From 460326776844849e98eed2858dcbc0f7924db340 Mon Sep 17 00:00:00 2001 From: AngeloCaporaso Date: Mon, 20 May 2024 14:49:41 +0200 Subject: [PATCH 1/2] [PAGOPA-1678] feat: Add helm config --- helm/.helmignore | 23 +++++++++ helm/Chart.yaml | 10 ++++ helm/values-dev.yaml | 109 ++++++++++++++++++++++++++++++++++++++++++ helm/values-prod.yaml | 109 ++++++++++++++++++++++++++++++++++++++++++ helm/values-uat.yaml | 109 ++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 360 insertions(+) create mode 100644 helm/.helmignore create mode 100644 helm/Chart.yaml create mode 100644 helm/values-dev.yaml create mode 100644 helm/values-prod.yaml create mode 100644 helm/values-uat.yaml diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..5f999e6 --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: pagopa-shared-platform-authorizer +description: Microservice handling authorization caching for the Authorizer system +type: application +version: 0.88.0 +appVersion: 0.2.3 +dependencies: + - name: microservice-chart + version: 2.4.0 + repository: "https://pagopa.github.io/aks-microservice-chart-blueprint" diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml new file mode 100644 index 0000000..3ee2353 --- /dev/null +++ b/helm/values-dev.yaml 
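Review bot: `appVersion: 0.2.3` in Chart.yaml is left unquoted; it parses as a string only because it has two dots, and Helm's Chart.yaml guidance is to quote `appVersion` so a later single-dot value such as `1.0` is not retyped as a float — `appVersion: "0.2.3"`. The `microservice-chart` dependency is pinned to `2.4.0` but no `Chart.lock` is part of this commit, so the resolved dependency digest is not recorded; unless the lock file is generated in CI, committing it would make `helm dependency build` reproducible. The same `0.2.3` value is repeated as `image.tag` in each of the three values files, so the two will drift unless one is derived from the other at release time.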
@@ -0,0 +1,109 @@ +microservice-chart: + namespace: "shared" + nameOverride: "" + fullnameOverride: "" + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + pullPolicy: Always + # https://github.com/Azure/azure-functions-host/blob/dev/src/WebJobs.Script.WebHost/Controllers/HostController.cs + livenessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + deployment: + create: true + serviceMonitor: + create: true + endpoints: + - interval: 10s #jmx-exporter + targetPort: 12345 + path: /metrics + ports: + - 80 #http + - 12345 #jmx-exporter + service: + type: ClusterIP + ports: + - 80 #http + - 12345 #jmx-exporter + ingress: + create: true + host: "weudev.shared.internal.dev.platform.pagopa.it" + path: /pagopa-shared-authorizer/(.*) + servicePort: 80 + serviceAccount: + create: false + annotations: {} + name: "" + podAnnotations: {} + podSecurityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "256Mi" + cpu: "0.25" + limits: + memory: "512Mi" + cpu: "0.5" + autoscaling: + enable: true + minReplica: 1 + maxReplica: 1 + pollingInterval: 10 # seconds + cooldownPeriod: 50 # seconds + triggers: + - type: cpu + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + - type: memory + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + fileConfig: {} + envConfig: + WEBSITE_SITE_NAME: "pagopa-d-shared-authorizer" # required to show cloud role name in application insights + FUNCTIONS_WORKER_RUNTIME: "java" + envFieldRef: + APP_NAME: "metadata.labels['app.kubernetes.io/instance']" + APP_VERSION: "metadata.labels['app.kubernetes.io/version']" + envSecret: + 
APPLICATIONINSIGHTS_CONNECTION_STRING: 'ai-d-connection-string' + keyvault: + name: "pagopa-d-shared-kv" + tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d" + nodeSelector: {} + tolerations: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node_type + operator: In + values: + - "user" + canaryDelivery: + create: false + deployment: + create: false + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + create: false diff --git a/helm/values-prod.yaml b/helm/values-prod.yaml new file mode 100644 index 0000000..d8cd816 --- /dev/null +++ b/helm/values-prod.yaml 
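Review bot: The container `securityContext` in values-dev.yaml sets only `allowPrivilegeEscalation: false`; the block is identical in values-uat.yaml and values-prod.yaml, so this applies to all three. The Pod Security Standards "restricted" profile additionally expects `runAsNonRoot: true` and `capabilities: { drop: ["ALL"] }` (plus `readOnlyRootFilesystem: true` where the image tolerates it) — whether the Azure Functions Java image runs as a non-root user is not visible here, so verify that before adding `runAsNonRoot`. `image.tag: "0.2.3"` with `pullPolicy: Always` re-resolves a mutable tag on every pod start; if the chart's image template supports it, pinning by digest (`repository@sha256:<digest-placeholder>`) makes the deployed image immutable. The trailing `create: false` after `canaryDelivery.deployment.image.tag` is, depending on its indentation, either a duplicate of `deployment.create` (which most YAML parsers resolve last-wins without an error) or a stray key under `image`; one of the two should be dropped. With `autoscaling.enable: true` but `minReplica: 1` and `maxReplica: 1`, the CPU and memory triggers can never scale anything, so either raise `maxReplica` or set `enable: false` to make the intent explicit.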
@@ -0,0 +1,109 @@ +microservice-chart: + namespace: "shared" + nameOverride: "" + fullnameOverride: "" + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + pullPolicy: Always + # https://github.com/Azure/azure-functions-host/blob/dev/src/WebJobs.Script.WebHost/Controllers/HostController.cs + livenessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + deployment: + create: true + serviceMonitor: + create: true + endpoints: + - interval: 10s #jmx-exporter + targetPort: 12345 + path: /metrics + ports: + - 80 #http + - 12345 #jmx-exporter + service: + type: ClusterIP + ports: + - 80 #http + - 12345 #jmx-exporter + ingress: + create: true + host: "weuprod.shared.internal.platform.pagopa.it" + path: /pagopa-shared-authorizer/(.*) + servicePort: 80 + serviceAccount: + create: false + annotations: {} + name: "" + podAnnotations: {} + podSecurityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "512Mi" + cpu: "0.25" + limits: + memory: "756Mi" + cpu: "0.5" + autoscaling: + enable: true + minReplica: 1 + maxReplica: 1 + pollingInterval: 10 # seconds + cooldownPeriod: 50 # seconds + triggers: + - type: cpu + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + - type: memory + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + fileConfig: {} + envConfig: + WEBSITE_SITE_NAME: "pagopa-p-shared-authorizer" # required to show cloud role name in application insights # TODO + FUNCTIONS_WORKER_RUNTIME: "java" + envFieldRef: + APP_NAME: "metadata.labels['app.kubernetes.io/instance']" + APP_VERSION: "metadata.labels['app.kubernetes.io/version']" + envSecret: + 
APPLICATIONINSIGHTS_CONNECTION_STRING: 'ai-p-connection-string' + keyvault: + name: "pagopa-p-shared-kv" + tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d" + nodeSelector: {} + tolerations: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node_type + operator: In + values: + - "user" + canaryDelivery: + create: false + deployment: + create: false + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + create: false diff --git a/helm/values-uat.yaml b/helm/values-uat.yaml new file mode 100644 index 0000000..6425bf1 --- /dev/null +++ b/helm/values-uat.yaml 
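Review bot: `limits.memory: "756Mi"` in values-prod.yaml is an unusual figure; `768Mi` (1.5x the `512Mi` request) looks like the intended value, and if 756 is deliberate a short comment saying why would stop it being "corrected" later. The `WEBSITE_SITE_NAME` line still ends in a bare `# TODO` with no text, which either marks unfinished work or should be removed before this file drives production. Production also runs with `minReplica: 1` and `maxReplica: 1`, so any pod restart or node drain leaves no serving replica of the authorizer; if a single replica is acceptable for this service, a comment stating that would help the next reader, otherwise `minReplica: 2` is the usual floor.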
@@ -0,0 +1,109 @@ +microservice-chart: + namespace: "shared" + nameOverride: "" + fullnameOverride: "" + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + pullPolicy: Always + # https://github.com/Azure/azure-functions-host/blob/dev/src/WebJobs.Script.WebHost/Controllers/HostController.cs + livenessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /info + port: 80 + initialDelaySeconds: 60 + failureThreshold: 6 + periodSeconds: 10 + deployment: + create: true + serviceMonitor: + create: true + endpoints: + - interval: 10s #jmx-exporter + targetPort: 12345 + path: /metrics + ports: + - 80 #http + - 12345 #jmx-exporter + service: + type: ClusterIP + ports: + - 80 #http + - 12345 #jmx-exporter + ingress: + create: true + host: "weuuat.shared.internal.uat.platform.pagopa.it" + path: /pagopa-shared-authorizer/(.*) + servicePort: 80 + serviceAccount: + create: false + annotations: {} + name: "" + podAnnotations: {} + podSecurityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "256Mi" + cpu: "0.25" + limits: + memory: "512Mi" + cpu: "0.5" + autoscaling: + enable: true + minReplica: 1 + maxReplica: 1 + pollingInterval: 10 # seconds + cooldownPeriod: 50 # seconds + triggers: + - type: cpu + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + - type: memory + metadata: + # Required + type: Utilization # Allowed types are 'Utilization' or 'AverageValue' + value: "75" + fileConfig: {} + envConfig: + WEBSITE_SITE_NAME: "pagopa-u-shared-authorizer" # required to show cloud role name in application insights + FUNCTIONS_WORKER_RUNTIME: "java" + envFieldRef: + APP_NAME: "metadata.labels['app.kubernetes.io/instance']" + APP_VERSION: "metadata.labels['app.kubernetes.io/version']" + envSecret: + 
APPLICATIONINSIGHTS_CONNECTION_STRING: 'ai-u-connection-string' + keyvault: + name: "pagopa-u-shared-kv" + tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d" + nodeSelector: {} + tolerations: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node_type + operator: In + values: + - "user" + canaryDelivery: + create: false + deployment: + create: false + image: + repository: ghcr.io/pagopa/pagopa-platform-authorizer + tag: "0.2.3" + create: false From de06755d834c7c1b3a7ba5c9a0bca99456025f6d Mon Sep 17 00:00:00 2001 From: AngeloCaporaso Date: Mon, 20 May 2024 15:14:56 +0200 Subject: [PATCH 2/2] [PAGOPA-1678] feat: Add helm config --- .../workflows/deploy_with_github_runner.yml | 83 ++++++++++ .github/workflows/release_deploy_aks.yml | 149 ++++++++++++++++++ CODEOWNERS | 2 +- 3 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/deploy_with_github_runner.yml create mode 100644 .github/workflows/release_deploy_aks.yml diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml new file mode 100644 index 0000000..c388c7b --- /dev/null +++ b/.github/workflows/deploy_with_github_runner.yml 
@@ -0,0 +1,83 @@ +name: Deploy on AKS + +on: + workflow_call: + inputs: + environment: + required: true + description: The name of the environment where to deploy + type: string + target: + required: true + description: The environment target of the job + type: string + +env: + APP_NAME: shared-authorizer-functions + + +permissions: + id-token: write + contents: read + +jobs: + create_runner: + name: Create Runner + runs-on: ubuntu-22.04 + environment: + name: ${{ inputs.environment }} + if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }} + outputs: + runner_name: ${{ steps.create_github_runner.outputs.runner_name }} + steps: + - name: Create GitHub Runner + id: create_github_runner + # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action + uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main + with: + client_id: ${{ secrets.CLIENT_ID }} + tenant_id: ${{ secrets.TENANT_ID }} + subscription_id: ${{ secrets.SUBSCRIPTION_ID }} + container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }} + resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner + pat_token: ${{ secrets.BOT_TOKEN_GITHUB }} + + deploy: + needs: [ create_runner ] + runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ] + if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }} + name: Deploy on AKS + environment: ${{ inputs.environment }} + steps: + - name: Deploy + uses: pagopa/github-actions-template/aks-deploy@main + with: + branch: ${{ github.ref_name }} + client_id: ${{ secrets.CLIENT_ID }} + subscription_id: ${{ secrets.SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.TENANT_ID }} + env: ${{ inputs.environment }} + namespace: ${{ vars.NAMESPACE }} + cluster_name: ${{ vars.CLUSTER_NAME }} + resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }} + app_name: ${{ env.APP_NAME }} + 
helm_upgrade_options: "--debug" + + cleanup_runner: + name: Cleanup Runner + needs: [ create_runner, deploy ] + if: ${{ success() || failure() && inputs.target == inputs.environment || inputs.target == 'all' }} + runs-on: ubuntu-22.04 + environment: ${{ inputs.environment }} + steps: + - name: Cleanup GitHub Runner + id: cleanup_github_runner + # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action + uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a + with: + client_id: ${{ secrets.CLIENT_ID }} + tenant_id: ${{ secrets.TENANT_ID }} + subscription_id: ${{ secrets.SUBSCRIPTION_ID }} + resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} + runner_name: ${{ needs.create_runner.outputs.runner_name }} + pat_token: ${{ secrets.BOT_TOKEN_GITHUB }} diff --git a/.github/workflows/release_deploy_aks.yml b/.github/workflows/release_deploy_aks.yml new file mode 100644 index 0000000..076f4b5 --- /dev/null +++ b/.github/workflows/release_deploy_aks.yml 
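Review bot: The `if` on `cleanup_runner` is mis-grouped: in workflow expressions `&&` binds tighter than `||`, so `success() || failure() && inputs.target == inputs.environment || inputs.target == 'all'` evaluates as `success() || (failure() && target == environment) || target == 'all'`, not the "always clean up, but only for the targeted environment" reading the other two jobs use; write it as `if: ${{ (success() || failure()) && (inputs.target == inputs.environment || inputs.target == 'all') }}`. Action pinning is inconsistent within the file: the create action and `pagopa/github-actions-template/aks-deploy` are referenced `@main` while the cleanup action is pinned to a commit SHA, yet all three receive `secrets.CLIENT_ID`, `secrets.TENANT_ID`, `secrets.SUBSCRIPTION_ID` and the `BOT_TOKEN_GITHUB` PAT, so any change landing on `main` of either template repository runs with those credentials — pin each to a full commit SHA with the version in a trailing comment. `helm_upgrade_options: "--debug"` makes Helm print every rendered manifest into the job log; that is handy while bringing the chart up, but if any template renders secret material it is persisted in the run logs, so drop it once the deploy is stable.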
@@ -0,0 +1,149 @@ +#file: noinspection YAMLSchemaValidation +name: Release And Deploy Azure Kubernetes + +# Controls when the workflow will run +on: + pull_request: + types: [ closed ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + inputs: + environment: + required: true + type: choice + description: Select the Environment + options: + - dev + - uat + - prod + - all + beta: + required: false + type: boolean + description: deploy beta version on AKS + default: false + skip_release: + required: false + type: boolean + description: skip the release. Only deploy + default: false + + +permissions: + packages: write + contents: write + issues: write + id-token: write + actions: read + + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + setup: + name: Setup + runs-on: ubuntu-latest + outputs: + semver: ${{ steps.get_semver.outputs.semver }} + environment: ${{ steps.get_env.outputs.environment }} + steps: + - name: pull request rejected + if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged != true + run: | + echo "❌ PR was closed without a merge" + exit 1 + + # Set Semvar + - run: echo "SEMVER=patch" >> $GITHUB_ENV + + - if: ${{ (github.event.pull_request.merged && contains(github.event.pull_request.labels.*.name, 'breaking-change')) }} + run: echo "SEMVER=major" >> $GITHUB_ENV + + - if: ${{ inputs.environment == 'uat' }} + run: echo "SEMVER=minor" >> $GITHUB_ENV + + - if: ${{ inputs.environment == 'prod' }} + run: echo "SEMVER=skip" >> $GITHUB_ENV + + - if: ${{ github.ref_name != 'main' }} + run: echo "SEMVER=buildNumber" >> $GITHUB_ENV + + - if: ${{ inputs.skip_release }} + run: echo "SEMVER=skip" >> $GITHUB_ENV + + - id: get_semver + name: Set Output + run: echo "semver=${{env.SEMVER}}" >> $GITHUB_OUTPUT + + # Set Environment + - run: echo "ENVIRNOMENT=${{ inputs.environment}}" >> $GITHUB_ENV + + - if: ${{ 
inputs.environment == null }} + run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV + + - id: get_env + name: Set Output + run: echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT + + + release: + name: Create a New Release + runs-on: ubuntu-latest + needs: [setup] + outputs: + version: ${{ steps.release.outputs.version }} + steps: + - name: Make Release + id: release + uses: pagopa/github-actions-template/maven-release@v1.5.4 + with: + semver: ${{ needs.setup.outputs.semver }} + github_token: ${{ secrets.BOT_TOKEN_GITHUB }} + beta: ${{ inputs.beta }} + skip_ci: false + + image: + needs: [ setup, release ] + name: Build and Push Docker Image + runs-on: ubuntu-latest + if: ${{ inputs.semver != 'skip' }} + steps: + - name: Build and Push + id: semver + uses: pagopa/github-actions-template/ghcr-build-push@v1.5.4 + with: + branch: ${{ github.ref_name}} + github_token: ${{ secrets.GITHUB_TOKEN }} + tag: ${{ needs.release.outputs.version }} + + deploy_aks: + name: Deploy on AKS + needs: [ setup, release, image ] + if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} + strategy: + matrix: + environment: [ dev, uat, prod ] + uses: ./.github/workflows/deploy_with_github_runner.yml + with: + environment: ${{ matrix.environment }} + target: ${{ needs.setup.outputs.environment }} + secrets: inherit + + notify: + needs: [ setup, release, deploy_aks ] + runs-on: ubuntu-latest + name: Notify + if: always() + steps: + - name: Report Status + if: ${{ needs.setup.outputs.environment == 'prod' || needs.setup.outputs.environment == 'all' }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ needs.deploy_aks.result }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: 'New Release on Production ${{ needs.release.outputs.version }} has {status_message}' + message_format: '{emoji} <{run_url}|{workflow}> {status_message} in <{repo_url}|{repo}>' + footer: 'Linked to <{workflow_url}| workflow file>' + icon_success: 
':white_check_mark:' + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/CODEOWNERS b/CODEOWNERS index e514c2f..5b48eb8 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ # see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file -* @pagopa/pagopa-tech +* @pagopa/pagopa-team-core
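Review bot: The `image` job's condition `if: ${{ inputs.semver != 'skip' }}` tests a workflow input that does not exist (`workflow_dispatch` declares only `environment`, `beta` and `skip_release`), so `inputs.semver` is always empty, the comparison is always true, and the image is built and pushed even when `setup` resolved `SEMVER=skip` (prod runs and `skip_release`). The computed value is the job output, so this should read `if: ${{ needs.setup.outputs.semver != 'skip' }}`. `permissions` is declared at workflow level with `contents: write`, `packages: write` and `issues: write`, so `setup`, `deploy_aks` and `notify` inherit write scopes they do not appear to use; moving the block to job level (write scopes on `release` and `image` only, `contents: read` elsewhere) keeps the `GITHUB_TOKEN` handed to `ravsamhq/notify-slack-action@v2` read-only. That third-party action is referenced by a mutable major tag and also receives `SLACK_WEBHOOK_URL`; pin it to a commit SHA. The `ENVIRNOMENT` variable is misspelled consistently so it works, but renaming it to `ENVIRONMENT` in the three lines that use it avoids a confusing grep later.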