
docs/production-cutover.md


Production Cutover (No Mocks)

This checklist removes remaining mock dependencies from production runtime and verifies live routes.

1. Enforce no-mock config

Confirm staging/prod values:

  • statusMock.enabled=false
  • gateway.env.EGI_CONTROL_CENTER_URL=https://...
  • gateway.env.AGENTFIELD_URL=https://...

2. Enforce Argo prune/self-heal

Staging/prod child applications must include:

syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true

3. Hard refresh and prune sync

Run on control-plane host:

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

kubectl annotate application anchor-staging -n argocd argocd.argoproj.io/refresh=hard --overwrite
kubectl patch application anchor-staging -n argocd --type merge -p '{"operation":{"sync":{"prune":true}}}'

kubectl annotate application anchor-prod -n argocd argocd.argoproj.io/refresh=hard --overwrite
kubectl patch application anchor-prod -n argocd --type merge -p '{"operation":{"sync":{"prune":true}}}'

4. Verify mock workloads are gone

kubectl get deploy -n anchor-staging | rg status-mock || true
kubectl get deploy -n anchor-prod | rg status-mock || true
kubectl get pods -n anchor-staging | rg status-mock || true
kubectl get pods -n anchor-prod | rg status-mock || true

5. Verify production app health

curl -I https://ops.anchor-msp.com
curl -sS https://ops.anchor-msp.com/health
curl -sS https://ops.anchor-msp.com/api/v1/openapi | head -n 5

6. Verify authenticated summary routes

With a valid workspace-scoped JWT in $JWT and the workspace ID in $WS, run:

BASE="https://ops.anchor-msp.com/api/v1"
curl -sS -i -H "Authorization: Bearer $JWT" -H "x-workspace-id: $WS" "$BASE/dashboard/summary"
curl -sS -i -H "Authorization: Bearer $JWT" -H "x-workspace-id: $WS" "$BASE/portal/summary"
curl -sS -i -H "Authorization: Bearer $JWT" -H "x-workspace-id: $WS" "$BASE/ops/summary"

7. Run automated preflight script

From app repo root:

export BASE_URL="https://ops.anchor-msp.com"
export STATUS_API_URL="https://status.anchor-msp.com"
export STATUS_API_TOKEN="<status token>"
export ANCHOR_WORKSPACE_ID="<workspace uuid>"
export ANCHOR_OPERATOR_JWT="<workspace-scoped operator jwt>"
./scripts/deploy/preflight-prod.sh

Notes:

  • The ANCHOR_OPERATOR_JWT used by preflight must include the required operator roles and a jti claim.
  • UI operator login can run without env fallback using /auth/operator, but this preflight script is env-token based.
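
A local pre-check for the first note, run before step 7 so a token without a jti claim or the operator roles is caught before preflight calls the API. This is an added example, not part of preflight-prod.sh or the project's code. The claim name "roles" and the role value "operator" are assumptions, since this document does not state the token layout.

```python
# Added example: decodes the payload only; the signature is NOT verified.
import base64
import json
import os
import sys
import time

# Assumptions: claim name and role value are not given in this document.
ROLES_CLAIM = "roles"
REQUIRED_ROLES = {"operator"}


def decode_payload(token):
    """Return the payload of a compact JWT as a dict, or raise ValueError."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(seg))  # errors are ValueError
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def check_claims(payload, now=None):
    """Return a list of problems; an empty list means the claims look usable."""
    now = time.time() if now is None else now
    problems = []
    if not payload.get("jti"):
        problems.append("missing jti claim")
    roles = payload.get(ROLES_CLAIM, [])
    if isinstance(roles, str):  # some issuers use a space-separated string
        roles = roles.split()
    have = {r for r in roles if isinstance(r, str)} if isinstance(roles, list) else set()
    if REQUIRED_ROLES - have:
        problems.append(f"missing roles: {sorted(REQUIRED_ROLES - have)}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    try:
        issues = check_claims(decode_payload(os.environ.get("ANCHOR_OPERATOR_JWT", "")))
    except ValueError as err:
        issues = [str(err)]
    for issue in issues:
        print(f"ANCHOR_OPERATOR_JWT: {issue}", file=sys.stderr)
    sys.exit(1 if issues else 0)
```

The script reads ANCHOR_OPERATOR_JWT from the environment and exits non-zero when a problem is found, so it can gate the preflight call. It never prints the token itself.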