Implement PR deployment and prod / preprod enviroment (#402) (#404)

ThomasSamson · web-flow · commit dc7c7e86ae4b · 2023-06-21T15:57:05.000+02:00
* Implement PR deployment and prod / preprod enviroment

* Restore gcr subdirectory name

* Add tag remover job

* test syntax

* Use GITHUB_ENV

* Use github env in helm

* Enable Build

* Fix syntax

* Try fix on helm release

* Fix release name

* debug cors

* Edit cleanup job

* Fix cors

* Enable build

* Change staging branch name

* Remove bucket

* Change preprod URLs

* edit cors in helm upgrade

* Add prod branch name temp
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -3,17 +3,28 @@ name: CD
 on:
   push:
     branches:
-      - deploy-v3
-      - v3
+      - prod
+      - staging
   # Deploy if "deploy" label exists
   pull_request:
     types: [ reopened, synchronize, labeled ]
 
 # Do not use concurrency to prevent simultaneous helm deployments
 jobs:
+  remove-deploy-label:
+    name: Remove deploy label
+    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: mondeja/remove-labels-gh-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: |
+            deploy
+
   build:
     name: Build
-    if: ${{ github.repository == 'api-platform/website' && (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'deploy')) }}
+    if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy'))
     uses: ./.github/workflows/build.yml
     with:
       tags: |
@@ -32,16 +43,11 @@ jobs:
   deploy:
     name: Deploy
     needs: [ build ]
-    if: github.event_name == 'push'
+    if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy'))
     uses: ./.github/workflows/deploy.yml
     with:
       environment: prod
-      url: test-v3.preprod-tilleuls.ovh
       docker-images-version: ${{ github.sha }}
-      cors: '["https://test-v3.preprod-tilleuls.ovh", "http://localhost", "https://localhost", "http://localhost:3000"]'
-      release: website
-      namespace: website
-
       gke-cluster: api-platform-demo
       gke-zone: europe-west1-c
     secrets:
@@ -50,24 +56,3 @@ jobs:
       gh-key: ${{ secrets.GH_KEY }}
       # cloudflare-api-token: ${{ secrets.CF_API_TOKEN }}
       # cloudflare-zone-id: ${{ secrets.CF_ZONE_ID }}
-
-  feature-deploy:
-    name: Feature Deploy
-    needs: [ build ]
-    if: github.event_name == 'pull_request'
-    uses: ./.github/workflows/deploy.yml
-    with:
-      environment: ${{ needs.build.outputs.version }}
-      url: ${{ needs.build.outputs.version }}-test-v3.preprod-tilleuls.ovh
-      docker-images-version: ${{ needs.build.outputs.version }}
-      cors: '["https://${{ needs.build.outputs.version }}-test-v3.preprod-tilleuls.ovh", "http://localhost", "https://localhost", "http://localhost:3000"]'
-      release: ${{ needs.build.outputs.version }}
-      namespace: ${{ needs.build.outputs.version }}
-      gke-cluster: api-platform-demo
-      gke-zone: europe-west1-c
-    secrets:
-      gke-credentials: ${{ secrets.GKE_SA_KEY }}
-      gke-project: ${{ secrets.GKE_PROJECT }}      
-      gh-key: ${{ secrets.GH_KEY }}
-      # cloudflare-api-token: ${{ secrets.CF_API_TOKEN }}
-      # cloudflare-zone-id: ${{ secrets.CF_ZONE_ID }}
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -33,9 +33,16 @@ jobs:
           gcloud components install gke-gcloud-auth-plugin
           gcloud --quiet auth configure-docker
           gcloud container clusters get-credentials api-platform-demo --zone europe-west1-c
-      - name: Check for existing namespace
-        id: k8s-namespace
-        run: echo "namespace=$(kubectl get namespace pr-${{ github.event.number }} | tr -d '\n' 2> /dev/null)" >> $GITHUB_OUTPUT
-      - name: Uninstall release
-        if: steps.k8s-namespace.outputs.namespace != ''
-        run: kubectl delete namespace pr-${{ github.event.number }}
+      - name: Uninstall helm release
+        id: uninstall_helm_release
+        run: |
+          export RELEASE_NAME=pr-$(jq --raw-output .pull_request.number $GITHUB_EVENT_PATH)
+          echo "Uninstalling release ${RELEASE_NAME}"
+          if ! helm uninstall ${RELEASE_NAME} --kube-context nonprod --wait ; then
+            echo "HELM Uninstall has failed !"
+            echo "Please ask the SRE team to manually clean remaining objects"
+            exit 1
+          fi
+          echo "HELM uninstall successfull"
+          echo "Cleaning remaining PVC..."
+          kubectl delete pvc -l app.kubernetes.io/instance=$RELEASE_NAME
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -8,27 +8,11 @@ on:
         description: GitHub Environment Name
         default: prod
         required: false
-      url:
-        type: string
-        description: GitHub Environment Url (without scheme)
-        required: true
       docker-images-version:
         type: string
         description: Docker Images Version
         default: latest
         required: false
-      cors:
-        type: string
-        description: CORS
-        required: true
-      release:
-        type: string
-        description: Release Name
-        required: true
-      namespace:
-        type: string
-        description: Namespace Name
-        required: true
       gke-cluster:
         type: string
         description: Google Kubernetes Engine Cluster
@@ -58,9 +42,6 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    environment:
-      name: ${{ inputs.environment }}
-      url: https://${{ inputs.url }}
     permissions:
       contents: 'read'
       id-token: 'write'
@@ -90,9 +71,32 @@ jobs:
           helm repo add bitnami https://charts.bitnami.com/bitnami/
           helm repo add stable https://charts.helm.sh/stable/
           helm dependency build ./helm/api-platform
+      - name: Define namespace
+        run: |       
+          set -o pipefail
+          if [[ "${{ github.ref }}" == 'refs/heads/prod' ]]; then
+              # Tags are deployed in prod
+              echo "CONTEXT=prod" >> "$GITHUB_ENV"
+              echo "RELEASE_NAME=website-prod" >> "$GITHUB_ENV"
+              echo "URL=api-platform.com" >> "$GITHUB_ENV"
+              echo "CORS='[\"https://api-platform.com\", \"http://localhost\", \"https://localhost\", \"http://localhost:3000\"]'" >> "$GITHUB_ENV"
+              echo "NAMESPACE=prod-website" >> "$GITHUB_ENV"
+          else
+              CONTEXT=nonprod
+              if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+                  echo RELEASE_NAME=pr-$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH") >> "$GITHUB_ENV"
+                  export RELEASE_NAME=pr-$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
+              else
+                  echo "RELEASE_NAME=${{ github.ref_name }}" >> "$GITHUB_ENV"
+                  export RELEASE_NAME=${{ github.ref_name }}
+              fi
+              echo "URL=$RELEASE_NAME.apip.preprod-tilleuls.ovh" >> "$GITHUB_ENV"
+              echo "NAMESPACE=nonprod-website" >> "$GITHUB_ENV"
+              echo 'CORS=["https://${{ env.RELEASE_NAME}}.apip.preprod-tilleuls.ovh", "http://localhost", "https://localhost", "http://localhost:3000"]' >> "$GITHUB_ENV"
+          fi
       - name: Check for existing namespace
         id: k8s-namespace
-        run: echo "namespace=$(kubectl get namespace ${{ inputs.namespace }} | tr -d '\n' 2> /dev/null)" >> $GITHUB_OUTPUT
+        run: echo "namespace=$(kubectl get namespace ${{ env.NAMESPACE }} | tr -d '\n' 2> /dev/null)" >> $GITHUB_OUTPUT
       # Release name MUST start with a letter
       # GitHub doesn't support multilines environment variables (JWT_*_KEY)
       - name: Deploy in new namespace
@@ -101,14 +105,14 @@ jobs:
           set -o pipefail
           JWT_PASSPHRASE=$(openssl rand -base64 32)
           JWT_SECRET_KEY=$(openssl genpkey -pass file:<(echo "$JWT_PASSPHRASE") -aes256 -algorithm rsa -pkeyopt rsa_keygen_bits:4096)
-          helm upgrade ${{ inputs.release }} ./helm/api-platform \
+          helm upgrade ${{ env.RELEASE_NAME }} ./helm/api-platform \
             --reuse-values \
             --install \
             --create-namespace \
             --debug \
             --wait \
             --atomic \
-            --namespace=${{ inputs.namespace }} \
+            --namespace=${{ env.NAMESPACE }} \
             --set=app.version=${{ github.sha }} \
             --set=php.image.repository=eu.gcr.io/${{ secrets.gke-project }}/website/php \
             --set=php.image.tag=${{ inputs.docker-images-version }} \
@@ -123,18 +127,18 @@ jobs:
             --set=bucket.s3Name=api-platform-website-v3 \
             --set=service.type=NodePort \
             --set=ingress.enabled=true \
-            --set=ingress.hosts[0].host=${{ inputs.url }} \
+            --set=ingress.hosts[0].host=${{ env.URL }} \
             --set=ingress.hosts[0].paths[0].path=/ \
             --set=ingress.hosts[0].paths[0].pathType=ImplementationSpecific \
-            --set=ingress.tls[0].hosts[0]=${{ inputs.url }} \
+            --set=ingress.tls[0].hosts[0]=${{ env.URL }} \
             --set=ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-production \
-            --set=ingress.tls[0].secretName=website-ssl \
+            --set=ingress.tls[0].secretName=${{ env.RELEASE_NAME }}-website-ssl \
             --set=php.jwt.secretKey="$JWT_SECRET_KEY" \
             --set=php.jwt.publicKey="$(openssl pkey -in <(echo "$JWT_SECRET_KEY") -passin file:<(echo "$JWT_PASSPHRASE") -pubout)" \
             --set=php.jwt.passphrase=$JWT_PASSPHRASE \
-            --set=php.corsAllowOrigin="^$(echo "${{ join(fromJSON(inputs.cors), '|') }}" | sed 's/\./\\./g')$" \
-            --set=php.host=${{ inputs.url }} \
-            --set=next.rootUrl=${{ inputs.url }} \
+            --set=php.corsAllowOrigin="^$(echo "${{ join(fromJSON(env.CORS), '|') }}" | sed 's/\./\\./g')$" \
+            --set=php.host=${{ env.URL }} \
+            --set=next.rootUrl=${{ env.URL }} \
             --set=github.key=${{ secrets.gh-key }} \
             --set=ressources.requests.cpu=250m \
             --set=ressources.requests.memory=256Mi \
@@ -146,14 +150,14 @@ jobs:
         if: steps.k8s-namespace.outputs.namespace != ''
         run: |
           set -o pipefail
-          helm upgrade ${{ inputs.release }} ./helm/api-platform \
+          helm upgrade ${{ env.RELEASE_NAME }} ./helm/api-platform \
             --reuse-values \
             --install \
             --create-namespace \
             --debug \
             --wait \
             --atomic \
-            --namespace=${{ inputs.namespace }} \
+            --namespace=${{ env.NAMESPACE }} \
             --set=app.version=${{ github.sha }} \
             --set=php.image.repository=eu.gcr.io/${{ secrets.gke-project }}/website/php \
             --set=php.image.tag=${{ inputs.docker-images-version }} \
@@ -164,9 +168,9 @@ jobs:
             --set=pwa.image.repository=eu.gcr.io/${{ secrets.gke-project }}/website/pwa \
             --set=pwa.image.tag=${{ inputs.docker-images-version }} \
             --set=pwa.image.pullPolicy=Always \
-            --set=php.corsAllowOrigin="^$(echo "${{ join(fromJSON(inputs.cors), '|') }}" | sed 's/\./\\./g')$" \
+            --set=php.corsAllowOrigin="^$(echo "${{ join(fromJSON(env.CORS), '|') }}" | sed 's/\./\\./g')$" \
             --set=github.key=${{ secrets.gh-key }} \
-            --set=next.rootUrl=${{ inputs.url }} \
+            --set=next.rootUrl=${{ env.URL }} \
             --set=ressources.requests.cpu=250m \
             --set=ressources.requests.memory=256Mi \
             --set=ressources.limits.memory=700Mi \
@@ -175,4 +179,4 @@ jobs:
             | sed --unbuffered '/USER-SUPPLIED VALUES/,$d'
       - name: Debug kube events
         if: failure()
-        run: kubectl get events --namespace=${{ inputs.namespace }} --sort-by .metadata.creationTimestamp
+        run: kubectl get events --namespace=${{ env.NAMESPACE }} --sort-by .metadata.creationTimestamp
diff --git a/helm/api-platform/templates/configmap.yaml b/helm/api-platform/templates/configmap.yaml
@@ -12,6 +12,4 @@ data:
   php-trusted-proxies: "{{ join "," .Values.php.trustedProxies }}"
   mercure-url: "http://{{ include "api-platform.fullname" . }}/.well-known/mercure"
   mercure-public-url: {{ .Values.mercure.publicUrl | default "http://127.0.0.1/.well-known/mercure" | quote }}
-  bucket-s3-upstream: {{ .Values.bucket.s3Upstream | quote }}
-  bucket-s3-name: {{ .Values.bucket.s3Name | quote }}
   next-root-url: {{ .Values.next.rootUrl | quote }}
diff --git a/helm/api-platform/templates/deployment.yaml b/helm/api-platform/templates/deployment.yaml
@@ -48,16 +48,6 @@ spec:
                 secretKeyRef:
                   name: {{ include "api-platform.fullname" . }}
                   key: mercure-jwt-secret
-            - name: BUCKET_S3_UPSTREAM
-              valueFrom:
-                configMapKeyRef:
-                  name: {{ include "api-platform.fullname" . }}
-                  key: bucket-s3-upstream
-            - name: BUCKET_S3_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: {{ include "api-platform.fullname" . }}
-                  key: bucket-s3-name
           ports:
             - name: http
               containerPort: 80
diff --git a/helm/api-platform/values.yaml b/helm/api-platform/values.yaml
@@ -34,10 +34,6 @@ next:
 github:
   key: changeMe
   
-bucket:
-  s3Upstream: ChangeMe
-  s3Name: ChangeMe
-
 caddy:
   image:
     repository: "chart-example.local/api-platform/caddy"
