From 6c76faf6d02eed8cb62118f3238d72e9fafb8aa8 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Tue, 23 Apr 2024 16:36:33 +0100
Subject: [PATCH 1/6] Add permissions for each deploy step

---
 .github/workflows/deploy.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 86425117..88e48f64 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -61,6 +61,10 @@ jobs:
 needs: build
 environment: staging
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 env:
 KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
@@ -144,6 +148,10 @@ jobs:
 needs: build
 environment: qa
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 env:
 KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
@@ -228,6 +236,10 @@ jobs:
 if: ${{ github.ref == 'refs/heads/main' }}
 environment: production
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 env:
 KUBE_NAMESPACE: ${{ secrets.KUBE_PROD_NAMESPACE }}

From d41cfc8bc021c73a1a28ebf7c82787b3b343adb7 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Tue, 23 Apr 2024 17:09:38 +0100
Subject: [PATCH 2/6] Pull image first

---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 88e48f64..6614baa1 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -92,6 +92,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest
 docker push ${{ vars.ECR_URL }}:staging.latest
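Review bot: The `id-token: write` grant added to the staging job (and identically in the qa and production hunks at -144 and -228) lets the job mint OIDC tokens, so the cloud role that trusts those tokens should pin the `sub` claim to this repository and environment (`repo:ORG/REPO:environment:staging`, since the job sets `environment:`) rather than to the repository alone; that trust policy is not visible here and is worth confirming. Declaring a job-level `permissions:` block also drops every other default GITHUB_TOKEN scope for the job, which is the right direction. The inline comments would be more useful if they named the consumer, e.g. `id-token: write # lets the job request an OIDC JWT to assume the cloud deploy role`.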
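Review bot: The new `docker pull ${{ vars.ECR_URL }}:$SHA` line (the same line is added in the qa and production hunks at -179 and -267, removed again in patch 4/6 and re-added in patch 5/6) interpolates a workflow expression directly into the shell script; even for an admin-controlled variable, the safer and more consistent form is the one the script already uses for `$SHA`, i.e. expose it via `env:` as `ECR_URL: ${{ vars.ECR_URL }}` and write `docker pull "$ECR_URL:$SHA"`. Pulling the whole image onto the runner only to re-tag it also costs time and bandwidth; if the registry supports it, `docker buildx imagetools create -t "$ECR_URL:staging.latest" "$ECR_URL:$SHA"` moves the tag server-side without a pull. `$SHA` is set outside the hunk, presumably at job or step level; it should match the tag the build job pushed. The add/remove/re-add across patches 2, 4 and 5 would read better squashed into one change.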
@@ -179,6 +180,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:qa.latest
 docker push ${{ vars.ECR_URL }}:qa.latest
@@ -267,6 +269,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest
 docker push ${{ vars.ECR_URL }}:production.latest

From 62bef53292c9f5563d3be39d50b67cf7bd9e3549 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Wed, 24 Apr 2024 10:46:46 +0100
Subject: [PATCH 3/6] Change name

---
 config/kubernetes/production/deployment.yml | 2 +-
 config/kubernetes/qa/deployment.yml | 8 ++++----
 config/kubernetes/staging/deployment.yml | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/kubernetes/production/deployment.yml b/config/kubernetes/production/deployment.yml
index 5be37916..ae66d17c 100644
--- a/config/kubernetes/production/deployment.yml
+++ b/config/kubernetes/production/deployment.yml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: disclosure-checker-deployment-production
+ name: disclosure-checker-production
 namespace: disclosure-checker-production
 spec:
 replicas: 2
diff --git a/config/kubernetes/qa/deployment.yml b/config/kubernetes/qa/deployment.yml
index 9b7bbda8..29dc6769 100644
--- a/config/kubernetes/qa/deployment.yml
+++ b/config/kubernetes/qa/deployment.yml
@@ -1,10 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: disclosure-checker-deployment-qa
+ name: disclosure-checker-qa
 namespace: disclosure-checker-qa
 spec:
- replicas: 2
+ replicas: 1
 revisionHistoryLimit: 5
 strategy:
 type: RollingUpdate
@@ -35,7 +35,7 @@ spec:
 memory: 1Gi
 readinessProbe:
 httpGet:
- path: /ping.json
+ path: /health
 port: 3000
 httpHeaders:
 - name: X-Forwarded-Proto
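Review bot: Renaming `metadata.name` from `disclosure-checker-deployment-production` to `disclosure-checker-production` (and likewise for qa and staging in the following hunks of this commit) makes Kubernetes create a new Deployment rather than update the existing one, so the old Deployment and its pods keep running until someone deletes them, and if the selector labels are unchanged (they are outside the hunk) a Service selecting them will route to both. The rename itself is reasonable, since `kubectl set image deployment/<name>` in patch 4/6 depends on it, but the migration step of deleting the old object in each namespace should be recorded, for example with `# renamed from disclosure-checker-deployment-production; delete the old Deployment after the first rollout` above `name:`.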
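Review bot: `replicas: 1` for qa, combined with the `RollingUpdate` strategy whose `maxUnavailable`/`maxSurge` settings continue outside the hunk, can leave zero ready pods during a rollout unless `maxUnavailable: 0` is set; the same applies to staging in patch 6/6. The replica change and the probe-path changes in the next hunks are also unrelated to the "Change name" subject and would be easier to review and to revert as separate commits.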
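Review bot: The readiness probe path changes from `/ping.json` to `/health` only in the qa manifest (the liveness probe follows in the next hunk), while the staging and production manifests touched by this commit keep their probes unchanged, so the three environments now probe different endpoints. If the application dropped `/ping.json` in favour of `/health`, staging and production pods will fail their probes on the next rollout; if both endpoints exist, the divergence is still worth removing so that qa exercises the same probe configuration as production.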
@@ -46,7 +46,7 @@ spec:
 periodSeconds: 10
 livenessProbe:
 httpGet:
- path: /ping.json
+ path: /health
 port: 3000
 httpHeaders:
 - name: X-Forwarded-Proto
diff --git a/config/kubernetes/staging/deployment.yml b/config/kubernetes/staging/deployment.yml
index f0327b37..d8a65a8c 100644
--- a/config/kubernetes/staging/deployment.yml
+++ b/config/kubernetes/staging/deployment.yml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: disclosure-checker-deployment-staging
+ name: disclosure-checker-staging
 namespace: disclosure-checker-staging
 spec:
 replicas: 2

From 115998732061ab03b4f092f2212a13a6e9a48ab1 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Wed, 24 Apr 2024 10:48:05 +0100
Subject: [PATCH 4/6] Change secrets used

---
 .github/workflows/deploy.yml | 32 +++++++++++++------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 6614baa1..9de598d2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -67,6 +67,9 @@ jobs:
 env:
 KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+ KUBE_CERT: ${{ secrets.KUBE_CERT }}
+ KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+ KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 steps:
 - name: Checkout
@@ -92,15 +95,10 @@ jobs:
 - name: Tag build and push to ECR
 run: |
- docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest
 docker push ${{ vars.ECR_URL }}:staging.latest
 - name: Authenticate to the cluster
- env:
- KUBE_CERT: ${{ secrets.KUBE_CERT }}
- KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
- KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 run: |
 echo "${KUBE_CERT}" > ca.crt
 kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
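Review bot: Moving `KUBE_CERT`, `KUBE_TOKEN` and `KUBE_CLUSTER` from the Authenticate step's `env:` (removed in the -92 hunk) up to the job's `env:` makes the cluster credential available to every step in the job, including checkout, the ECR tag/push and the Slack notification, and to any third-party action those steps run; the qa and production hunks at -155 and -243 do the same. Only the Authenticate step reads these values, so the least-privilege form is to keep them step-scoped: leave the three lines under that step's `env:` and add nothing at job level. If the motivation was deduplication across the three jobs, a reusable workflow or composite action achieves that without widening exposure.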
@@ -111,7 +109,7 @@ jobs:
 - name: Rollout restart deployment
 run: |
 kubectl set image -n ${KUBE_NAMESPACE} \
- config/kubernetes/staging \
+ deployment/disclosure-checker-staging \
 webapp="${{ vars.ECR_URL }}:$SHA"
 - name: Send deploy notification to product Slack channel
@@ -155,6 +153,9 @@ jobs:
 env:
 KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+ KUBE_CERT: ${{ secrets.KUBE_CERT }}
+ KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+ KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 steps:
 - name: Checkout
@@ -180,15 +181,10 @@ jobs:
 - name: Tag build and push to ECR
 run: |
- docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:qa.latest
 docker push ${{ vars.ECR_URL }}:qa.latest
 - name: Authenticate to the cluster
- env:
- KUBE_CERT: ${{ secrets.KUBE_CERT }}
- KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
- KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 run: |
 echo "${KUBE_CERT}" > ca.crt
 kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
@@ -199,7 +195,7 @@ jobs:
 - name: Rollout restart deployment
 run: |
 kubectl set image -n ${KUBE_NAMESPACE} \
- config/kubernetes/qa \
+ deployment/disclosure-checker-qa \
 webapp="${{ vars.ECR_URL }}:$SHA"
 - name: Send deploy notification to product Slack channel
@@ -243,7 +239,10 @@ jobs:
 contents: read # This is required for actions/checkout
 env:
- KUBE_NAMESPACE: ${{ secrets.KUBE_PROD_NAMESPACE }}
+ KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+ KUBE_CERT: ${{ secrets.KUBE_CERT }}
+ KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+ KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
 steps:
 - name: Checkout
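Review bot: The target fix (`deployment/disclosure-checker-staging` in place of a directory path) is right, but the step is still named "Rollout restart deployment" while it runs `kubectl set image`, and nothing in the hunk waits for the rollout to complete; the qa and production hunks at -199 and -288 have the same shape. Renaming the step, e.g. `- name: Update deployment image`, and following the command with `kubectl rollout status -n ${KUBE_NAMESPACE} deployment/disclosure-checker-staging` would make a failed rollout fail the job instead of letting the Slack notification that follows report success.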
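Review bot: The production job now reads `secrets.KUBE_NAMESPACE`, `KUBE_CERT`, `KUBE_TOKEN` and `KUBE_CLUSTER` in place of the `KUBE_PROD_*` names, which are the same secret names the staging and qa jobs use. That is only correct if these secrets are defined on the `production` environment (the job sets `environment: production`, and environment secrets take precedence over repository ones); if they exist only at repository level, the production job would deploy into the staging cluster and namespace with the staging token. Worth confirming the secret scope before merging, and a comment such as `# environment-scoped secrets: each environment defines its own KUBE_* values` above `env:` would record that assumption.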
@@ -269,15 +268,10 @@ jobs:
 - name: Tag build and push to ECR
 run: |
- docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest
 docker push ${{ vars.ECR_URL }}:production.latest
 - name: Authenticate to the cluster
- env:
- KUBE_CERT: ${{ secrets.KUBE_PROD_CERT }}
- KUBE_TOKEN: ${{ secrets.KUBE_PROD_TOKEN }}
- KUBE_CLUSTER: ${{ secrets.KUBE_PROD_CLUSTER }}
 run: |
 echo "${KUBE_CERT}" > ca.crt
 kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
@@ -288,7 +282,7 @@ jobs:
 - name: Rollout restart deployment
 run: |
 kubectl set image -n ${KUBE_NAMESPACE} \
- config/kubernetes/production \
+ deployment/disclosure-checker-production \
 webapp="${{ vars.ECR_URL }}:$SHA"
 - name: Send deploy notification to product Slack channel

From 817404ea785161491972e0659de9b87a1df7095f Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Wed, 24 Apr 2024 11:11:29 +0100
Subject: [PATCH 5/6] pull image

---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9de598d2..85fe9b36 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -95,6 +95,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:staging.latest
 docker push ${{ vars.ECR_URL }}:staging.latest
@@ -181,6 +182,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:qa.latest
 docker push ${{ vars.ECR_URL }}:qa.latest
@@ -268,6 +270,7 @@ jobs:
 - name: Tag build and push to ECR
 run: |
+ docker pull ${{ vars.ECR_URL }}:$SHA
 docker tag ${{ vars.ECR_URL }}:$SHA ${{ vars.ECR_URL }}:production.latest
 docker push ${{ vars.ECR_URL }}:production.latest

From 0d4621ba221afc41e449cca1a0cdc32dda6ebf94 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Wed, 24 Apr 2024 11:46:41 +0100
Subject: [PATCH 6/6] Update replica numbers

---
 config/kubernetes/production/deployment.yml | 2 +-
 config/kubernetes/staging/deployment.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/kubernetes/production/deployment.yml b/config/kubernetes/production/deployment.yml
index ae66d17c..37aaeae2 100644
--- a/config/kubernetes/production/deployment.yml
+++ b/config/kubernetes/production/deployment.yml
@@ -4,7 +4,7 @@ metadata:
 name: disclosure-checker-production
 namespace: disclosure-checker-production
 spec:
- replicas: 2
+ replicas: 3
 revisionHistoryLimit: 5
 strategy:
 type: RollingUpdate
diff --git a/config/kubernetes/staging/deployment.yml b/config/kubernetes/staging/deployment.yml
index d8a65a8c..d671398c 100644
--- a/config/kubernetes/staging/deployment.yml
+++ b/config/kubernetes/staging/deployment.yml
@@ -4,7 +4,7 @@ metadata:
 name: disclosure-checker-staging
 namespace: disclosure-checker-staging
 spec:
- replicas: 2
+ replicas: 1
 revisionHistoryLimit: 5
 strategy:
 type: RollingUpdate