From d39409ef9d9cc017603200494327148d442d2013 Mon Sep 17 00:00:00 2001
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com>
Date: Sun, 19 Mar 2023 17:18:23 +0100
Subject: [PATCH] feat: First deploy on aks devopslab/diego (#5)
* added devopslab/diego as helm chart
* aks-helm: fix parameters
* fix typo
* fixed environment github input
* minor fix
* minor fix
* minor fix
* minor fix
* minor fix
* added association to "PagoPA IaC Reader" for dev-aks app
* minor fix
* try again
* fix environment input
* minor fix
* setup helm
* upgraded runner version
* use new template repo for actions
* upgrated helm chart blueprint deploy
* upgraded action
* aks deploy on devopslabb
---
 .../aks-helm-deploy-devopslab-dev.yml | 92 ++++++++++++++++++
 .github/workflows/aks-helm-deploy.yml | 81 ----------------
 .identity/02_github_environment_runner.tf | 2 +-
 .identity/99_outputs.tf | 4 +-
 .../modules/app-github-runner-aks/main.tf | 9 ++
 helm/devopslab/diego/.helmignore | 23 +++++
 helm/devopslab/diego/Chart.lock | 6 ++
 helm/devopslab/diego/Chart.yaml | 10 ++
 helm/devopslab/diego/values-dev.yaml | 93 +++++++++++++++++++
 helm/devopslab/diego/values-prod.yaml | 0
 helm/devopslab/diego/values-uat.yaml | 0
 11 files changed, 236 insertions(+), 84 deletions(-)
 create mode 100644 .github/workflows/aks-helm-deploy-devopslab-dev.yml
 delete mode 100644 .github/workflows/aks-helm-deploy.yml
 create mode 100644 helm/devopslab/diego/.helmignore
 create mode 100644 helm/devopslab/diego/Chart.lock
 create mode 100644 helm/devopslab/diego/Chart.yaml
 create mode 100644 helm/devopslab/diego/values-dev.yaml
 create mode 100644 helm/devopslab/diego/values-prod.yaml
 create mode 100644 helm/devopslab/diego/values-uat.yaml
diff --git a/.github/workflows/aks-helm-deploy-devopslab-dev.yml b/.github/workflows/aks-helm-deploy-devopslab-dev.yml
new file mode 100644
index 0000000..fb2341c
--- /dev/null
+++ b/.github/workflows/aks-helm-deploy-devopslab-dev.yml
@@ -0,0 +1,92 @@
+name: Helm@devopslab-dev
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ required: true
+ description: The name of the environment where to deploy
+ type: environment
+ secrets:
+ token:
+ required: true
+ description: Github Token
+
+env:
+ NAMESPACE: diego
+ APP_NAME: diegoappstatus
+ AKS_NAME: dvopla-d-neu-dev01-aks
+ AKS_RESOURCE_GROUP: dvopla-d-neu-dev01-aks-rg
+
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ create_runner:
+ name: Create Runner
+ runs-on: ubuntu-22.04
+ environment: dev
+ outputs:
+ runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
+ steps:
+ - name: Create GitHub Runner
+ id: create_github_runner
+ # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
+ uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
+ with:
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
+ resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
+ pat_token: ${{ secrets.BOT_TOKEN }}
+ self_hosted_runner_image_tag: "v1.4.0"
+
+ deploy_helm:
+ name: Deploy on AKS
+ runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ]
+ needs: [ create_runner ]
+ environment: dev
+ steps:
+ - name: Checkout
+ id: checkout
+ # from https://github.com/actions/checkout/commits/main
+ uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+
+ - name: Deploy Aks blueprint chart
+ uses: pagopa/github-actions-template/aks-blueprint-helm-deploy@dd79d69bbc777cd4f79e14e332267b9c728e2d63
+ with:
+ namespace: ${{ env.NAMESPACE }}
+ release-name: ${{ env.APP_NAME }}
+ helm-upgrade-options: "--debug"
+ chart-path: "helm/devopslab/diego"
+ values-file-name: values-${{ inputs.environment }}.yaml
+ aks-name: ${{ env.AKS_NAME }}
+ aks-resource-group: ${{ env.AKS_RESOURCE_GROUP }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ cleanup_runner:
+ name: Cleanup Runner
+ if: always()
+ runs-on: ubuntu-22.04
+ environment: dev
+ needs: [create_runner, deploy_helm]
+ steps:
+ - name: Cleanup GitHub Runner
+ id: cleanup_github_runner
+ # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
+ uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main
+ with:
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
+ runner_name: ${{ needs.create_runner.outputs.runner_name }}
+ pat_token: ${{ secrets.BOT_TOKEN }}
diff --git a/.github/workflows/aks-helm-deploy.yml b/.github/workflows/aks-helm-deploy.yml
deleted file mode 100644
index 84a19c2..0000000
--- a/.github/workflows/aks-helm-deploy.yml
+++ /dev/null
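Review bot: Both pagopa runner actions in this workflow are referenced at the mutable `@main` ref (the create step in this hunk and the cleanup step at its end) while being handed `secrets.BOT_TOKEN` and the Azure client credentials, so anyone who can push to that template repository can run arbitrary code with those secrets on every dispatch; pin them to a full commit SHA the way the checkout and aks-blueprint steps already are, e.g. `uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@<full-commit-sha>  # <tag>`. The `environment` input is only used to pick `values-${{ inputs.environment }}.yaml`, while all three jobs hardcode `environment: dev` and the dev AKS name/resource group, so dispatching with `uat` or `prod` would run a helm upgrade against the dev cluster with dev credentials and the empty `values-uat.yaml`/`values-prod.yaml` added in this commit — either hardcode `values-file-name: values-dev.yaml` and drop the input, or derive `environment:`, `AKS_NAME` and `AKS_RESOURCE_GROUP` from it. `helm-upgrade-options: "--debug"` makes Helm print the rendered manifests and merged values into the job log; values-dev.yaml holds no secrets today, but the flag should go before anything sensitive is added to the chart. As far as I can tell `secrets:` is not a valid key under `workflow_dispatch` (it belongs to `workflow_call`), and nothing in the hunk reads `inputs.token`, so that block can be removed.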
@@ -1,81 +0,0 @@
-name: Self Hosted Runner
-
-on:
- workflow_dispatch:
- inputs:
- environment:
- required: true
- description: The name of the environment where to deploy
- type: string
- secrets:
- token:
- required: true
- description: Github Token
-
-env:
- NAMESPACE: apiconfig
- APP_NAME: pagopaapiconfig
-
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- create_runner:
- name: Create Runner
- runs-on: ubuntu-22.04
- environment: ${{ inputs.environment }}
- if: ${{ inputs.matrix == inputs.environment || inputs.environment == 'all' }}
- outputs:
- runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
- steps:
- - name: Create GitHub Runner
- id: create_github_runner
- # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
- uses: pagopa/github-self-hosted-runner-azure-create-action@b4590e069e753daee6bc9809d484523cc7026035
- with:
- client_id: ${{ vars.client_id }}
- tenant_id: ${{ vars.tenant_id }}
- subscription_id: ${{ vars.subscription_id }}
- container_app_environment_name: app
- resource_group_name: runner-rg
- pat_token: ${{ inputs.token }}
-
- deploy:
- needs: [ create_runner ]
- runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ]
- name: Deploy on AKS
- steps:
- - name: Deploy
- uses: pagopa/github-actions-template/aks-deploy@deploy_aks_beta
- with:
- branch: ${{ github.ref_name }}
- client_id: ${{ inputs.client_id }}
- tenant_id: ${{ inputs.tenant_id }}
- subscription_id: ${{ inputs.subscription_id }}
- env: ${{ inputs.env }}
- namespace: ${{ env.NAMESPACE }}
- cluster_name: pagopa-d-weu-dev-aks
- resource_group: pagopa-d-weu-dev-aks-rg
- app_name: ${{ env.APP_NAME }}
- helm_upgrade_options: ${{( inputs.beta && '--set microservice-chart.deployment.create=false') || '' }}
-
- cleanup_runner:
- name: Cleanup Runner
- if: always()
- runs-on: ubuntu-22.04
- environment: dev-runner
- needs: [ create_runner, deploy ]
- steps:
- - name: Cleanup GitHub Runner
- id: cleanup_github_runner
- # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
- uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5
- with:
- client_id: ${{ vars.client_id }}
- tenant_id: ${{ vars.tenant_id }}
- subscription_id: ${{ vars.subscription_id }}
- resource_group_name: runner-rg
- runner_name: ${{ needs.create_runner.outputs.runner_name }}
- pat_token: ${{ inputs.token }}
diff --git a/.identity/02_github_environment_runner.tf b/.identity/02_github_environment_runner.tf
index 8a9435a..c7e7c01 100644
--- a/.identity/02_github_environment_runner.tf
+++ b/.identity/02_github_environment_runner.tf
@@ -15,9 +15,9 @@ module "github_environment_runner_secrets" {
 github_repository_environment_name = local.github_env_name
 secrets = {
+ "AZURE_CLIENT_ID" : module.github_runner_aks.client_id,
 "AZURE_TENANT_ID" : data.azurerm_client_config.current.tenant_id,
 "AZURE_SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
- "AZURE_CLIENT_ID" : module.github_runner_aks.client_id,
 "AZURE_CONTAINER_APP_ENVIRONMENT_NAME" : local.container_app_github_runner_env_name,
 "AZURE_RESOURCE_GROUP_NAME" : local.container_app_github_runner_env_rg,
 }
diff --git a/.identity/99_outputs.tf b/.identity/99_outputs.tf
index c381b88..64c2fc1 100644
--- a/.identity/99_outputs.tf
+++ b/.identity/99_outputs.tf
@@ -6,10 +6,10 @@ output "subscription_id" {
 value = data.azurerm_subscription.current.subscription_id
 }
-output "ci_service_principal_github_action_name" {
+output "service_principal_github_action_name" {
 value = module.github_runner_aks.display_name
 }
-output "ci_service_principal_github_action_client_id" {
+output "service_principal_github_action_client_id" {
 value = module.github_runner_aks.client_id
 }
diff --git a/.identity/modules/app-github-runner-aks/main.tf b/.identity/modules/app-github-runner-aks/main.tf
index 60a7d9f..6a9413e 100644
--- a/.identity/modules/app-github-runner-aks/main.tf
+++ b/.identity/modules/app-github-runner-aks/main.tf
@@ -27,3 +27,12 @@ resource "azurerm_role_assignment" "environment_runner_github_runner_rg" {
 role_definition_name = "Contributor"
 principal_id = azuread_service_principal.github_app.object_id
 }
+
+#
+# Associate custom role
+#
+resource "azurerm_role_assignment" "pagopa_iac_reader" {
+ scope = var.subscription_id
+ role_definition_name = "PagoPA IaC Reader"
+ principal_id = azuread_service_principal.github_app.object_id
+}
diff --git a/helm/devopslab/diego/.helmignore b/helm/devopslab/diego/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/devopslab/diego/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/devopslab/diego/Chart.lock b/helm/devopslab/diego/Chart.lock
new file mode 100644
index 0000000..55a0b08
--- /dev/null
+++ b/helm/devopslab/diego/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: microservice-chart
+ repository: https://pagopa.github.io/aks-microservice-chart-blueprint
+ version: 2.8.0
+digest: sha256:379d9a7c312874dd1771386d92d8f597cb3fed497bb80dfde102513b582123d4
+generated: "2023-02-20T15:50:38.149796+01:00"
diff --git a/helm/devopslab/diego/Chart.yaml b/helm/devopslab/diego/Chart.yaml
new file mode 100644
index 0000000..0f0aa2a
--- /dev/null
+++ b/helm/devopslab/diego/Chart.yaml
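Review bot: `scope = var.subscription_id` gives the GitHub runner's service principal the custom "PagoPA IaC Reader" role across the whole subscription, whereas the adjacent assignment keeps Contributor on a single resource group; a CI identity that deploys one Helm chart to one AKS cluster should not need subscription-wide read, so either narrow the scope to the AKS resource group or state in the comment which step needs it and what it reads, e.g. `# "PagoPA IaC Reader" at subscription scope: required by <step> to read <resources>`. Separately, `azurerm_role_assignment.scope` expects a full resource ID; if `var.subscription_id` carries the bare GUID that this commit's outputs expose (`data.azurerm_subscription.current.subscription_id`), the apply will fail — use `data.azurerm_subscription.current.id` or `scope = "/subscriptions/${var.subscription_id}"`. The preceding `environment_runner_github_runner_rg` resource begins outside the hunk.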
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: devops-app-status
+description: App that allow to expose a simple health checks endpoints
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+- name: microservice-chart
+ version: 2.8.0
+ repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
diff --git a/helm/devopslab/diego/values-dev.yaml b/helm/devopslab/diego/values-dev.yaml
new file mode 100644
index 0000000..0efd6a7
--- /dev/null
+++ b/helm/devopslab/diego/values-dev.yaml
@@ -0,0 +1,93 @@
+microservice-chart:
+ namespace: "diego"
+ nameOverride: ""
+ fullnameOverride: ""
+
+#
+# Deploy
+#
+ deployment:
+ create: true
+ # forceRedeploy: true
+
+ image:
+ repository: ghcr.io/pagopa/devops-app-status
+ tag: v1.0.0
+ pullPolicy: Always
+
+ livenessProbe:
+ httpGet:
+ path: /status
+ port: 8000
+ initialDelaySeconds: 60
+ failureThreshold: 6
+ periodSeconds: 10
+
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 8000
+ initialDelaySeconds: 60
+ failureThreshold: 6
+ periodSeconds: 10
+
+
+#
+# Network
+#
+ service:
+ create: true
+ type: ClusterIP
+ ports:
+ - 8000
+
+ ingress:
+ create: true
+ host: "dev01.diego.internal.devopslab.pagopa.it"
+ path: /diego/status(/|$)(.*)
+ rewriteTarget: /$2
+ servicePort: 8000
+ # proxyBodySize: 2m
+ annotations: {
+ nginx.ingress.kubernetes.io/satisfy: "any"
+ }
+
+ serviceAccount:
+ create: false
+ annotations: {}
+ name: ""
+
+ podAnnotations: {}
+
+ podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
+
+ securityContext:
+ allowPrivilegeEscalation: false
+
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "40m"
+ limits:
+ memory: "128Mi"
+ cpu: "40m"
+
+ autoscaling:
+ enable: true
+ minReplica: 1
+ maxReplica: 3
+ pollingInterval: 30 # seconds
+ cooldownPeriod: 300 # seconds
+ triggers:
+ - type: cpu
+ metadata:
+ type: Utilization
+ value: "60"
+
+ # nodeSelector: {}
+
+ # tolerations: []
+
+ # affinity: {}
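Review bot: The container `securityContext` in values-dev.yaml only sets `allowPrivilegeEscalation: false`; to meet the restricted Pod Security Standard alongside the `RuntimeDefault` seccomp profile already set, it should also pin `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]` — this assumes the blueprint chart forwards the key unchanged and that `ghcr.io/pagopa/devops-app-status` runs as a non-root user with no writable root filesystem, both of which need confirming against microservice-chart 2.8.0 and the image before merging. `tag: v1.0.0` with `pullPolicy: Always` re-resolves a mutable tag on every pod start, so a retagged image changes what runs in the cluster without a commit; pin the image by digest if the chart's `image` values allow it, and drop `Always`. `nginx.ingress.kubernetes.io/satisfy: "any"` is a no-op today because no auth or allow-list annotation is present, but it means that if an IP allow-list and an auth annotation are later combined either one alone grants access, so remove it until an annotation actually needs it.
```yaml
  securityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  # … unchanged: resources, autoscaling …
```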
diff --git a/helm/devopslab/diego/values-prod.yaml b/helm/devopslab/diego/values-prod.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/helm/devopslab/diego/values-uat.yaml b/helm/devopslab/diego/values-uat.yaml
new file mode 100644
index 0000000..e69de29