feat: First deploy on aks devopslab/diego (#5)

* added devopslab/diego as helm chart

* aks-helm: fix parameters

* fix typo

* fixed environment github input

* minor fix

* minor fix

* minor fix

* minor fix

* minor fix

* added association to "PagoPA IaC Reader" for dev-aks app

* minor fix

* try again

* fix environment input

* minor fix

* setup helm

* upgraded runner version

* use new template repo for actions

* upgrated helm chart blueprint deploy

* upgraded action

* aks deploy on devopslabb

.github/workflows/aks-helm-deploy-devopslab-dev.yml

@@ -0,0 +1,92 @@
+name: Helm@devopslab-dev
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        description: The name of the environment where to deploy
+        type: environment
+    secrets:
+      token:
+        required: true
+        description: Github Token
+
+env:
+  NAMESPACE: diego
+  APP_NAME: diegoappstatus
+  AKS_NAME: dvopla-d-neu-dev01-aks
+  AKS_RESOURCE_GROUP: dvopla-d-neu-dev01-aks-rg
+
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  create_runner:
+    name: Create Runner
+    runs-on: ubuntu-22.04
+    environment: dev
+    outputs:
+      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
+    steps:
+      - name: Create GitHub Runner
+        id: create_github_runner
+        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
+        with:
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
+          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
+          pat_token: ${{ secrets.BOT_TOKEN }}
+          self_hosted_runner_image_tag: "v1.4.0"
+
+  deploy_helm:
+    name: Deploy on AKS
+    runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ]
+    needs: [ create_runner ]
+    environment: dev
+    steps:
+      - name: Checkout
+        id: checkout
+        # from https://github.com/actions/checkout/commits/main
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Deploy Aks blueprint chart
+        uses: pagopa/github-actions-template/aks-blueprint-helm-deploy@dd79d69bbc777cd4f79e14e332267b9c728e2d63
+        with:
+          namespace: ${{ env.NAMESPACE }}
+          release-name: ${{ env.APP_NAME }}
+          helm-upgrade-options: "--debug"
+          chart-path: "helm/devopslab/diego"
+          values-file-name: values-${{ inputs.environment }}.yaml
+          aks-name: ${{ env.AKS_NAME }}
+          aks-resource-group: ${{ env.AKS_RESOURCE_GROUP }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+  cleanup_runner:
+    name: Cleanup Runner
+    if: always()
+    runs-on: ubuntu-22.04
+    environment: dev
+    needs: [create_runner, deploy_helm]
+    steps:
+      - name: Cleanup GitHub Runner
+        id: cleanup_github_runner
+        # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main
+        with:
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
+          runner_name: ${{ needs.create_runner.outputs.runner_name }}
+          pat_token: ${{ secrets.BOT_TOKEN }}

.identity/02_github_environment_runner.tf

@@ -15,9 +15,9 @@ module "github_environment_runner_secrets" {
   github_repository_environment_name = local.github_env_name
 
   secrets = {
+    "AZURE_CLIENT_ID" : module.github_runner_aks.client_id,
     "AZURE_TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "AZURE_SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
-    "AZURE_CLIENT_ID" : module.github_runner_aks.client_id,
     "AZURE_CONTAINER_APP_ENVIRONMENT_NAME" : local.container_app_github_runner_env_name,
     "AZURE_RESOURCE_GROUP_NAME" : local.container_app_github_runner_env_rg,
   }

.identity/99_outputs.tf

@@ -6,10 +6,10 @@ output "subscription_id" {
   value = data.azurerm_subscription.current.subscription_id
 }
 
-output "ci_service_principal_github_action_name" {
+output "service_principal_github_action_name" {
   value = module.github_runner_aks.display_name
 }
 
-output "ci_service_principal_github_action_client_id" {
+output "service_principal_github_action_client_id" {
   value = module.github_runner_aks.client_id
 }

.identity/modules/app-github-runner-aks/main.tf

@@ -27,3 +27,12 @@ resource "azurerm_role_assignment" "environment_runner_github_runner_rg" {
   role_definition_name = "Contributor"
   principal_id         = azuread_service_principal.github_app.object_id
 }
+
+#
+# Associate custom role
+#
+resource "azurerm_role_assignment" "pagopa_iac_reader" {
+  scope                = var.subscription_id
+  role_definition_name = "PagoPA IaC Reader"
+  principal_id         = azuread_service_principal.github_app.object_id
+}

helm/devopslab/diego/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/devopslab/diego/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: microservice-chart
+  repository: https://pagopa.github.io/aks-microservice-chart-blueprint
+  version: 2.8.0
+digest: sha256:379d9a7c312874dd1771386d92d8f597cb3fed497bb80dfde102513b582123d4
+generated: "2023-02-20T15:50:38.149796+01:00"

helm/devopslab/diego/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: devops-app-status
+description: App that allow to expose a simple health checks endpoints
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+- name: microservice-chart
+  version: 2.8.0
+  repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"

helm/devopslab/diego/values-dev.yaml

@@ -0,0 +1,93 @@
+microservice-chart:
+  namespace: "diego"
+  nameOverride: ""
+  fullnameOverride: ""
+
+#
+# Deploy
+#
+  deployment:
+    create: true
+    # forceRedeploy: true
+
+  image:
+    repository: ghcr.io/pagopa/devops-app-status
+    tag: v1.0.0
+    pullPolicy: Always
+
+  livenessProbe:
+    httpGet:
+      path: /status
+      port: 8000
+    initialDelaySeconds: 60
+    failureThreshold: 6
+    periodSeconds: 10
+
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 8000
+    initialDelaySeconds: 60
+    failureThreshold: 6
+    periodSeconds: 10
+
+
+#
+# Network
+#
+  service:
+    create: true
+    type: ClusterIP
+    ports:
+    - 8000
+
+  ingress:
+    create: true
+    host: "dev01.diego.internal.devopslab.pagopa.it"
+    path: /diego/status(/|$)(.*)
+    rewriteTarget: /$2
+    servicePort: 8000
+    # proxyBodySize: 2m
+    annotations: {
+      nginx.ingress.kubernetes.io/satisfy: "any"
+    }
+
+  serviceAccount:
+    create: false
+    annotations: {}
+    name: ""
+
+  podAnnotations: {}
+
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  securityContext:
+    allowPrivilegeEscalation: false
+
+  resources:
+    requests:
+      memory: "128Mi"
+      cpu: "40m"
+    limits:
+      memory: "128Mi"
+      cpu: "40m"
+
+  autoscaling:
+    enable: true
+    minReplica: 1
+    maxReplica: 3
+    pollingInterval: 30 # seconds
+    cooldownPeriod: 300 # seconds
+    triggers:
+      - type: cpu
+        metadata:
+          type: Utilization
+          value: "60"
+
+  # nodeSelector: {}
+
+  # tolerations: []
+
+  # affinity: {}