This repository contains the infrastructure-as-code used to deploy and operate the CELINE platform across local, staging, and production environments.
It defines:
- Kubernetes infrastructure
- Helm / Helmfile-based deployments
- Encrypted secrets handling
- Environment-specific configuration
The repository is operator-oriented and assumes familiarity with Kubernetes tooling.
CELINE infrastructure follows a declarative and reproducible model based on:
- Helm charts as the primary deployment unit
- Helmfile to coordinate multiple Helm releases
- Helm plugins for diffing and secrets integration
- SOPS for encrypted configuration
- Task as a convenience wrapper for common operational commands
- Minikube for local development
No imperative deployment scripts are used.
Infrastructure is applied using Helmfile-driven workflows.
infra/
├── charts/ # CELINE and third-party Helm charts
├── envs/ # Environment bindings (symlinks)
├── defaults/ # Default configurations for charts
├── helmfile.d/ # helmfile catalogue of Helm charts
└── .sops.yaml/.sops # SOPS-encrypted secrets
Local setup is mandatory. Install the following tools:
- kubectl: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
- helm:
  curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4 | bash
- helm-diff (required by Helmfile):
  helm plugin install https://github.com/databus23/helm-diff --verify=false
- helm-secrets (required by Helmfile):
  helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v4.7.5/secrets-4.7.5.tgz --verify=false
  helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v4.7.5/secrets-getter-4.7.5.tgz --verify=false
  helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v4.7.5/secrets-post-renderer-4.7.5.tgz --verify=false
- helmfile: https://helmfile.readthedocs.io/en/latest/#installation
- skaffold: https://skaffold.dev/docs/install/#standalone-binary
Missing any of the above will result in a broken setup.
Start Minikube with sufficient resources:
minikube start --cpus=4 --memory=8192
Ensure your kube context is set correctly:
kubectl config use-context minikube
CELINE services rely on Ingress host-based routing.
For local development, services are exposed under *.celine.local.
Add the following entry to /etc/hosts:
192.168.49.2 dashboard.celine.local s3.celine.local keycloak.celine.local marquez.celine.local mqtt.celine.local sso.celine.local prefect.celine.local superset.celine.local
Notes:
- Replace 192.168.49.2 with the output of minikube ip if different
- Hostnames must match ingress definitions
- OAuth redirect URIs depend on these domains
Using localhost will not work.
All secrets are stored encrypted at rest.
Typical workflows:
sops -e secrets.yaml > secrets.enc.yaml
sops -d secrets.enc.yaml
Helmfile integrates with helm-secrets to decrypt secrets at deploy time.
Plaintext secrets must never be committed.
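A commit-time guard for the rule above, as an added example that is not part of this repository. It assumes secret files are named secrets*.yaml, as in the sops commands shown, and relies on the top-level sops: metadata block and ENC[AES256_GCM,...] values that SOPS writes into encrypted YAML; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: refuse to commit secrets files that are not SOPS-encrypted.
# Assumption: secrets live in files named secrets*.yaml / secrets*.yml
# (e.g. secrets.yaml, secrets.enc.yaml); adjust the pattern to the real layout.

# Return 0 if the file looks SOPS-encrypted: it carries the top-level
# `sops:` metadata block and at least one ENC[AES256_GCM,...] value.
is_sops_encrypted() {
    grep -Eq '^sops:' "$1" && grep -q 'ENC\[AES256_GCM,' "$1"
}

# Print every secrets file among the arguments that is NOT encrypted.
# Returns 1 if any plaintext secrets file was found, 0 otherwise.
find_plaintext_secrets() {
    rc=0
    for f in "$@"; do
        case "$(basename "$f")" in
            secrets*.yaml|secrets*.yml) ;;   # candidate secrets file
            *) continue ;;                   # not a secrets file, skip
        esac
        [ -f "$f" ] || continue              # path was deleted, nothing to check
        if ! is_sops_encrypted "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Pre-commit hook usage, run from the repository root. This inspects the
# working-tree copy of each staged path:
#   find_plaintext_secrets $(git diff --cached --name-only) || exit 1
```

A file encrypted with a partial-encryption rule still passes as long as it has the sops: block and at least one encrypted value, so review such rules separately.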
From the infra/ directory:
helmfile -e dev apply
helmfile -e dev diff
helmfile -e dev destroy
helmfile -e dev apply --selector name=<release-name>
- Do not commit plaintext secrets
- Encrypt secrets before apply
- Prefer helmfile diff before apply
- Avoid manual helm install
- Keep environment changes isolated
- Production environments require additional safeguards
This repository is intended for:
- Infrastructure engineers
- Platform operators
- CI/CD automation
It is not intended as a general developer quickstart.
- CELINE pipelines: https://github.com/celine-eu/celine-pipelines
- CELINE project: https://celineproject.eu/
- CELINE docs: https://celine-eu.github.io/