feature/k8s wrapper deploy (#13392)

* check k8s wrapper tag exists * add trigger * add az cli version * fix az login inputs * add inline script for azure cli * init k8s wrapper deploy pipeline * fix condition * fix condition * fix context for k8s wrapper * fix needs for flux push * debugg-environments * fix output typo * skip check exists step * add override-tag parameter * parametrize registry and repository * fix needs for flux push * fix stop condition * fix condition * use bool check * add schedule and remove on pull request trigger * Update charts/kuberneteswrapper/Chart.yaml Co-authored-by: David Ovrelid <46874830+framitdavid@users.noreply.github.com> --------- Co-authored-by: David Ovrelid <46874830+framitdavid@users.noreply.github.com>
Altinn · Aug 20, 2024 · 29196be · 29196be
1 parent 681c093
commit 29196be
Show file tree

Hide file tree

Showing 18 changed files with 396 additions and 12 deletions.
diff --git a/.github/workflows/deploy-designer.yaml b/.github/workflows/deploy-designer.yaml
@@ -31,17 +31,9 @@ jobs:
     uses: ./.github/workflows/template-short-sha.yaml
 
   construct-environments-array:
-    needs: get-short-sha
-    runs-on: ubuntu-latest
-    outputs:
-      environmentsjson: ${{ steps.construct-enviornments.outputs.environmentsjson }}
-    steps:
-      - name: Construct environment
-        id: construct-enviornments
-        run: |
-          environments="${{ github.event.inputs.environments || 'staging,prod' }}"
-          jsonArray=$(echo "[\"$(echo $environments | sed 's/,/\",\"/g')\"]")
-          echo "environmentsjson=${jsonArray}" >> $GITHUB_OUTPUT
+    uses: ./.github/workflows/template-construct-environments.yaml
+    with:
+      environments: ${{ github.event.inputs.environments || 'staging,prod' }}
 
   determine-tag:
     needs: get-short-sha
@@ -55,7 +47,7 @@ jobs:
           if [ "${{ github.ref }}" == "refs/heads/main" ]; then
             echo "tag=${{ needs.get-short-sha.outputs.short-sha }}" >> $GITHUB_OUTPUT
           else
-            sanitized_branch_name=$(echo "${{ github.ref_name }}" | tr '/' '-')
+            sanitized_branch_name=$(echo "${{ github.ref_name }}" | tr -d '()' | tr '/' '-')
             echo "tag=${sanitized_branch_name}-${{ needs.get-short-sha.outputs.short-sha }}" >> $GITHUB_OUTPUT
           fi
 

diff --git a/.github/workflows/deploy-kubernetes-wrapper.yaml b/.github/workflows/deploy-kubernetes-wrapper.yaml
@@ -0,0 +1,112 @@
+name: Deploy Kubernetes Wrapper
+on:
+
+  workflow_dispatch:
+    inputs:
+      environments:
+        description: 'Environments to deploy to. Multiple environments can be specified by separating them with a comma.'
+        required: false
+        default: 'dev'
+      override-tag:
+        type: boolean
+        description: If true, workflow will not be stopped if tag already exists
+        default: false
+
+  schedule:
+    - cron: '0 8 * * 1' # 8 AM UTC every Monday
+
+permissions:
+      id-token: write
+      contents: read
+
+jobs:
+  get-short-sha:
+    uses: ./.github/workflows/template-short-sha.yaml
+    with:
+      checkout-repository: 'Altinn/app-kubernetes-wrapper'
+
+  determine-tag-exists:
+    needs: get-short-sha
+    environment: dev
+    runs-on: ubuntu-latest
+    outputs:
+      tag-exists: ${{ steps.determine-tag-exists.outputs.tag-exists }}
+    env:
+      repository-name: altinn-kuberneteswrapper
+      registry-name: altinntjenestercontainerregistry
+    steps:
+      - name: 'Azure login'
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID_FC }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID_FC }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_FC }}
+
+      - name: Determine tag exists
+        id: determine-tag-exists
+        uses: azure/CLI@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            SHORT_SHA=${{ needs.get-short-sha.outputs.short-sha }}
+            exists_tag=$(az acr repository show-tags --name ${{ env.registry-name }} --repository ${{ env.repository-name }} --query "[?contains(@, '$SHORT_SHA')]" --output tsv)
+            if [ -z "$exists_tag" ]; then
+              echo "tag-exists=false" >> $GITHUB_OUTPUT
+            else
+              echo "tag-exists=true" >> $GITHUB_OUTPUT
+            fi
+
+  construct-environments-array:
+    needs: [get-short-sha, determine-tag-exists]
+    if: ${{ needs.determine-tag-exists.outputs.tag-exists == 'false' || github.event.inputs.override-tag }}
+    uses: ./.github/workflows/template-construct-environments.yaml
+    with:
+      environments: ${{ github.event.inputs.environments || 'dev,staging,prod' }}
+
+  docker-build-push:
+    needs: [get-short-sha, determine-tag-exists, construct-environments-array]
+    uses: ./.github/workflows/template-docker-push.yaml
+    with:
+      tags: ${{ needs.get-short-sha.outputs.short-sha }},latest
+      registry-name: altinntjenestercontainerregistry.azurecr.io
+      repository-name: altinn-kuberneteswrapper
+      environment: dev # dev environment has push access and doesn't require review
+      checkout-repository: 'Altinn/app-kubernetes-wrapper'
+      context: src/KubernetesWrapper
+      dockerfile: src/KubernetesWrapper/Dockerfile
+    secrets:
+      client-id: ${{ secrets.AZURE_CLIENT_ID_FC }}
+      tenant-id: ${{ secrets.AZURE_TENANT_ID_FC }}
+      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_FC }}
+
+  helm-push:
+    needs: [get-short-sha, determine-tag-exists, construct-environments-array]
+    uses: ./.github/workflows/template-helm-push.yaml
+    with:
+      tag: 0.1.0+${{ needs.get-short-sha.outputs.short-sha }} # Helm version needs to be valid sematic version
+      chart-name: kuberneteswrapper
+      registry-name: altinntjenestercontainerregistry.azurecr.io
+      environment: dev
+    secrets:
+      client-id: ${{ secrets.AZURE_CLIENT_ID_FC }}
+      tenant-id: ${{ secrets.AZURE_TENANT_ID_FC }}
+      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_FC }}
+
+  flux-config-push:
+    needs: [get-short-sha, construct-environments-array, docker-build-push, helm-push]
+    strategy:
+      matrix:
+        environment: ${{ fromJSON(needs.construct-environments-array.outputs.environmentsjson) }}
+    uses: ./.github/workflows/template-flux-config-push.yaml
+    with:
+      tag: ${{ needs.get-short-sha.outputs.short-sha }}
+      registry-name: altinntjenestercontainerregistry.azurecr.io
+      environment: ${{ matrix.environment }}
+      config-chart-name: kuberneteswrapper-config
+      artifact-name: kuberneteswrapper
+      helm-set-arguments: environmentName=${{ matrix.environment }},chartVersion=0.1.0+${{ needs.get-short-sha.outputs.short-sha }},imageTag=${{ needs.get-short-sha.outputs.short-sha }}
+    secrets:
+      client-id: ${{ secrets.AZURE_CLIENT_ID_FC }}
+      tenant-id: ${{ secrets.AZURE_TENANT_ID_FC }}
+      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_FC }}
+
diff --git a/.github/workflows/template-construct-environments.yaml b/.github/workflows/template-construct-environments.yaml
@@ -0,0 +1,25 @@
+name: Construct environments array
+
+on:
+  workflow_call:
+    inputs:
+      environments:
+        required: true
+        type: string
+    outputs:
+      environmentsjson:
+        description: "Environments json"
+        value: ${{ jobs.construct-environments-array.outputs.environmentsjson }}
+
+jobs:
+  construct-environments-array:
+    runs-on: ubuntu-latest
+    outputs:
+      environmentsjson: ${{ steps.construct-enviornments.outputs.environmentsjson }}
+    steps:
+      - name: Construct environment
+        id: construct-enviornments
+        run: |
+          environments="${{ inputs.environments }}"
+          jsonArray=$(echo "[\"$(echo $environments | sed 's/,/\",\"/g')\"]")
+          echo "environmentsjson=${jsonArray}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/template-docker-push.yaml b/.github/workflows/template-docker-push.yaml
@@ -24,6 +24,10 @@ on:
         required: false
         type: string
         default: ''
+      checkout-repository:
+        required: false
+        type: string
+        default: ''
 
     secrets:
       client-id:
@@ -42,6 +46,8 @@ jobs:
     environment: ${{ inputs.environment }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          repository: ${{ inputs.checkout-repository }}
 
       - name: 'Azure login'
         uses: azure/login@v2

diff --git a/.github/workflows/template-short-sha.yaml b/.github/workflows/template-short-sha.yaml
@@ -2,6 +2,11 @@ name: Calculate short sha
 
 on:
   workflow_call:
+    inputs:
+      checkout-repository:
+        required: false
+        type: string
+        default: ''
     outputs:
       short-sha:
         description: "Short sha commit"
@@ -15,6 +20,8 @@ jobs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          repository: ${{ inputs.checkout-repository }}
 
       - name: Set short SHA
         id: set-short-sha

diff --git a/charts/kuberneteswrapper-config/Chart.yaml b/charts/kuberneteswrapper-config/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: altinn-designer
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/kuberneteswrapper-config/templates/helm-release.yaml b/charts/kuberneteswrapper-config/templates/helm-release.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kuberneteswrapper
+  namespace: default
+spec:
+  releaseName: kuberneteswrapper
+  targetNamespace: default
+  interval: 5m
+  install:
+    remediation:
+      retries: 1
+  upgrade:
+    remediation:
+      retries: 1
+  chart:
+    spec:
+      version: "{{ .Values.chartVersion }}"
+      chart: kuberneteswrapper
+      sourceRef:
+        kind: HelmRepository
+        name: studio-charts
+        namespace: default
+  values:
+    image:
+      tag: "{{ .Values.imageTag }}"
+    environment: "{{ .Values.environmentName }}"
diff --git a/charts/kuberneteswrapper-config/values.yaml b/charts/kuberneteswrapper-config/values.yaml
@@ -0,0 +1,3 @@
+chartVersion: ""
+imageTag: ""
+environmentName: ""
diff --git a/charts/kuberneteswrapper/.helmignore b/charts/kuberneteswrapper/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/kuberneteswrapper/Chart.yaml b/charts/kuberneteswrapper/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+description: A Helm chart for the kubernetes api wrapper
+# name can only be lowercase. It is used in the templates.
+name: kuberneteswrapper
+version: 1.1.0
diff --git a/charts/kuberneteswrapper/templates/_helpers.tpl b/charts/kuberneteswrapper/templates/_helpers.tpl
@@ -0,0 +1,17 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/kuberneteswrapper/templates/deployment.yaml b/charts/kuberneteswrapper/templates/deployment.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "name" . }}
+        release: {{ .Release.Name }}
+    spec:
+    {{- if .Values.image.serviceAccount}}
+      serviceAccountName: {{ .Values.image.serviceAccount }}
+    {{- end }}
+    {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+      {{- range $secret := .Values.image.pullSecrets }}
+        - name : {{ $secret.name }}
+      {{- end }}
+    {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ required "A valid image.repository value is required!" .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.image.environment}}
+          env:
+          {{- range $environment := .Values.image.environment}}
+            - name: {{ $environment.name }}
+              value: {{ quote $environment.value }}
+          {{- end }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.service.internalPort }}
diff --git a/charts/kuberneteswrapper/templates/ingress.yaml b/charts/kuberneteswrapper/templates/ingress.yaml
@@ -0,0 +1,31 @@
+{{- $serviceName := include "fullname" . }}
+{{- $servicePort := .Values.service.externalPort }}
+{{- range $ingress := .Values.ingress }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingress.metadata.name }}
+  annotations:
+  {{- range $key, $value := $ingress.metadata.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+spec:
+  rules:
+  {{- if not (hasKey $.Values.hosts $.Values.environment) }}
+    {{ fail "the chosen environment has no host" }}
+  {{- end }}
+  {{- $host := index $.Values.hosts $.Values.environment }}
+  - host: {{ $host }}
+    http:
+      paths:
+      {{- range $path := $ingress.paths }}
+      - path: {{ $path.path }}
+        pathType: "Prefix"
+        backend:
+          service:
+            name: {{ $serviceName }}
+            port:
+              number: {{ $servicePort }}
+      {{- end }}
+---
+{{- end }}
diff --git a/charts/kuberneteswrapper/templates/role.yaml b/charts/kuberneteswrapper/templates/role.yaml
@@ -0,0 +1,9 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: kubernetes-read-role
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list"]