Prod deployment overview

Use this overview as the entry point for Blaster production work. It links to focused runbooks for Kubernetes manifests, Flux GitOps, Cloudflare tunnelling and security hardening.

Blaster GitOps series

  1. Blaster GitOps summary
  2. Blaster repo and branches
  3. Dockerfile & GitLab CI
  4. Clerk authentication & user setup
  5. Google OAuth for Clerk
  6. Blaster prep for automation
  7. Dev app k8s manifests
  8. Dev flux sources & Kustomizations
  9. Dev image automation
  10. Dev SOPS & age
  11. Dev verification & troubleshooting
  12. Dev full runbook
  13. Prod overview - you are here
  14. Prod app k8s manifests and deployment
  15. Prod Flux GitOps and image automation
  16. Prod Cloudflare, Origin CA and tunnel routing
  17. Prod full runbook
  18. Post development branches

1. What this deployment does

Blaster production runs as a Next.js app on your on-prem Kubernetes cluster, fronted by:

  • A blaster namespace with PostgreSQL and the Blaster app Deployment.
  • FluxCD GitOps pulling manifests from games/blaster and automating image updates.
  • Cloudflare Tunnel and Origin CA certificates terminating TLS for https://blaster.muppit.au/.

Secrets are managed with SOPS + age, and everything is driven from Git.

2. Runbook structure

Use these documents depending on the task:

  1. Kubernetes manifests and app deployment

    How the blaster namespace is built: DB StatefulSet, app Deployment, Ingress, Secrets, ConfigMaps and SOPS encryption.

  2. Flux GitOps and image automation

    How Flux tracks games/blaster on main, decrypts k8s/prod, watches Docker image tags and commits updated tags back to Git.

  3. Cloudflare and Origin CA / tunnel routing

    How blaster.muppit.au is configured through Cloudflare Tunnel, how Origin CA certs are issued, and how to restart cloudflared safely.

  4. Dev to Prod full runbook

    The full runbook with all commands to publish the game into production.

  5. Security hardening Git flow

    How to branch, push and open a merge request for security work such as auth hardening, without trampling prod.

3. Typical production change flow

  1. Update app code and commit to develop.
  2. Promote to main via GitLab merge request.
  3. GitLab CI builds a new prod-YYYYMMDD.BUILD image and pushes to registry.reids.net.au/games/blaster.
  4. Flux ImageRepository discovers the new tag, ImagePolicy selects it and ImageUpdateAutomation commits the new image tag into k8s/prod.
  5. Flux Kustomization applies the updated manifests.
  6. Cloudflare serves https://blaster.muppit.au/ via the tunnel, using the Origin CA certificate from the blaster namespace.

4. Verification checklist

After a change, verify:

  • Blaster pods are Ready in the blaster namespace.
  • The app is using the expected prod-YYYYMMDD.BUILD image.
  • TLS Secret blaster-muppit-au-tls is present and Certificate is Ready=True.
  • Cloudflare DNS and tunnel config include blaster.muppit.au.
  • curl -k https://blaster.muppit.au/ -I returns HTTP/2 200.
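As an added example that is not part of the Blaster runbooks or the Flux configuration, the Python below models two steps from the change flow and the checklist above: the tag selection an ImagePolicy must make over the registry's tags (only prod-YYYYMMDD.BUILD tags qualify, newest date then highest build, compared numerically so prod-20240301.10 beats prod-20240301.2), and the verification that a running pod's image reference comes from registry.reids.net.au/games/blaster with such a tag. The sample tag list is constructed; the real ImagePolicy filterTags/extract settings live in the Flux runbook.

```python
import re
from typing import Iterable, Optional, Tuple

# Tag format produced by GitLab CI for production builds (see the change flow above).
PROD_TAG_RE = re.compile(r"^prod-(?P<date>\d{8})\.(?P<build>\d+)$")
PROD_REPO = "registry.reids.net.au/games/blaster"

# Constructed sample of what a registry listing might return; not real tags.
SAMPLE_TAGS = [
    "latest", "main", "dev-20240301.7",
    "prod-20240229.3", "prod-20240301.1", "prod-20240301.10", "prod-20240301.2",
]


def parse_prod_tag(tag: str) -> Optional[Tuple[int, int]]:
    """Return (date, build) as integers for a well-formed prod tag, else None."""
    m = PROD_TAG_RE.match(tag)
    if not m:
        return None
    date, build = int(m.group("date")), int(m.group("build"))
    # Reject tags whose date part cannot be a calendar date (e.g. month 13).
    year, month, day = date // 10000, (date // 100) % 100, date % 100
    if not (2000 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31):
        return None
    return (date, build)


def select_prod_tag(tags: Iterable[str]) -> Optional[str]:
    """Newest prod tag: highest date, then highest build, compared as numbers.
    'latest', dev-*, branch names and malformed tags are never candidates."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for tag in tags:
        key = parse_prod_tag(tag)
        if key is not None and (best is None or key > best[0]):
            best = (key, tag)
    return best[1] if best else None


def image_matches_policy(image: str) -> bool:
    """Checklist step: pod image must be the prod repo path with a prod tag."""
    repo, sep, tag = image.rpartition(":")
    return sep == ":" and repo == PROD_REPO and parse_prod_tag(tag) is not None


if __name__ == "__main__":
    chosen = select_prod_tag(SAMPLE_TAGS)
    print("selected:", chosen)  # prod-20240301.10, not the lexically larger .2
    print("pod image ok:", image_matches_policy(f"{PROD_REPO}:{chosen}"))
```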