
Bounty Submission: Universal One-Click Deployment (Docker + K8s + Tilt) for FinMind #146

Open
aliraza556 wants to merge 6 commits into rohitdash08:main from aliraza556:feat/universal-one-click-deployment


@aliraza556 aliraza556 commented Feb 20, 2026

Summary

  • Universal one-click deployment across all 12 mandatory platforms using Docker as the base packaging standard
  • Full Kubernetes stack via Helm charts with ingress/TLS (cert-manager), HPA autoscaling (CPU + memory), secret management, startup/readiness/liveness probes, network policies, and Prometheus ServiceMonitor
  • Tilt integration for local K8s development with live-reload, port-forwards, and Helm-based deploys
  • Enhanced health checks: new /health/ready endpoint validates DB + Redis connectivity (returns 503 when degraded)
  • One-command deploy scripts (deploy.sh / deploy.ps1) with built-in deployment verification

/claim #144

Platforms Covered

| Platform | Config Files | Type |
|---|---|---|
| Railway | railway.json, railway.toml | Backend |
| Heroku | heroku.yml, app.json, Procfile | Full stack |
| Render | render.yaml | Full stack |
| Fly.io | fly.toml, deploy/fly-frontend.toml | Full stack |
| DigitalOcean App Platform | .do/app.yaml | Full stack |
| DigitalOcean Droplet | deploy/digitalocean-droplet.sh | Full stack |
| AWS ECS Fargate | deploy/aws-ecs-task-definition.json, deploy/aws-ecs-service.json, deploy/aws-deploy.sh | Full stack |
| AWS App Runner | deploy/aws-apprunner.yaml | Backend |
| GCP Cloud Run | deploy/gcp-cloudrun.yaml, deploy/gcp-deploy.sh | Full stack |
| Azure Container Apps | deploy/azure-containerapp.yaml, deploy/azure-deploy.sh | Full stack |
| Kubernetes | k8s/helm/finmind/ (16 template files) | Full stack |
| Tilt | Tiltfile | Local K8s dev |
| Netlify | netlify.toml | Frontend |
| Vercel | vercel.json | Frontend |

Kubernetes Features

  • Helm charts (k8s/helm/finmind/)
  • Ingress with TLS via cert-manager
  • HPA autoscaling (CPU + memory targets, scale-down stabilization)
  • Secret management (Kubernetes Secrets via stringData)
  • Health probes (startup, readiness, liveness on all components)
  • Observability baseline (Prometheus ServiceMonitor, optional)
  • Network policies (PostgreSQL + Redis isolated to backend-only access)
  • Init-DB job (Helm post-install/post-upgrade hook)
  • Production Docker Compose (docker-compose.prod.yml)

Runtime Acceptance Criteria

  • Frontend reachable (Nginx serves SPA on port 80 with HEALTHCHECK)
  • Backend health reachable (/health basic + /health/ready deep check)
  • DB + Redis connected (verified by /health/ready → {"status":"ok","checks":{"database":"connected","redis":"connected"}})
  • Auth flows working (register, login, refresh, logout via JWT)
  • Core modules working (expenses, bills, reminders, dashboard, insights, categories)

Test Plan

  • Run docker compose -f docker-compose.prod.yml up -d --build and verify all services start
  • Hit GET /health → returns {"status":"ok"}
  • Hit GET /health/ready → returns {"status":"ok","checks":{"database":"connected","redis":"connected"}}
  • Register + login → receive access_token and refresh_token
  • Access /expenses/, /bills/, /reminders/, /categories/, /dashboard/summary, /insights/ with Bearer token
  • Run ./deploy.sh verify http://localhost for automated end-to-end verification
  • helm template finmind ./k8s/helm/finmind renders all manifests without errors
  • tilt up starts all services in local K8s cluster with live-reload
  • Review platform-specific configs for correctness (Railway, Heroku, Render, Fly.io, DO, AWS, GCP, Azure, Netlify, Vercel)

Files Changed

Modified (4):

  • packages/backend/app/__init__.py — Added /health/ready deep health endpoint
  • packages/backend/Dockerfile — Added curl, HEALTHCHECK, increased timeout
  • app/Dockerfile — Added VITE_API_URL build arg, HEALTHCHECK
  • .gitignore — Removed entries for deployment.md and docker-compose.prod.yml

Added (43):

  • docker-compose.prod.yml — Production Docker Compose
  • deploy.sh / deploy.ps1 — Universal one-click deploy scripts
  • DEPLOYMENT.md — Comprehensive deployment guide
  • Platform configs: railway.json, railway.toml, heroku.yml, app.json, Procfile, render.yaml, fly.toml, netlify.toml, vercel.json, .do/app.yaml
  • Cloud deploy scripts: deploy/aws-deploy.sh, deploy/gcp-deploy.sh, deploy/azure-deploy.sh, deploy/digitalocean-droplet.sh
  • Cloud config files: deploy/aws-ecs-task-definition.json, deploy/aws-ecs-service.json, deploy/aws-apprunner.yaml, deploy/gcp-cloudrun.yaml, deploy/azure-containerapp.yaml, deploy/fly-frontend.toml
  • Helm chart: k8s/helm/finmind/ (Chart.yaml, values.yaml, 14 templates)
  • Tilt: Tiltfile

Validation

  • Frontend lint: cd app && npm run lint
  • Frontend tests: cd app && npm test -- --runInBand
  • Backend tests: ./scripts/test-backend.ps1
  • Updated docs if needed

Security and Ownership

  • PR opened from a fork (not direct push to main)
  • CODEOWNERS review requested

Checklist

  • No secrets added
  • No unrelated files changed
  • Breaking changes documented

Closed: #144
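
A sketch of the deep readiness check described in the summary above, as an added example that is not code from this PR: each dependency check is bounded by a deadline, and a failure yields 503 without echoing the exception text (which can contain a connection string) to the caller. The function name `readiness`, the `"degraded"` / `"unavailable"` strings and the check callables are assumptions; only the healthy response shape comes from the PR description.

```python
import concurrent.futures as cf
import logging
import time

log = logging.getLogger("health")


def readiness(checks, timeout=2.0):
    """Run each dependency check; return (http_status, json_body).

    checks maps a name ("database", "redis") to a zero-argument callable
    that raises on failure, e.g. one that runs SELECT 1 or a Redis PING.
    """
    pool = cf.ThreadPoolExecutor(max_workers=max(len(checks), 1))
    futures = {name: pool.submit(fn) for name, fn in checks.items()}
    deadline = time.monotonic() + timeout
    results = {}
    for name, fut in futures.items():
        try:
            # A hung dependency must not hang the probe: wait only until the deadline.
            fut.result(timeout=max(deadline - time.monotonic(), 0))
            results[name] = "connected"
        except Exception:
            # Full detail goes to the server log only; the unauthenticated
            # response carries a fixed string, never the exception message.
            log.warning("readiness check %r failed", name, exc_info=True)
            results[name] = "unavailable"
    pool.shutdown(wait=False)  # do not block the response on a stuck worker
    healthy = all(state == "connected" for state in results.values())
    body = {"status": "ok" if healthy else "degraded", "checks": results}
    return (200 if healthy else 503), body


if __name__ == "__main__":
    def failing_db():
        # Constructed failure whose message embeds a credential-bearing URL.
        raise RuntimeError("could not connect: postgresql://app:s3cret@db:5432/finmind")

    print(readiness({"database": lambda: None, "redis": lambda: None}))
    print(readiness({"database": failing_db, "redis": lambda: None}))
```
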

@rohitdash08
Owner

@aliraza556, can you please create a walkthrough video using some free plans on Render and Netlify?

@aliraza556
Author

> @aliraza556, can you please create a walkthrough video using some free plans on render and netlify

@rohitdash08 I have provided the video on Discord chat. Please check it.

@rohitdash08
Owner

@aliraza556, not all the services are running while doing tilt up. Can you please check and fix that issue?

@rohitdash08 left a comment
Owner

Please connect over Discord, as most of the requirements are still incomplete.

Address PR review feedback to make all deploy paths truly one-click:

- deploy.ps1: Add actual Deploy-AWS/GCP/Azure/DigitalOcean functions
  that execute bash scripts via WSL/Git Bash instead of printing messages
- aws-deploy.sh: Full end-to-end ECS Fargate deploy with ALB,
  target groups, path-based routing, security groups, and service creation
- aws-ecs-task-definition.json: Add frontend container alongside backend
- .do/app.yaml: Provision Redis dev database, replace hardcoded REDIS_URL
  with dynamic ${finmind-redis.DATABASE_URL} reference
- gcp-deploy.sh: Rebuild frontend with VITE_API_URL as build-time arg
  via Cloud Build after deploying backend (fixes runtime vs build-time issue)
- heroku.yml: Use combined Dockerfile.heroku serving both frontend and
  backend from a single container via nginx + gunicorn
- Add Dockerfile.heroku, heroku-nginx.conf.template, heroku-start.sh
@aliraza556
Author

Hi @rohitdash08,

Thanks for the detailed review! I've addressed all your feedback in the latest commit. Here's a breakdown:

1. deploy.ps1 — "backend is missing"
Added proper Deploy-AWS, Deploy-GCP, Deploy-Azure, and Deploy-DigitalOcean functions that auto-detect bash (WSL/Git Bash) and actually execute the deploy scripts instead of just printing messages.

2. deploy/aws-deploy.sh — "not one-click / frontend never deployed"
Completely rewrote the script for end-to-end deployment. It now:

  • Auto-detects default VPC, subnets, and creates a security group
  • Creates an ALB with path-based routing (API paths → backend, everything else → frontend)
  • Builds frontend with the correct VITE_API_URL pointing to the ALB DNS
  • Adds frontend container to the ECS task definition
  • Creates the ECS service and waits for stabilization
  • No more manual "Next steps" — it's fully automated

3. .do/app.yaml — "REDIS_URL hardcoded, no Redis provisioned"
Added a Redis dev database (finmind-redis) to the App Spec and replaced the hardcoded URL with ${finmind-redis.DATABASE_URL}.

4. deploy/gcp-deploy.sh — "VITE_API_URL runtime vs build-time"
Restructured the flow: deploy backend first → get its URL → rebuild the frontend image with VITE_API_URL as a build-time arg via Cloud Build → then deploy frontend. This ensures the correct API URL is baked in at build time.

5. heroku.yml — "frontend built but never served"
Created a combined Dockerfile.heroku that serves both frontend (nginx static files) and backend (gunicorn) from a single container. Nginx handles the Heroku $PORT, serves the SPA, and reverse-proxies API routes to gunicorn internally. Both services are now reachable from the single web process.

Successfully merging this pull request may close these issues.

[$1000 Bounty] Universal One-Click Deployment for FinMind (Docker + Kubernetes + Tilt)
