rise-deploy 0.16.1

A simple and powerful CLI for deploying containerized applications
# yaml-language-server: $schema=../docs/schemas/backend-settings.schema.json
# Insecure development configuration - DO NOT USE IN PRODUCTION.

# HTTP server settings for the local development backend.
# NOTE(review): host, public_url, cookie_secure and jwt_signing_secret below are
# development-only values; each one needs a different value outside a developer machine.
server:
  # 0.0.0.0 listens on every interface, so the backend is reachable from any
  # network the host is attached to, not only from loopback.
  host: "0.0.0.0"
  port: 3000
  # Plain http:// origin: nothing sent to this URL is protected in transit.
  public_url: "http://rise.local:3000"
  frontend_dev_proxy_url: "http://localhost:5173"
  cookie_domain: "" # Empty = current host only (for localhost:3000 access)
  # Presumably sets the cookie Secure attribute; false is consistent with the
  # http:// public_url above. Confirm against the settings schema.
  cookie_secure: false
  # Placeholder, not a secret: every character is 'A', which base64-decodes to
  # zero bytes, and the value is published with this file. Presumably the key
  # that signs the backend's JWTs; a key that is publicly known lets anyone mint
  # tokens the backend accepts, so supply a freshly generated value from the
  # environment or a secret store wherever real users exist.
  jwt_signing_secret: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" # Generate with: openssl rand -base64 32
  # NOTE(review): how these claim names are used is not visible here; confirm
  # against the settings schema.
  jwt_claims: ["sub", "email", "name"]
  # ${VAR:-default} takes the environment variable when set, else the default.
  # Presumably expanded by the config loader; confirm.
  static_dir: "${RISE_STATIC_DIR:-static}" # In-container: /var/lib/rise/static; local dev: static/
  docs_dir: "${RISE_DOCS_DIR:-docs}" # In-container: /var/rise/docs; local dev: docs/

# Database connection settings.
database:
  # Referenced through DATABASE_URL instead of being written here, which keeps
  # any credentials embedded in the connection string out of this file.
  # NOTE(review): no ":-default" is given; what the loader does when the variable
  # is unset is not visible here. Confirm it fails closed.
  url: "${DATABASE_URL}"

# Symmetric encryption settings. Which data the backend protects with this key
# is not visible from this file.
encryption:
  type: "aes-gcm-256"
  # Placeholder, not a secret: an all-'A' base64 string decodes to all-zero
  # bytes and is identical to the jwt_signing_secret placeholder in the server
  # section. Data encrypted under a published key has no confidentiality;
  # generate a unique key per environment and keep it out of version control.
  # NOTE(review): whether the key can be rotated without re-encrypting existing
  # data is not visible here. Confirm before replacing it on a populated database.
  key: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" # Generate with: openssl rand -base64 32

# Identity provider and authorization settings.
auth:
  # Issuer is reached over plain http on localhost; the /dex path suggests a
  # local Dex instance (presumably; confirm). Anywhere else the issuer should be
  # an https:// URL so that discovery and token exchange are protected in transit.
  issuer: "http://localhost:5556/dex"
  client_id: "rise-backend"
  # Hard-coded, guessable client secret, acceptable only against a throwaway
  # local identity provider. Supply the real value from the environment or a
  # secret store rather than committing it.
  client_secret: "rise-backend-secret"
  # Accounts listed here are administrators; presumably matched on the email
  # claim (confirm). Keep this list minimal.
  admin_users:
    - "admin@example.com"
  # Allow all users to create teams (default: true). Set to false to restrict team creation to admins only.
  allow_team_creation: true
  platform_access:
    # NOTE(review): "restrictive" together with the list below reads as an
    # allow-list of who may use the platform; confirm the exact semantics and
    # the other accepted values in the settings schema.
    policy: restrictive
    allowed_user_emails:
      - "admin@example.com"
      - "dev@example.com"

# Explicit empty mapping (not null): no controller options are set in this file.
# Presumably the backend's built-in defaults apply; confirm.
controller: {}

# Container image registry used for pushing and pulling application images.
registry:
  type: "oci-client-auth"
  # NOTE(review): neither URL carries a scheme, so whether pushes and pulls use
  # TLS cannot be told from this file. Confirm; images moved over plain HTTP can
  # be altered in transit.
  registry_url: "rise-registry:5000" # Internal URL for deployment controllers
  namespace: "rise-apps"
  client_registry_url: "rise-registry:5000" # Client-facing URL for CLI push operations

# Kubernetes deployment settings for a local Minikube cluster. Ingress, auth
# subrequests and sign-in redirects are all configured for plain HTTP here.
deployment_controller:
  type: "kubernetes"
  # {project_name} and {deployment_group} are placeholders, presumably filled in
  # per deployment by the controller. Confirm how the substituted values are
  # validated, since they become hostnames and namespace names.
  production_ingress_url_template: "{project_name}.rise.local"
  staging_ingress_url_template: "{project_name}-{deployment_group}.preview.rise.local"
  namespace_format: "rise-{project_name}"
  auth_backend_url: "http://host.minikube.internal:3000" # URL for Nginx auth subrequests (Docker bridge IP for Minikube to reach host)
  auth_signin_url: "http://rise.local:3000" # Domain for user-facing OAuth redirects
  ingress_annotations:
    # Turns off ingress-nginx's HTTP-to-HTTPS redirect, so app traffic stays on
    # plain HTTP. The value is the string "false", not a boolean.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  ingress_port: 8080 # `mise minikube:up` port-forwards ingress to this port
  ingress_schema: "http" # Use http for local development
  host_aliases:
    rise.local: "192.168.49.1" # Minikube host IP
  # Extra projected service account tokens mounted in every app pod at
  # /var/run/secrets/rise/tokens/<name>
  # extra_service_token_audiences:
  #   vault: "https://vault.example.com"
  # CIDRs that app pods may reach; presumably rendered into an egress
  # NetworkPolicy (confirm). This entry opens the whole Minikube host subnet,
  # which includes the backend on the host. Keep the list as narrow as the
  # workloads allow.
  network_policy_egress_allow_cidrs:
    - "192.168.49.0/24" # Minikube host network
  # Access classes a project can choose from; each pairs an ingress class with
  # the authentication level required to reach the app.
  access_classes:
    # Per its description, apps in this class are served with no authentication.
    public:
      display_name: "Public"
      description: "Fully public - no authentication required."
      ingress_class: "nginx"
      # Plain scalar None is the string "None" in YAML, not a null (null is
      # written `null` or `~`). NOTE(review): quoting it would make that explicit.
      access_requirement: None
    authenticated:
      display_name: "Authenticated"
      description: "Requires authentication but not project membership."
      ingress_class: "nginx"
      access_requirement: Authenticated
    private:
      display_name: "Private"
      description: "Requires authentication and project membership."
      ingress_class: "nginx"
      access_requirement: Member