testing

Author: adskyiproger

.github/workflows/deploy-dependencies.yml

@@ -9,9 +9,7 @@ on:
         default: "dev"
         type: choice
         options:
-          - demo
-          - dev
-          - dev-stg
+          - ""
 jobs:
   github-to-k8s-sync-env:
     uses: ./.github/workflows/github-to-k8s-sync-env.yml

.github/workflows/deploy-mosip.yml

@@ -0,0 +1,52 @@
+name: Deploy MOSIP
+run-name: "Deploy MOSIP on ${{ inputs.environment }}"
+on:
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - demo
+          - dev
+          - dev-stg
+jobs:
+  github-to-k8s-sync-env:
+    uses: ./.github/workflows/github-to-k8s-sync-env.yml
+    with:
+      environment: ${{ inputs.environment }}
+    secrets: inherit
+  deploy:
+    needs: github-to-k8s-sync-env
+    environment: ${{ inputs.environment }}
+    env:
+      ENV: ${{ inputs.environment }}
+      BRANCH: ${{ github.ref_name }}
+    runs-on:
+      - self-hosted
+      - k8s
+      - ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Deploy OpenCRVS MOSIP API
+        if: inputs.deploy_mosip
+        run: |
+          helm upgrade --install mosip-api oci://ghcr.io/opencrvs/opencrvs-mosip \
+          --namespace "opencrvs-${ENV}" \
+          -f environments/${ENV}/mosip-api/values.yaml \
+          --set hostname=${{ vars.DOMAIN }} \
+          --create-namespace \
+          --atomic
+      - name: Cleanup Helm Locks
+        if: failure() || cancelled()
+        run: |
+          kubectl -n "opencrvs-${ENV}" get secrets -l owner=helm -o json | \
+          jq -r '.items[] | select(.metadata.labels.status=="pending-install" or .metadata.labels.status=="pending-upgrade") | .metadata.name' | \
+          xargs -r kubectl -n "opencrvs-${ENV}" delete secret || \
+          echo "No helm locks found, all is good"

.github/workflows/deploy-opencrvs-with-approval.yml

@@ -0,0 +1,110 @@
+name: Deploy OpenCRVS (with approval)
+run-name: "Deploy OpenCRVS on ${{ inputs.environment }} (core: ${{ inputs.core-image-tag }}, country: ${{ inputs.countryconfig-image-tag }})"
+on:
+  workflow_call:
+    inputs:
+      core-image-tag:
+        type: string
+      countryconfig-image-tag:
+        type: string
+      environment:
+        type: string
+  workflow_dispatch:
+    inputs:
+      core-image-tag:
+        description: "Tag of the core image"
+        required: true
+        default: "v1.9.0-beta-1"
+      countryconfig-image-tag:
+        description: "Tag of the countryconfig image"
+        required: true
+        default: "v1.9.0-beta-1"
+      environment:
+        description: "Target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - demo1
+jobs:
+  approve:
+    uses: trstringer/manual-approval@v1
+    with:
+      secret: ${{ github.TOKEN }}
+      approvers: ${{ vars.DEPLOY_APPROVERS }} # comma separated list of GitHub usernames
+      minimum-approvals: 1
+      issue-title: 'Deploy (${{ github.event.inputs.environment }}): core: ${{ github.event.inputs.core-image-tag }} country config: ${{ github.event.inputs.countryconfig-image-tag }}'
+      issue-body: 'Please approve or deny the deployment of core: ${{ github.event.inputs.core-image-tag }} country config: ${{ github.event.inputs.countryconfig-image-tag }} to ${{ github.event.inputs.environment }}'
+      exclude-workflow-initiator-as-approver: false
+  github-to-k8s-sync-env:
+    uses: ./.github/workflows/github-to-k8s-sync-env.yml
+    with:
+      environment: ${{ inputs.environment }}
+    secrets: inherit
+  deploy:
+    needs: github-to-k8s-sync-env
+    environment: ${{ inputs.environment }}
+    env:
+      ENV: ${{ inputs.environment }}
+      BRANCH: ${{ github.ref_name }}
+      CORE_IMAGE_TAG: ${{ inputs.core-image-tag }}
+      COUNTRYCONFIG_IMAGE_TAG: ${{ inputs.countryconfig-image-tag }}
+      COUNTRYCONFIG_IMAGE_NAME: ${{ secrets.DOCKERHUB_ACCOUNT || 'opencrvs' }}/${{ secrets.DOCKERHUB_REPO || 'ocrvs-farajaland'}}
+    runs-on:
+      - self-hosted
+      - k8s
+      - ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Generate summary
+        env:
+          PUBLIC_DOMAIN: ${{ vars.DOMAIN }}
+        run: |
+          SUMMARY=$(cat <<EOF
+          ### Deployment Summary
+
+          | Key | Value |
+          |-----|-------|
+          | Environment URL | https://$PUBLIC_DOMAIN |
+          | Core image tag | \`${{ inputs.core-image-tag }}\` |
+          | Country config image | \`${{ inputs.countryconfig-image-tag }}\` |
+          | Branch name | \`${{ github.ref_name }}\` |
+          EOF
+          )
+          echo "$SUMMARY" | sed 's/^          //' >> $GITHUB_STEP_SUMMARY
+      - name: Create namespace
+        run: kubectl create namespace "opencrvs-${ENV}" || true
+      - name: Copy secrets from dependencies into application namespace
+        # Only redis secret for now needs to be copied
+        run: |
+          secrets=(
+            "redis-opencrvs-users"
+          )
+          for secret in "${secrets[@]}"; do
+            kubectl get secret $secret -n opencrvs-deps-${ENV} -o yaml \
+            | sed "s#namespace: opencrvs-deps-${ENV}#namespace: opencrvs-${ENV}#" \
+            | grep -vE 'resourceVersion|uid|creationTimestamp' \
+            | kubectl apply -n opencrvs-${ENV} -f - \
+            || echo "Secret $secret doesn't exist in opencrvs-deps-${ENV} namespace"
+          done
+      - name: Deploy with Helm
+        run: |
+          helm upgrade --install opencrvs oci://ghcr.io/opencrvs/opencrvs-services \
+            --timeout 15m \
+            --namespace "opencrvs-${ENV}" \
+            -f environments/${ENV}/opencrvs-services/values.yaml \
+            --create-namespace \
+            --atomic \
+            --wait \
+            --wait-for-jobs \
+            --set image.tag="$CORE_IMAGE_TAG" \
+            --set countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \
+            --set countryconfig.image.name="$COUNTRYCONFIG_IMAGE_NAME" \
+            --set hostname=${{ vars.DOMAIN }}
+      - name: Cleanup Helm Locks
+        if: failure() || cancelled()
+        run: |
+          kubectl -n "opencrvs-${ENV}" get secrets -l owner=helm -o json | \
+          jq -r '.items[] | select(.metadata.labels.status=="pending-install" or .metadata.labels.status=="pending-upgrade") | .metadata.name' | \
+          xargs -r kubectl -n "opencrvs-${ENV}" delete secret || \
+          echo "No helm locks found, all is good"

.github/workflows/deploy-opencrvs.yml

@@ -11,8 +11,6 @@ on:
         type: string
       reset:
         type: boolean
-      deploy_mosip:
-        type: boolean
   workflow_dispatch:
     inputs:
       core-image-tag:
@@ -29,19 +27,12 @@ on:
         default: "dev"
         type: choice
         options:
-          - demo
-          - dev
-          - dev-stg
+          - ""
       reset:
         description: "Reset environment after deploy"
         required: false
         default: false
         type: boolean
-      deploy_mosip:
-        description: "Deploy MOSIP integration"
-        required: false
-        default: false
-        type: boolean
 jobs:
   github-to-k8s-sync-env:
     uses: ./.github/workflows/github-to-k8s-sync-env.yml
@@ -86,15 +77,8 @@ jobs:
           EOF
           )
           echo "$SUMMARY" | sed 's/^          //' >> $GITHUB_STEP_SUMMARY
-      - name: Deploy OpenCRVS MOSIP API
-        if: inputs.deploy_mosip
-        run: |
-          helm upgrade --install mosip-api oci://ghcr.io/opencrvs/opencrvs-mosip \
-          --namespace "opencrvs-${ENV}" \
-          -f environments/${ENV}/mosip-api/values.yaml \
-          --set hostname=${{ vars.DOMAIN }} \
-          --create-namespace \
-          --atomic
+      - name: Create namespace
+        run: kubectl create namespace "opencrvs-${ENV}" || true
       - name: Copy secrets from dependencies into application namespace
         # Only redis secret for now needs to be copied
         run: |

.github/workflows/k8s-reindex.yml

@@ -9,9 +9,7 @@ on:
         default: "dev"
         type: choice
         options:
-          - demo
-          - dev
-          - dev-stg
+          - ""
   workflow_call:
     inputs:
       environment:

.github/workflows/k8s-reset-data.yml

@@ -14,9 +14,7 @@ on:
         default: "dev"
         type: choice
         options:
-          - demo
-          - dev
-          - dev-stg
+          - ""
   workflow_call:
     inputs:
       environment:

.github/workflows/k8s-seed-data.yml

@@ -9,9 +9,7 @@ on:
         default: "dev"
         type: choice
         options:
-          - demo
-          - dev
-          - dev-stg
+          - demo-prod
   workflow_call:
     inputs:
       environment:
@@ -42,16 +40,13 @@ jobs:
             ' > ${namespace}.json
       - name: Seeding data
         run: |
-          kubectl delete job -n opencrvs-${ENV} data-seed || true
-          kubectl delete pod -n opencrvs-${ENV} -lapp=events;
-          sleep 30;
-          kubectl wait --for=condition=ready pod -n opencrvs-${ENV} -lapp=events;
+          kubectl delete job --wait -n ${namespace} data-seed || true
           helm template -f ${namespace}.json \
               --set data_seed.enabled=true \
-              --namespace opencrvs-${ENV} \
+              --namespace ${namespace} \
               -s templates/data-seed-job.yaml \
-              oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply -n opencrvs-${ENV} -f -
-          sleep 30;
-          kubectl logs job/data-seed -f -n opencrvs-${ENV} || true
-          kubectl wait --for=condition=complete job/data-seed -n opencrvs-${ENV} --timeout=600s;
-          kubectl delete pod -n opencrvs-${ENV} -lapp=events;
+              oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply -n ${namespace} --wait --timeout=600s -f -
+          kubectl get pods -n ${namespace} -lapp=data-seed
+          kubectl wait --for=condition=Complete job/data-seed -n ${namespace} --timeout=600s; RES=$?
+          kubectl logs job/data-seed -f -n ${namespace}
+          exit $RES

.github/workflows/provision.md

@@ -9,8 +9,7 @@ on:
         default: 'demo'
         type: choice
         options:
-          - dev
-          - demo
+          - ""
       tags:
         description: 'Tags to apply to the provisioned resources'
         required: true
@@ -27,8 +26,7 @@ on:
           - decrypt-on-boot
           - checks
           - containerd-setup
-          - kubernetes-installation
-          - join-workers
+          - k8s
           - system-preparation
 jobs:
   provision:
@@ -62,7 +60,6 @@ jobs:
           smtp_from: "[email protected]"
           smtp_password: ${{ secrets.SMTP_PASSWORD }}
           alert_email: ${{ secrets.ALERT_EMAIL }}
-
       - name: checkout repository
         uses: actions/checkout@v5
       - name: Run Ansible Playbook