Merge pull request #1 from test-zeus-ai/values-update-helm

Migrate traceviewer service to GKE

Author: secops-zeus

.github/workflows/deploy.yaml

@@ -0,0 +1,295 @@
+name: Build and Deploy
+
+on:
+  push:
+    branches:
+      - main-prod
+    paths:
+      - .github/workflows/deploy.yaml
+      - helm/**
+      - package.json
+      - package-lock.json
+      - packages/injected/**
+      - packages/playwright-core/**
+      - packages/protocol/**
+      - packages/trace/**
+      - packages/trace-viewer/**
+      - packages/web/**
+      - utils/build/**
+  workflow_dispatch:
+    inputs:
+      deploy_prod:
+        description: "Deploy to production"
+        required: true
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  SERVICE_NAME: traceviewer
+  APP_DIR: .
+  DOCKERFILE: packages/trace-viewer/Dockerfile
+  CHART_DIR: helm
+  GAR_LOCATION: ${{ vars.GAR_LOCATION }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      image_tag: ${{ steps.meta.outputs.image_tag }}
+      image_repo: ${{ steps.meta.outputs.image_repo }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ github.ref == 'refs/heads/main-prod' && secrets.GCP_WIF_PROVIDER_PROD || secrets.GCP_WIF_PROVIDER_DEV }}
+          service_account: ${{ github.ref == 'refs/heads/main-prod' && secrets.GCP_SA_PROD || secrets.GCP_SA_DEV }}
+          token_format: access_token
+
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+
+      - name: Login to GAR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Build image metadata
+        id: meta
+        run: |
+          IMAGE_TAG="${GITHUB_SHA}-${GITHUB_RUN_ATTEMPT}"
+          PROJECT_ID="${{ github.ref == 'refs/heads/main-prod' && vars.GCP_PROJECT_ID_PROD || vars.GCP_PROJECT_ID_DEV }}"
+          GAR_REPO="${{ github.ref == 'refs/heads/main-prod' && vars.GAR_DOCKER_REPOSITORY_PROD || vars.GAR_DOCKER_REPOSITORY_DEV }}"
+          IMAGE_REPO="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${GAR_REPO}/${SERVICE_NAME}"
+          echo "image_tag=${IMAGE_TAG}" >>"${GITHUB_OUTPUT}"
+          echo "image_repo=${IMAGE_REPO}" >>"${GITHUB_OUTPUT}"
+
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ env.APP_DIR }}
+          file: ${{ env.DOCKERFILE }}
+          push: true
+          tags: ${{ steps.meta.outputs.image_repo }}:${{ steps.meta.outputs.image_tag }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  helm4-compat:
+    if: github.ref == 'refs/heads/main-prod'
+    needs: build
+    runs-on: ubuntu-latest
+    env:
+      TARGET_ENV: ${{ github.ref == 'refs/heads/main-prod' && 'prod' || 'dev' }}
+      VALUES_FILE: ${{ github.ref == 'refs/heads/main-prod' && 'values-prod.yaml' || 'values-dev.yaml' }}
+      DEPLOY_NAMESPACE: ${{ github.ref == 'refs/heads/main-prod' && 'testzeus-prod' || 'testzeus-dev' }}
+      GKE_CLUSTER: ${{ github.ref == 'refs/heads/main-prod' && vars.GKE_PROD_CLUSTER || vars.GKE_DEV_CLUSTER }}
+      GKE_LOCATION: ${{ github.ref == 'refs/heads/main-prod' && vars.GKE_PROD_LOCATION || vars.GKE_DEV_LOCATION }}
+      GCP_PROJECT_ID: ${{ github.ref == 'refs/heads/main-prod' && vars.GCP_PROJECT_ID_PROD || vars.GCP_PROJECT_ID_DEV }}
+      GAR_HELM_REPOSITORY: ${{ github.ref == 'refs/heads/main-prod' && vars.GAR_HELM_REPOSITORY_PROD || vars.GAR_HELM_REPOSITORY_DEV }}
+      GCP_SA: ${{ github.ref == 'refs/heads/main-prod' && secrets.GCP_SA_PROD || secrets.GCP_SA_DEV }}
+      GCP_WIF_PROVIDER: ${{ github.ref == 'refs/heads/main-prod' && secrets.GCP_WIF_PROVIDER_PROD || secrets.GCP_WIF_PROVIDER_DEV }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm 4 (compat check)
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ env.GCP_WIF_PROVIDER }}
+          service_account: ${{ env.GCP_SA }}
+
+      - name: Get GKE credentials
+        uses: google-github-actions/get-gke-credentials@v2
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_LOCATION }}
+          project_id: ${{ env.GCP_PROJECT_ID }}
+
+      - name: Login Helm to GAR OCI registry
+        run: |
+          gcloud auth print-access-token | \
+            helm registry login -u oauth2accesstoken --password-stdin \
+            "${GAR_LOCATION}-docker.pkg.dev"
+
+      - name: Set Helm dependency repository (target env)
+        run: |
+          CHART_REPO="oci://${GAR_LOCATION}-docker.pkg.dev/${GCP_PROJECT_ID}/${GAR_HELM_REPOSITORY}"
+          sed -i "/- name: service-template/,/repository:/ s#repository: \".*\"#repository: \"${CHART_REPO}\"#" "${CHART_DIR}/Chart.yaml"
+
+      - name: Helm dependency update (Helm 4)
+        run: helm dependency update "${CHART_DIR}"
+
+      - name: Helm lint (Helm 4)
+        run: helm lint "${CHART_DIR}" -f "${CHART_DIR}/${VALUES_FILE}"
+
+      - name: Helm template render (Helm 4)
+        run: |
+          helm template "${SERVICE_NAME}-helm4-compat" "${CHART_DIR}" \
+            -f "${CHART_DIR}/${VALUES_FILE}" \
+            --set-string service-template.containers[0].image.repository=${{ needs.build.outputs.image_repo }} \
+            --set-string service-template.containers[0].image.tag=${{ needs.build.outputs.image_tag }} \
+            --set-string service-template.serviceAccount.annotations.iam\\.gke\\.io/gcp-service-account=${{ env.GCP_SA }} \
+            > rendered-helm4.yaml
+
+      - name: Guard rendered manifest fields
+        run: |
+          if grep -nE '^[[:space:]]*(managedFields:|resourceVersion:|uid:|creationTimestamp:)$' rendered-helm4.yaml; then
+            echo "Forbidden metadata fields found in rendered output."
+            exit 1
+          fi
+          if grep -nE '^[[:space:]]*status:[[:space:]]*$' rendered-helm4.yaml; then
+            echo "Forbidden status field found in rendered output."
+            exit 1
+          fi
+
+      - name: Helm upgrade dry-run (Helm 4)
+        run: |
+          helm upgrade "${SERVICE_NAME}-helm4-compat" "${CHART_DIR}" \
+            -f "${CHART_DIR}/${VALUES_FILE}" \
+            --set-string service-template.containers[0].image.repository=${{ needs.build.outputs.image_repo }} \
+            --set-string service-template.containers[0].image.tag=${{ needs.build.outputs.image_tag }} \
+            --set-string service-template.serviceAccount.annotations.iam\\.gke\\.io/gcp-service-account=${{ env.GCP_SA }} \
+            --namespace "${DEPLOY_NAMESPACE}" \
+            --create-namespace \
+            --install \
+            --dry-run \
+            --server-side=false \
+            --debug
+
+  deploy-dev:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main-prod'
+    needs: [build, helm4-compat]
+    runs-on: ubuntu-latest
+    environment: dev
+    env:
+      GKE_CLUSTER: ${{ vars.GKE_DEV_CLUSTER }}
+      GKE_LOCATION: ${{ vars.GKE_DEV_LOCATION }}
+      GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID_DEV }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER_DEV }}
+          service_account: ${{ secrets.GCP_SA_DEV }}
+
+      - name: Get GKE credentials
+        uses: google-github-actions/get-gke-credentials@v2
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_LOCATION }}
+          project_id: ${{ env.GCP_PROJECT_ID }}
+
+      - name: Login Helm to GAR OCI registry
+        run: |
+          gcloud auth print-access-token | \
+            helm registry login -u oauth2accesstoken --password-stdin \
+            "${GAR_LOCATION}-docker.pkg.dev"
+
+      - name: Set Helm dependency repository (dev)
+        run: |
+          CHART_REPO="oci://${GAR_LOCATION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID_DEV }}/${{ vars.GAR_HELM_REPOSITORY_DEV }}"
+          sed -i "/- name: service-template/,/repository:/ s#repository: \".*\"#repository: \"${CHART_REPO}\"#" "${CHART_DIR}/Chart.yaml"
+
+      - name: Helm dependency update
+        run: helm dependency update "${CHART_DIR}"
+
+      - name: Helm deploy to dev
+        run: |
+          helm upgrade "${SERVICE_NAME}" "${CHART_DIR}" \
+            -f "${CHART_DIR}/values-dev.yaml" \
+            --set-string service-template.containers[0].image.repository=${{ needs.build.outputs.image_repo }} \
+            --set-string service-template.containers[0].image.tag=${{ needs.build.outputs.image_tag }} \
+            --set-string service-template.serviceAccount.annotations.iam\\.gke\\.io/gcp-service-account=${{ secrets.GCP_SA_DEV }} \
+            --namespace "testzeus-dev" \
+            --create-namespace \
+            --install \
+            --wait \
+            --rollback-on-failure \
+            --server-side=false \
+            --timeout 5m
+
+  deploy-prod:
+    if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main-prod' && github.event.inputs.deploy_prod == 'true'
+    needs: [build, helm4-compat]
+    runs-on: ubuntu-latest
+    environment: production
+    env:
+      GKE_CLUSTER: ${{ vars.GKE_PROD_CLUSTER }}
+      GKE_LOCATION: ${{ vars.GKE_PROD_LOCATION }}
+      GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID_PROD }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER_PROD }}
+          service_account: ${{ secrets.GCP_SA_PROD }}
+
+      - name: Get GKE credentials
+        uses: google-github-actions/get-gke-credentials@v2
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_LOCATION }}
+          project_id: ${{ env.GCP_PROJECT_ID }}
+
+      - name: Login Helm to GAR OCI registry
+        run: |
+          gcloud auth print-access-token | \
+            helm registry login -u oauth2accesstoken --password-stdin \
+            "${GAR_LOCATION}-docker.pkg.dev"
+
+      - name: Set Helm dependency repository (prod)
+        run: |
+          CHART_REPO="oci://${GAR_LOCATION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID_PROD }}/${{ vars.GAR_HELM_REPOSITORY_PROD }}"
+          sed -i "/- name: service-template/,/repository:/ s#repository: \".*\"#repository: \"${CHART_REPO}\"#" "${CHART_DIR}/Chart.yaml"
+
+      - name: Helm dependency update
+        run: helm dependency update "${CHART_DIR}"
+
+      - name: Helm deploy to prod
+        run: |
+          helm upgrade "${SERVICE_NAME}" "${CHART_DIR}" \
+            -f "${CHART_DIR}/values-prod.yaml" \
+            --set-string service-template.containers[0].image.repository=${{ needs.build.outputs.image_repo }} \
+            --set-string service-template.containers[0].image.tag=${{ needs.build.outputs.image_tag }} \
+            --set-string service-template.serviceAccount.annotations.iam\\.gke\\.io/gcp-service-account=${{ secrets.GCP_SA_PROD }} \
+            --namespace "testzeus-prod" \
+            --create-namespace \
+            --install \
+            --wait \
+            --rollback-on-failure \
+            --server-side=false \
+            --timeout 5m

helm/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: trace-viewer
+version: 1.0.0
+description: Playwright trace viewer
+type: application
+
+dependencies:
+  - name: service-template
+    version: "~0.5.0"
+    repository: "oci://us-central1-docker.pkg.dev/prod-testarmy/helm-repository-prod"

helm/templates/NOTES.txt

@@ -0,0 +1,33 @@
+{{- $values := index .Values "service-template" -}}
+{{- $serviceName := $values.fullnameOverride | default (printf "%s-service-template" .Release.Name) -}}
+1. Get the application URL by running these commands:
+{{- if $values.service }}
+  {{- if contains "LoadBalancer" ($values.service.type | default "ClusterIP") }}
+    NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+          You can watch the status by running 'kubectl get svc -w {{ $serviceName }}'
+    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ $serviceName }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+    echo http://$SERVICE_IP:{{ $values.service.port | default 80 }}
+  {{- else if contains "ClusterIP" ($values.service.type | default "ClusterIP") }}
+    {{- $appName := $values.fullnameOverride | default "service-template" -}}
+    export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ $appName }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+    echo "Visit http://127.0.0.1:8080 to use your application"
+    {{- $containerPort := 8080 -}}
+    {{- if $values.containers -}}
+      {{- if (index $values.containers 0).ports -}}
+        {{- $containerPort = (index (index $values.containers 0).ports 0).containerPort | default 8080 -}}
+      {{- end -}}
+    {{- end -}}
+    kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ $containerPort }}
+  {{- else if contains "NodePort" ($values.service.type | default "ClusterIP") }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ $serviceName }})
+    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    echo http://$NODE_IP:$NODE_PORT
+  {{- end }}
+{{- end }}
+
+{{- if and $values.autoscaling (and $values.autoscaling.enabled (and $values.vpa $values.vpa.enabled)) }}
+WARNING: Both HPA and VPA are enabled. This is a conflicting configuration as both will try to manage resources for the same workload.
+{{- end }}
+{{- if and $values.persistentStorage (and $values.persistentStorage.enabled (eq $values.persistentStorage.accessMode "ReadWriteOnce") (gt (int ($values.replicaCount | default 1)) 1)) }}
+WARNING: persistentStorage is enabled with ReadWriteOnce access mode but replicaCount is greater than 1. Only one pod will be able to mount the volume.
+{{- end }}