Runbook — Deploy

Use this runbook for a normal Helm-based deployment of a Finnest Power bundle after CI has built, signed, and published service images and the umbrella chart.

Preconditions

• kubectl access to the target cluster and namespace.
• Helm 3.16 or newer.
• Published chart version and service image tags from the release workflow.
• Required secrets already present: database credentials, Keycloak credentials, TLS material, and license key.
• Latest backup is healthy before deploying to production.

Steps

1. Confirm the target context:

   kubectl config current-context
   kubectl get ns finnest-prod

2. Render the release locally and inspect image tags:

   helm template finnest-power oci://ghcr.io/finnestbr/charts/finnest-power \
     --version <chart-version> \
     -f infra/helm/finnest-power/values-bundles/<bundle>.yaml \
     -n finnest-prod > /tmp/finnest-power-rendered.yaml

3. Deploy atomically:

   helm upgrade --install finnest-power oci://ghcr.io/finnestbr/charts/finnest-power \
     --version <chart-version> \
     -f infra/helm/finnest-power/values-bundles/<bundle>.yaml \
     -n finnest-prod --create-namespace --atomic --timeout 10m

4. Wait for rollout:

   kubectl -n finnest-prod rollout status deploy --timeout=10m

Verification

• kubectl -n finnest-prod get pods shows all Finnest pods ready.
• Gateway /healthz and /readyz return success.
• Smoke test covers public data, consent, and payment readiness endpoints for the deployed bundle.
• Grafana/Loki/Tempo or the configured customer backend receives traces and logs for the new version.