Merge pull request #137 from bcgov/pipeline1

Infrastructure upgrade
bcgov · Nov 19, 2024 · f0443d5 · f0443d5
2 parents ba39407 + 7480b59
commit f0443d5
Show file tree

Hide file tree

Showing 41 changed files with 2,353 additions and 2,204 deletions.
diff --git a/.github/actions/deploy-to-environment/action.yaml b/.github/actions/deploy-to-environment/action.yaml
@@ -25,6 +25,9 @@ inputs:
   openshift_token:
     description: Openshift Service Account Token
     required: true
+  deploy_postgres:
+    description: Should Postgres database be installed for this release
+    default: "true"
 
 runs:
   using: composite
@@ -40,58 +43,29 @@ runs:
         insecure_skip_tls_verify: true
         namespace: ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }}
 
-    - name: Deploy Patroni Secret
-      shell: bash
-      run: >-
-        oc get --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} secret patroni-${{ inputs.job_name }}-secret || oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/patroni.secret.yaml -p APP_DB_NAME=${{ inputs.acronym }} -p INSTANCE=${{ inputs.job_name }} | oc create --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-
-    - name: Deploy Patroni
-      shell: bash
-      run: |
-        if [[ "${{ inputs.job_name }}" == pr-* ]]; then
-          oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/patroni-ephemeral.dc.yaml -p APP_NAME=${{ inputs.acronym }} -p INSTANCE=${{ inputs.job_name }} -p NAMESPACE=${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} | oc apply --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        else
-          oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/patroni.dc.yaml -p INSTANCE=${{ inputs.job_name }} -p NAMESPACE=${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} | oc apply --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        fi
-
-    - name: Wait on Patroni
-      shell: bash
-      run: |
-        oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status statefulset/patroni-${{ inputs.job_name }} --watch=true
-
-    - name: Deploy Redis Secret
+    - name: set lower case owner name
       shell: bash
       run: |
-        if [[ "${{ inputs.job_name }}" == pr-* ]]; then
-          oc get --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} secret redis-${{ inputs.job_name }}-secret || oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/redis.secret.yaml -p CLUSTER_MODE=no -p INSTANCE=${{ inputs.job_name }} | oc create --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        else
-          oc get --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} secret redis-${{ inputs.job_name }}-secret || oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/redis.secret.yaml -p CLUSTER_MODE=yes -p INSTANCE=${{ inputs.job_name }} | oc create --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        fi
+        echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
+      env:
+        OWNER: "${{ github.repository_owner }}"
 
-    - name: Deploy Redis
+    - name: Helm Deploy
       shell: bash
-      run: |
-        if [[ "${{ inputs.job_name }}" == pr-* ]]; then
-          oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/redis-ephemeral.dc.yaml -p APP_NAME=${{ inputs.acronym }} -p INSTANCE=${{ inputs.job_name }} | oc apply --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        else
-          oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f openshift/redis-cluster.dc.yaml -p APP_NAME=${{ inputs.acronym }} -p INSTANCE=${{ inputs.job_name }} | oc apply --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
-        fi
-
-    - name: Wait on Redis
-      shell: bash
-      run: |
-        if [[ "${{ inputs.job_name }}" == pr-* ]]; then
-          oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status dc/redis-${{ inputs.job_name }} --watch=true
-        else
-          oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status statefulset/redis-${{ inputs.job_name }} --watch=true
-        fi
-
-    - name: Deploy App
-      shell: bash
-      run: |
-        oc process --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f ./openshift/app.dc.yaml -p REPO_NAME=${{ inputs.app_name }} -p JOB_NAME=${{ inputs.job_name }} -p NAMESPACE=${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -p APP_NAME=${{ inputs.acronym }} -p IMAGE_TAG=sha-$(git rev-parse --short HEAD) -p HOST_ROUTE=${{ inputs.acronym }}-${{ inputs.namespace_environment }}-${{ inputs.job_name }}.apps.silver.devops.gov.bc.ca -o yaml | oc apply --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} -f -
+      run: >-
+        helm upgrade --install --atomic ${{ inputs.job_name }} ${{ inputs.app_name }}
+        --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }}
+        --repo https://$OWNER_LC.github.io/common-hosted-email-service
+        --values ./.github/environments/values.${{ inputs.environment }}.yaml
+        --set image.repository=ghcr.io/$OWNER_LC
+        --set image.tag=sha-$(git rev-parse --short HEAD)
+        --set route.host=${{ inputs.acronym }}-${{ inputs.namespace_environment }}-${{ inputs.job_name }}.apps.silver.devops.gov.bc.ca
+        --set postgres.name=postgres-${{ inputs.job_name }}
+        --set postgres.enabled=${{ inputs.deploy_postgres }}
+        --timeout 15m
+        --wait
 
-    - name: Wait on App
+    - name: Wait on Deployment
       shell: bash
       run: |
-        oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status dc/${{ inputs.acronym }}-app-${{ inputs.job_name }} --watch=true
+        oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status dc/${{ inputs.app_name }}-${{ inputs.job_name }} --watch=true
diff --git a/.github/environments/values.dev.yaml b/.github/environments/values.dev.yaml
@@ -0,0 +1,74 @@
+---
+autoscaling:
+  enabled: true
+  maxReplicas: 4
+
+config:
+  enabled: true
+  configMap:
+    KC_ENABLED: "true"
+    KC_PUBLICKEY: >-
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsmuiI3bzde2avKEZd8P/ivnUFL9JxwfykQ9eC6qULkkALW4Nj+m0rH+yTuWTWPwZsYyICtWXbQui6Yh+EP0+bTeDzeDaD1oSUgqC4c9EySs64sGPQLE3sHllwONo8AegNQSiPw+KHE2Rf3ky61KuQHOhrszHKq1qT71ct5iPK9oeZ4vkr6A0XfNNOzih6Jp+XrmNmU85+ssNJ7Oy9plwxHBC73Ff3Jw8UF2dRPPLOJT3oAtYJYD4uuQebPq3bKv2n8iQftLG80l1frM1iG/jddoKItSYBRYsi4Mc65gGgkfsTQGk+Up0SULpO/nIASHWLSYNZOTiqAqMgkWQ+Ga9vQIDAQAB
+    KC_REALM: comsvcauth
+    KC_SERVERURL: "https://dev.loginproxy.gov.bc.ca/auth"
+    SERVER_LOGLEVEL: info
+
+postgres:
+  enabled: true
+  # -------- backups ---------
+  pgBackRestConfig:
+    global:
+      # log-level-console: debug
+      # --- pvc
+      repo1-retention-full: "2"
+      repo1-retention-diff: "3"
+    repos:
+      - name: repo1
+        schedules:
+          full: "0 7 * * *" # full backup every day at 7am
+          differential: "0 */2 * * *" # differential every 2 hours
+        volume:
+          volumeClaimSpec:
+            accessModes:
+              - "ReadWriteOnce"
+            resources:
+              requests:
+                storage: 2Gi
+            storageClassName: "netapp-file-backup"
+    manual:
+      repoName: repo1
+      options:
+        - --type=full
+    repoHost:
+      resources:
+        requests:
+          cpu: 20m
+          memory: 128Mi
+        limits:
+          cpu: 50m
+          memory: 256Mi
+    sidecars:
+      pgbackrest:
+        resources:
+          requests:
+            cpu: 5m
+            memory: 16Mi
+          limits:
+            cpu: 20m
+            memory: 64Mi
+      pgbackrestConfig:
+        resources:
+          requests:
+            cpu: 5m
+            memory: 32Mi
+          limits:
+            cpu: 20m
+            memory: 64Mi
+    jobs:
+      resources:
+        requests:
+          cpu: 10m
+          memory: 64Mi
+        limits:
+          cpu: 50m
+          memory: 128Mi
diff --git a/.github/environments/values.pr.yaml b/.github/environments/values.pr.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  basicAuth: true
+  oidcAuth: true
+  defaultBucket: false
diff --git a/.github/environments/values.prod.yaml b/.github/environments/values.prod.yaml
@@ -0,0 +1,190 @@
+---
+autoscaling:
+  enabled: true
+  maxReplicas: 4
+
+config:
+  enabled: true
+  configMap:
+    KC_ENABLED: "true"
+    KC_PUBLICKEY: >-
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtq5+xTKB1FRCwufdluEx8mNIZU3eXpo91QUrqlpq226HcyF9WPihdpuZzdlS+kW6EC2prZfJpvDvzT/Og4fx9ZoQVKV0uYvWvEg5Sc3ikQMfO0ngqUC6FkxElj9LzpijpdEQd0JAmmem2329lITwWroX70imLhYu3aY+Q3hSY2lg5OJCBw0I2pulfQiMsGn3vgkwSvmIsDhOgSnwPJhPxD9TY6kjvTff6LB1bFSwlxh1l8dRBqRabDunoHn/uHfhVAHB/SgPkvP5Ybc5bP/idBNP0kiQcWiT02Z7aB1r7Fnd5YH9FEDhhF5OIYYBzHP4hPm6AgqG/IDhAuiqf/F9eQIDAQAB
+    KC_REALM: comsvcauth
+    KC_SERVERURL: "https://loginproxy.gov.bc.ca/auth"
+    SERVER_LOGLEVEL: http
+
+postgres:
+  enabled: true
+
+  # --------------------------------
+  # --------crunchydb config: ------
+  # --------------------------------
+
+  instances:
+    - name: db # do not change this name after initial install, pvc (data) and stateful sets will be deleted
+      replicas: 3
+      dataVolumeClaimSpec:
+        accessModes:
+          - "ReadWriteOnce"
+        resources:
+          requests:
+            storage: 5Gi
+        storageClassName: "netapp-block-standard"
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 100m
+          memory: 256Mi
+      sidecars:
+        replicaCertCopy:
+          resources:
+            requests:
+              cpu: 1m
+              memory: 32Mi
+            limits:
+              cpu: 50m
+              memory: 64Mi
+
+  # -------- backups ---------
+  pgBackRestConfig:
+    manual:
+      repoName: repo1
+      options:
+        - --type=full
+    repoHost:
+      resources:
+        requests:
+          cpu: 20m
+          memory: 128Mi
+        limits:
+          cpu: 50m
+          memory: 256Mi
+    sidecars:
+      pgbackrest:
+        resources:
+          requests:
+            cpu: 5m
+            memory: 16Mi
+          limits:
+            cpu: 20m
+            memory: 64Mi
+      pgbackrestConfig:
+        resources:
+          requests:
+            cpu: 5m
+            memory: 32Mi
+          limits:
+            cpu: 20m
+            memory: 64Mi
+    jobs:
+      resources:
+        requests:
+          cpu: 10m
+          memory: 64Mi
+        limits:
+          cpu: 50m
+          memory: 128Mi
+    configuration:
+      # secret for saving backups to S3
+      - secret:
+          name: pgbackrest-s3
+    global:
+      # log-level-console: debug
+      # --- pvc
+      repo1-retention-full: "3"
+      repo1-retention-diff: "12"
+      # --- s3
+      repo2-path: /backups/common-hosted-email-service/postgres/prod
+      repo2-retention-full: "30"
+      repo2-s3-uri-style: path
+    repos:
+      - name: repo1
+        schedules:
+          full: "0 7 * * *" # full backup every day at 7am
+          differential: "0 */2 * * *" # differential every 2 hours
+        volume:
+          volumeClaimSpec:
+            accessModes:
+              - "ReadWriteOnce"
+            resources:
+              requests:
+                storage: 10Gi
+            storageClassName: "netapp-file-backup"
+      - name: repo2
+        schedules:
+          full: "0 3 * * *" # full backup every day at 3am
+        s3:
+          bucket: csstops
+          endpoint: https://nrs.objectstore.gov.bc.ca
+          region: us-east-1
+    # -- restore from backup
+    # ref: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/disaster-recovery#perform-an-in-place-point-in-time-recovery-pitr
+    restore:
+      enabled: false
+      repoName: repo1 # eg `repo1` (pvc) or `repo2` (s3)
+      options:
+        - --type=time
+        - --target="2024-10-28 14:15:11-04"
+
+  # -------- monitoring ---------
+  monitoring: true
+  monitoringConfig:
+    resources:
+      requests:
+        cpu: 1m
+        memory: 16Mi
+      limits:
+        cpu: 35m
+        memory: 32Mi
+
+redis:
+  architecture: replication
+  global:
+    storageClass: netapp-block-standard
+  enabled: true
+  auth:
+    enabled: false
+  image:
+    registry: artifacts.developer.gov.bc.ca/docker-remote
+  replica:
+    shareProcessNamespace: true
+    replicaCount: 3
+    persistentVolumeClaimRetentionPolicy:
+      enabled: true
+      whenDeleted: Delete
+    persistence:
+      enabled: true
+      accessMode: ReadWriteOnce
+      size: 25Mi
+    resources:
+      limits:
+        cpu: 50m
+        memory: 150Mi
+      requests:
+        cpu: 20m
+        memory: 50Mi
+  sentinel:
+    enabled: true
+    quorum: 1
+    podSecurityContext: {}
+    containerSecurityContext: {}
+    image:
+      registry: artifacts.developer.gov.bc.ca/docker-remote
+    persistence:
+      enabled: true
+      accessMode: ReadWriteOnce
+      size: 25Mi
+      storageClass: netapp-block-standard
+    persistentVolumeClaimRetentionPolicy:
+      enabled: true
+      whenScaled: Delete
+      whenDeleted: Delete
+    resources:
+      limits:
+        cpu: 50m
+        memory: 150Mi
+      requests:
+        cpu: 20m
+        memory: 50Mi