Create Cloud Run service for website on production (#2143)

michaelkedar · web-flow · commit 2fec824a4315 · 2024-05-01T11:00:51.000+10:00
- Move terraform config out into out of oss-vdb-test environment into
base osv module
- Build/push osv-website docker image to oss-vdb registry
- Recreate osv-website Cloud Deploy pipeline on production, and add
production target.
diff --git a/deployment/build-and-stage.yaml b/deployment/build-and-stage.yaml
@@ -217,22 +217,21 @@ steps:
   waitFor: ['build-nvd-cve-osv', 'cloud-build-queue']
 
 # Build/push Website image
-# TODO(michaelkedar): The image gets saved on oss-vdb-test while we experiment with migration
 - name: 'gcr.io/cloud-builders/docker'
   entrypoint: 'bash'
-  args: ['-c', 'docker pull gcr.io/oss-vdb-test/osv-website:latest || exit 0']
+  args: ['-c', 'docker pull gcr.io/oss-vdb/osv-website:latest || exit 0']
   id: 'pull-website'
   waitFor: ['setup']
 - name: 'gcr.io/cloud-builders/docker'
   args: ['buildx', 'build', '--build-arg', 'BUILDKIT_INLINE_CACHE=1',
-         '-t', 'gcr.io/oss-vdb-test/osv-website:latest', '-t', 'gcr.io/oss-vdb-test/osv-website:$COMMIT_SHA',
-         '-f', 'gcp/appengine/Dockerfile', '--cache-from', 'gcr.io/oss-vdb-test/osv-website:latest', '--pull', '.']
+         '-t', 'gcr.io/oss-vdb/osv-website:latest', '-t', 'gcr.io/oss-vdb/osv-website:$COMMIT_SHA',
+         '-f', 'gcp/appengine/Dockerfile', '--cache-from', 'gcr.io/oss-vdb/osv-website:latest', '--pull', '.']
   env:
   - BUILDKIT_PROGRESS=plain
   id: 'build-website'
   waitFor: ['pull-website']
 - name: 'gcr.io/cloud-builders/docker'
-  args: ['push', '--all-tags', 'gcr.io/oss-vdb-test/osv-website']
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/osv-website']
   waitFor: ['build-website', 'cloud-build-queue']
 
 # Build/push NVD mirror image
@@ -302,11 +301,10 @@ steps:
   dir: deployment/clouddeploy/gke-indexer
 
 # Website
-# TODO(michaelkedar): Move off of oss-vdb-test for prod
 - name: 'gcr.io/cloud-builders/gcloud'
-  args: ['deploy', 'releases', 'create', 'osv-$SHORT_SHA', '--project=oss-vdb-test', '--region=us-central1',
+  args: ['deploy', 'releases', 'create', 'osv-$SHORT_SHA', '--project=oss-vdb', '--region=us-central1',
     '--delivery-pipeline=osv-website', '--images',
-    "osv-website=gcr.io/oss-vdb-test/osv-website:$COMMIT_SHA"
+    "osv-website=gcr.io/oss-vdb/osv-website:$COMMIT_SHA"
   ]
   dir: deployment/clouddeploy/osv-website
 
diff --git a/deployment/clouddeploy/osv-website/clouddeploy.yaml b/deployment/clouddeploy/osv-website/clouddeploy.yaml
@@ -7,8 +7,8 @@ serialPipeline:
   stages:
   - targetId: staging-website
     profiles: [ staging ]
-  # - targetId: production-website
-  #   profiles: [ prod ]
+  - targetId: production-website
+    profiles: [ prod ]
 ---
 
 apiVersion: deploy.cloud.google.com/v1
@@ -22,18 +22,18 @@ executionConfigs:
 - usages:
   - RENDER
   - DEPLOY
-  serviceAccount: deployment@oss-vdb-test.iam.gserviceaccount.com # TODO(michaelkedar): remember to change service account back
-# ---
+  serviceAccount: deployment@oss-vdb.iam.gserviceaccount.com
+---
 
-# apiVersion: deploy.cloud.google.com/v1
-# kind: Target
-# metadata:
-#   name: production-website
-# description: oss-vdb website instance
-# run:
-#   location: projects/oss-vdb/locations/us-west2
-# executionConfigs:
-# - usages:
-#   - RENDER
-#   - DEPLOY
-#   serviceAccount: deployment@oss-vdb.iam.gserviceaccount.com
+apiVersion: deploy.cloud.google.com/v1
+kind: Target
+metadata:
+  name: production-website
+description: oss-vdb website instance
+run:
+  location: projects/oss-vdb/locations/us-west2
+executionConfigs:
+- usages:
+  - RENDER
+  - DEPLOY
+  serviceAccount: deployment@oss-vdb.iam.gserviceaccount.com
diff --git a/deployment/clouddeploy/osv-website/run-prod.yaml b/deployment/clouddeploy/osv-website/run-prod.yaml
@@ -0,0 +1,24 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: osv-website
+spec:
+  template:
+    metadata:
+      annotations:
+        autoscaling.knative.dev/minScale: '1'
+        run.googleapis.com/vpc-access-connector: projects/oss-vdb/locations/us-west2/connectors/connector
+    spec:
+      containers:
+      - image: osv-website
+        env:
+        - name: REDISHOST
+          value: '10.85.52.228'
+        - name: REDISPORT
+          value: '6379'
+        startupProbe:
+          httpGet:
+            path: /_ah/warmup  # TODO(michaelkedar): Better endpoint for these
+        livenessProbe:
+          httpGet:
+            path: /_ah/warmup
diff --git a/deployment/deploy-prod.yaml b/deployment/deploy-prod.yaml
@@ -24,6 +24,8 @@ steps:
   args: ['deploy', 'releases', 'promote', '--quiet', '--release=osv-$SHORT_SHA', '--region=us-central1', '--delivery-pipeline=osv-api', '--to-target=production-api-multi', '--annotations=tag=$TAG_NAME']
 - name: gcr.io/cloud-builders/gcloud
   args: ['deploy', 'releases', 'promote', '--quiet', '--release=osv-$SHORT_SHA', '--region=us-central1', '--delivery-pipeline=gke-indexer', '--to-target=production-indexer', '--annotations=tag=$TAG_NAME']
+- name: gcr.io/cloud-builders/gcloud
+  args: ['deploy', 'releases', 'promote', '--quiet', '--release=osv-$SHORT_SHA', '--region=us-central1', '--delivery-pipeline=osv-website', '--to-target=production-website', '--annotations=tag=$TAG_NAME']
 
 # Tag the deployed images with the git tag
 - name: gcr.io/cloud-builders/gcloud
@@ -50,6 +52,8 @@ steps:
   args: ['container', 'images', 'add-tag', '--quiet', 'gcr.io/oss-vdb/cpe-repo-gen:$COMMIT_SHA', 'gcr.io/oss-vdb/cpe-repo-gen:$TAG_NAME']
 - name: gcr.io/cloud-builders/gcloud
   args: ['container', 'images', 'add-tag', '--quiet', 'gcr.io/oss-vdb/osv-server:$COMMIT_SHA', 'gcr.io/oss-vdb/osv-server:$TAG_NAME']
+- name: gcr.io/cloud-builders/gcloud
+  args: ['container', 'images', 'add-tag', '--quiet', 'gcr.io/oss-vdb/osv-website:$COMMIT_SHA', 'gcr.io/oss-vdb/osv-website:$TAG_NAME']
 
 serviceAccount: 'projects/oss-vdb/serviceAccounts/deployment@oss-vdb.iam.gserviceaccount.com'
 options:
diff --git a/deployment/terraform/environments/oss-vdb-test/website.tf b/deployment/terraform/environments/oss-vdb-test/website.tf
diff --git a/deployment/terraform/modules/osv/website.tf b/deployment/terraform/modules/osv/website.tf
@@ -0,0 +1,35 @@
+resource "google_cloud_run_v2_service" "website" {
+  project  = var.project_id
+  name     = "osv-website"
+  location = "us-west2"
+
+  template {
+    containers {
+      image = "gcr.io/oss-vdb/osv-website:latest" # Placeholder image.
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      # To be managed by Cloud Deploy.
+      template,
+      traffic,
+      labels,
+      client
+    ]
+    prevent_destroy = true
+  }
+}
+
+# Allow unauthenticated access
+resource "google_cloud_run_service_iam_binding" "website" {
+  project  = var.project_id
+  location = google_cloud_run_v2_service.website.location
+  service  = google_cloud_run_v2_service.website.name
+  role     = "roles/run.invoker"
+  members = [
+    "allUsers"
+  ]
+}
+
+# TODO: Set up Google Cloud Load Balancing + Network Endpoint Group (NEG)
