Add deploy workflow

Author: daniel-va

.github/workflows/code-quality.yml

@@ -6,7 +6,6 @@ on:
     branches:
       - "**"
       - "!main"
-
 env:
   NODE_VERSION: "22.5.1"
   RUST_VERSION: "1.82"

.github/workflows/deploy.yml

@@ -0,0 +1,65 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      env:
+        type: choice
+        description: The environment to which the Kubernetes config is deployed.
+        options:
+          - dev
+          - int
+          - prod
+
+env:
+  APP_ENV: ${{ github.event.inputs.env }}
+
+jobs:
+  publish-helm:
+    name: "publish helm"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: "Load secrets"
+        id: load-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://swisstopo-vault-public-vault-d680830d.382257a9.z1.hashicorp.cloud:8200
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          method: jwt
+          role: ${{ secrets.VAULT_ROLE }}
+          namespace: admin/igi/igi-cloud/swisstopo-ngm
+          secrets: |
+            kv/data/${{ env.APP_ENV }}/k8s kubeconfig   | KUBECONFIG;
+            kv/data/${{ env.APP_ENV }}/k8s helm_values  | HELM_VALUES;
+            kv/data/${{ env.APP_ENV }}/k8s helm_secrets | HELM_SECRETS;
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+      - name: "Setup kubectl"
+        uses: azure/setup-kubectl@v4
+      - name: "Install helm"
+        uses: azure/setup-helm@v4
+      - name: "Configure AWS credentials from AWS account"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-session-name: GitHub-OIDC
+          retry-max-attempts: 3
+      - name: "Write kubeconfig file"
+        run: |
+          echo "${{ env.HELM_VALUES }}" > ./k8s/values.yaml
+          echo "${{ env.HELM_SECRETS }}" > ./k8s/secrets.yaml
+          echo "${{ env.KUBECONFIG }}" > kubeconfig.yaml
+      - name: "Deploy helm charts"
+        env:
+          KUBECONFIG: ./kubeconfig.yaml
+        run: |
+          helm upgrade --install swissgeol-viewer ./k8s \
+            --values ./k8s/values.yaml \
+            --values ./k8s/secrets.yaml \
+            --kubeconfig $(pwd)/kubeconfig.yaml \
+            --namespace ngm
+

k8s/README.md

@@ -17,6 +17,7 @@ spec:
       labels:
         app: {{ .Release.Name }}-api
     spec:
+      serviceAccountName: api
       containers:
       - name: {{ .Release.Name }}-api
         image: {{ .Values.docker.api_image }}
@@ -26,11 +27,11 @@ spec:
         livenessProbe:
           httpGet:
             path: /api/health_check
-            port: http
+            port: 3000
         readinessProbe:
           httpGet:
             path: /api/health_check
-            port: http
+            port: 3000
         env:
           - name: APP_PORT
             value: '3000'
@@ -39,52 +40,42 @@ spec:
 
           # Database
           - name: PGHOST
-            value: {{ .Values.database.host }}
+            value: "{{ .Values.database.host }}"
           - name: PGPORT
-            value: {{ .Values.database.port }}
+            value: "{{ .Values.database.port }}"
           - name: PGDATABASE
-            value: {{ .Values.database.name }}
+            value: "{{ .Values.database.name }}"
           - name: PGUSER
-            value: {{ .Values.database.user }}
+            value: "{{ .Values.database.user }}"
+          - name: PG_SSL_MODE
+            value: 'require'
           - name: PGPASSWORD
             valueFrom:
               secretKeyRef:
                 name: {{ .Release.Name }}-secrets
                 key: database_password
 
           # S3
-          - name: S3_ENDPOINT
-            value: {{ .Values.s3.endpoint }}
           - name: S3_AWS_REGION
-            value: {{ .Values.s3.region }}
+            value: "{{ .Values.s3.region }}"
           - name: S3_BUCKET
-            value: {{ .Values.s3.bucket }}
+            value: "{{ .Values.s3.bucket }}"
           - name: PROJECTS_S3_BUCKET
-            value: {{ .Values.s3.project_bucket }}
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Release.Name }}-secrets
-                key: s3_access_key
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Release.Name }}-secrets
-                key: s3_secret_key
+            value: "{{ .Values.s3.projects_bucket }}"
 
           # Cognito
           - name: COGNITO_AWS_REGION
-            value: {{ .Values.cognito.region }}
+            value: "{{ .Values.cognito.region }}"
           - name: COGNITO_CLIENT_ID
-            value: {{ .Values.cognito.client_id }}
+            value: "{{ .Values.cognito.client_id }}"
           - name: COGNITO_POOL_ID
-            value: {{ .Values.cognito.pool_id }}
+            value: "{{ .Values.cognito.pool_id }}"
           - name: COGNITO_IDENTITY_POOL_ID
-            value: {{ .Values.cognito.identity_pool_id }}
+            value: "{{ .Values.cognito.identity_pool_id }}"
 
           # ION
           - name: ION_DEFAULT_ACCESS_TOKEN
-            value: {{ .Values.ion.default_access_token }}
+            value: "{{ .Values.ion.default_access_token }}"
 
       imagePullSecrets:
       - name: {{ .Release.Namespace }}-registry

k8s/templates/deployment.api.yaml

@@ -2,7 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: {{ .Release.Name }}-routes
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
 spec:
   entryPoints:
     - web
@@ -14,7 +14,7 @@ spec:
         - name: {{ .Release.Name }}-ui
           port: 80
     - kind: Rule
-      match: Host(`{{ .Values.host }}`) && PathPrefix(`/api`)
+      match: Host(`api.{{ .Values.host }}`) && PathPrefix(`/api`)
       priority: 120
       services:
         - name: {{ .Release.Name }}-api

k8s/templates/ingress-route.yaml

@@ -6,5 +6,5 @@ metadata:
 type: Opaque
 stringData:
   {{- range $key, $value := .Values.secrets }}
-  {{ $key }}: {{ $value | b64enc | quote }}
+  {{ $key }}: {{ $value | quote }}
   {{- end }}

k8s/templates/secrets.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: api
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.service_roles.s3 }}

k8s/templates/service-account.api.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Release.Name }}-app
+  name: {{ .Release.Name }}-ui
   namespace: {{ .Release.Namespace }}
 spec:
   selector:
-    app: {{ .Release.Name }}-app
+    app: {{ .Release.Name }}-ui
   ports:
     - protocol: TCP
       port: 80

k8s/templates/service.app.yaml renamed to k8s/templates/service.ui.yaml

@@ -1,3 +1,5 @@
+host:
+
 docker:
   api_image:
   ui_image: