Merge pull request #1416 from swisstopo/feature/asset-1370-deployment-der-applikation

Feature 1370: Deployment der Applikation

Author: daniel-va

.github/workflows/code-quality.yml

@@ -6,7 +6,6 @@ on:
     branches:
       - "**"
       - "!main"
-
 env:
   NODE_VERSION: "22.5.1"
   RUST_VERSION: "1.82"

.github/workflows/deploy.yml

@@ -0,0 +1,65 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      env:
+        type: choice
+        description: The environment to which the Kubernetes config is deployed.
+        options:
+          - dev
+          - int
+          - prod
+
+env:
+  APP_ENV: ${{ github.event.inputs.env }}
+
+jobs:
+  publish-helm:
+    name: "publish helm"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: "Load secrets"
+        id: load-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://swisstopo-vault-public-vault-d680830d.382257a9.z1.hashicorp.cloud:8200
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          method: jwt
+          role: ${{ secrets.VAULT_ROLE }}
+          namespace: admin/igi/igi-cloud/swisstopo-ngm
+          secrets: |
+            kv/data/${{ env.APP_ENV }}/k8s kubeconfig   | KUBECONFIG;
+            kv/data/${{ env.APP_ENV }}/k8s helm_values  | HELM_VALUES;
+            kv/data/${{ env.APP_ENV }}/k8s helm_secrets | HELM_SECRETS;
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+      - name: "Setup kubectl"
+        uses: azure/setup-kubectl@v4
+      - name: "Install helm"
+        uses: azure/setup-helm@v4
+      - name: "Configure AWS credentials from AWS account"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-session-name: GitHub-OIDC
+          retry-max-attempts: 3
+      - name: "Write kubeconfig file"
+        run: |
+          echo "${{ env.HELM_VALUES }}" > ./k8s/values.yaml
+          echo "${{ env.HELM_SECRETS }}" > ./k8s/secrets.yaml
+          echo "${{ env.KUBECONFIG }}" > kubeconfig.yaml
+      - name: "Deploy helm charts"
+        env:
+          KUBECONFIG: ./kubeconfig.yaml
+        run: |
+          helm upgrade --install swissgeol-viewer ./k8s \
+            --values ./k8s/values.yaml \
+            --values ./k8s/secrets.yaml \
+            --kubeconfig $(pwd)/kubeconfig.yaml \
+            --namespace ngm
+

k8s/.gitignore

@@ -0,0 +1,2 @@
+values-*.yaml
+secrets-*.yaml

k8s/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

k8s/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: swissgeol-viewer
+description:
+type: application
+version: 1.0.0
+appVersion: 1.0.0

k8s/secrets.template.yaml

@@ -0,0 +1,11 @@
+# Template for secret values used by the Helm files.
+
+# Note that every secret needs to be nested below this `secret` key
+# so that we can properly encode them in template/secrets.yaml.
+secrets:
+  # Database
+  database_password:
+
+  # S3
+  s3_access_key:
+  s3_secret_key:

k8s/templates/NOTES.txt

@@ -0,0 +1 @@
+*** {{ .Chart.Name }} is successfully installed ***

k8s/templates/deployment.api.yaml

@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-api
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    keel.sh/policy: force
+    keel.sh/match-tag: 'true'
+    keel.sh/trigger: poll
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-api
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-api
+    spec:
+      serviceAccountName: api
+      containers:
+      - name: {{ .Release.Name }}-api
+        image: {{ .Values.docker.api_image }}
+        imagePullPolicy: Always
+        ports:
+          - containerPort: 3000
+        livenessProbe:
+          httpGet:
+            path: /api/health_check
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /api/health_check
+            port: 3000
+        env:
+          - name: APP_PORT
+            value: '3000'
+          - name: ENV
+            value: prod
+
+          # Database
+          - name: PGHOST
+            value: "{{ .Values.database.host }}"
+          - name: PGPORT
+            value: "{{ .Values.database.port }}"
+          - name: PGDATABASE
+            value: "{{ .Values.database.name }}"
+          - name: PGUSER
+            value: "{{ .Values.database.user }}"
+          - name: PG_SSL_MODE
+            value: 'require'
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-secrets
+                key: database_password
+
+          # S3
+          - name: S3_AWS_REGION
+            value: "{{ .Values.s3.region }}"
+          - name: S3_BUCKET
+            value: "{{ .Values.s3.bucket }}"
+          - name: PROJECTS_S3_BUCKET
+            value: "{{ .Values.s3.projects_bucket }}"
+
+          # Cognito
+          - name: COGNITO_AWS_REGION
+            value: "{{ .Values.cognito.region }}"
+          - name: COGNITO_CLIENT_ID
+            value: "{{ .Values.cognito.client_id }}"
+          - name: COGNITO_POOL_ID
+            value: "{{ .Values.cognito.pool_id }}"
+          - name: COGNITO_IDENTITY_POOL_ID
+            value: "{{ .Values.cognito.identity_pool_id }}"
+
+          # ION
+          - name: ION_DEFAULT_ACCESS_TOKEN
+            value: "{{ .Values.ion.default_access_token }}"
+
+      imagePullSecrets:
+      - name: {{ .Release.Namespace }}-registry

k8s/templates/deployment.ui.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-ui
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    keel.sh/policy: force
+    keel.sh/match-tag: 'true'
+    keel.sh/trigger: poll
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-ui
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-ui
+    spec:
+      containers:
+      - name: {{ .Release.Name }}-ui
+        image: {{ .Values.docker.ui_image }}
+        imagePullPolicy: Always
+        ports:
+          - containerPort: 80
+      imagePullSecrets:
+      - name: {{ .Release.Namespace }}-registry
+      
+
+

k8s/templates/ingress-route.yaml

@@ -0,0 +1,21 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-routes
+  namespace: {{ .Release.Namespace }}
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match: Host(`{{ .Values.host }}`)
+      priority: 100
+      services:
+        - name: {{ .Release.Name }}-ui
+          port: 80
+    - kind: Rule
+      match: Host(`api.{{ .Values.host }}`) && PathPrefix(`/api`)
+      priority: 120
+      services:
+        - name: {{ .Release.Name }}-api
+          port: 3000

k8s/templates/secrets.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  {{- range $key, $value := .Values.secrets }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}

k8s/templates/service-account.api.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: api
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.service_roles.s3 }}

k8s/templates/service.api.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: {{ .Release.Name }}-api
+  ports:
+    - protocol: TCP
+      port: 3000

k8s/templates/service.ui.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ui
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: {{ .Release.Name }}-ui
+  ports:
+    - protocol: TCP
+      port: 80

k8s/values.template.yaml

@@ -0,0 +1,26 @@
+host:
+
+docker:
+  api_image:
+  ui_image:
+
+database:
+  host:
+  port:
+  name:
+  user:
+
+s3:
+  endpoint:
+  region:
+  bucket:
+  project_bucket:
+
+cognito:
+  region:
+  client_id:
+  pool_id:
+  identity_pool_id:
+
+ion:
+  default_access_token: