripts/verify-deployment.sh
# Or check manually:
./scripts/health-check.sh
```
### Step 12: Access Services
| Service | URL | Authentication |
|---------|-----|----------------|
| **Application UI** | https://app.harkon.co.uk | Authentik SSO |
| **API Gateway** | https://api.harkon.co.uk | Authentik SSO |
| **Grafana** | https://grafana.harkon.co.uk | Authentik OAuth |
| **Prometheus** | https://prometheus.harkon.co.uk | Authentik SSO |
| **Vault** | https://vault.harkon.co.uk | Vault Token |
| **MinIO Console** | https://minio-console.harkon.co.uk | MinIO Credentials |
| **Neo4j Browser** | https://neo4j.harkon.co.uk | Neo4j Credentials |
| **Qdrant** | https://qdrant.harkon.co.uk | Authentik SSO |
---
## Post-Deployment Tasks
### 1. Configure Grafana Dashboards
1. Login to Grafana: https://grafana.harkon.co.uk
2. Add Prometheus data source:
- Configuration → Data Sources → Add data source
- Type: Prometheus
- URL: `http://prometheus:9090`
- Save & Test
3. Add Loki data source:
- Configuration → Data Sources → Add data source
- Type: Loki
- URL: `http://loki:3100`
- Save & Test
4. Import dashboards (optional):
- Create → Import
- Dashboard ID: 1860 (Node Exporter Full)
- Dashboard ID: 7362 (Docker Monitoring)
### 2. Set Up Alerts (Optional)
Create alert rules in Prometheus or Grafana for:
- Service health checks
- High memory usage
- High CPU usage
- Disk space warnings
- Failed authentication attempts
### 3. Configure Backups
```bash
# Set up automated backups (cron job on server)
ssh deploy@141.136.35.199
crontab -e
# Add daily backup at 2 AM
0 2 * * * /opt/ai-tax-agent/scripts/backup.sh
```
### 4. Test Application Workflows
1. **Upload a document** via UI
2. **Check ingestion** service logs
3. **Verify extraction** in Neo4j
4. **Test RAG retrieval** via API
5. **Review results** in UI
---
## Troubleshooting
### Services Not Starting
```bash
# Check logs
ssh deploy@141.136.35.199 "docker logs <container-name>"
# Check resource usage
ssh deploy@141.136.35.199 "docker stats"
# Restart specific service
ssh deploy@141.136.35.199 "cd /opt/ai-tax-agent && docker compose -f compose/production/services.yaml restart <service-name>"
```
### SSL Certificate Issues
```bash
# Check Traefik logs
ssh deploy@141.136.35.199 "docker logs traefik --tail 100"
# Force certificate renewal
ssh deploy@141.136.35.199 "docker exec traefik rm /var/traefik/certs/godaddy-acme.json && docker restart traefik"
```
### Database Connection Issues
```bash
# Check PostgreSQL
ssh deploy@141.136.35.199 "docker exec postgres pg_isready"
# Check Neo4j
ssh deploy@141.136.35.199 "docker exec neo4j cypher-shell -u neo4j -p <password> 'RETURN 1;'"
# Check Redis
ssh deploy@141.136.35.199 "docker exec redis redis-cli ping"
```
---
## Rollback Procedure
If deployment fails:
```bash
# Use rollback script
./scripts/rollback-deployment.sh
# Or manually restore from backup
ssh deploy@141.136.35.199 << 'EOF'
cd /opt/ai-tax-agent
docker compose -f compose/production/services.yaml down
docker compose -f compose/production/infrastructure.yaml down
docker compose -f compose/production/monitoring.yaml down
# Restore from backup
tar -xzf backups/backup-<timestamp>.tar.gz -C /opt/ai-tax-agent/
# Restart services
docker compose -f compose/production/infrastructure.yaml up -d
sleep 30
docker compose -f compose/production/services.yaml up -d
docker compose -f compose/production/monitoring.yaml up -d
EOF
```
---
## Next Steps
1. ✅ Monitor application logs for errors
2. ✅ Set up automated backups
3. ✅ Configure alerting rules
4. ✅ Document any custom configurations
5. ✅ Train users on the application
6. ✅ Plan for scaling (if needed)
---
## Support
For issues or questions:
- Check logs: `./scripts/verify-deployment.sh`
- Review documentation: `docs/DEPLOYMENT_CHECKLIST.md`
- Contact: [Your support contact]
Reference in New Issue View Git Blame Copy Permalink