diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 86425117..85fe9b36 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -61,8 +61,15 @@ jobs: needs: build environment: staging + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + env: KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} steps: - name: Checkout
@@ -88,14 +95,11 @@ jobs: - name: Tag build and push to ECR run: | + docker pull ${{ vars.ECR_URL }}:$SHA docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest docker push ${{ vars.ECR_URL }}:staging.latest - name: Authenticate to the cluster - env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | echo "${KUBE_CERT}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
@@ -106,7 +110,7 @@ jobs: - name: Rollout restart deployment run: | kubectl set image -n ${KUBE_NAMESPACE} \ - config/kubernetes/staging \ + deployment/disclosure-checker-staging \ webapp="${{ vars.ECR_URL }}:$SHA" - name: Send deploy notification to product Slack channel
@@ -144,8 +148,15 @@ jobs: needs: build environment: qa + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + env: KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} steps: - name: Checkout
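Review bot: Moving KUBE_CERT, KUBE_TOKEN and KUBE_CLUSTER from the step-level `env:` of the "Authenticate to the cluster" step up to the job-level `env:` puts the cluster token in the environment of every step in the job, including the Slack notification step and any third-party action the job runs, where before only the one step that writes the kubeconfig could read it. The later kubectl steps shown here use that kubeconfig and reference only KUBE_NAMESPACE, so unless a step outside these hunks reads the raw token, keep the three KUBE_* entries in the Authenticate step's own `env:` and leave only KUBE_NAMESPACE at job level. The same move appears in the @@ -88, @@ -144, @@ -171, @@ -228 and @@ -255 hunks. The new `id-token: write` grant is only justified if a step between this hunk and @@ -88 (the ECR login, not shown) exchanges the OIDC token; the cluster authentication shown still uses the static KUBE_TOKEN, so confirm such a consumer exists before granting it.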
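Review bot: The new target `deployment/disclosure-checker-staging` in the kubectl set image command is a literal that has to agree with `metadata.name` in config/kubernetes/staging/deployment.yml, which this commit renames to the same value, but nothing in either file records the coupling, so a later rename on one side fails only at deploy time with a not-found error from kubectl. Add a comment above the command, `# must match metadata.name in config/kubernetes/staging/deployment.yml`, so the next editor sees the dependency. The same applies to the qa and production targets in the @@ -189 and @@ -273 hunks.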
@@ -171,14 +182,11 @@ jobs: - name: Tag build and push to ECR run: | + docker pull ${{ vars.ECR_URL }}:$SHA docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:qa.latest docker push ${{ vars.ECR_URL }}:qa.latest - name: Authenticate to the cluster - env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | echo "${KUBE_CERT}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
@@ -189,7 +197,7 @@ jobs: - name: Rollout restart deployment run: | kubectl set image -n ${KUBE_NAMESPACE} \ - config/kubernetes/qa \ + deployment/disclosure-checker-qa \ webapp="${{ vars.ECR_URL }}:$SHA" - name: Send deploy notification to product Slack channel
@@ -228,8 +236,15 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} environment: production + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + env: - KUBE_NAMESPACE: ${{ secrets.KUBE_PROD_NAMESPACE }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} steps: - name: Checkout
@@ -255,14 +270,11 @@ jobs: - name: Tag build and push to ECR run: | + docker pull ${{ vars.ECR_URL }}:$SHA docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest docker push ${{ vars.ECR_URL }}:production.latest - name: Authenticate to the cluster - env: - KUBE_CERT: ${{ secrets.KUBE_PROD_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_PROD_TOKEN }} - KUBE_CLUSTER: ${{ secrets.KUBE_PROD_CLUSTER }} run: | echo "${KUBE_CERT}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
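Review bot: The production job now reads `secrets.KUBE_NAMESPACE`, `secrets.KUBE_CERT`, `secrets.KUBE_TOKEN` and `secrets.KUBE_CLUSTER` in place of the former `KUBE_PROD_*` names (the old step-level values are removed in @@ -255), so correctness depends on the `production` environment defining secrets under exactly those names. If any one of them is not set at environment level, the lookup falls through to the repository-level secret of the same name, which the staging and qa jobs also consume, and the production deploy would authenticate against whichever cluster that repository secret points at without any error. Record the expectation on the job-level `env:` with a comment such as `# KUBE_* are environment-scoped secrets; the production environment must define all four`, and verify in the environment's settings that the four production values are present before merging.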
@@ -273,7 +285,7 @@ jobs: - name: Rollout restart deployment run: | kubectl set image -n ${KUBE_NAMESPACE} \ - config/kubernetes/production \ + deployment/disclosure-checker-production \ webapp="${{ vars.ECR_URL }}:$SHA" - name: Send deploy notification to product Slack channel
diff --git a/config/kubernetes/production/deployment.yml b/config/kubernetes/production/deployment.yml
index 5be37916..37aaeae2 100644
--- a/config/kubernetes/production/deployment.yml
+++ b/config/kubernetes/production/deployment.yml
@@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: disclosure-checker-deployment-production + name: disclosure-checker-production namespace: disclosure-checker-production spec: - replicas: 2 + replicas: 3 revisionHistoryLimit: 5 strategy: type: RollingUpdate
diff --git a/config/kubernetes/qa/deployment.yml b/config/kubernetes/qa/deployment.yml
index 9b7bbda8..29dc6769 100644
--- a/config/kubernetes/qa/deployment.yml
+++ b/config/kubernetes/qa/deployment.yml
@@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: disclosure-checker-deployment-qa + name: disclosure-checker-qa namespace: disclosure-checker-qa spec: - replicas: 2 + replicas: 1 revisionHistoryLimit: 5 strategy: type: RollingUpdate
@@ -35,7 +35,7 @@ spec: memory: 1Gi readinessProbe: httpGet: - path: /ping.json + path: /health port: 3000 httpHeaders: - name: X-Forwarded-Proto
@@ -46,7 +46,7 @@ spec: periodSeconds: 10 livenessProbe: httpGet: - path: /ping.json + path: /health port: 3000 httpHeaders: - name: X-Forwarded-Proto
diff --git a/config/kubernetes/staging/deployment.yml b/config/kubernetes/staging/deployment.yml
index f0327b37..d671398c 100644
--- a/config/kubernetes/staging/deployment.yml
+++ b/config/kubernetes/staging/deployment.yml
@@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: disclosure-checker-deployment-staging + name: disclosure-checker-staging namespace: disclosure-checker-staging spec: - replicas: 2 + replicas: 1 revisionHistoryLimit: 5 strategy: type: RollingUpdate