Merge pull request #7894 from GeorgianaElena/more-health-checks

Run health checks when infrastructure code changes

Author: GeorgianaElena

.github/workflows/pd-triggered-health-check.yaml

@@ -2,11 +2,14 @@ name: PD triggered health-check
 on:
   repository_dispatch:
     types: [health-check]
-    outputs:
 
 jobs:
-  run-health-check:
+  get_incident_details:
     runs-on: ubuntu-latest
+    outputs:
+      cluster: ${{ steps.details.outputs.cluster }}
+      hub: ${{ steps.details.outputs.hub }}
+      provider: ${{ steps.details.outputs.provider }}
     steps:
     - name: Get the incident details
       id: details
@@ -29,67 +32,54 @@ jobs:
           f.write(f"{cluster}\n")
           f.write(f"{hub}\n")
           f.write(f"{provider}")
-    - uses: actions/checkout@v6
-      with:
-        submodules: true
-    - uses: actions/setup-python@v6
-      with:
-        python-version: '3.13'
-    - name: Save pip's install cache on job completion
-      uses: actions/cache@v5
-      with:
-        path: ~/.cache/pip
-        key: ${{ github.run_id }}
 
-    - name: Install deployer script's Python dependencies
-      run: |
-        pip install --editable .
-        go install github.com/google/go-jsonnet/cmd/jsonnet@v0.20.0
-
-    - name: Setup deploy for ${{ steps.details.outputs.cluster }} cluster
-      uses: ./.github/actions/setup-deploy
-      with:
-        provider: ${{ steps.details.outputs.provider }}
-        GCP_KMS_DECRYPTOR_KEY: ${{ secrets.GCP_KMS_DECRYPTOR_KEY }}
-
-    - name: Run health check against ${{ steps.details.outputs.cluster }} ${{ steps.details.outputs.hub }}
-      uses: nick-fields/retry@v3
-      continue-on-error: true
-      id: health_check
-      with:
-        timeout_minutes: 10
-        max_attempts: 3
-        command: |
-          echo "health_check_output<<EOF" | tee --append "$GITHUB_OUTPUT"
-          deployer run-hub-health-check ${{ steps.details.outputs.cluster }} ${{ steps.details.outputs.hub }} | tee --append "$GITHUB_OUTPUT"
-          echo "EOF" | tee --append "$GITHUB_OUTPUT"
+  health_check:
+    needs: get_incident_details
+    uses: ./.github/workflows/reusable-health-check.yaml
+    with:
+      cluster: ${{ needs.get_incident_details.outputs.cluster }}
+      hub: ${{ needs.get_incident_details.outputs.hub }}
+      provider: ${{ needs.get_incident_details.outputs.provider }}
+    secrets: inherit
 
+  report_status:
+    needs: [get_incident_details, health_check]
+    runs-on: ubuntu-latest
+    steps:
     - name: Report Status
       if: always()
       uses: ravsamhq/notify-slack-action@v2
       with:
         notify_when: success,failure
-        status: ${{ job.status }} # required
-        notification_title: Health check status for <${{ env.URL }}|${{ steps.details.outputs.cluster }} ${{ steps.details.outputs.hub }}>
-        message_format: ':point_right: ${{ job.status }}'
+        status: ${{ needs.health_check.result }}
+        notification_title: Health check status for <${{ env.URL }}|${{ needs.get_incident_details.outputs.cluster }} ${{ needs.get_incident_details.outputs.hub }}>
+        message_format: ':point_right: ${{ needs.health_check.result }}'
         mention_groups: '!channel'
         mention_groups_when: failure
         footer: <{run_url}|GitHub Run>
       env:
         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PD_NOTIFICATIONS_WEBHOOK_URL }}
         URL: https://2i2c-org.pagerduty.com/incidents/${{ github.event.client_payload.id }}
 
+    - name: Set note content
+      id: note
+      run: |
+        if [[ "${{ needs.health_check.outputs.health_check_output }}" == *"Skipping"* ]]; then
+          echo "note_content=Health check skipped" >> "$GITHUB_OUTPUT"
+        else
+          echo "note_content=Health check status was: ${{ needs.health_check.result }}" >> "$GITHUB_OUTPUT"
+        fi
 
     - name: Leave a note to the incident
       uses: ./.github/actions/pagerduty-note
       with:
         incident_id: ${{ github.event.client_payload.id }}
         token: ${{ secrets.PD_TOKEN }}
-        note_content: 'The health checks status was: ${{ job.status }}'
+        note_content: ${{ steps.note.outputs.note_content }}
 
     - name: Resolve the incident if successful run
       # We don't yet run health checks against binders
-      if: steps.health_check.outcome == 'success' && !contains(steps.health_check.outputs.health_check_output, 'Skipping')
+      if: needs.health_check.result == 'success' && !contains(needs.health_check.outputs.health_check_output, 'Skipping')
       env:
         ID: ${{ github.event.client_payload.id }}
         PD_TOKEN: ${{ secrets.PD_TOKEN }}

.github/workflows/reusable-health-check.yaml

@@ -0,0 +1,70 @@
+# Call this reusable workflow like
+# jobs:
+#   job1:
+#     uses: ./.github/workflows/run-hub-health-check.yaml
+#     with:
+#       cluster: cluster-name
+#       hub: hub-name
+#       provider: provider
+#
+# https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows
+#
+name: Run a hub health check
+
+on:
+  workflow_call:
+    inputs:
+      cluster:
+        required: true
+        type: string
+      hub:
+        required: true
+        type: string
+      provider:
+        required: true
+        type: string
+    secrets:
+      GCP_KMS_DECRYPTOR_KEY:
+        required: true
+    outputs:
+      health_check_output:
+        value: ${{ jobs.run_health_check.outputs.output1 }}
+jobs:
+  run_health_check:
+    runs-on: ubuntu-latest
+    outputs:
+      output1: ${{ steps.health_check.outputs.health_check_output }}
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        submodules: true
+    - uses: actions/setup-python@v6
+      with:
+        python-version: '3.13'
+    - name: Save pip's install cache on job completion
+      uses: actions/cache@v5
+      with:
+        path: ~/.cache/pip
+        key: ${{ github.run_id }}
+
+    - name: Install deployer script's Python dependencies
+      run: |
+        pip install --editable .
+        go install github.com/google/go-jsonnet/cmd/jsonnet@v0.20.0
+
+    - name: Setup deploy for ${{ inputs.cluster }} cluster
+      uses: ./.github/actions/setup-deploy
+      with:
+        provider: ${{ inputs.provider }}
+        GCP_KMS_DECRYPTOR_KEY: ${{ secrets.GCP_KMS_DECRYPTOR_KEY }}
+
+    - name: Run health check against ${{ inputs.cluster }} ${{ inputs.hub }}
+      uses: nick-fields/retry@v3
+      id: health_check
+      with:
+        timeout_minutes: 10
+        max_attempts: 3
+        command: |
+          echo "health_check_output<<EOF" >> "$GITHUB_OUTPUT"
+          deployer run-hub-health-check ${{ inputs.cluster }} ${{ inputs.hub }} | tee --append "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"

.github/workflows/run-health-check.yaml

@@ -0,0 +1,117 @@
+name: Run a health check on hubs
+
+on:
+  push:
+    branches:
+    - main
+    paths:
+    - terraform/**
+    - eksctl/**
+  pull_request:
+    branches:
+    - main
+    paths:
+    - terraform/**
+    - eksctl/**
+
+# ref: https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || 'not-a-pr' }}
+  cancel-in-progress: false
+
+env:
+  TERM: xterm
+  USE_GKE_GCLOUD_AUTH_PLUGIN: 'True'
+
+jobs:
+  generate-jobs:
+    runs-on: ubuntu-latest
+    outputs:
+      support-jobs: ${{ steps.generate-jobs.outputs.support-jobs }}
+      staging-jobs: ${{ steps.generate-jobs.outputs.staging-jobs }}
+      prod-jobs: ${{ steps.generate-jobs.outputs.prod-jobs }}
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        submodules: true
+
+    - name: Identify files that have been added or modified
+          # Action repo: https://github.com/dorny/paths-filter
+      uses: dorny/paths-filter@v3
+      id: changed-files
+      with:
+        token: ''
+        list-files: csv
+        filters: |
+          changed:
+            - added|modified: terraform/**
+            - added|modified: eksctl/**
+
+        # This step will create a comment-body.txt file containing the jobs to be run in a
+        # Markdown table format to be posted on a Pull Request
+    - name: Generate matrix jobs
+      id: generate-jobs
+      run: |
+        deployer plan-health-check "${{ steps.changed-files.outputs.changed_files }}"
+
+        # The comment-deployment-plan-pr.yaml workflow won't have the correct context to
+        # know the PR number, so we save it to a file to pass to that workflow
+    - name: Save Pull Request number to a file
+      if: github.event_name == 'pull_request'
+      run: |
+        echo "${{ github.event.number }}" > pr-number.txt
+
+        # Upload the pr-number.txt and comment-body.txt files as artifacts for the
+        # comment-deployment-plan-pr.yaml workflow to access
+    - name: Upload artifacts
+      if: >
+        github.event_name == 'pull_request' &&
+        (steps.generate-jobs.outputs.support-jobs != '[]' ||
+        steps.generate-jobs.outputs.staging-jobs != '[]' ||
+        steps.generate-jobs.outputs.prod-jobs != '[]')
+      uses: actions/upload-artifact@v6
+      with:
+        name: pr
+        path: |
+          pr-number.txt
+          comment-body.txt
+  upgrade-staging:
+    runs-on: ubuntu-latest
+    needs: [generate-jobs]
+    name: ${{ matrix.jobs.cluster_name }}-${{ matrix.jobs.hub_name }}-${{ matrix.jobs.provider }}
+    if: |
+      !cancelled() &&
+      (github.event_name == 'push' && contains(github.ref, 'main')) &&
+      needs.generate-jobs.result == 'success' &&
+      needs.generate-jobs.outputs.staging-jobs != '[]'
+    strategy:
+      fail-fast: false
+      matrix:
+        jobs: ${{ fromJson(needs.generate-jobs.outputs.staging-jobs) }}
+    uses: ./.github/workflows/reusable-health-check.yaml
+    with:
+      cluster: ${{ matrix.jobs.cluster_name }}
+      hub: ${{ matrix.jobs.hub_name }}
+      provider: ${{ matrix.jobs.provider }}
+    secrets: inherit
+
+  upgrade-prod:
+    runs-on: ubuntu-latest
+    needs: [generate-jobs]
+    name: ${{ matrix.jobs.cluster_name }}-${{ matrix.jobs.hub_name }}-${{ matrix.jobs.provider }}
+    if: |
+      !cancelled() &&
+      (github.event_name == 'push' && contains(github.ref, 'main')) &&
+      needs.generate-jobs.result == 'success' &&' &&
+      needs.generate-jobs.outputs.prod-jobs != '[]'
+    strategy:
+      fail-fast: false
+      matrix:
+        jobs: ${{ fromJson(needs.generate-jobs.outputs.prod-jobs) }}
+    uses: ./.github/workflows/reusable-health-check.yaml
+    with:
+      cluster: ${{ matrix.jobs.cluster_name }}
+      hub: ${{ matrix.jobs.hub_name }}
+      provider: ${{ matrix.jobs.provider }}
+    secrets: inherit

config/clusters/2i2c-jetstream2/cluster.yaml

@@ -1,5 +1,6 @@
 name: 2i2c-jetstream2
 provider: kubeconfig # allocation CIS250031_IU in https://js2.jetstream-cloud.org/project/
+provider_url: https://js2.jetstream-cloud.org/project/
 kubeconfig:
   file: enc-deployer-credentials.secret.yaml
 support:

config/clusters/projectpythia-binder/cluster.yaml

@@ -1,5 +1,6 @@
 name: projectpythia-binder
 provider: kubeconfig # allocation SEE240014_IU in https://js2.jetstream-cloud.org/project/
+provider_url: https://js2.jetstream-cloud.org/project/
 kubeconfig:
   file: enc-deployer-credentials.secret.yaml
 support:

config/clusters/utoronto/cluster.yaml

@@ -1,5 +1,6 @@
 name: utoronto
 provider: kubeconfig # azure based, cloud infra work requires a dedicated utoronto account
+provider_url: https://portal.azure.com/?l=en.en-gb#@utoronto.onmicrosoft.com/resource/subscriptions/ead3521a-d994-4a44-a68d-b16e35642d5b/resourceGroups/2i2c-utoronto-cluster/providers/Microsoft.ContainerService/managedClusters/hub-cluster/overview
 kubeconfig:
   file: enc-deployer-credentials.secret.yaml
 support: