Deprecate docker swarm

Author: adskyiproger

.github/workflows/deploy-and-e2e.yml

@@ -280,8 +280,8 @@ jobs:
       - name: Read known hosts
         run: |
           echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
+          sed -i -e '$a\' ./infrastructure-swarm/known-hosts
+          cat ./infrastructure-swarm/known-hosts >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
       - name: Install SSH Key
         uses: shimataro/ssh-key-action@v2
@@ -294,7 +294,7 @@ jobs:
           echo "KNOWN_HOSTS=" >> $GITHUB_ENV
       - name: Cleanup e2e stack
         run: |
-          bash infrastructure/deployment/cleanup-e2e-stack.sh \
+          bash infrastructure-swarm/deployment/cleanup-e2e-stack.sh \
           --stack=${stack} \
           --ssh_host=${{ vars.SSH_HOST || secrets.SSH_HOST }} \
           --ssh_port=${{ vars.SSH_PORT || secrets.SSH_PORT }} \

.github/workflows/provision-k8s.yml

@@ -1,4 +1,4 @@
-name: Provision Infrastructure on k8s
+name: Provision Infrastructure
 run-name: "Provision ${{ inputs.environment }} (tag: ${{ inputs.tags }})"
 on:
   workflow_dispatch:
@@ -9,8 +9,7 @@ on:
         default: 'e2e'
         type: choice
         options:
-          - e2e
-
+          - "e2e"
       tags:
         description: 'Tags to apply to the provisioned resources'
         required: true
@@ -24,14 +23,34 @@ on:
           - application
           - tools
           - fail2ban
+          - data-partition
           - decrypt-on-boot
           - checks
           - containerd-setup
-          - kubernetes-installation
-          - join-workers
+          - k8s
           - system-preparation
 jobs:
+  approve:
+    environment: ${{ inputs.environment }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    steps:
+      - name: Waiting for manual approval
+        if: ${{ (vars.APPROVAL_REQUIRED || 'false') == 'true' }}
+        uses: trstringer/manual-approval@v1
+        with:
+          secret: ${{ github.TOKEN }}
+          approvers: ${{ vars.GH_APPROVERS }}
+          minimum-approvals: 1
+          issue-title: "Provision ${{ inputs.environment }} (tag: ${{ inputs.tags }})"
+          issue-body: >
+            Please approve or deny ${{ inputs.environment }} environment provisioning
+            initiated from GitHub Actions by @${{ github.actor }}.
+
+          exclude-workflow-initiator-as-approver: false
+
   provision:
+    needs: approve
     runs-on:
       - self-hosted
       - ${{ inputs.environment }}
@@ -41,11 +60,9 @@ jobs:
       - name: Set variables for ansible
         id: ansible-variables
         run: |
-          JSON_WITH_NEWLINES=$(cat<<EOF
-            ${{ toJSON(env) }}
-          EOF)
-          JSON_WITHOUT_NEWLINES=$(echo $JSON_WITH_NEWLINES | jq -R -c .)
-          echo "EXTRA_VARS=$JSON_WITHOUT_NEWLINES" >> $GITHUB_OUTPUT
+          echo '${{ toJSON(env) }}' > tmp_vars.json
+          JSON_WITHOUT_EMPTY=$(jq -c 'with_entries(select(.value | type == "string" and length > 0))' tmp_vars.json | jq -R )
+          echo "EXTRA_VARS=$JSON_WITHOUT_EMPTY" >> $GITHUB_OUTPUT
         env:
           encrypted_disk_size: ${{ vars.DISK_SPACE }}
           disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }}
@@ -54,6 +71,14 @@ jobs:
           k8s_cluster_env: ${{ inputs.environment }}
           docker_username: ${{ secrets.DOCKER_USERNAME }}
           docker_password: ${{ secrets.DOCKER_TOKEN }}
+          smtp_host: ${{ secrets.SMTP_HOST }}
+          smtp_port: ${{ secrets.SMTP_PORT }}
+          smtp_user: ${{ secrets.SMTP_USERNAME }}
+          smtp_secure: ${{ secrets.SMTP_SECURE }}
+          # FIXME: Make this field configurable via secrets
+          smtp_from: "[email protected]"
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+          alert_email: ${{ secrets.ALERT_EMAIL }}
       - name: checkout repository
         uses: actions/checkout@v5
       - name: Run Ansible Playbook
@@ -65,7 +90,7 @@ jobs:
         with:
           requirements: galaxy-requirements.yml
           playbook: playbook.yml
-          directory: ./infrastructure-k8s/server-setup
+          directory: ./infrastructure/server-setup
           # Add --verbose to get more output
           options: |-
             --inventory inventory/${{ inputs.environment }}.yml

.github/workflows/provision.yml

@@ -126,8 +126,8 @@ jobs:
         run: |
           cd ${{ github.event.repository.name }}
           echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
+          sed -i -e '$a\' ./infrastructure-swarm/known-hosts
+          cat ./infrastructure-swarm/known-hosts >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
 
       - name: Install SSH Key
@@ -153,7 +153,7 @@ jobs:
       - name: Check if backup environment if configured in inventory file
         if: needs.get-backup-ssh-key.outputs.environment_exists != 'true'
         run: |
-          FILE=./${{ github.event.repository.name }}/infrastructure/server-setup/inventory/${{ github.event.inputs.environment }}.yml
+          FILE=./${{ github.event.repository.name }}/infrastructure-swarm/server-setup/inventory/${{ github.event.inputs.environment }}.yml
           if grep -q '^[[:blank:]]*backups:[[:blank:]]*$' "$FILE"; then
             echo "Your inventory contains configuration for either a backup target or backup source."
             echo "If you are upgrading OpenCRVS, please start by running environment creator script for the backup server"
@@ -173,7 +173,7 @@ jobs:
           ANSIBLE_SSH_RETRIES: 5
         with:
           playbook: playbook.yml
-          directory: ${{ github.event.repository.name }}/infrastructure/server-setup
+          directory: ${{ github.event.repository.name }}/infrastructure-swarm/server-setup
           options: |
             --verbose
             --inventory inventory/${{ github.event.inputs.environment }}.yml

.github/workflows/reindex.yml

@@ -45,8 +45,8 @@ jobs:
         run: |
           cd ${{ github.event.repository.name }}
           echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
+          sed -i -e '$a\' ./infrastructure-swarm/known-hosts
+          cat ./infrastructure-swarm/known-hosts >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
 
       - name: Install SSH Key
@@ -59,7 +59,7 @@ jobs:
         run: |
           ssh -p ${{ vars.SSH_PORT }} ${{ secrets.SSH_USER }}@${{ vars.SSH_HOST }} ${{ vars.SSH_ARGS }} "
             docker run --rm \
-              -v /opt/opencrvs/infrastructure/deployment:/workspace \
+              -v /opt/opencrvs/infrastructure-swarm/deployment:/workspace \
               -w /workspace \
               -e 'AUTH_URL=http://auth.${{ inputs.stack }}_app_net:4040/' \
               -e 'EVENTS_URL=http://events.${{ inputs.stack }}_app_net:5555/' \

.github/workflows/reset-2fa.yml

@@ -1,51 +1,62 @@
 name: Reset 2FA
-run-name: Reset 2FA from user ${{ github.event.inputs.user }} in ${{ github.event.inputs.environment }}
+run-name: Reset 2FA from user ${{ inputs.user }} in ${{ inputs.environment }}
 on:
   workflow_dispatch:
     inputs:
       user:
         description: User to remove 2FA from
+        type: string
         required: true
       environment:
         type: choice
-        description: Machine to provision
-        default: qa
+        description: Infrastructure to provision
+        default: "e2e"
         required: true
         options:
-          - development
-          - staging
-          - qa
-          - production
-          - backup
+          - "e2e"
 
 jobs:
-  reset:
-    environment: ${{ github.event.inputs.environment }}
+  approve:
+    environment: ${{ inputs.environment }}
     runs-on: ubuntu-24.04
-    outputs:
-      outcome: ${{ steps.deploy.outcome }}
     timeout-minutes: 60
     steps:
-      - name: Clone country config resource package
-        uses: actions/checkout@v3
+      - name: Waiting for manual approval
+        if: ${{ (vars.APPROVAL_REQUIRED || 'false') == 'true' }}
+        uses: trstringer/manual-approval@v1
         with:
-          fetch-depth: 1
-          path: './${{ github.event.repository.name }}'
+          secret: ${{ github.TOKEN }}
+          approvers: ${{ vars.GH_APPROVERS }}
+          minimum-approvals: 1
+          issue-title: "Reset 2FA from user ${{ inputs.user }} in ${{ inputs.environment }}"
+          issue-body: >
+            Please approve or deny Reset 2FA from user ${{ inputs.user }} in 
+            ${{ inputs.environment }} initiated from GitHub Actions by @${{ github.actor }}.
 
-      - name: Read known hosts
-        run: |
-          cd ${{ github.event.repository.name }}
-          echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
+          exclude-workflow-initiator-as-approver: false
 
-      - name: Install SSH Key
-        uses: shimataro/ssh-key-action@v2
+  reset:
+    needs: approve
+    environment: ${{ inputs.environment }}
+    runs-on:
+      - self-hosted
+      - ${{ inputs.environment }}
+      - node
+    timeout-minutes: 60
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v5
+      - name: Run Ansible Playbook
+        uses: dawidd6/action-ansible-playbook@v4
+        env:
+          ANSIBLE_PERSISTENT_COMMAND_TIMEOUT: 10
+          ANSIBLE_SSH_TIMEOUT: 10
+          ANSIBLE_SSH_RETRIES: 5
         with:
-          key: ${{ secrets.SSH_KEY }}
-          known_hosts: ${{ env.KNOWN_HOSTS }}
-
-      - name: Remove 2FA
-        run: |
-          ssh ${{ secrets.SSH_USER }}@${{ vars.SSH_HOST || secrets.SSH_HOST }} -p ${{ vars.SSH_PORT || secrets.SSH_PORT }} ${{ vars.SSH_ARGS }} "sudo rm /home/${{ github.event.inputs.user }}/.google_authenticator"
+          requirements: galaxy-requirements.yml
+          playbook: reset-2fa.yml
+          directory: ./infrastructure/server-setup
+          # Add --verbose to get more output
+          options: |-
+            --inventory inventory/${{ inputs.environment }}.yml
+            --extra-vars user=${{ inputs.user }}

.github/workflows/restart-droplet.yml

@@ -41,8 +41,8 @@ jobs:
         run: |
           cd ${{ github.event.repository.name }}
           echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
+          sed -i -e '$a\' ./infrastructure-swarm/known-hosts
+          cat ./infrastructure-swarm/known-hosts >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
 
       - name: Install SSH Key
@@ -71,7 +71,7 @@ jobs:
           ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}
         run: |
           ssh $SSH_USER@$SSH_HOST $ "
-            sudo /opt/opencrvs/dependencies/infrastructure/cryptfs/mount.sh -p $ENCRYPTION_KEY"
+            sudo /opt/opencrvs/dependencies/infrastructure-swarm/cryptfs/mount.sh -p $ENCRYPTION_KEY"
 
           ssh $SSH_USER@$SSH_HOST $SSH_ARGS "
             sudo service docker restart"

.github/workflows/seed-data.yml

@@ -45,8 +45,8 @@ jobs:
         run: |
           cd ${{ github.event.repository.name }}
           echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
-          sed -i -e '$a\' ./infrastructure/known-hosts
-          cat ./infrastructure/known-hosts >> $GITHUB_ENV
+          sed -i -e '$a\' ./infrastructure-swarm/known-hosts
+          cat ./infrastructure-swarm/known-hosts >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
 
       - name: Install SSH Key
@@ -86,12 +86,12 @@ jobs:
             MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD \
             POSTGRES_USER=$POSTGRES_USER \
             POSTGRES_PASSWORD=$POSTGRES_PASSWORD \
-            /opt/opencrvs/${{ inputs.stack }}/infrastructure/clear-all-data.sh $REPLICAS ${{ inputs.stack }}"
+            /opt/opencrvs/${{ inputs.stack }}/infrastructure-swarm/clear-all-data.sh $REPLICAS ${{ inputs.stack }}"
 
           echo "Running migrations..."
           echo
           ssh -p $SSH_PORT $SSH_USER@$SSH_HOST $SSH_ARGS "
-              /opt/opencrvs/${{ inputs.stack }}/infrastructure/run-migrations.sh ${{ inputs.stack }}"
+              /opt/opencrvs/${{ inputs.stack }}/infrastructure-swarm/run-migrations.sh ${{ inputs.stack }}"
 
       - name: Pull the seed-data image
         run: docker pull ghcr.io/opencrvs/ocrvs-data-seeder:${{ inputs.core-image-tag }}