From 225a143aa153fc54a9d2ccff0d8852b14533beab Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:06:11 +0200
Subject: [PATCH 01/11] TECH-1861 - Initial deployment of CLA Assistent to K8s
---
 .github/workflows/build-and-deploy.yaml | 77 +++++++++++++++++++++
 .github/workflows/build.yml | 89 -------------------------
 deploy/prod/cla-assistent.yaml | 71 ++++++++++++++++++++
 3 files changed, 148 insertions(+), 89 deletions(-)
 create mode 100644 .github/workflows/build-and-deploy.yaml
 delete mode 100644 .github/workflows/build.yml
 create mode 100644 deploy/prod/cla-assistent.yaml
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
new file mode 100644
index 000000000..5b568d8e5
--- /dev/null
+++ b/.github/workflows/build-and-deploy.yaml
@@ -0,0 +1,77 @@
+on:
+ push:
+ branches:
+ - main
+ - TECH-1861
+
+name: Deploy to AWS Production (K8s)
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ env:
+ AWS_REGION: us-east-1
+ CLUSTER_NAME: maker-prod
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Extract commit hash
+ id: vars
+ shell: bash
+ run: |
+ echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+
+ - name: Build, tag, and push image to Amazon ECR
+ id: build-image
+ env:
+ SHA_TAG: ${{ steps.vars.outputs.sha_short }}
+ LATEST_TAG: latest
+ ENVIRONMENT_TAG: prod
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ run: |
+ # Build Docker containers and push them to ECR cla-assistant-prod
+ docker pull $ECR_REGISTRY/cla-assistant-prod:$LATEST_TAG || true
+ docker build -t cla-assistant-prod \
+ -t $ECR_REGISTRY/cla-assistant-prod:$SHA_TAG \
+ -t $ECR_REGISTRY/cla-assistant-prod:$LATEST_TAG \
+ -t $ECR_REGISTRY/cla-assistant-prod:$ENVIRONMENT_TAG \
+ -f Dockerfile \
+ .
+
+ docker push $ECR_REGISTRY/cla-assistant-prod --all-tags
+
+ - name: Preparing Helm values files
+ id: preparing-helm-values
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ run: |
+ sed -i 's/${ECR_REGISTRY}/'$(echo $ECR_REGISTRY)/ deploy/prod/cla-assistant.yaml
+
+ - name: Deploying CLA Assistant Logger to Kubernetes with Helm
+ uses: bitovi/github-actions-deploy-eks-helm@v1.2.4
+ with:
+ values: image.repository=${{ steps.login-ecr.outputs.registry }}/cla-assistant-prod,image.tag=${{ steps.vars.outputs.sha_short }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ config-files: deploy/prod/cla-assistant.yaml
+ chart-path: techops-services/common
+ namespace: cla-assistant
+ timeout: 5m0s
+ name: cla-assistant
+ chart-repository: https://techops-services.github.io/helm-charts
+ version: 0.0.14
+ atomic: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 3ddacc76b..000000000
--- a/.github/workflows/build.yml
+++ /dev/null
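Review bot: The `Configure AWS credentials` step in the new `build-and-deploy.yaml` authenticates to the production account with a static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair and the workflow declares no `permissions:` block, whereas the `build.yml` deleted by this same patch used OIDC federation with `id-token: write` and `contents: read`. Long-lived keys held as secrets do not expire and have to be rotated by hand; assuming an IAM role through GitHub's OIDC provider yields short-lived credentials that can be scoped to this repository and branch, as sketched below (the secret name is a placeholder). The `Extract commit hash` step also relies on the deprecated `::set-output` command; `echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"` is the supported form. Because this job deploys to production, pinning `bitovi/github-actions-deploy-eks-helm` and the other actions to a full commit SHA instead of a movable tag is also worth doing.

```yaml
# workflow level, next to `on:` and `name:`
permissions:
  id-token: write   # lets the job request an OIDC token
  contents: read

# … unchanged: jobs.deploy header, env, Checkout step …

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          # placeholder secret name; holds the ARN of an IAM role whose trust
          # policy is limited to this repository and the main branch
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

# … unchanged: ECR login, image build, Helm deploy …
```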
@@ -1,89 +0,0 @@
-# SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and CLA-assistant contributors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: CI/CDPipeline
-permissions:
- id-token: write
- contents: read
-on:
- workflow_dispatch:
- inputs:
- ref:
- description: "commit sha to deploy to staging"
- required: true
- default: "refs/heads/main"
- push:
- branches:
- - "*"
- tags:
- - "*"
- pull_request:
- branches:
- - main
-jobs:
- build:
- runs-on: ${{ matrix.os }}
- strategy:
- matrix:
- node_version:
- - 16
- os:
- - ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.inputs.ref }}
-
- - name: Use specified node version
- uses: actions/setup-node@v1
- with:
- version: ${{ matrix.node_version }}
- - name: Npm Install
- run: |
- npm install
-
- - name: grunt build and test
- run: |
- grunt build
- grunt test
- grunt coverage
- - name: Test Coverage
- uses: coverallsapp/github-action@master
- with:
- github-token: ${{ secrets.github_token }}
- git-commit: ${{ github.event.inputs.ref || github.sha }}
- path-to-lcov: ./output/coverage/lcov.info
- - name: build the docker image with commit SHA for staging
- if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
- run: docker build -t eu.gcr.io/sap-cla-assistant/cla-assistant:${{ github.event.inputs.ref || github.sha }} .
- - name: build the docker images with tag name and latest for production
- if: startsWith(github.ref, 'refs/tags')
- run: docker build -t eu.gcr.io/sap-cla-assistant/cla-assistant:${GITHUB_REF:10} -t eu.gcr.io/sap-cla-assistant/cla-assistant:latest -t sapclaassistant/claassistant:latest -t sapclaassistant/claassistant:${GITHUB_REF:10} .
- - name: push the latest and release images to dockerhub only for releases
- if: startsWith(github.ref, 'refs/tags')
- run: |
- docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
- docker push sapclaassistant/claassistant
- - id: "gcp-identity-federation-auth"
- name: "Authenticate to GCP via OIDC Identity Federation"
- uses: "google-github-actions/auth@v0.4.4"
- if: ${{ startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
- with:
- create_credentials_file: "true"
- workload_identity_provider: "projects/209238640650/locations/global/workloadIdentityPools/github-actions/providers/github-oidc"
- service_account: "github-actions-containerupload@sap-cla-assistant.iam.gserviceaccount.com"
- # Configure docker to use the gcloud command-line tool as a credential helper
- - run: gcloud auth configure-docker
- if: ${{ startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
- - name: push image to gcp during push on main branch for testing in staging
- if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
- run: docker push eu.gcr.io/sap-cla-assistant/cla-assistant:${{ github.event.inputs.ref || github.sha }}
- - name: push images to gcp during new release for production usage
- if: startsWith(github.ref, 'refs/tags')
- run: |
- docker push eu.gcr.io/sap-cla-assistant/cla-assistant:latest
- docker push eu.gcr.io/sap-cla-assistant/cla-assistant:${GITHUB_REF:10}
- - name: deploy to staging cloud run service
- if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
- run: gcloud --quiet --project sap-cla-assistant beta run deploy cla-assistant-staging --platform managed --region europe-west1 --image eu.gcr.io/sap-cla-assistant/cla-assistant:${{ github.event.inputs.ref || github.sha }}
diff --git a/deploy/prod/cla-assistent.yaml b/deploy/prod/cla-assistent.yaml
new file mode 100644
index 000000000..7a1f79926
--- /dev/null
+++ b/deploy/prod/cla-assistent.yaml
@@ -0,0 +1,71 @@
+replicaCount: 1
+service:
+ name: cla-assistent
+ port: 80
+ type: ClusterIP
+ containerPort: 8080
+ tls:
+ enabled: true
+ issuerName: cloudflare
+image:
+ repository: ${ECR_REGISTRY}/cla-assistent-prod
+ pullPolicy: Always
+ tag: prod
+serviceAccount:
+ create: false
+ingress:
+ enabled: true
+ host: cla.daifoundation.org
+ annotations:
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
+podAnnotations:
+ reloader.stakater.com/auto: 'true'
+resources:
+ limits:
+ cpu: 2
+ memory: 4096Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+autoscaling:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 2
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 60
+env:
+ PROTOCOL:
+ type: kv
+ value: 'https'
+ PORT:
+ type: kv
+ value: '8080'
+ HOST:
+ type: kv
+ value: 'cla.daifoundation.org'
+ GITHUB_CLIENT:
+ type: parameterStore
+ name: github-client
+ parameter_name: /eks/maker-prod/cla-assistent/github-client
+ GITHUB_SECRET:
+ type: parameterStore
+ name: github-secret
+ parameter_name: /eks/maker-prod/cla-assistent/github-secret
+ GITHUB_TOKEN:
+ type: parameterStore
+ name: github-token
+ parameter_name: /eks/maker-prod/cla-assistent/github-token
+ MONGODB:
+ type: parameterStore
+ name: mongodb
+ parameter_name: /eks/maker-prod/cla-assistent/mongodb
+ GITHUB_ADMIN_USERS:
+ type: parameterStore
+ name: github-admin-users
+ parameter_name: /eks/maker-prod/cla-assistent/github-admin-users
+readinessProbe:
+ tcpSocket:
+ port: 80
+livenessProbe:
+ tcpSocket:
+ port: 80
From 1ff984a2872060e09971e1f6775e6ff9169d832d Mon Sep 17 00:00:00 2001
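Review bot: `image.repository` in the new `deploy/prod/cla-assistent.yaml` is `${ECR_REGISTRY}/cla-assistent-prod`, but the workflow added in this patch builds and pushes `cla-assistant-prod` (different spelling), so the file's own image reference names a repository that nothing is pushed to. The deployment only resolves the right image because the Helm step overrides `image.repository` and `image.tag` through `values:`; if that override is ever dropped, the release would presumably use this misspelled repository together with the mutable `prod` tag and `pullPolicy: Always`. Suggest `repository: ${ECR_REGISTRY}/cla-assistant-prod` so the file and the pipeline agree; the same spelling is carried into PATCH 11/11 as `cla-assistent`. A one-line comment above `image:` stating that CI overrides the repository and pins the tag to the commit SHA would also help the next reader.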
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:09:14 +0200
Subject: [PATCH 02/11] TECH-1861 - Typo
---
 deploy/prod/{cla-assistent.yaml => cla-assistant.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename deploy/prod/{cla-assistent.yaml => cla-assistant.yaml} (100%)
diff --git a/deploy/prod/cla-assistent.yaml b/deploy/prod/cla-assistant.yaml
similarity index 100%
rename from deploy/prod/cla-assistent.yaml
rename to deploy/prod/cla-assistant.yaml
From 7a51e836bbaac2857623f8ffe8cb5d8a58b6090b Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:13:52 +0200
Subject: [PATCH 03/11] TECH-1861 - Seems like string is too long
---
 deploy/prod/cla-assistant.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index 7a1f79926..09c6aab16 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -61,7 +61,7 @@ env:
 parameter_name: /eks/maker-prod/cla-assistent/mongodb
 GITHUB_ADMIN_USERS:
 type: parameterStore
- name: github-admin-users
+ name: github-admins
 parameter_name: /eks/maker-prod/cla-assistent/github-admin-users
 readinessProbe:
 tcpSocket:
From 883c491a575b776c806d9250263a3fdaf00bfb38 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:17:38 +0200
Subject: [PATCH 04/11] TECH-1861 - Temporary removing atomic deployment to debug issue
---
 .github/workflows/build-and-deploy.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
index 5b568d8e5..4b4b3910c 100644
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -74,4 +74,3 @@ jobs:
 name: cla-assistant
 chart-repository: https://techops-services.github.io/helm-charts
 version: 0.0.14
- atomic: true
From 476e7251b041e5ff17866a87a3e8535ec665d142 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:20:29 +0200
Subject: [PATCH 05/11] TECH-1861 - Adding SecretStoreName
---
 .github/workflows/build-and-deploy.yaml | 1 +
 deploy/prod/cla-assistant.yaml | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
index 4b4b3910c..5b568d8e5 100644
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -74,3 +74,4 @@ jobs:
 name: cla-assistant
 chart-repository: https://techops-services.github.io/helm-charts
 version: 0.0.14
+ atomic: true
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index 09c6aab16..043aaf719 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -61,8 +61,10 @@ env:
 parameter_name: /eks/maker-prod/cla-assistent/mongodb
 GITHUB_ADMIN_USERS:
 type: parameterStore
- name: github-admins
+ name: github-admin-users
 parameter_name: /eks/maker-prod/cla-assistent/github-admin-users
+externalSecrets:
+ clusterSecretStoreName: maker-prod
 readinessProbe:
 tcpSocket:
 port: 80
From a43ca0acc6c645adc8a8352a0845dfd1312f79a4 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:24:51 +0200
Subject: [PATCH 06/11] TECH-1861 - Setting the same port everywhere
---
 deploy/prod/cla-assistant.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index 043aaf719..4e5a9c2f6 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -1,7 +1,7 @@
 replicaCount: 1
 service:
 name: cla-assistent
- port: 80
+ port: 8080
 type: ClusterIP
 containerPort: 8080
 tls:
@@ -15,7 +15,7 @@ serviceAccount:
 create: false
 ingress:
 enabled: true
- host: cla.daifoundation.org
+ host: cla-k8s.daifoundation.org
 annotations:
 external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
 podAnnotations:
@@ -42,7 +42,7 @@ env:
 value: '8080'
 HOST:
 type: kv
- value: 'cla.daifoundation.org'
+ value: 'cla-k8s.daifoundation.org'
 GITHUB_CLIENT:
 type: parameterStore
 name: github-client
@@ -67,7 +67,7 @@ externalSecrets:
 clusterSecretStoreName: maker-prod
 readinessProbe:
 tcpSocket:
- port: 80
+ port: 8080
 livenessProbe:
 tcpSocket:
- port: 80
+ port: 8080
From 04932b37b6ff4d544f31b4dc128f0b6c793364a3 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Thu, 17 Aug 2023 18:36:13 +0200
Subject: [PATCH 07/11] TECH-1861 - Creating K8s service
---
 deploy/prod/cla-assistant.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index 4e5a9c2f6..aae2ba2f7 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -1,5 +1,6 @@
 replicaCount: 1
 service:
+ enabled: true
 name: cla-assistent
 port: 8080
 type: ClusterIP
From 3ef7622bb406150dd2f9fd91ff4c02bea8b3c7e7 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Fri, 18 Aug 2023 13:50:34 +0200
Subject: [PATCH 08/11] TECH-1861 - Deploying with correct hostname
---
 deploy/prod/cla-assistant.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index aae2ba2f7..ae62c3a49 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -16,11 +16,11 @@ serviceAccount:
 create: false
 ingress:
 enabled: true
- host: cla-k8s.daifoundation.org
+ host: cla.daifoundation.org
 annotations:
- external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 podAnnotations:
- reloader.stakater.com/auto: 'true'
+ reloader.stakater.com/auto: "true"
 resources:
 limits:
 cpu: 2
@@ -37,13 +37,13 @@ autoscaling:
 env:
 PROTOCOL:
 type: kv
- value: 'https'
+ value: "https"
 PORT:
 type: kv
- value: '8080'
+ value: "8080"
 HOST:
 type: kv
- value: 'cla-k8s.daifoundation.org'
+ value: "cla.daifoundation.org"
 GITHUB_CLIENT:
 type: parameterStore
 name: github-client
From 8cedff478ac84224216eb3013a7b479b803912ab Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Fri, 18 Aug 2023 13:56:26 +0200
Subject: [PATCH 09/11] TECH-1861 - Removing temporary branch
---
 .github/workflows/build-and-deploy.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
index 5b568d8e5..1ece18500 100644
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -2,7 +2,6 @@ on:
 push:
 branches:
 - main
- - TECH-1861
 
 name: Deploy to AWS Production (K8s)
 
From 2c3d3b9ab64c7b5ef5e3a3df9d64ce28eabb5070 Mon Sep 17 00:00:00 2001
From: Oleksandr Tsurenko
Date: Mon, 21 Aug 2023 13:05:12 +0200
Subject: [PATCH 10/11] TECH-1861 - Fixing PR comments
---
 .github/workflows/build-and-deploy.yaml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
index 1ece18500..40b070976 100644
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -2,6 +2,7 @@ on:
 push:
 branches:
 - main
+ - TECH-1861
 
 name: Deploy to AWS Production (K8s)
 
@@ -13,6 +14,9 @@ jobs:
 env:
 AWS_REGION: us-east-1
 CLUSTER_NAME: maker-prod
+ SERVICE_NAME: cla-assistant
+ AWS_ECR_NAME: cla-assistant-prod
+ ENVIRONMENT_TAG: prod
 
 steps:
 - name: Checkout
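Review bot: The first hunk of PATCH 10/11 puts `- TECH-1861` back under `on.push.branches`, one commit after PATCH 09/11 removed it as a temporary branch, and PATCH 11/11 does not take it out again. As the series stands, every push to that feature branch runs the job bound to `environment: production` and deploys to the `maker-prod` cluster with the production AWS credentials, without the change having been merged to `main`. Unless the `production` environment carries a deployment-branch rule that blocks this (not visible here), the trigger should list only `- main`. If the re-add is a rebase leftover, dropping the `+ - TECH-1861` line from this hunk is enough.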
@@ -40,19 +44,18 @@ jobs:
 env:
 SHA_TAG: ${{ steps.vars.outputs.sha_short }}
 LATEST_TAG: latest
- ENVIRONMENT_TAG: prod
 ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
 run: |
- # Build Docker containers and push them to ECR cla-assistant-prod
- docker pull $ECR_REGISTRY/cla-assistant-prod:$LATEST_TAG || true
- docker build -t cla-assistant-prod \
- -t $ECR_REGISTRY/cla-assistant-prod:$SHA_TAG \
- -t $ECR_REGISTRY/cla-assistant-prod:$LATEST_TAG \
- -t $ECR_REGISTRY/cla-assistant-prod:$ENVIRONMENT_TAG \
+ # Build Docker containers and push them to ECR ${{ env.AWS_ECR_NAME }}
+ docker pull $ECR_REGISTRY/$AWS_ECR_NAME:$LATEST_TAG || true
+ docker build -t $AWS_ECR_NAME \
+ -t $ECR_REGISTRY/$AWS_ECR_NAME:$SHA_TAG \
+ -t $ECR_REGISTRY/$AWS_ECR_NAME:$LATEST_TAG \
+ -t $ECR_REGISTRY/$AWS_ECR_NAME:$ENVIRONMENT_TAG \
 -f Dockerfile \
 .
 
- docker push $ECR_REGISTRY/cla-assistant-prod --all-tags
+ docker push $ECR_REGISTRY/$AWS_ECR_NAME --all-tags
 
 - name: Preparing Helm values files
 id: preparing-helm-values
@@ -64,13 +67,13 @@ jobs:
 - name: Deploying CLA Assistant Logger to Kubernetes with Helm
 uses: bitovi/github-actions-deploy-eks-helm@v1.2.4
 with:
- values: image.repository=${{ steps.login-ecr.outputs.registry }}/cla-assistant-prod,image.tag=${{ steps.vars.outputs.sha_short }}
+ values: image.repository=${{ steps.login-ecr.outputs.registry }}/${{ env.AWS_ECR_NAME }},image.tag=${{ steps.vars.outputs.sha_short }}
 cluster-name: ${{ env.CLUSTER_NAME }}
 config-files: deploy/prod/cla-assistant.yaml
 chart-path: techops-services/common
 namespace: cla-assistant
 timeout: 5m0s
- name: cla-assistant
+ name: ${{ env.SERVICE_NAME }}
 chart-repository: https://techops-services.github.io/helm-charts
 version: 0.0.14
 atomic: true
From 120543dcb95a58f5a0372ff4a535fc44101c0dd5 Mon Sep 17 00:00:00 2001
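Review bot: In the `@@ -40,19 +44,18 @@` hunk the rewritten `run:` script expands `$ECR_REGISTRY`, `$AWS_ECR_NAME` and the tag variables unquoted, and its first comment line embeds `${{ env.AWS_ECR_NAME }}`, which the runner substitutes into the script text before the shell parses it. The values are workflow constants today, so nothing here is injectable, but keeping `${{ }}` expressions out of `run:` bodies and quoting expansions keeps the step safe if one of them later comes from an input or a ref name. Suggested forms are `docker push "$ECR_REGISTRY/$AWS_ECR_NAME" --all-tags` and a comment reading `# Build Docker containers and push them to ECR $AWS_ECR_NAME`. The step starts and ends outside the hunk.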
From: Oleksandr Tsurenko
Date: Fri, 25 Aug 2023 14:12:58 +0200
Subject: [PATCH 11/11] TECH-1861 - Getting rid of -prod in the ECR name
---
 .github/workflows/build-and-deploy.yaml | 2 +-
 deploy/prod/cla-assistant.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
index 40b070976..bee3fbbfc 100644
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -15,7 +15,7 @@ jobs:
 AWS_REGION: us-east-1
 CLUSTER_NAME: maker-prod
 SERVICE_NAME: cla-assistant
- AWS_ECR_NAME: cla-assistant-prod
+ AWS_ECR_NAME: cla-assistant
 ENVIRONMENT_TAG: prod
 
 steps:
diff --git a/deploy/prod/cla-assistant.yaml b/deploy/prod/cla-assistant.yaml
index ae62c3a49..018dda6e1 100644
--- a/deploy/prod/cla-assistant.yaml
+++ b/deploy/prod/cla-assistant.yaml
@@ -9,7 +9,7 @@ service:
 enabled: true
 issuerName: cloudflare
 image:
- repository: ${ECR_REGISTRY}/cla-assistent-prod
+ repository: ${ECR_REGISTRY}/cla-assistent
 pullPolicy: Always
 tag: prod
 serviceAccount: