LuxStudio Web Platform Deployments & CI/CD

Overview

This document describes how the LuxStudio Web Platform (LuxAPI + Portal) is built, validated, and deployed to Kubernetes environments using CircleCI. It covers:

  • Web platform deployment targets (LuxAPI, Portal, PostgreSQL, MinIO)

  • Kubernetes environments (Pluto dev/staging, Saturn production)

  • CircleCI CI/CD workflows and container builds

  • Code quality and release gates

  • Security, secrets management, and Kubernetes operations

Note: For Luxoria Desktop (WinUI 3) deployments using GitHub Actions, see Desktop Deployments.


LuxStudio Web Platform Deployment Flow

┌──────────────────────────────────────────────────────────────────┐
│  Developer Creates Feature Branch                                │
│  (feat/*, fix/*, or chore/*)                                     │
└─────────────────────────┬────────────────────────────────────────┘
                          │
                          ↓
        ┌─────────────────────────────────┐
        │  Push to Remote & Create PR     │
        │  ✓ CircleCI Build & Test        │
        │  ✓ Unit Tests (xUnit, Jest)     │
        │  ✓ Code Quality (SonarCloud)    │
        │  ✓ Kustomize Validation         │
        │  ✗ NO DEPLOYMENT                │
        └──────────┬──────────────────────┘
                   │ PR Approved
                   ↓
    ┌──────────────────────────────────┐
    │  Merge to DEVELOP Branch         │
    │  ✓ Semantic Release              │
    │  ✓ Generate changelog            │
    │  ✓ Create git tag (v1.2.0)       │
    │  ✓ Mark as pre-release           │
    └──────────┬───────────────────────┘
               │
               ↓
    ┌─────────────────────────────┐
    │  Build & Push Containers    │
    │  ├─ LuxAPI image            │
    │  └─ LuxStudio Portal image  │
    │  Tags: SHA + version        │
    └──────────┬──────────────────┘
               │
               ↓
    ┌─────────────────────────────┐
    │  AUTO DEPLOY to PLUTO       │
    │  (Dev/Staging Kubernetes)   │
    │  ✓ Health checks            │
    │  ✓ Smoke tests              │
    └──────────┬──────────────────┘
               │ Release Management
               ↓
    ┌────────────────────────────────────┐
    │  Create Release PR (develop→main)  │
    │  Update version in package.json    │
    └──────────┬─────────────────────────┘
               │ PR Review & Approve
               ↓
    ┌──────────────────────────────────┐
    │  Merge to MAIN Branch            │
    │  ✓ Semantic Release (stable)     │
    │  ✓ Generate release notes        │
    │  ✓ Create git tag (v1.2.0)       │
    └──────────┬───────────────────────┘
               │
               ↓
    ┌─────────────────────────────┐
    │  Build & Push Containers    │
    │  ├─ LuxAPI image            │
    │  └─ LuxStudio Portal image  │
    │  Tags: SHA + version        │
    └──────────┬──────────────────┘
               │
               ↓
    ┌────────────────────────────────┐
    │    MANUAL APPROVAL REQUIRED    │
    │  Admin authorization needed    │
    │  Security review checkpoint    │
    └──────────┬─────────────────────┘
               │ Approved ✓
               ↓
    ┌────────────────────────────────┐
    │  DEPLOY to SATURN              │
    │  (Production Kubernetes)       │
    │  ✓ Rolling update              │
    │  ✓ Health verification         │
    │  ✓ Smoke tests                 │
    │  ✓ Monitor for 24h             │
    └────────────────────────────────┘

Environments

Environment Architecture

Environment Details

  • Local: Developer workstation using docker-compose (LuxStudio) or local builds (Desktop).

  • Pluto (Dev/Staging): Kubernetes namespace luxstudio-pluto; non-production validation.

  • Saturn (Production): Kubernetes namespace luxstudio-saturn; live customer traffic.


Branching & Release Model

Git Workflow Diagram

  • Branches: Short-lived feat/* and fix/* merge into develop; releases are promoted from develop to main.

  • Semantic Release: Runs on both develop (marked as pre-release) and main (marked as stable), using the same version format (e.g., 1.2.0).

  • Environment Mapping: develop → Pluto (dev/staging); main → Saturn (production).

  • CI System: CircleCI handles all web/API build, test, containerization, and Kubernetes deployments.


Deployment Targets

Luxoria Desktop (WinUI 3) - Distribution Pipeline

Artifact Details:

  • Artifact: Inno Setup installer (and optional portable build).

  • Build: dotnet publish targeting net9.0-windows10.0.26100.0 (x86, x64, ARM64).

  • Signing: Code signing via LuxoriaSoft certificate (SmartScreen-friendly).

  • Distribution: Download from luxoria.bluepelicansoft.com or GitHub Releases.

LuxStudio Web Platform - Container Architecture

Services:

  • LuxAPI (ASP.NET Core 8): RESTful API backend with business logic

  • LuxStudio Portal (Next.js/React): Web user interface

  • PostgreSQL 17.2: Relational database (Alpine container)

  • MinIO: S3-compatible object storage for files

Container Images:

  • Built per service and tagged per environment (e.g., dev, latest, semantic version)

  • Pushed to private container registry

  • Image naming convention: $REGISTRY/luxapi:<tag> and $REGISTRY/luxstudio:<tag>

Orchestration & Networking:

  • Orchestration: Kubernetes with Kustomize overlays (depl/base, depl/overlays/pluto, depl/overlays/saturn)

  • Ingress: Traefik with Let's Encrypt (cert-manager) for TLS termination

  • Namespaces: luxstudio-pluto (dev) and luxstudio-saturn (production)

Supporting Infrastructure


CI/CD Workflows

CircleCI Pipeline (Web/API and Container Deployment)

Pull Request from Feature Branch:

  • Build, test, lint, kustomize dry-run

  • NO deployment to any environment

  • Fails if quality gates not met

Develop Branch Workflow:

  1. Semantic-release (v1.2.0, marked as pre-release)

  2. Build & push images tagged with commit SHA and version

  3. Automatically deploy to Pluto (dev/staging)

  4. Run smoke tests

Main Branch Workflow (Production Release):

  1. Semantic-release stable (v1.2.0)

  2. Build & push images tagged with commit SHA and release tag

  3. Requires manual approval (admin authorization)

  4. Deploy to Saturn (production)

  5. GitHub Actions triggered for desktop release build

GitHub Actions Pipeline (Desktop Release & Signing)

Quality Gates - Enforcement Points

  • Unit Tests: All test projects must pass.

  • Commitlint/Husky: Conventional commits enforce semantic-release versioning.

  • SonarCloud: Quality gate (bugs, coverage, code smells) enforced on PRs and protected branches.

  • Formatting/Linting: Frontend linters (ESLint/Tailwind/Prettier) and .NET analyzers must pass before deploy.


Release Promotion & Deployment Flow

Complete Release Lifecycle

Step-by-Step Release Summary

  1. Feature Branch → PR: Validate in CircleCI (tests, lint, kustomize dry-run); no deploy.

  2. Merge to develop: Semantic-release pre-release; images tagged with SHA and pre-release; auto-deploy to Pluto (dev/staging).

  3. Merge to main: Semantic-release stable; images tagged with SHA and release; manual approval then deploy to Saturn (production); desktop tag triggers GitHub Actions release build.

  4. Post-Deploy Checks: Smoke tests, health endpoints, ingress verification; roll back with kubectl rollout undo if needed.


Deployment Commands & Operations

Dev/Staging (Pluto) Deployment

Production (Saturn) Deployment

Rollback Procedure (Emergency)

Desktop Release Build (Local)


Code Quality Standards & Testing Strategy

Testing Pyramid

  • Unit Tests: xUnit test suites across Core, Modules, SDK, and LuxAPI where applicable.

  • Static Analysis: SonarQube badges and gates for reliability, security, maintainability, coverage.

  • API/Frontend Tests: Run as part of CI when defined (lint + unit for Next.js/Vue portals).

  • Manual Smoke Tests: Post-deploy verification of health endpoints and ingress routing.


Security, Secrets & Access Control

Secrets Management Architecture

Sensitive Environment Variables:

  • JWT keys, SMTP credentials, MinIO credentials set via secrets

  • Referenced in overlays patches

  • Never logged or exposed in CI output

TLS Security:

  • Automatic certificates via cert-manager + Let's Encrypt on Traefik ingress

  • HTTPS enforced (redirect HTTP → HTTPS)

  • Certificate auto-renewal 30 days before expiry

Least Privilege Access:

  • Service accounts and namespaces isolate Pluto/Saturn

  • Database users scoped per environment

  • Role-Based Access Control (RBAC) enforced

Code Signing:

  • Desktop binaries and installers signed to satisfy SmartScreen

  • Using LuxoriaSoft Code Signing Certificate

  • Timestamp authority: DigiCert (ensures validity after cert expiry)


Production Rollback & Recovery

Rollout Monitoring & Automatic Rollback

Health Probes:

  • Liveness probes: Restart unhealthy pods

  • Readiness probes: Remove from load balancer if not ready

Rollout Monitoring:

  • kubectl rollout status monitors deployment progress

  • kubectl logs captures application startup errors

Rollback Procedure:

  • kubectl rollout undo deployment/<name> -n <namespace> for API/portal

  • GitHub Releases versioned for desktop rollback (users can download previous installer)

Ingress Verification:

  • Confirm Traefik routes and TLS for Pluto/Saturn hosts after deploy


Operational Best Practices & Runbooks

Best Practices Summary


Troubleshooting & Common Issues

Pod Crash - Diagnosis & Recovery

High Latency - Investigation Checklist

Storage/Disk Full - Emergency Cleanup


Example GitHub Actions Workflows

Desktop Release Workflow (Windows Runner)


Container Image Build Reference

Building and Pushing Images

LuxAPI (ASP.NET Core Backend):

LuxStudio Portal (Next.js Frontend):

Image Tagging Strategy:

  • Commit SHA for traceability (abc1234)

  • Semantic version for both environments (1.2.0)

  • Pre-release vs stable determined by GitHub release flag

  • Never use latest in production manifests
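
Added example (not part of the LuxStudio pipeline or repository): a gate that enforces the "never use latest" rule by scanning rendered Saturn manifests for untagged or `:latest` image references before they are applied. The function names, the sample manifest and the registry host `registry.example.internal:5000` are assumptions made for illustration.

```shell
# Added example: block a Saturn deploy when a rendered manifest contains an
# untagged or ":latest" image reference.

# Reads rendered manifests on stdin, prints each floating image reference.
floating_images() {
  awk '
    /^[ \t-]*image:[ \t]/ {
      ref = $0
      sub(/^[ \t-]*image:[ \t]*/, "", ref)   # drop the key and list marker
      sub(/[ \t]+#.*$/, "", ref)             # drop a trailing comment
      gsub("[\"\047]", "", ref)              # drop quotes
      sub(/[ \t]+$/, "", ref)
      if (ref ~ /@sha256:/) next             # digest-pinned: immutable
      name = ref
      sub(/^.*\//, "", name)                 # last path part, so a registry port is not read as a tag
      if (name !~ /:/ || name ~ /:latest$/) print ref
    }'
}

# Returns non-zero (and names the offenders on stderr) if any image floats.
gate_production_images() {
  bad=$(floating_images)
  [ -z "$bad" ] && return 0
  printf 'floating image in production manifest: %s\n' $bad >&2
  return 1
}

# Constructed sample standing in for `kubectl kustomize depl/overlays/saturn`;
# the registry host is a placeholder.
sample_manifest() {
  cat <<'EOF'
spec:
  containers:
    - name: luxapi
      image: registry.example.internal:5000/luxapi:1.2.0
      imagePullPolicy: IfNotPresent
    - name: portal
      image: registry.example.internal:5000/luxstudio:latest
    - name: minio
      image: "registry.example.internal:5000/minio"   # untagged resolves to latest
    - image: postgres:17.2-alpine
EOF
}

sample_manifest | gate_production_images && echo "gate: pass" || echo "gate: blocked"
```

In a pipeline the input would come from `kubectl kustomize depl/overlays/saturn`, with the gate run before the manual approval step so reviewers only see manifests that pin every image.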


Required Secrets and Configuration

CircleCI Contexts & Secrets

GitHub Actions Secrets (Desktop Release)

Kubernetes Secrets (Runtime Configuration)


Deployment Quick Reference

Operation       Command                                                  Environment
--------------  -------------------------------------------------------  ------------------------
Deploy Dev      kubectl apply -k depl/overlays/pluto                     Pluto (auto)
Deploy Prod     kubectl apply -k depl/overlays/saturn                    Saturn (manual approval)
Rollback API    kubectl rollout undo deployment/luxapi-deployment        Current namespace
Check Status    kubectl rollout status deployment/luxapi-deployment      Current namespace
View Logs       kubectl logs deployment/luxapi-deployment -f             Current namespace
Restart Pods    kubectl rollout restart deployment/luxapi-deployment     Current namespace
Scale Pods      kubectl scale deployment/luxapi-deployment --replicas=5  Current namespace
Build Desktop   dotnet publish ... -p:RuntimeIdentifier=win-x64          Local
Sign Installer  pwsh ./scripts/sign.ps1                                  Local (Windows)
Create Release  iscc installer.iss                                       Local (Windows)


Document Version: 1.0
Last Updated: January 2026
Owner: DevOps Team
Status: Production Ready
