chore: adding wl identity Pidm-487

.github/workflows/04h_deploy_with_github_runner.yml

@@ -7,6 +7,10 @@ on:
         required: true
         description: The name of the environment where to deploy
         type: string
+      branch:
+        required: false
+        default: ${{ github.ref_name }}
+        type: string
       target:
         required: true
         description: The environment target of the job
@@ -33,30 +37,8 @@ permissions:
   contents: read
 
 jobs:
-  create_runner:
-    name: Create Runner
-    runs-on: ubuntu-22.04
-    environment:
-      name: ${{ inputs.environment }}
-    if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }}
-    outputs:
-      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
-    steps:
-      - name: Create GitHub Runner
-        id: create_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
-        with:
-          client_id: ${{ secrets.CLIENT_ID }}
-          tenant_id: ${{ secrets.TENANT_ID }}
-          subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
-          container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }}
-          resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner
-          pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
-
   deploy:
-    needs: [ create_runner ]
-    runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ]
+    runs-on: [ self-hosted-job, "${{ inputs.environment }}" ]
     if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }}
     name: Deploy on AKS
     environment: ${{ inputs.environment }}
@@ -65,7 +47,7 @@ jobs:
         id: helm_generation
         shell: bash
         run: |
-          HELM_ARGS="--debug --wait --timeout 5m0s"
+          HELM_ARGS="--debug --wait --timeout 15m0s --set microservice-chart.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}} --set postgresql.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}} --set postgresql-nexi.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}} --set oracle.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}}"
           if ${USE_POSTGRES}; then
             HELM_ARGS="$HELM_ARGS --set postgresql.forceRedeploy=true --set postgresql.enabled=true"
           fi
@@ -84,7 +66,7 @@ jobs:
       - name: Deploy
         uses: pagopa/github-actions-template/aks-deploy@main
         with:
-          branch: ${{ github.ref_name }}
+          branch: ${{ inputs.branch }}
           client_id: ${{ secrets.CLIENT_ID }}
           subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
           tenant_id: ${{ secrets.TENANT_ID }}
@@ -94,22 +76,3 @@ jobs:
           resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }}
           app_name: ${{ env.APP_NAME }}
           helm_upgrade_options: ${{ steps.helm_generation.outputs.helm_args }}
-
-  cleanup_runner:
-    name: Cleanup Runner
-    needs: [ create_runner, deploy ]
-    if: ${{ success() || failure() && inputs.target == inputs.environment || inputs.target == 'all' }}
-    runs-on: ubuntu-22.04
-    environment: ${{ inputs.environment }}
-    steps:
-      - name: Cleanup GitHub Runner
-        id: cleanup_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a
-        with:
-          client_id: ${{ secrets.CLIENT_ID }}
-          tenant_id: ${{ secrets.TENANT_ID }}
-          subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
-          resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
-          runner_name: ${{ needs.create_runner.outputs.runner_name }}
-          pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}

.identity/00_data.tf

@@ -40,3 +40,13 @@ data "azurerm_key_vault_secret" "key_vault_slack_webhook_url" {
 data "azurerm_resource_group" "app_rg" {
   name  = "pagopa-${var.env_short}-api-config-rg"
 }
+
+data "azurerm_user_assigned_identity" "workload_identity_clientid" {
+  name                = "apiconfig-workload-identity"
+  resource_group_name = "pagopa-${var.env_short}-${local.location_short}-${var.env}-aks-rg"
+}
+
+data "azurerm_user_assigned_identity" "identity_cd_01" {
+  resource_group_name = "${local.product}-identity-rg"
+  name                = "${local.product}-${local.domain}-job-01-github-cd-identity"
+}

.identity/03_github_environment.tf

@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CLIENT_ID" : module.github_runner_app.application_id,
+    "CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
   }
@@ -32,6 +32,7 @@ locals {
     "CLUSTER_RESOURCE_GROUP" : local.aks_cluster.resource_group_name,
     "DOMAIN" : local.domain,
     "NAMESPACE" : local.domain,
+    "WORKLOAD_IDENTITY_ID": data.azurerm_user_assigned_identity.workload_identity_clientid.client_id
   }
   repo_secrets = {
     "SONAR_TOKEN" : data.azurerm_key_vault_secret.key_vault_sonar.value,

.identity/99_main.tf

@@ -4,11 +4,11 @@ terraform {
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
-      version = "2.30.0"
+      version = "~> 2.53"
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.45.0"
+      version = "~> 3.117"
     }
     github = {
       source  = "integrations/github"

helm/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: microservice-chart
   repository: https://pagopa.github.io/aks-microservice-chart-blueprint
-  version: 3.0.0
+  version: 7.5.0
 - name: microservice-chart
   repository: https://pagopa.github.io/aks-microservice-chart-blueprint
-  version: 3.0.0
+  version: 7.5.0
 - name: microservice-chart
   repository: https://pagopa.github.io/aks-microservice-chart-blueprint
-  version: 3.0.0
-digest: sha256:ee7bbc6340aff59d4886edd5f41d1f65f20659969359927a6151001b263c3512
-generated: "2024-03-14T11:50:54.060245+01:00"
+  version: 7.5.0
+digest: sha256:0ba2d3153400e4efc93c37fa7d978b51d6cee38f36523325eee3b173cceb3667
+generated: "2025-05-14T14:42:56.754755+02:00"

helm/Chart.yaml

@@ -2,21 +2,21 @@ apiVersion: v2
 name: apiconfig-testing-support
 description: Microservice that handles tests about Nodo dei Pagamenti
 type: application
-version: 0.16.0
-appVersion: 0.0.2
+version: 0.22.0
+appVersion: 0.0.2-6-PIDM-487
 dependencies:
   - name: microservice-chart
-    version: 3.0.0
+    version: 7.5.0
     repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
     alias: postgresql
     condition: postgresql.enabled
   - name: microservice-chart
-    version: 3.0.0
+    version: 7.5.0
     repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
     alias: postgresql-nexi
     condition: postgresql-nexi.enabled
   - name: microservice-chart
-    version: 3.0.0
+    version: 7.5.0
     repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
     alias: oracle
     condition: oracle.enabled

helm/values-dev.yaml

@@ -4,24 +4,25 @@ microservice-chart: &microservice-chart
   fullnameOverride: ""
   image:
     repository: ghcr.io/pagopa/pagopa-api-config-testing-support
-    tag: "0.0.2"
+    tag: "0.0.2-6-PIDM-487"
     pullPolicy: Always
   livenessProbe:
     httpGet:
       path: /actuator/health/liveness
       port: 8080
-    initialDelaySeconds: 90
+    initialDelaySeconds: 120
     failureThreshold: 6
     periodSeconds: 10
   readinessProbe:
     httpGet:
       path: /actuator/health/readiness
       port: 8080
-    initialDelaySeconds: 90
+    initialDelaySeconds: 120
     failureThreshold: 6
     periodSeconds: 10
   deployment:
     create: true
+    replicas: 1
   service:
     create: true
     type: ClusterIP
@@ -33,9 +34,9 @@ microservice-chart: &microservice-chart
     #    path: /api-config-testing-support/(.*)
     servicePort: 8080
   serviceAccount:
-    create: false
-    annotations: {}
-    name: ""
+    name: "apiconfig-workload-identity"
+  azure:
+    workloadIdentityClientId: <workload-identity-client-id-set-automatically-by-gha>
   podAnnotations: {}
   podSecurityContext:
     seccompProfile:
@@ -45,27 +46,27 @@ microservice-chart: &microservice-chart
   resources:
     requests:
       memory: "400Mi"
-      cpu: "0.2"
+      cpu: "0.25"
     limits:
       memory: "640Mi"
-      cpu: "0.25"
+      cpu: "0.3"
   autoscaling:
-    enable: true
-    minReplica: 1
-    maxReplica: 3
-    pollingInterval: 10 # seconds
-    cooldownPeriod: 50 # seconds
-    triggers:
-      - type: cpu
-        metadata:
-          # Required
-          type: Utilization # Allowed types are 'Utilization' or 'AverageValue'
-          value: "75"
-      - type: memory
-        metadata:
-          # Required
-          type: Utilization # Allowed types are 'Utilization' or 'AverageValue'
-          value: "75"
+    enable: false
+    #    minReplica: 1
+    #    maxReplica: 3
+    #    pollingInterval: 10 # seconds
+    #    cooldownPeriod: 50 # seconds
+    #    triggers:
+    #      - type: cpu
+    #        metadata:
+    #          # Required
+    #          type: Utilization # Allowed types are 'Utilization' or 'AverageValue'
+    #          value: "75"
+    #      - type: memory
+    #        metadata:
+    #          # Required
+    #          type: Utilization # Allowed types are 'Utilization' or 'AverageValue'
+    #          value: "75"
   envConfig: &envConfig
     #    WEBSITE_SITE_NAME: 'pagopa-api-config-testing-support'
     ENV: 'dev'
@@ -84,16 +85,14 @@ microservice-chart: &microservice-chart
     #    DB_CONFIG_USER: "NODO4_CFG"
     #    DB_CONFIG_DRIVER: "oracle.jdbc.OracleDriver"
     #    HEALTHCHECK_QUERY: "select 1 from DUAL"
-  secretProvider: &azureSecretProvider
-    create: true
-    envSecrets: &envSecret
-      # required
-      APPLICATIONINSIGHTS_CONNECTION_STRING: 'ai-d-connection-string'
-      OTEL_AUTH_BEARER: "otel-auth-bearer"
-      #      DB_CONFIG_PASSWORD: 'oracle-db-cfg-password'
-    keyvault:
-      name: "pagopa-d-apiconfig-kv"
-      tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d"
+  envSecret: &envSecret
+    # required
+    APPLICATIONINSIGHTS_CONNECTION_STRING: 'ai-d-connection-string'
+    OTEL_AUTH_BEARER: "otel-auth-bearer"
+    #      DB_CONFIG_PASSWORD: 'oracle-db-cfg-password'
+  keyvault:
+    name: "pagopa-d-apiconfig-kv"
+    tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d"
   tmpVolumeMount:
     create: true
   affinity:
@@ -112,53 +111,53 @@ postgresql:
   !!merge <<: *microservice-chart
   ingress:
     !!merge <<: *ingress
-    path: /api-config-testing-support/p(/|$)(.*)
+    path: /api-config-testing-support/p/(.*)
   envConfig:
     !!merge <<: *envConfig
     WEBSITE_SITE_NAME: 'pagopa-api-config-postgres-testing-support'
     OTEL_SERVICE_NAME: "pagopa-api-config-postgres-testing-support"
-    DB_CONFIG_URL: "jdbc:postgresql://ndp.d.db-nodo-pagamenti.com:6432/nodo?sslmode=require&prepareThreshold=0&currentSchema=cfg"
+    DB_CONFIG_URL: "jdbc:postgresql://ndp.d.db-nodo-pagamenti.com:5432/nodo?sslmode=require&prepareThreshold=0&currentSchema=cfg"
     DB_CONFIG_USER: "cfg"
     DB_CONFIG_DRIVER: "org.postgresql.Driver"
     HEALTHCHECK_QUERY: "select 1"
-  secretProvider:
-    !!merge <<: *azureSecretProvider
-    envSecrets:
-      !!merge <<: *envSecret
-      DB_CONFIG_PASSWORD: "postgresql-db-cfg-password"
+  envSecret:
+    !!merge <<: *envSecret
+    DB_CONFIG_PASSWORD: "postgresql-db-cfg-password"
 postgresql-nexi:
-  !!merge <<: *microservice-chart
-  ingress:
-    !!merge <<: *ingress
-    path: /api-config-testing-support/pnexi(/|$)(.*)
-  envConfig:
-    !!merge <<: *envConfig
-    WEBSITE_SITE_NAME: 'pagopa-api-config-postgres-nexi-testing-support'
-    OTEL_SERVICE_NAME: "pagopa-api-config-postgres-nexi-testing-support"
-    DB_CONFIG_URL: "jdbc:postgresql://db-postgres-ndp.d.db-nodo-pagamenti.com:5444/ndpspct?prepareThreshold=0&currentSchema=NODO4_CFG"
-    DB_CONFIG_USER: "pp_nodo4_cfg"
-    DB_CONFIG_DRIVER: "org.postgresql.Driver"
-    HEALTHCHECK_QUERY: "select 1"
-  secretProvider:
-    !!merge <<: *azureSecretProvider
-    envSecrets:
-      !!merge <<: *envSecret
-      DB_CONFIG_PASSWORD: "db-cfg-password"
+  enabled: false
+#  !!merge <<: *microservice-chart
+#  ingress:
+#    !!merge <<: *ingress
+#    path: /api-config-testing-support/pnexi(/|$)(.*)
+#  envConfig:
+#    !!merge <<: *envConfig
+#    WEBSITE_SITE_NAME: 'pagopa-api-config-postgres-nexi-testing-support'
+#    OTEL_SERVICE_NAME: "pagopa-api-config-postgres-nexi-testing-support"
+#    DB_CONFIG_URL: "jdbc:postgresql://db-postgres-ndp.d.db-nodo-pagamenti.com:5444/ndpspct?prepareThreshold=0&currentSchema=NODO4_CFG"
+#    DB_CONFIG_USER: "pp_nodo4_cfg"
+#    DB_CONFIG_DRIVER: "org.postgresql.Driver"
+#    HEALTHCHECK_QUERY: "select 1"
+#  secretProvider:
+#    !!merge <<: *azureSecretProvider
+#    envSecrets:
+#      !!merge <<: *envSecret
+#      DB_CONFIG_PASSWORD: "db-cfg-password"
 oracle:
-  !!merge <<: *microservice-chart
-  ingress:
-    !!merge <<: *ingress
-    path: /api-config-testing-support/o(/|$)(.*)
-  envConfig:
-    !!merge <<: *envConfig
-    WEBSITE_SITE_NAME: 'pagopa-api-config-oracle-testing-support'
-    OTEL_SERVICE_NAME: "pagopa-api-config-oracle-testing-support"
-    DB_CONFIG_URL: "jdbc:oracle:thin:@(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS=(PROTOCOL=tcp)(PORT=1522)(HOST=db-nodo-pagamenti.d.db-nodo-pagamenti.com))(CONNECT_DATA=(SERVICE_NAME=NDPSPCT_PP_NODO4_CFG))(SO_KEEPALIVE=true)(TCP_KEEPIDLE=60)(TCP_KEEPINTVL=30)(TCP_KEEPCNT=15))"
-    DB_CONFIG_USER: "NODO4_CFG"
-    DB_CONFIG_DRIVER: "oracle.jdbc.OracleDriver"
-    HEALTHCHECK_QUERY: "select 1 from DUAL"
-  secretProvider:
-    !!merge <<: *azureSecretProvider
-    envSecrets:
-      !!merge <<: *envSecret
-      DB_CONFIG_PASSWORD: 'oracle-db-cfg-password'
+  enabled: false
+#  !!merge <<: *microservice-chart
+#  ingress:
+#    !!merge <<: *ingress
+#    path: /api-config-testing-support/o(/|$)(.*)
+#  envConfig:
+#    !!merge <<: *envConfig
+#    WEBSITE_SITE_NAME: 'pagopa-api-config-oracle-testing-support'
+#    OTEL_SERVICE_NAME: "pagopa-api-config-oracle-testing-support"
+#    DB_CONFIG_URL: "jdbc:oracle:thin:@(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS=(PROTOCOL=tcp)(PORT=1522)(HOST=db-nodo-pagamenti.d.db-nodo-pagamenti.com))(CONNECT_DATA=(SERVICE_NAME=NDPSPCT_PP_NODO4_CFG))(SO_KEEPALIVE=true)(TCP_KEEPIDLE=60)(TCP_KEEPINTVL=30)(TCP_KEEPCNT=15))"
+#    DB_CONFIG_USER: "NODO4_CFG"
+#    DB_CONFIG_DRIVER: "oracle.jdbc.OracleDriver"
+#    HEALTHCHECK_QUERY: "select 1 from DUAL"
+#  secretProvider:
+#    !!merge <<: *azureSecretProvider
+#    envSecrets:
+#      !!merge <<: *envSecret
+#      DB_CONFIG_PASSWORD: 'oracle-db-cfg-password'

helm/values-prod.yaml

@@ -101,6 +101,6 @@
 #    create: false
 microservice-chart:
   image:
-    tag: 0.0.2
+    tag: 0.0.2-6-PIDM-487
   canaryDelivery:
     create: false