Add new steps to the workflows to update the helm release on the canaries and tf, a new rbac is added to the clusters (#1027)

Author: alvarocabanas

.github/workflows/component_k8s_canaries.yml

@@ -0,0 +1,60 @@
+name: 📞 k8s canaries helm update
+
+on:
+  workflow_call:
+    secrets:
+      AWS_ROLE_ARN:
+        required: true
+      AWS_VPC_SUBNET:
+        required: true
+
+    inputs:
+      image-tag:
+        required: true
+        type: string
+      cluster_name:
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infra:
+    name: Prepare infra
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-2
+
+      - name: Set branch name
+        run: |
+          # Short name for current branch. For PRs, use target branch (base ref)
+          GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          # Is the ref a tag? If so, remove refs/tags/ prefix
+          GIT_BRANCH=${GIT_BRANCH#refs/tags/}
+          echo "GIT_BRANCH=$GIT_BRANCH" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Upgrade helm release
+        uses: newrelic/fargate-runner-action@main
+        with:
+          aws_region: us-east-2
+          container_make_target: "IMAGE_TAG=${{ inputs.image-tag }} CLUSTER_NAME=${{ inputs.cluster_name }} HELM_DIR=test/k8s-canaries/helm test/k8s-canaries/helm-upgrade"
+          ecs_cluster_name: agent_control
+          task_definition_name: agent_control
+          cloud_watch_logs_group_name: /ecs/test-prerelease-agent_control
+          cloud_watch_logs_stream_name: ecs/test-agent_control
+          aws_vpc_subnet: ${{ secrets.AWS_VPC_SUBNET }}
+          repo_name: ${{ github.repository }}
+          git_clone_url: "ssh://git@github.com/${{ github.repository }}.git"
+          ref: "${{ env.GIT_BRANCH }}"

.github/workflows/nightly.yml

@@ -91,6 +91,16 @@ jobs:
       AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
       AWS_VPC_SUBNET: ${{ secrets.AWS_VPC_SUBNET }}
 
+  k8s_canaries:
+    uses: ./.github/workflows/component_k8s_canaries.yml
+    needs: [ build-image ]
+    with:
+      image-tag: nightly
+      cluster_name: Agent_Control_Canaries_Staging-Cluster
+    secrets:
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+      AWS_VPC_SUBNET: ${{ secrets.AWS_VPC_SUBNET }}
+
   notify-failure:
     if: ${{ always() && failure() }}
     needs: [ build-image ]

.github/workflows/prerelease.yml

@@ -131,6 +131,16 @@ jobs:
   #      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
   #      AWS_VPC_SUBNET: ${{ secrets.AWS_VPC_SUBNET }}
 
+  k8s_canaries:
+    uses: ./.github/workflows/component_k8s_canaries.yml
+    needs: [ build-image ]
+    with:
+      image-tag: ${{ github.event.release.tag_name }}-rc
+      cluster_name: Agent_Control_Canaries_Production-Cluster
+    secrets:
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+      AWS_VPC_SUBNET: ${{ secrets.AWS_VPC_SUBNET }}
+
   get_previous_tag:
     runs-on: ubuntu-latest
     outputs:

.github/workflows/push_pr_canaries_apply.yml

@@ -0,0 +1,62 @@
+permissions:
+  id-token: write
+  contents: read
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - test/k8s-canaries/terraform/**
+concurrency:
+  group: "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
+  cancel-in-progress: false
+name: terraform apply k8s canaries
+
+jobs:
+  infra:
+    name: Prepare infra
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-2
+
+      - uses: actions/checkout@v4
+
+      - name: Set branch name
+        run: |
+          # Short name for current branch. For PRs, use target branch (base ref)
+          GIT_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+          # Is the ref a tag? If so, remove refs/tags/ prefix
+          GIT_BRANCH="${GIT_BRANCH#refs/tags/}"
+          echo "GIT_BRANCH=$GIT_BRANCH" >> "$GITHUB_ENV"
+
+      - name: Sync k8s staging canary
+        uses: newrelic/fargate-runner-action@main
+        with:
+          aws_region: us-east-2
+          container_make_target: "TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=staging test/k8s-canaries/terraform-apply"
+          ecs_cluster_name: agent_control
+          task_definition_name: agent_control
+          cloud_watch_logs_group_name: /ecs/test-prerelease-agent_control
+          cloud_watch_logs_stream_name: ecs/test-agent_control
+          aws_vpc_subnet: ${{ secrets.AWS_VPC_SUBNET }}
+          repo_name: ${{ github.repository }}
+          git_clone_url: "ssh://git@github.com/${{ github.repository }}.git"
+          ref: "${{ env.GIT_BRANCH }}"
+
+      - name: Sync k8s production canary
+        uses: newrelic/fargate-runner-action@main
+        with:
+          aws_region: us-east-2
+          container_make_target: "TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=production test/k8s-canaries/terraform-apply"
+          ecs_cluster_name: agent_control
+          task_definition_name: agent_control
+          cloud_watch_logs_group_name: /ecs/test-prerelease-agent_control
+          cloud_watch_logs_stream_name: ecs/test-agent_control
+          aws_vpc_subnet: ${{ secrets.AWS_VPC_SUBNET }}
+          repo_name: ${{ github.repository }}
+          git_clone_url: "ssh://git@github.com/${{ github.repository }}.git"
+          ref: "${{ env.GIT_BRANCH }}"

.github/workflows/push_pr_canaries_plan.yml

@@ -0,0 +1,60 @@
+permissions:
+  id-token: write
+  contents: read
+on:
+  pull_request:
+    paths:
+      - test/k8s-canaries/terraform/**
+concurrency:
+  group: "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
+  cancel-in-progress: false
+name: plan k8s canaries changes
+
+jobs:
+  infra:
+    name: Prepare infra
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-2
+
+      - uses: actions/checkout@v4
+
+      - name: Set branch name
+        run: |
+          # Short name for current branch. For PRs, use target branch (base ref)
+          GIT_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+          # Is the ref a tag? If so, remove refs/tags/ prefix
+          GIT_BRANCH="${GIT_BRANCH#refs/tags/}"
+          echo "GIT_BRANCH=$GIT_BRANCH" >> "$GITHUB_ENV"
+
+      - name: Plan k8s staging canary changes
+        uses: newrelic/fargate-runner-action@main
+        with:
+          aws_region: us-east-2
+          container_make_target: "TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=staging test/k8s-canaries/terraform-plan"
+          ecs_cluster_name: agent_control
+          task_definition_name: agent_control
+          cloud_watch_logs_group_name: /ecs/test-prerelease-agent_control
+          cloud_watch_logs_stream_name: ecs/test-agent_control
+          aws_vpc_subnet: ${{ secrets.AWS_VPC_SUBNET }}
+          repo_name: ${{ github.repository }}
+          git_clone_url: "ssh://git@github.com/${{ github.repository }}.git"
+          ref: "${{ env.GIT_BRANCH }}"
+
+      - name: Plan k8s production canary changes
+        uses: newrelic/fargate-runner-action@main
+        with:
+          aws_region: us-east-2
+          container_make_target: "TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=production test/k8s-canaries/terraform-plan"
+          ecs_cluster_name: agent_control
+          task_definition_name: agent_control
+          cloud_watch_logs_group_name: /ecs/test-prerelease-agent_control
+          cloud_watch_logs_stream_name: ecs/test-agent_control
+          aws_vpc_subnet: ${{ secrets.AWS_VPC_SUBNET }}
+          repo_name: ${{ github.repository }}
+          git_clone_url: "ssh://git@github.com/${{ github.repository }}.git"
+          ref: "${{ env.GIT_BRANCH }}"

test/k8s-canaries/Makefile

@@ -1,5 +1,6 @@
 TERRAFORM_DIR := ./terraform
 HELM_DIR := ./helm
+AWS_REGION := us-east-2
 .DEFAULT_GOAL := all
 
 # Generate a random key to add to the helm deployment annotation
@@ -10,27 +11,45 @@ DEPLOYMENT_KEY := $(shell openssl rand -base64 32 | tr -dc A-Za-z0-9 | head -c 1
 all:
 	@echo "No default target"
 
-.PHONY: test/k8s-canaries/sync
-test/k8s-canaries/sync:
+.PHONY: test/k8s-canaries/terraform-plan
+test/k8s-canaries/terraform-plan:
 ifndef CANARY_DIR
-	@echo "CANARY_DIR variable must be provided to know which canary to sync"
+	@echo "CANARY_DIR variable must be provided to know which canary to terraform-plan"
+	exit 1
+endif
+	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
+	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) plan
+
+.PHONY: test/k8s-canaries/terraform-apply
+test/k8s-canaries/terraform-apply:
+ifndef CANARY_DIR
+	@echo "CANARY_DIR variable must be provided to know which canary to terraform-apply"
 	exit 1
 endif
 	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
 	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) apply -auto-approve
 
-.PHONY: test/k8s-canaries/helm
-test/k8s-canaries/helm:
+
+.PHONY: test/k8s-canaries/update-kubeconfig-from-aws
+test/k8s-canaries/update-kubeconfig-from-aws:
+ifndef CLUSTER_NAME
+	@echo "CLUSTER_NAME variable must be provided for test/k8s-canaries/aws-eks"
+	exit 1
+endif
+	@aws eks update-kubeconfig --region=$(AWS_REGION) --name $(CLUSTER_NAME)
+
+.PHONY: test/k8s-canaries/helm-upgrade
+test/k8s-canaries/helm-upgrade: test/k8s-canaries/update-kubeconfig-from-aws
 ifndef NR_LICENSE_KEY
-	@echo "NR_LICENSE_KEY variable must be provided for k8s-canaries/helm"
+	@echo "NR_LICENSE_KEY variable must be provided for test/k8s-canaries/helm-upgrade"
 	exit 1
 endif
 ifndef CLUSTER_NAME
-	@echo "CLUSTER_NAME variable must be provided for k8s-canaries/helm"
+	@echo "CLUSTER_NAME variable must be provided for test/k8s-canaries/helm-upgrade"
 	exit 1
 endif
 ifndef IMAGE_TAG
-	@echo "IMAGE_TAG variable must be provided for k8s-canaries/helm"
+	@echo "IMAGE_TAG variable must be provided for test/k8s-canaries/helm-upgrade"
 	exit 1
 endif
 	@helm repo add newrelic https://helm-charts.newrelic.com
@@ -40,3 +59,4 @@ endif
     --set global.cluster=$(CLUSTER_NAME) \
     --set agent-control-deployment.image.tag=$(IMAGE_TAG) \
     --set agent-control-deployment.podAnnotations.deploymentKey="${DEPLOYMENT_KEY}"
+

test/k8s-canaries/README.md

@@ -22,12 +22,12 @@ The default terraform dir for where the terraform modules are taken from is:
 `TERRAFORM_DIR := ./terraform`
 
 ```bash
-$ make CANARY_DIR=staging test/k8s-canaries/sync
+$ make CANARY_DIR=staging test/k8s-canaries/terraform-apply
 ```
 
 If this target is called from the root of this repository, the TERRAFORM_DIR should be overwritten to point to the relative path:
 ```bash
-$ make TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=staging test/k8s-canaries/sync
+$ make TERRAFORM_DIR=test/k8s-canaries/terraform CANARY_DIR=staging test/k8s-canaries/terraform-apply
 ```
 
 ### Helm Upgrade for nightlies and prereleases
@@ -39,10 +39,10 @@ The default helm dir where there is the default values file to apply is:
 `HELM_DIR := ./helm`
 
 ```bash
-$ make NR_LICENSE_KEY=xxx CLUSTER_NAME=my-cluster IMAGE_TAG=nightly test/k8s-canaries/helm
+$ make NR_LICENSE_KEY=xxx CLUSTER_NAME=my-cluster IMAGE_TAG=nightly test/k8s-canaries/helm-upgrade
 ```
 
 If this target is called from the root of this repository, the HELM_DIR should be overwritten to point to the relative path:
 ```bash
-$ make HELM_DIR=test/k8s-canaries/helm NR_LICENSE_KEY=xxx CLUSTER_NAME=my-cluster IMAGE_TAG=nightly test/k8s-canaries/helm
+$ make HELM_DIR=test/k8s-canaries/helm NR_LICENSE_KEY=xxx CLUSTER_NAME=my-cluster IMAGE_TAG=nightly test/k8s-canaries/helm-upgrade
 ```

test/k8s-canaries/terraform/modules/eks_cluster/main.tf

@@ -107,7 +107,7 @@ resource "aws_eks_node_group" "eks-nodegroup" {
 
   launch_template {
     id      = aws_launch_template.eks_node.id
-    version = "$Latest"
+    version = "1"
   }
 
   ami_type       = var.nodes_ami_type

test/k8s-canaries/terraform/modules/eks_cluster/outputs.tf

@@ -1,10 +1,6 @@
-output "ekscluster" {
+output "cluster" {
   value = {
-    aws_eks_cluster = {
-      ekscluster = {
-        name     = aws_eks_cluster.ekscluster.name
-        endpoint = aws_eks_cluster.ekscluster.endpoint
-      }
-    }
+     name     = aws_eks_cluster.ekscluster.name
+     endpoint = aws_eks_cluster.ekscluster.endpoint
   }
 }