diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..a81f27a3f --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,47 @@ +name: Build and Push image +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + + +jobs: + build-and-push-to-ecr: + name: Build and Push + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Assume role in Cloud Platform + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} + aws-region: ${{ inputs.ECR_REGION }} + + - name: Login to container repository + uses: aws-actions/amazon-ecr-login@v2 + id: login-ecr + with: + mask-password: true + + - name: Build and push a Docker image to the container repository + id: docker-build + run: | + docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . + docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + IMAGE_TAG: ${{ github.sha }} diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml new file mode 100644 index 000000000..49b226c76 --- /dev/null +++ b/.github/workflows/cleanup-release.yml @@ -0,0 +1,37 @@ +# Uninstalls the dev helm chart when a PR is merged, or closed +name: Clean up the dev release + +run-name: Clean up ${{ github.head_ref || github.ref_name }} + +on: + pull_request: + types: + - closed + +jobs: + clean-up-release: + name: Clean up release + environment: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Uninstall the helm chart + env: + # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push. + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + run: | + export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + helm uninstall ${CLEANED_BRANCH_NAME} diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml new file mode 100644 index 000000000..f46bd5741 --- /dev/null +++ b/.github/workflows/deploy-dev.yml @@ -0,0 +1,73 @@ +name: Deploy image to the dev environment +on: + workflow_call: + inputs: + environment: + required: true + type: string + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + deploy: + name: Deploy + environment: ${{ inputs.environment }} + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REGISTRY: ${{ secrets.ECR_REGISTRY }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk" + # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push. + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + run: | + export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export HOST_NAME=${CLEANED_BRANCH_NAME}-${DEV_HOST} + + helm upgrade ${CLEANED_BRANCH_NAME} \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ + --set image.repository=${REGISTRY}/${REPOSITORY} \ + --set image.tag=${IMAGE_TAG} \ + --set fullnameOverride=${CLEANED_BRANCH_NAME} \ + --set ingress.hosts[0].host=${HOST_NAME} \ + --set ingress.tls[0].hosts[0]=${HOST_NAME} \ + --force \ + --install diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 000000000..e5e31dc25 --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,64 @@ +name: Deploy to a Cloud Platform environment +on: + workflow_call: + inputs: + environment: + required: true + type: string + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + deploy: + name: Deploy + environment: ${{ inputs.environment }} + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REGISTRY: ${{ secrets.ECR_REGISTRY }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ + --set image.repository=${REGISTRY}/${REPOSITORY} \ + --set image.tag=${IMAGE_TAG} \ + --force \ + --install diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml new file mode 100644 index 000000000..d337d460f --- /dev/null +++ b/.github/workflows/feature-branch.yml @@ -0,0 +1,60 @@ +name: Feature Branch + +run-name: Feature - ${{ github.head_ref || github.ref_name }} + +on: + push: + branches-ignore: + - main + pull_request: + types: + - reopened + +jobs: + static-analysis: + name: Static Analysis + uses: ./.github/workflows/static-analysis.yml + + test: + name: Test + uses: ./.github/workflows/test.yml + + build-and-push: + name: Build + uses: ./.github/workflows/build.yml + needs: static-analysis + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + + deploy-dev: + name: Dev + uses: ./.github/workflows/deploy-dev.yml + needs: build-and-push + with: + environment: dev + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-uat: + name: UAT + uses: ./.github/workflows/deploy.yml + needs: [build-and-push, test] + with: + environment: uat + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml new file mode 100644 index 000000000..fc1474b1d --- /dev/null +++ b/.github/workflows/main-branch.yml @@ -0,0 +1,57 @@ +name: Release + +run-name: Release - ${{ github.ref_name }} + +on: + push: + branches: + - main + +jobs: + static-analysis: + name: Static Analysis + uses: ./.github/workflows/static-analysis.yml + + test: + name: Test + uses: ./.github/workflows/test.yml + + build-and-push: + name: Build + uses: ./.github/workflows/build.yml + needs: [static-analysis, test] + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + + deploy-staging: + name: Staging + uses: ./.github/workflows/deploy.yml + needs: build-and-push + with: + environment: staging + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-production: + name: Production + uses: ./.github/workflows/deploy.yml + needs: deploy-staging + with: + environment: production + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 000000000..c281a783b --- /dev/null +++ b/.github/workflows/static-analysis.yml @@ -0,0 +1,13 @@ +name: Static Analysis +on: workflow_call + +jobs: + lint: + name: Ruff + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: chartboost/ruff-action@v1 + with: + args: check --output-format=github + src: './src' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..afebd1f71 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,33 @@ +name: Test + +on: workflow_call + +jobs: + test: + name: Pytest + runs-on: ubuntu-latest + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + + - name: Test with pytest + run: | + pip install pytest pytest-cov + pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + + - name: Upload pytest test results + uses: actions/upload-artifact@v4 + with: + name: pytest-results + path: junit/test-results.xml + # Use always() to always run this step to publish test results when there are test failures + if: ${{ always() }} diff --git a/.gitignore b/.gitignore index aa69ef32f..00dcd188e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ env/ *.code-workspace *.sha256 terraform.tfstate +.idea diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 000000000..76edc60c2 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,28 @@ +FROM python:3.12-slim + +ENV FLASK_RUN_HOST=0.0.0.0 +ENV FLASK_RUN_PORT=8000 + +# Set the working directory in the container +WORKDIR /usr/src/app + +# Change ownership of the working directory to the non-root user +RUN chown -R 1000:1000 /usr/src/app + +# Copy the dependencies file to the working directory +COPY requirements.in ./ + +# Install any needed dependencies +RUN pip install --no-cache-dir -r requirements.in + +# Copy the project code into the working directory +COPY . . + +# Switch to the non-root user +USER 1000 + +# Expose the Flask port +EXPOSE 8000 + +# Run the Flask application for development +CMD ["flask", "run"] \ No newline at end of file diff --git a/app.py b/app.py new file mode 100644 index 000000000..924d3eb22 --- /dev/null +++ b/app.py @@ -0,0 +1,8 @@ +from flask import Flask + +app = Flask(__name__) + + +@app.route("/") +def hello_world(): + return "

Hello, World!

" diff --git a/helm_deploy/laa-access-civil-legal-aid/.helmignore b/helm_deploy/laa-access-civil-legal-aid/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm_deploy/laa-access-civil-legal-aid/Chart.yaml b/helm_deploy/laa-access-civil-legal-aid/Chart.yaml new file mode 100644 index 000000000..02f6a1059 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: laa-access-civil-legal-aid +description: A web service used by the public to get access to civil legal aid services. + +# A chart can be either an 'application' or a 'library' chart. +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt b/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt new file mode 100644 index 000000000..80e9f863a --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "laa-access-civil-legal-aid.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "laa-access-civil-legal-aid.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "laa-access-civil-legal-aid.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "laa-access-civil-legal-aid.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl new file mode 100644 index 000000000..32a3aad65 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl @@ -0,0 +1,66 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "laa-access-civil-legal-aid.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "laa-access-civil-legal-aid.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "laa-access-civil-legal-aid.whitelist" -}} +{{ join "," .Values.ingress.whitelist }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "laa-access-civil-legal-aid.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "laa-access-civil-legal-aid.labels" -}} +helm.sh/chart: {{ include "laa-access-civil-legal-aid.chart" . }} +{{ include "laa-access-civil-legal-aid.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "laa-access-civil-legal-aid.selectorLabels" -}} +app.kubernetes.io/name: {{ include "laa-access-civil-legal-aid.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "laa-access-civil-legal-aid.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "laa-access-civil-legal-aid.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml new file mode 100644 index 000000000..0ebaa1138 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "laa-access-civil-legal-aid.fullname" . }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "laa-access-civil-legal-aid.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "laa-access-civil-legal-aid.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.image.containerPort }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml new file mode 100644 index 000000000..82ec81bcc --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "laa-access-civil-legal-aid.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} + annotations: + {{- if .Values.ingress.cluster.name }} + external-dns.alpha.kubernetes.io/set-identifier: "{{ $fullName }}-{{ .Release.Namespace }}-{{- .Values.ingress.cluster.name -}}" + external-dns.alpha.kubernetes.io/aws-weight: "{{- .Values.ingress.cluster.weight -}}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ include "laa-access-civil-legal-aid.whitelist" . }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml new file mode 100644 index 000000000..bddc98272 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "laa-access-civil-legal-aid.fullname" . }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "laa-access-civil-legal-aid.selectorLabels" . | nindent 4 }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml new file mode 100644 index 000000000..1cac5b58b --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "laa-access-civil-legal-aid.fullname" . }}-test-connection" + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "laa-access-civil-legal-aid.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml new file mode 100644 index 000000000..18e3096c2 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -0,0 +1,64 @@ +# Default values for laa-access-civil-legal-aid. +# These can be overwritten by values defined in environment specific values files. +replicaCount: 1 + +image: + repository: laa-access-civil-legal-aid + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: latest + containerPort: 8000 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # We already have a serviceaccount so we don't want to create another. + create: false + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + +securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "default" + annotations: {} + cluster: + name: green + weight: '100' + tls: [] + whitelist: + # GlobalProtect VPN (Digital Mac) + - 18.169.147.172/32 + - 35.176.93.186/32 + - 18.130.148.126/32 + - 35.176.148.126/32 + +resources: {} + +autoscaling: + enabled: false + +volumes: [] + +volumeMounts: [] +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml new file mode 100644 index 000000000..ec39c9deb --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -0,0 +1,20 @@ +# Default values for laa-access-civil-legal-aid in the dev environment. +# The laa-access-civil-legal-aid-dev namespace installs an new helm release per feature branch +# this is then uninstalled when the branch is merged. +environment: "dev" + +ingress: + enabled: true + tls: + - hosts: + - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" + hosts: + - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific + +# Lists don't deep merge, so this list of envVars overrides anything defined in an earlier values file +envVars: + DEBUG: + value: "True" diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml new file mode 100644 index 000000000..81297d9ef --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml @@ -0,0 +1,10 @@ +# Default values for cla-backend in the production environment. +environment: "production" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml new file mode 100644 index 000000000..256ccef37 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml @@ -0,0 +1,10 @@ +# Default values for cla-backend in the staging environment. +environment: "staging" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid-staging.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml new file mode 100644 index 000000000..c971156b5 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml @@ -0,0 +1,15 @@ +# Default values for laa-access-civil-legal-aid in the uat environment. +environment: "uat" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid-uat.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific + +# Lists don't deep merge, so this list of envVars overrides anything defined in an earlier values file +envVars: + DEBUG: + value: "True" diff --git a/requirements.in b/requirements.in new file mode 100644 index 000000000..e3e9a71d9 --- /dev/null +++ b/requirements.in @@ -0,0 +1 @@ +Flask diff --git a/src/test.py b/src/test.py new file mode 100644 index 000000000..e69de29bb diff --git a/tests.py b/tests.py new file mode 100644 index 000000000..0723c2466 --- /dev/null +++ b/tests.py @@ -0,0 +1,3 @@ +def test_coverage(): + # Test Pytest coverage + pass