Helm deployments

.dockerignore

@@ -0,0 +1,9 @@
+.git
+.github
+**/bin
+**/obj
+test
+**/.vs
+**/.idea
+**/.vscode
+*.user

.github/workflows/deploy.yml

@@ -2,17 +2,24 @@ name: deploy
 
 on:
   workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options: [dev, staging, production]
+        required: true
 
 concurrency:
   group: deploy-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
-  ecr:
+  deploy:
     runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
     permissions:
       id-token: write # This is required for requesting the JWT
       contents: read # This is required for actions/checkout
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -25,9 +32,6 @@ jobs:
       - name: Restore dependencies
         run: dotnet restore
 
-      - name: Install dotnet sql package
-        run: dotnet tool install --global microsoft.sqlpackage --version 170.3.93
-
       - name: Build
         run: dotnet build --configuration Release --no-restore
 
@@ -39,40 +43,34 @@ jobs:
         with:
           role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
           aws-region: ${{ vars.ECR_REGION }}
-      
+
       - name: Login to ECR
         uses: aws-actions/amazon-ecr-login@33f92af657bba1882ab79d8621debd2f6769a0c9
         id: login-ecr
 
       - name: Build and Push Server.UI Container
         run: |
-          dotnet publish src/Server.UI/Server.UI.csproj \
-            --configuration Release \
-            --no-build \
-            /t:PublishContainer \
-            /p:ContainerRegistry=${{ steps.login-ecr.outputs.registry }} \
-            /p:ContainerRepository=${{ vars.ECR_REPOSITORY }} \
-            /p:ContainerImageTag=cats-${{ github.sha }}
+          docker build \
+            -f src/Server.UI/Dockerfile \
+            -t ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:cats-${{ github.sha }} \
+            .
+          docker push ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:cats-${{ github.sha }}
 
       - name: Build and Push Worker Container
         run: |
-          dotnet publish src/Worker/Worker.csproj \
-            --configuration Release \
-            --no-build \
-            /t:PublishContainer \
-            /p:ContainerRegistry=${{ steps.login-ecr.outputs.registry }} \
-            /p:ContainerRepository=${{ vars.ECR_REPOSITORY }} \
-            /p:ContainerImageTag=worker-${{ github.sha }}
-
+          docker build \
+            -f src/Worker/Dockerfile \
+            -t ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:worker-${{ github.sha }} \
+            .
+          docker push ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:worker-${{ github.sha }}
+
       - name: Build and Push DatabaseSeeding Container
         run: |
-          dotnet publish src/DatabaseSeeding/DatabaseSeeding.csproj \
-            --configuration Release \
-            --no-build \
-            /t:PublishContainer \
-            /p:ContainerRegistry=${{ steps.login-ecr.outputs.registry }} \
-            /p:ContainerRepository=${{ vars.ECR_REPOSITORY }} \
-            /p:ContainerImageTag=seeder-${{ github.sha }}
+          docker build \
+            -f src/DatabaseSeeding/Dockerfile \
+            -t ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:seeder-${{ github.sha }} \
+            .
+          docker push ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:seeder-${{ github.sha }}
 
       - name: Build and Push DatabaseMigrator Container
         run: |
@@ -81,25 +79,16 @@ jobs:
             -t ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:migrator-${{ github.sha }} \
             .
           docker push ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:migrator-${{ github.sha }}
-      
+
       - name: Generate app version
         id: version
         run: echo "app_version=$(date +'%Y.%m.%d').${{ github.run_number }}" >> $GITHUB_OUTPUT
 
-      - name: Generate Kubernetes Manifests
-        run: |
-          mkdir -p deploy
-          for file in infra/*.yml; do
-            envsubst < "$file" > "deploy/$(basename "$file")"
-          done
-        env:
-          IMAGE_TAG: ${{ github.sha }}
-          APP_VERSION: ${{ steps.version.outputs.app_version }}
-          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
-          NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
-          DOTNET_ENVIRONMENT: "Development"
-
+      - name: Setup Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v3.21.2
+
       - name: Configure kubectl
         run: |
           echo "${{ secrets.KUBE_CERT }}" > ca.crt
@@ -111,33 +100,72 @@ jobs:
           KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
           KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 
-      - name: Run database migration
+      - name: Build Helm dependencies
         run: |
-          kubectl -n ${KUBE_NAMESPACE} delete pod -l app=migrator --wait=false || true
-          kubectl -n ${KUBE_NAMESPACE} apply -f deploy/migrator-pod.yml
-          if ! kubectl -n ${KUBE_NAMESPACE} wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod/migrator-${{ github.sha }}; then
-            echo "Migration pod did not succeed within timeout."
-            kubectl -n ${KUBE_NAMESPACE} describe pod/migrator-${{ github.sha }} || true
-            exit 1
-          fi
+          set -euo pipefail
+          helm repo add hmpps-helm-charts https://ministryofjustice.github.io/hmpps-helm-charts
+          helm dependency update ./helm_deploy/cats
+
+      - name: Run database migrations
+        run: |
+          set -euo pipefail
+          helm upgrade --install cats-migrate ./helm_deploy/cats \
+            --namespace "${KUBE_NAMESPACE}" \
+            --values ./helm_deploy/cats/values-${{ inputs.environment }}.yaml \
+            --set migrator.enabled=true \
+            --set serviceAccountName="${KUBE_NAMESPACE}" \
+            --set migrator.image.repository="${REGISTRY}/${REPOSITORY}" \
+            --set migrator.image.tag="migrator-${{ github.sha }}" \
+            --timeout 5m
+          kubectl -n "${KUBE_NAMESPACE}" wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod -l app=migrator
         env:
           KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
 
-      - name: Run database seeding
+      - name: Seed the database
         run: |
-          kubectl -n ${KUBE_NAMESPACE} delete pod -l app=seeder --wait=false || true
-          kubectl -n ${KUBE_NAMESPACE} apply -f deploy/seeder-pod.yml
-          if ! kubectl -n ${KUBE_NAMESPACE} wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod/seeder-${{ github.sha }}; then
-            echo "Seeder pod did not succeed within timeout."
-            kubectl -n ${KUBE_NAMESPACE} describe pod/seeder-${{ github.sha }} || true
-            exit 1
-          fi
+          set -euo pipefail
+          helm upgrade --install cats-seed ./helm_deploy/cats \
+            --namespace "${KUBE_NAMESPACE}" \
+            --values ./helm_deploy/cats/values-${{ inputs.environment }}.yaml \
+            --set seeder.enabled=true \
+            --set serviceAccountName="${KUBE_NAMESPACE}" \
+            --set seeder.image.repository="${REGISTRY}/${REPOSITORY}" \
+            --set seeder.image.tag="seeder-${{ github.sha }}" \
+            --timeout 5m
+          kubectl -n "${KUBE_NAMESPACE}" wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod -l app=seeder
         env:
           KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
 
-      - name: Deploy to Kubernetes
+      - name: Deploy CATS and Worker
         run: |
-          rm -f deploy/migrator-pod.yml deploy/seeder-pod.yml
-          kubectl -n ${KUBE_NAMESPACE} apply -f deploy/
+          set -euo pipefail
+          IMAGE_REPOSITORY="${REGISTRY}/${REPOSITORY}"
+
+          helm upgrade --install cats ./helm_deploy/cats \
+            --namespace "${KUBE_NAMESPACE}" \
+            --values ./helm_deploy/cats/values-${{ inputs.environment }}.yaml \
+            --set app.enabled=true \
+            --set worker.enabled=true \
+            --set rabbitmq.enabled=true \
+            --set redis.enabled=true \
+            --set serviceAccountName="${KUBE_NAMESPACE}" \
+            --set app.serviceAccountName="${KUBE_NAMESPACE}" \
+            --set app.image.repository="${IMAGE_REPOSITORY}" \
+            --set app.image.tag="cats-${{ github.sha }}" \
+            --set app.env.Sentry__Release="${APP_VERSION}" \
+            --set app.env.AppConfigurationSettings__Version="${APP_VERSION}" \
+            --set worker.serviceAccountName="${KUBE_NAMESPACE}" \
+            --set worker.image.repository="${IMAGE_REPOSITORY}" \
+            --set worker.image.tag="worker-${{ github.sha }}" \
+            --set worker.env.Sentry__Release="${APP_VERSION}" \
+            --set worker.env.AppConfigurationSettings__Version="${APP_VERSION}" \
+            --atomic --wait --timeout 10m
         env:
           KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
+          APP_VERSION: ${{ steps.version.outputs.app_version }}

.github/workflows/validate-helm.yml

@@ -0,0 +1,80 @@
+name: Validate Helm
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - helm_deploy/**
+      - .github/workflows/validate-helm.yml
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Setup Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v3.21.2
+
+      - name: Build chart dependencies
+        run: |
+          helm repo add hmpps-helm-charts https://ministryofjustice.github.io/hmpps-helm-charts
+          helm dependency update ./helm_deploy/cats
+
+      - name: Lint and template all environments
+        run: |
+          set -euo pipefail
+          for env in dev staging production; do
+            echo "::group::helm lint ($env)"
+            helm lint ./helm_deploy/cats --values ./helm_deploy/cats/values-$env.yaml
+            echo "::endgroup::"
+
+            echo "::group::helm template app ($env)"
+            # Render with placeholder per-deploy values that CI normally supplies via --set,
+            # so templating exercises the same paths as a real deploy.
+            helm template cats ./helm_deploy/cats \
+              --namespace "cfocats-$env" \
+              --values ./helm_deploy/cats/values-$env.yaml \
+              --set app.enabled=true \
+              --set worker.enabled=true \
+              --set rabbitmq.enabled=true \
+              --set redis.enabled=true \
+              --set serviceAccountName="cfocats-$env" \
+              --set app.serviceAccountName="cfocats-$env" \
+              --set app.image.repository="example/cfocats" \
+              --set app.image.tag="cats-validate" \
+              --set worker.serviceAccountName="cfocats-$env" \
+              --set worker.image.repository="example/cfocats" \
+              --set worker.image.tag="worker-validate" \
+              > /dev/null
+            echo "::endgroup::"
+
+            echo "::group::helm template migrate ($env)"
+            helm template cats-migrate ./helm_deploy/cats \
+              --namespace "cfocats-$env" \
+              --values ./helm_deploy/cats/values-$env.yaml \
+              --set migrator.enabled=true \
+              --set serviceAccountName="cfocats-$env" \
+              --set migrator.image.repository="example/cfocats" \
+              --set migrator.image.tag="migrator-validate" \
+              > /dev/null
+            echo "::endgroup::"
+
+            echo "::group::helm template seed ($env)"
+            helm template cats-seed ./helm_deploy/cats \
+              --namespace "cfocats-$env" \
+              --values ./helm_deploy/cats/values-$env.yaml \
+              --set seeder.enabled=true \
+              --set serviceAccountName="cfocats-$env" \
+              --set seeder.image.repository="example/cfocats" \
+              --set seeder.image.tag="seeder-validate" \
+              > /dev/null
+            echo "::endgroup::"
+          done

.gitignore

@@ -481,3 +481,7 @@ aspire-output/
 
 # ls cache files for C# develop extension
 *csproj.lscache
+
+# Helm
+helm_deploy/*/charts/
+helm_deploy/*/Chart.lock

helm_deploy/cats/.helmignore

@@ -0,0 +1,7 @@
+.git/
+.gitignore
+*.tmproj
+*.bak
+*.orig
+.vscode/
+.idea/

helm_deploy/cats/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+name: cats
+description: |
+  HMPPS - Case Assessment and Tracking System (CATS)
+type: application
+
+# Version of this chart. Bump on every change to the chart/values.
+version: "0.1.0"
+
+# Mirrors the application version; the running image is selected via image tags at deploy time.
+appVersion: "0.1.0"
+
+dependencies:
+  # Web tier (Blazor Server UI) — ingress, SignalR sticky sessions, multiple replicas.
+  - name: generic-service
+    alias: app
+    version: "3.17.2"
+    repository: https://ministryofjustice.github.io/hmpps-helm-charts
+    condition: app.enabled
+
+  # Background worker (Quartz jobs) — single instance, no ingress.
+  - name: generic-service
+    alias: worker
+    version: "3.17.2"
+    repository: https://ministryofjustice.github.io/hmpps-helm-charts
+    condition: worker.enabled
+
+  # todo: enable prometheus alerts
+  # https://user-guide.cloud-platform.service.justice.gov.uk/documentation/monitoring-an-app/how-to-create-alarms.html#creating-your-own-custom-alerts
+  # uncomment and re-run `helm dependency update ./helm_deploy/cats` to fetch it.
+  # - name: generic-prometheus-alerts
+  #   version: "1.17.1"
+  #   repository: https://ministryofjustice.github.io/hmpps-helm-charts

helm_deploy/cats/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Environment variables that expose the MSSQL connection details from the
+rds-mssql-instance-output namespace secret, plus the composed connection string.
+Used by the migrator and seeder Pods.
+*/}}
+{{- define "cats.databaseEnv" -}}
+- name: DATABASE_ADDRESS
+  valueFrom:
+    secretKeyRef:
+      name: rds-mssql-instance-output
+      key: rds_instance_address
+- name: DATABASE_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: rds-mssql-instance-output
+      key: database_username
+- name: DATABASE_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: rds-mssql-instance-output
+      key: database_password
+- name: ConnectionStrings__CatsDb
+  value: {{ .Values.connectionStrings.catsDb | quote }}
+{{- end -}}