Move deployment config to repo and add QA environment (#744)

Author: vertism

.env.example

@@ -1,10 +1,2 @@
 DATABASE_URL=postgresql://postgres@db/disclosure-checker
 SESSION_EXPIRES_IN_MINUTES=60
-
-# Uncomment this line to enable http credentials site-wise.
-# HTTP_AUTH_ENABLED=1
-
-# Following are the credentials, also used in the back office.
-# Even if the `HTTP_AUTH_ENABLED` is disabled, the back office still will use them.
-HTTP_AUTH_USER=test
-HTTP_AUTH_PASSWORD=test

.github/workflows/deploy.yml

@@ -55,15 +55,13 @@ jobs:
 
       - name: Push to ECR
         run: |
-          docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest
-          docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest
+          docker tag ${{ vars.ECR_URL }}:$SHA
           docker push ${{ vars.ECR_URL }}:$SHA
-          docker push ${{ vars.ECR_URL }}:staging.latest
-          docker push ${{ vars.ECR_URL }}:production.latest
 
   deploy-staging:
     runs-on: ubuntu-latest
     needs: build
+    environment: staging
 
     env:
       KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
@@ -80,6 +78,11 @@ jobs:
           build_tag=$PREFIX-$branch-$short_sha
           echo "build_tag=$build_tag" >> $GITHUB_OUTPUT
 
+      - name: Tag build and push to ECR
+        run: |
+          docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest
+          docker push ${{ vars.ECR_URL }}:staging.latest
+
       - name: Authenticate to the cluster
         env:
           KUBE_CERT: ${{ secrets.KUBE_CERT }}
@@ -95,7 +98,7 @@ jobs:
       - name: Rollout restart deployment
         run: |
           kubectl set image -n ${KUBE_NAMESPACE} \
-          deployment/disclosure-checker-deployment-staging \
+          config/kubernetes/staging \
           webapp="${{ vars.ECR_URL }}:$SHA"
 
       - name: Send deploy notification to product Slack channel
@@ -128,6 +131,79 @@ jobs:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
 
+  deploy-qa:
+    runs-on: ubuntu-latest
+    needs: build
+    environment: qa
+
+    env:
+      KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Store build tag
+        id: vars
+        run: |
+          branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          short_sha=$(git rev-parse --short $SHA)
+          build_tag=$PREFIX-$branch-$short_sha
+          echo "build_tag=$build_tag" >> $GITHUB_OUTPUT
+
+      - name: Tag build and push to ECR
+        run: |
+          docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:qa.latest
+          docker push ${{ vars.ECR_URL }}:qa.latest
+
+      - name: Authenticate to the cluster
+        env:
+          KUBE_CERT: ${{ secrets.KUBE_CERT }}
+          KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+        run: |
+          echo "${KUBE_CERT}" > ca.crt
+          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
+          kubectl config set-credentials deploy-user --token=${KUBE_TOKEN}
+          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
+          kubectl config use-context ${KUBE_CLUSTER}
+
+      - name: Rollout restart deployment
+        run: |
+          kubectl set image -n ${KUBE_NAMESPACE} \
+          config/kubernetes/qa \
+          webapp="${{ vars.ECR_URL }}:$SHA"
+
+      - name: Send deploy notification to product Slack channel
+        uses: slackapi/slack-github-action@v1.25.0
+        with:
+          payload: |
+            {
+              "attachments": [
+                {
+                  "color": "#1d990c",
+                  "text": "${{ github.actor }} deployed *${{ steps.vars.outputs.build_tag }}* to *QA*",
+                  "fields": [
+                    {
+                      "title": "Project",
+                      "value": "Disclosure Checker",
+                      "short": true
+                    }
+                  ],
+                  "actions": [
+                    {
+                      "text": "Visit Job",
+                      "type": "button",
+                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
   deploy-production:
     runs-on: ubuntu-latest
     needs: deploy-staging
@@ -149,6 +225,11 @@ jobs:
           build_tag=$PREFIX-$branch-$short_sha
           echo "build_tag=$build_tag" >> $GITHUB_OUTPUT
 
+      - name: Tag build and push to ECR
+        run: |
+          docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest
+          docker push ${{ vars.ECR_URL }}:production.latest
+
       - name: Authenticate to the cluster
         env:
           KUBE_CERT: ${{ secrets.KUBE_PROD_CERT }}
@@ -164,7 +245,7 @@ jobs:
       - name: Rollout restart deployment
         run: |
           kubectl set image -n ${KUBE_NAMESPACE} \
-          deployment/disclosure-checker-deployment-production \
+          config/kubernetes/production \
           webapp="${{ vars.ECR_URL }}:$SHA"
 
       - name: Send deploy notification to product Slack channel

config/kubernetes/production/config_map.yml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: disclosure-checker-configmap-production
+  namespace: disclosure-checker-production
+data:
+  EXTERNAL_URL: https://check-when-to-disclose-caution-conviction.service.gov.uk
+  RACK_ENV: production
+  RAILS_ENV: production
+  RAILS_MAX_THREADS: "3"
+  RAILS_SERVE_STATIC_FILES: enabled

config/kubernetes/production/cronjob.yml

@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: disclosure-checker-cronjob-production
+  namespace: disclosure-checker-production
+spec:
+  schedule: "0 3 * * *"
+  concurrencyPolicy: Forbid
+  startingDeadlineSeconds: 300
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 86400 # 24 hours
+      backoffLimit: 3
+      template:
+        metadata:
+          labels:
+            tier: worker
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: cronjob-daily-tasks
+            image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/family-justice/disclosure-checker:production.latest
+            imagePullPolicy: Always
+            command: ['bin/rails', 'daily_tasks']
+            # non-secret env vars defined in `config_map.yaml`
+            envFrom:
+              - configMapRef:
+                  name: disclosure-checker-configmap-production
+            env:
+              # external secrets defined in `secrets.yml`
+              - name: SECRET_KEY_BASE
+                valueFrom:
+                  secretKeyRef:
+                    name: disclosure-checker-secrets-production
+                    key: secret_key_base
+              - name: SENTRY_DSN
+                valueFrom:
+                  secretKeyRef:
+                    name: disclosure-checker-secrets-production
+                    key: sentry_dsn
+              #
+              # secrets created by `terraform`
+              #
+              - name: DATABASE_URL
+                valueFrom:
+                  secretKeyRef:
+                    name: rds-instance-disclosure-checker-production
+                    key: url

config/kubernetes/production/deployment.yml

@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: disclosure-checker-deployment-production
+  namespace: disclosure-checker-production
+spec:
+  replicas: 2
+  revisionHistoryLimit: 5
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 100%
+  selector:
+    matchLabels:
+      app: disclosure-checker-web-production
+  template:
+    metadata:
+      labels:
+        app: disclosure-checker-web-production
+        tier: frontend
+    spec:
+      containers:
+      - name: webapp
+        image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/family-justice/disclosure-checker:production.latest
+        imagePullPolicy: Always
+        ports:
+          - containerPort: 3000
+        resources:
+          requests:
+            cpu: 125m
+            memory: 500Mi
+          limits:
+            cpu: 250m
+            memory: 1Gi
+        readinessProbe:
+          httpGet:
+            path: /ping.json
+            port: 3000
+            httpHeaders:
+              - name: X-Forwarded-Proto
+                value: https
+              - name: X-Forwarded-Ssl
+                value: "on"
+          initialDelaySeconds: 15
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /ping.json
+            port: 3000
+            httpHeaders:
+              - name: X-Forwarded-Proto
+                value: https
+              - name: X-Forwarded-Ssl
+                value: "on"
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        # non-secret env vars defined in `config_map.yaml`
+        envFrom:
+          - configMapRef:
+              name: disclosure-checker-configmap-production
+        env:
+          # external secrets defined in `secrets.yml`
+          - name: SECRET_KEY_BASE
+            valueFrom:
+              secretKeyRef:
+                name: disclosure-checker-secrets-production
+                key: secret_key_base
+          - name: SENTRY_DSN
+            valueFrom:
+              secretKeyRef:
+                name: disclosure-checker-secrets-production
+                key: sentry_dsn
+          #
+          # secrets created by `terraform`
+          #
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: rds-instance-disclosure-checker-production
+                key: url

config/kubernetes/production/ingress.yml

@@ -0,0 +1,60 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: disclosure-checker-ingress-production
+  namespace: disclosure-checker-production
+  annotations:
+    external-dns.alpha.kubernetes.io/set-identifier: disclosure-checker-ingress-production-disclosure-checker-production-green
+    external-dns.alpha.kubernetes.io/aws-weight: "100"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location ~* \.(php|cgi|xml)$ {
+        deny all; access_log off;
+      }
+      if ($host ~* .justice.gov.uk$) {
+        return 301 https://check-when-to-disclose-caution-conviction.service.gov.uk$request_uri;
+      }
+      location = /.well-known/security.txt {
+        return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
+      }
+spec:
+  ingressClassName: default
+  tls:
+  - hosts:
+    - disclosure-checker-production.apps.live.cloud-platform.service.justice.gov.uk
+  - hosts:
+    - check-when-to-disclose-caution-conviction.service.justice.gov.uk
+    secretName: disclosure-checker-tls-certificate
+  - hosts:
+    - check-when-to-disclose-caution-conviction.service.gov.uk
+    secretName: disclosure-checker-tls-certificate-gds
+  rules:
+  - host: disclosure-checker-production.apps.live.cloud-platform.service.justice.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: disclosure-checker-service-production
+            port:
+              number: 80
+  - host: check-when-to-disclose-caution-conviction.service.justice.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: disclosure-checker-service-production
+            port:
+              number: 80
+  - host: check-when-to-disclose-caution-conviction.service.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: disclosure-checker-service-production
+            port:
+              number: 80

config/kubernetes/production/service.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: disclosure-checker-service-production
+  namespace: disclosure-checker-production
+  labels:
+    app: disclosure-checker-web-production
+spec:
+  ports:
+  - port: 80
+    name: http
+    targetPort: 3000
+  selector:
+    app: disclosure-checker-web-production

config/kubernetes/qa/config_map.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: disclosure-checker-configmap-qa
+  namespace: disclosure-checker-qa
+data:
+  DEV_TOOLS_ENABLED: "1"
+  EXTERNAL_URL: https://disclosure-checker-qa.apps.live.cloud-platform.service.justice.gov.uk
+  RACK_ENV: production
+  RAILS_ENV: production
+  RAILS_MAX_THREADS: "3"
+  RAILS_SERVE_STATIC_FILES: enabled