TEsting

Author: adskyiproger

.github/workflows/deploy-opencrvs-with-approval.yml

@@ -0,0 +1,110 @@
+name: Deploy OpenCRVS (with approval)
+run-name: "Deploy OpenCRVS on ${{ inputs.environment }} (core: ${{ inputs.core-image-tag }}, country: ${{ inputs.countryconfig-image-tag }})"
+on:
+  workflow_call:
+    inputs:
+      core-image-tag:
+        type: string
+      countryconfig-image-tag:
+        type: string
+      environment:
+        type: string
+  workflow_dispatch:
+    inputs:
+      core-image-tag:
+        description: "Tag of the core image"
+        required: true
+        default: "v1.9.0-beta-1"
+      countryconfig-image-tag:
+        description: "Tag of the countryconfig image"
+        required: true
+        default: "v1.9.0-beta-1"
+      environment:
+        description: "Target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - demo1
+jobs:
+  approve:
+    uses: trstringer/manual-approval@v1
+    with:
+      secret: ${{ github.TOKEN }}
+      approvers: ${{ vars.DEPLOY_APPROVERS }} # comma separated list of GitHub usernames
+      minimum-approvals: 1
+      issue-title: 'Deploy (${{ github.event.inputs.environment }}): core: ${{ github.event.inputs.core-image-tag }} country config: ${{ github.event.inputs.countryconfig-image-tag }}'
+      issue-body: 'Please approve or deny the deployment of core: ${{ github.event.inputs.core-image-tag }} country config: ${{ github.event.inputs.countryconfig-image-tag }} to ${{ github.event.inputs.environment }}'
+      exclude-workflow-initiator-as-approver: false
+  github-to-k8s-sync-env:
+    uses: ./.github/workflows/github-to-k8s-sync-env.yml
+    with:
+      environment: ${{ inputs.environment }}
+    secrets: inherit
+  deploy:
+    needs: github-to-k8s-sync-env
+    environment: ${{ inputs.environment }}
+    env:
+      ENV: ${{ inputs.environment }}
+      BRANCH: ${{ github.ref_name }}
+      CORE_IMAGE_TAG: ${{ inputs.core-image-tag }}
+      COUNTRYCONFIG_IMAGE_TAG: ${{ inputs.countryconfig-image-tag }}
+      COUNTRYCONFIG_IMAGE_NAME: ${{ secrets.DOCKERHUB_ACCOUNT || 'opencrvs' }}/${{ secrets.DOCKERHUB_REPO || 'ocrvs-farajaland'}}
+    runs-on:
+      - self-hosted
+      - k8s
+      - ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Generate summary
+        env:
+          PUBLIC_DOMAIN: ${{ vars.DOMAIN }}
+        run: |
+          SUMMARY=$(cat <<EOF
+          ### Deployment Summary
+
+          | Key | Value |
+          |-----|-------|
+          | Environment URL | https://$PUBLIC_DOMAIN |
+          | Core image tag | \`${{ inputs.core-image-tag }}\` |
+          | Country config image | \`${{ inputs.countryconfig-image-tag }}\` |
+          | Branch name | \`${{ github.ref_name }}\` |
+          EOF
+          )
+          echo "$SUMMARY" | sed 's/^          //' >> $GITHUB_STEP_SUMMARY
+      - name: Create namespace
+        run: kubectl create namespace "opencrvs-${ENV}" || true
+      - name: Copy secrets from dependencies into application namespace
+        # Only redis secret for now needs to be copied
+        run: |
+          secrets=(
+            "redis-opencrvs-users"
+          )
+          for secret in "${secrets[@]}"; do
+            kubectl get secret $secret -n opencrvs-deps-${ENV} -o yaml \
+            | sed "s#namespace: opencrvs-deps-${ENV}#namespace: opencrvs-${ENV}#" \
+            | grep -vE 'resourceVersion|uid|creationTimestamp' \
+            | kubectl apply -n opencrvs-${ENV} -f - \
+            || echo "Secret $secret doesn't exist in opencrvs-deps-${ENV} namespace"
+          done
+      - name: Deploy with Helm
+        run: |
+          helm upgrade --install opencrvs oci://ghcr.io/opencrvs/opencrvs-services \
+            --timeout 15m \
+            --namespace "opencrvs-${ENV}" \
+            -f environments/${ENV}/opencrvs-services/values.yaml \
+            --create-namespace \
+            --atomic \
+            --wait \
+            --wait-for-jobs \
+            --set image.tag="$CORE_IMAGE_TAG" \
+            --set countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \
+            --set countryconfig.image.name="$COUNTRYCONFIG_IMAGE_NAME" \
+            --set hostname=${{ vars.DOMAIN }}
+      - name: Cleanup Helm Locks
+        if: failure() || cancelled()
+        run: |
+          kubectl -n "opencrvs-${ENV}" get secrets -l owner=helm -o json | \
+          jq -r '.items[] | select(.metadata.labels.status=="pending-install" or .metadata.labels.status=="pending-upgrade") | .metadata.name' | \
+          xargs -r kubectl -n "opencrvs-${ENV}" delete secret || \
+          echo "No helm locks found, all is good"

.github/workflows/k8s-seed-data.yml

@@ -49,17 +49,17 @@ jobs:
                 -s templates/data-seed-job.yaml \
                 oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply --wait -n ${namespace} -f -
 
-        - name: Checking data-seed job status
-          run: |
-            while true; do
-              kubectl wait --for=condition=ready pod -ljob-name=data-seed --timeout=300s -n ${namespace} && \
-              kubectl logs job/data-seed --all-containers -f -n ${namespace} && \
-              touch /tmp/logs_stramed-${namespace}-data-seed.txt  || break;
-              sleep 10; done &
-            echo "---------------------- Waiting for job completion ----------------------"
-            kubectl wait --for=condition=complete job/data-seed -n ${namespace} --timeout=600s; status=$? || true
-            [ $status -ne 0 ] && kubectl get pods -n ${namespace} --show-labels && kubectl describe pod -ljob-name=${job_name} -n ${namespace};
-            [ ! -f /tmp/logs_stramed-${namespace}-data-seed.txt ] && kubectl logs job/data-seed --all-containers -n ${namespace} || \
-              rm -vf /tmp/logs_stramed-${namespace}-data-seed.txt
-            kill %1 2>/dev/null && echo "Stopped log streaming" || true
-            exit $status
+      - name: Checking data-seed job status
+        run: |
+          while true; do
+            kubectl wait --for=condition=ready pod -ljob-name=data-seed --timeout=300s -n ${namespace} && \
+            kubectl logs job/data-seed --all-containers -f -n ${namespace} && \
+            touch /tmp/logs_stramed-${namespace}-data-seed.txt  || break;
+            sleep 10; done &
+          echo "---------------------- Waiting for job completion ----------------------"
+          kubectl wait --for=condition=complete job/data-seed -n ${namespace} --timeout=600s; status=$? || true
+          [ $status -ne 0 ] && kubectl get pods -n ${namespace} --show-labels && kubectl describe pod -ljob-name=${job_name} -n ${namespace};
+          [ ! -f /tmp/logs_stramed-${namespace}-data-seed.txt ] && kubectl logs job/data-seed --all-containers -n ${namespace} || \
+            rm -vf /tmp/logs_stramed-${namespace}-data-seed.txt
+          kill %1 2>/dev/null && echo "Stopped log streaming" || true
+          exit $status

.github/workflows/update-envs.yml

@@ -19,6 +19,7 @@ import {
 import { readFileSync, writeFileSync } from 'fs'
 import { error, info, log, success, warn } from './logger'
 import { generateInventory, copyChartsValues } from './templates'
+import { updateWorkflowEnvironments } from './update-workflows';
 
 const notEmpty = (value: string | number) =>
   value.toString().trim().length > 0 ? true : 'Please enter a value'
@@ -242,6 +243,17 @@ const githubQuestions = [
     validate: notEmpty,
     initial: process.env.GITHUB_REPOSITORY,
     scope: 'REPOSITORY' as const
+  },
+]
+const githubOtherQuestions = [
+  {
+    name: 'githubApprovers',
+    type: 'text' as const,
+    message: 'Please provide/update list of production approvers?',
+    initial: process.env.GH_APPROVERS,
+    valueType: 'VARIABLE' as const,
+    valueLabel: 'GH_APPROVERS',
+    scope: 'REPOSITORY' as const
   }
 ]
 const githubTokenQuestion = [
@@ -307,7 +319,7 @@ const countryQuestions = [
     type: 'text' as const,
     message:
       'What is the ISO 3166-1 alpha-3 country-code? (e.g. "NZL" for New Zealand) Reference: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3',
-    valueType: 'VARIABLE' as const,
+    valueType: 'SECRET' as const,
     valueLabel: 'COUNTRY',
     initial: process.env.COUNTRY,
     scope: 'REPOSITORY' as const
@@ -534,18 +546,6 @@ const emailQuestions = [
   }
 ]
 
-// const vpnHostQuestions = [
-//   {
-//     name: 'vpnAdminPassword',
-//     type: 'text' as const,
-//     message: `Admin password for Wireguard UI`,
-//     initial: generateLongPassword(),
-//     valueType: 'SECRET' as const,
-//     valueLabel: 'VPN_ADMIN_PASSWORD',
-//     scope: 'ENVIRONMENT' as const
-//   }
-// ]
-
 const sentryQuestions = [
   {
     name: 'sentryDsn',
@@ -719,15 +719,14 @@ const metabaseAdminQuestions = [
 
 ALL_QUESTIONS.push(
   ...githubTokenQuestion,
+  ...githubOtherQuestions,
   ...dockerhubQuestions,
   ...infrastructureQuestions,
   ...countryQuestions,
   ...databaseAndMonitoringQuestions,
   ...notificationTransportQuestions,
   ...smsQuestions,
   ...emailQuestions,
-  // TODO: remove vpn questions
-  // ...vpnHostQuestions,
   ...sentryQuestions,
   ...derivedVariables,
   ...metabaseAdminQuestions
@@ -743,10 +742,10 @@ ALL_QUESTIONS.push(
         scope: 'ENVIRONMENT' as const,
         message: 'Purpose for the environment?',
         choices: [
-          { title: 'Development/Quality assurance/Testing (no PII data)', value: 'non-prod' },
+          { title: 'Development/Quality assurance/Testing (no PII data)', value: 'non-production' },
           {
             title: 'Staging (hosts PII data, no backups)',
-            value: 'production'
+            value: 'staging'
           },
           {
             title: 'Production (hosts PII data, requires frequent backups)',
@@ -855,11 +854,15 @@ ALL_QUESTIONS.push(
   } else {
     log(kleur.green('\nSuccessfully logged in to Github\n'))
   }
+  if (environment_type === 'production') {
+    log('\n', kleur.yellow().bold(
+      'WARNING! You are setting up a production environment.\n Make sure you have read the deployment guide carefully before proceeding.\n'
+    ))
+    await promptAndStoreAnswer(environment, githubOtherQuestions, existingValues)
+  }
 
   log('\n', kleur.bold().underline('Docker Hub'))
-
   await promptAndStoreAnswer(environment, dockerhubQuestions, existingValues)
-
 
   log('\n', kleur.bold().underline('Kubernetes & Runtime'))
 
@@ -873,8 +876,10 @@ ALL_QUESTIONS.push(
     ? infrastructure.workerNodes.split(',').map((ip: string) => ip.trim())
     : []
   const backupHost = infrastructure.backupHost || ''
+  log('\n', kleur.bold().underline('Running configuration files updates'))
   generateInventory(environment, {worker_nodes: workerNodes, backup_host: backupHost, kube_api_host: infrastructure.kubeAPIHost})
-  copyChartsValues(environment, { env: environment})
+  copyChartsValues(environment, { env: environment, environment_type: environment_type })
+  await updateWorkflowEnvironments();
 
   log('\n', kleur.bold().underline('Databases & monitoring'))
   await promptAndStoreAnswer(

infrastructure/environments/setup-environment.ts

@@ -1,5 +1,7 @@
 storage_type: host_path
 
+environment_type: {{environment_type}}
+
 ingress:
   tls_resolver: letsencrypt
 

infrastructure/environments/templates/charts-values/dependencies/values.yaml

@@ -9,6 +9,8 @@
 ingress:
   tls_resolver: letsencrypt
 
+environment_type: {{environment_type}}
+
 hpa:
   enabled: false