Skip to content

Select theme

Overview
Concepts
Architecture
Onboard an app
Worked examples
Operations
Troubleshooting
Disaster recovery
Reference
Glossary

Select theme

On this page

Overview
1. Decide
2. Build & ship the image — details
3. Database (if needed) — details
4. GitOps deploy — details
5. Secrets & config — details
6. Metrics & canary — details
7. Go live
8. Day-2

On this page

Overview
1. Decide
2. Build & ship the image — details
3. Database (if needed) — details
4. GitOps deploy — details
5. Secrets & config — details
6. Metrics & canary — details
7. Go live
8. Day-2

New-app checklist

The playbook in one screen. Fill in <app>, <owner>, <domain>. Each box links to the step with the full template. Work top to bottom.

App:

Ticks are saved in your browser per app name — type the app you’re onboarding to keep its own progress.

1. Decide

Section titled “1. Decide”

Pick <app>, the namespace (also <app>), and the hostname api.<domain>
Does it need a database? a browser login (Keycloak client)? — note which steps apply

2. Build & ship the image — details

Section titled “2. Build & ship the image — details”

Add a multi-stage Dockerfile (distroless/static, arm64; bundle migrate if it has migrations)
Add .dockerignore
Add the GitHub Actions workflow → pushes ghcr.io/<owner>/<app>:sha-<sha>
Push → confirm the image + sha- tag in GHCR; make the package public (or plan a pull secret)

3. Database (if needed) — details

Section titled “3. Database (if needed) — details”

Add a CNPG Cluster (<app>-pg) in workloads/<app>/
App reads DB_URL from the auto-created <app>-pg-app secret’s uri key
Add the migrations PreSync Job (runs before the rollout)
(Recommended) add backup.barmanObjectStore + a ScheduledBackup

4. GitOps deploy — details

Section titled “4. GitOps deploy — details”

Create workloads/<app>/: namespace, Rollout, Service, Ingress (Traefik + cert-manager)
Add apps/<app>.yaml (the Argo CD Application pointing at workloads/<app>/)
DNS: api.<domain> → node public IP (grey cloud)

5. Secrets & config — details

Section titled “5. Secrets & config — details”

Create out-of-band secrets via kubectl (e.g. <app>-kc, <app>-pg-backup-creds) — never in Git
Add the non-secret ConfigMap (<app>-config)

6. Metrics & canary — details

Section titled “6. Metrics & canary — details”

App exposes /metrics
Add the ServiceMonitor (label release: kube-prom-stack)
Add the AnalysisTemplate (success-rate result[0] >= 0.95) + wire strategy.canary.analysis into the Rollout

7. Go live

Section titled “7. Go live”

Commit + push the gitops repo → Argo CD syncs
App shows Synced / Healthy; pods Running; cert READY=True
curl https://api.<domain>/healthz (or your liveness path) returns 200

8. Day-2

Section titled “8. Day-2”

Ship a change: push code → CI builds → bump the image tag in rollout.yaml → push → watch the canary (details)
(Optional) add a worked-example page for this app

Stuck? See Troubleshooting. Rebuilding the whole platform? See Disaster recovery.

Last updated: Jun 18, 2026

Previous
Secrets Next
Example: the Penvoice API