Operations

Deploy KendrWeb like a product, not just a bundle of static files.

Production deployment includes the site, backend API, database, proxy configuration, environment secrets, and rollout checks. This guide captures the operational assumptions already encoded in the repo so the deployment story stays coherent as the docs section grows.

Required environment

The backend will not come up cleanly without a small set of required environment variables. Keep these documented separately from customer-facing configuration because they are deployment concerns.

export KENDR_DATABASE_URL='postgresql://kendr:change-me@127.0.0.1:5432/kendrweb'
export KENDR_ADMIN_EMAIL='admin@example.com'
export KENDR_LOGIN_OTP_SECRET='...'

Production secrets typically include

POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, KENDR_ALLOWED_ORIGINS, KENDR_ADMIN_EMAIL, KENDR_LOGIN_OTP_SECRET, WEB_PORT, KENDR_SERVER_NAME, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. Portal OTP email uses SES from noreply@kendr.org unless KENDR_SES_FROM_EMAIL overrides it.
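
A preflight check for the required variables above, as an added example rather than code from the KendrWeb repo: it reports missing values and values still set to the sample placeholders, by variable name only so secrets never reach the logs. The preflight function, the 32-character floor on the OTP secret, and treating admin@example.com as a placeholder are assumptions of this example.

```python
import os
import sys
from urllib.parse import urlsplit

# The three variables the page lists as required for the backend to start.
REQUIRED = ("KENDR_DATABASE_URL", "KENDR_ADMIN_EMAIL", "KENDR_LOGIN_OTP_SECRET")
# Placeholder values shown in the documentation sample; they must never ship.
PLACEHOLDERS = {"change-me", "...", "admin@example.com"}
MIN_SECRET_LEN = 32  # assumption: a local policy floor, not a KendrWeb rule


def preflight(env):
    """Return a list of problems found in env (a mapping like os.environ)."""
    problems = []
    for name in REQUIRED:
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name}: missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"{name}: still set to a documentation placeholder")

    db_url = env.get("KENDR_DATABASE_URL", "").strip()
    if db_url:
        parts = urlsplit(db_url)
        if parts.scheme not in ("postgresql", "postgres"):
            problems.append("KENDR_DATABASE_URL: scheme is not postgresql")
        if not parts.password:
            problems.append("KENDR_DATABASE_URL: no password in URL")
        elif parts.password in PLACEHOLDERS:
            problems.append("KENDR_DATABASE_URL: placeholder password")
        if not parts.path.strip("/"):
            problems.append("KENDR_DATABASE_URL: no database name")

    secret = env.get("KENDR_LOGIN_OTP_SECRET", "").strip()
    if secret and secret not in PLACEHOLDERS and len(secret) < MIN_SECRET_LEN:
        problems.append(f"KENDR_LOGIN_OTP_SECRET: shorter than {MIN_SECRET_LEN} characters")
    return problems


if __name__ == "__main__":
    found = preflight(os.environ)
    for line in found:  # names only; values are never printed
        print("preflight:", line, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it in the same shell or CI step that renders the production environment, before compose is started; a non-zero exit should stop the rollout.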

Local Compose topology

The repository ships a three-service local stack. Treat it as the default development topology so the site, proxy, backend, and persistence stay close to production behavior.

web

Nginx serves the static KendrWeb site and proxies /api/* to the backend container.

api

Python serves install telemetry, auth, credits, API keys, catalog, OAuth, admin routes, and hosted query execution.

postgres

PostgreSQL stores the full operational state behind both customer and admin workflows.

Production rollout model

The repository already assumes an automated deploy to EC2. The workflow copies the app, writes the environment, configures Nginx, manages certificate state, and starts the production compose stack.

1. Copy application files
   The workflow writes the app into /home/<EC2_USERNAME>/kendrweb on the target machine.
2. Write the production environment
   Secrets are rendered into the production environment before compose is started.
3. Configure host Nginx and TLS
   The workflow manages the site config for kendr.org and reuses or issues certs as needed.
4. Launch the stack
   Production uses sudo docker compose -f docker-compose.prod.yml up -d --build.

Important

The workflow owns the host Nginx site file. Avoid running certbot --nginx manually against that same config.

Go-live checklist

A release is not done when the containers are running. Validate the public site, the customer plane, the admin plane, and the backend contract before calling the deployment complete.

  • Confirm the homepage, docs pages, community page, and use-case pages load over HTTPS.
  • Check /api/health, /api/catalog, and /api/openapi.json from the public domain.
  • Verify portal registration, login, credit purchase flow, and API key creation on the live deployment.
  • Verify admin login and confirm packages, surfaces, execution settings, and notifications are readable and writable.
  • Confirm OAuth metadata at /.well-known/oauth-authorization-server is reachable.
  • Ensure inbound rules allow both port 80 and 443 if the site is exposed publicly.