Merge pull request #4 from tunacinsoy/dev

Dev To Prod -
tunacinsoy · Oct 24, 2024 · 9930340 · 9930340
2 parents df03c01 + cfca85f
commit 9930340
Show file tree

Hide file tree

Showing 35 changed files with 3,568 additions and 207 deletions.
diff --git a/.github/workflows/attest-images.yml b/.github/workflows/attest-images.yml
@@ -7,15 +7,18 @@ jobs:
       run:
         working-directory: .
     steps:
-    - uses: actions/checkout@v2
+    # checkout@v4 is the latest version
+    - uses: actions/checkout@v4
     - id: gcloud-auth
       name: Authenticate with gcloud
-      uses: 'google-github-actions/auth@v1'
+    # auth@v2 is the latest version
+      uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
     - name: Set up Cloud SDK
       id: setup-gcloud-sdk
-      uses: 'google-github-actions/setup-gcloud@v1'
+    # setup-gcloud@v2 is the latest version
+      uses: 'google-github-actions/setup-gcloud@v2'
     - name: Install gcloud beta
       id: install-gcloud-beta
       run: gcloud components install beta
@@ -41,6 +44,7 @@ jobs:
           fi
           echo "Processing $image"
           attestation_present=$(gcloud beta container binauthz attestations list --attestor-project="${{ secrets.PROJECT_ID }}" --attestor="${{ secrets.ATTESTOR_NAME }}" --artifact-url="${image_to_attest}")
+          # If the attestation is not present, then attestation should be done
           if [ -z "${attestation_present// }" ]; then
             gcloud beta container binauthz attestations sign-and-create --artifact-url="${image_to_attest}" --attestor="${{ secrets.ATTESTOR_NAME }}" --attestor-project="${{ secrets.PROJECT_ID }}" --keyversion-project="${{ secrets.PROJECT_ID }}" --keyversion-location="${{ secrets.KMS_KEY_LOCATION }}" --keyversion-keyring="${{ secrets.KMS_KEYRING_NAME }}" --keyversion-key="${{ secrets.KMS_KEY_NAME }}" --keyversion="${{ secrets.KMS_KEY_VERSION }}"
           fi

diff --git a/.github/workflows/create-cluster.yml b/.github/workflows/create-cluster.yml
@@ -7,13 +7,15 @@ jobs:
       run:
         working-directory: ./terraform
     steps:
-    - uses: actions/checkout@v2
+    # checkout@v4 is the latest version
+    - uses: actions/checkout@v4
+    # Reformats argocd apps yaml file with the current branch
     - name: Reformat argocd applicationset config
       id: reformat-argocd-applicationset
       run: sed -i "s/HEAD/${GITHUB_REF##*/}/g" ../manifests/argocd/apps.yaml
-    # Only necessary if we use external-secrets
-    - name: Reformat external-secrets manifests
-      run: sed -i "s/SECRET_ACCESS_CREDS_PH/$(echo '${{ secrets.GCP_SM_CREDENTIALS }}' | base64 -w 0)/g" ../manifests/argocd/gcpsm-secret.yaml; sed -i "s/PROJECT_ID_PH/${{ secrets.PROJECT_ID }}/g" ../manifests/argocd/cluster-secret-store.yaml
+    # # Only necessary if we use external-secrets
+    # - name: Reformat external-secrets manifestss
+    #   run: sed -i "s/SECRET_ACCESS_CREDS_PH/$(echo '${{ secrets.GCP_SM_CREDENTIALS }}' | base64 -w 0)/g" ../manifests/argocd/gcpsm-secret.yaml; sed -i "s/PROJECT_ID_PH/${{ secrets.PROJECT_ID }}/g" ../manifests/argocd/cluster-secret-store.yaml
     - name: Install Terraform
       id: install-terraform
       run: wget -O terraform.zip https://releases.hashicorp.com/terraform/1.9.5/terraform_1.9.5_linux_amd64.zip && unzip terraform.zip && chmod +x terraform && sudo mv terraform /usr/local/bin

diff --git a/.github/workflows/dev-cd-workflow.yml b/.github/workflows/dev-cd-workflow.yml
@@ -1,24 +1,29 @@
-name: Dev Env Continuous Deployment Workflow
-on:
-  push:
-    branches: [ dev ]
-jobs:
-  create-environment-and-deploy-app:
-    name: Create Environment and Deploy the Application
-    uses: ./.github/workflows/create-cluster.yml
-    secrets: inherit
-  run-tests:
-    name: Run Integration Tests
-    needs: [create-environment-and-deploy-app]
-    uses: ./.github/workflows/run-tests.yml
-    secrets: inherit
-  binary-auth:
-    name: Attest Images
-    needs: [run-tests]
-    uses: ./.github/workflows/attest-images.yml
-    secrets: inherit
-  raise-pull-request:
-    name: Raise PR to prod branch
-    needs: [binary-auth]
-    uses: ./.github/workflows/raise-pr.yml
-    secrets: inherit
+# name: Dev Env Continuous Deployment Workflow
+# on:
+#   push:
+#     branches: [ dev ]
+# jobs:
+#   create-environment-and-deploy-app:
+#     name: Create Environment and Deploy the Application
+#     uses: ./.github/workflows/create-cluster.yml
+#     secrets: inherit
+#   run-tests:
+#     name: Run Integration Tests
+#     needs: [create-environment-and-deploy-app]
+#     uses: ./.github/workflows/run-tests.yml
+#     secrets: inherit
+#   format-images:
+#     name: Format Images into SHA256 Digest Format
+#     needs: [run-tests]
+#     uses: ./.github/workflows/format-images.yml
+#     secrets: inherit
+#   binary-auth:
+#     name: Attest Images
+#     needs: [format-images]
+#     uses: ./.github/workflows/attest-images.yml
+#     secrets: inherit
+#   raise-pull-request:
+#     name: Raise PR to Prod Branch
+#     needs: [binary-auth]
+#     uses: ./.github/workflows/raise-pr.yml
+#     secrets: inherit
diff --git a/.github/workflows/format-images.yml b/.github/workflows/format-images.yml
@@ -0,0 +1,15 @@
+name: Format Images into SHA256 Digest
+on: [workflow_call]
+jobs:
+  format-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Login to Docker Hub
+        run: docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
+      - name: Run Bash Script
+        working-directory: ./scripts
+        run: |
+          chmod +x convert-images-into-sha256-format.sh
+          ./convert-images-into-sha256-format.sh
diff --git a/.github/workflows/prod-cd-workflow.yml b/.github/workflows/prod-cd-workflow.yml
@@ -1,14 +1,14 @@
-name: Prod Continuous Deployment Workflow
-on:
-  push:
-    branches: [ prod ]
-jobs:
-  create-environment-and-deploy-app:
-    name: Create Environment and Deploy App
-    uses: ./.github/workflows/create-cluster.yml
-    secrets: inherit
-  run-tests:
-    name: Run Integration Tests
-    needs: [create-environment-and-deploy-app]
-    uses: ./.github/workflows/run-tests.yml
-    secrets: inherit
+# name: Prod Continuous Deployment Workflow
+# on:
+#   push:
+#     branches: [ prod ]
+# jobs:
+#   create-environment-and-deploy-app:
+#     name: Create Environment and Deploy App
+#     uses: ./.github/workflows/create-cluster.yml
+#     secrets: inherit
+#   run-tests:
+#     name: Run Integration Tests
+#     needs: [create-environment-and-deploy-app]
+#     uses: ./.github/workflows/run-tests.yml
+#     secrets: inherit
diff --git a/.github/workflows/raise-pr.yml b/.github/workflows/raise-pr.yml
@@ -7,7 +7,8 @@ jobs:
       run:
         working-directory: .
     steps:
-      - uses: actions/checkout@v2
+    # checkout@v4 is the latest version for the time being
+      - uses: actions/checkout@v4
       - name: Raise a Pull Request
         id: pull-request
         uses: repo-sync/pull-request@v2

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -7,27 +7,32 @@ jobs:
       run:
         working-directory: ./tests
     steps:
-    - uses: actions/checkout@v2
+    # checkout@v4 is the latest version
+    - uses: actions/checkout@v4
     - name: Extract branch name
       run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
       id: extract_branch
     - id: gcloud-auth
       name: Authenticate with gcloud
-      uses: 'google-github-actions/auth@v1'
+      # auth@v2 is the latest version
+      uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
     - name: Set up Cloud SDK
       id: setup-gcloud-sdk
-      uses: 'google-github-actions/setup-gcloud@v1'
+      # setup-gcloud@v2 is the latest version
+      uses: 'google-github-actions/setup-gcloud@v2'
     - name: Get kubectl credentials
       id: 'get-credentials'
-      uses: 'google-github-actions/get-gke-credentials@v1'
+      # get-gke-credentials@v2 is the latest version
+      uses: 'google-github-actions/get-gke-credentials@v2'
       with:
         cluster_name: sba-cluster-${{ steps.extract_branch.outputs.branch }}
         location: ${{ secrets.CLUSTER_LOCATION }}
     - name: Compute Application URL
       id: compute-application-url
-      run: external_ip=$(kubectl get svc -n blog-app frontend --output jsonpath='{.status.loadBalancer.ingress[0].ip}') && echo ${external_ip} && sed -i "s/localhost/${external_ip}/g" integration-test.py
+      # We stopped using frontend svc as LoadBalancer after we deployed istio-ingress, so we need to update the command
+      run: external_ip=$(kubectl get svc istio-ingress -n istio-ingress --output jsonpath='{.status.loadBalancer.ingress[0].ip}') && echo ${external_ip} && sed -i "s/localhost/${external_ip}/g" integration-test.py
     - id: run-integration-test
       name: Run Integration Test
       run: python3 integration-test.py
diff --git a/.gitignore b/.gitignore
@@ -36,9 +36,11 @@ terraform.rc
 # manifests/argocd/external-secrets.yaml
 # manifests/argocd/gcpsm-secret.yaml
 
-# If we want to use external-secrets, these lines should be here.
+# If we want to use external-secrets, these lines should be here
 # However, if they are already being tracked, firstly they should be untracked using:
 # git rm --cached <file>
 # manifests/sealed-secrets/*
 # manifests/sealed-secrets/controller.yaml
-# manifests/blog-app/mongodb-creds-sealed.yaml
+# manifests/blog-app/mongodb-creds-sealed.yaml
+
+letsencrypt.txt
diff --git a/manifests/argocd/cluster-secret-store.yaml b/manifests/argocd/cluster-secret-store.yaml
diff --git a/manifests/argocd/external-secrets.yaml b/manifests/argocd/external-secrets.yaml
diff --git a/manifests/argocd/gcpsm-secret.yaml b/manifests/argocd/gcpsm-secret.yaml
diff --git a/manifests/argocd/install.yaml b/manifests/argocd/install.yaml
@@ -1,4 +1,5 @@
-# Within this file, argoCD generates the necessary permissions to be able to generate resources within kubernetes cluster.
+# Within this file, argoCD is installed, and also this manifest file generates the necessary permissions
+# for argoCD so that it will be able to generate resources within kubernetes cluster.
 # This is an auto-generated file. DO NOT EDIT
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/manifests/argocd/istio.yaml b/manifests/argocd/istio.yaml
@@ -0,0 +1,65 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-base
+  namespace: argo
+spec:
+  project: default
+  source:
+    chart: base
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.23.0
+    helm:
+      releaseName: istio-base
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: istio-system
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+    automated:
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istiod
+  namespace: argo
+spec:
+  project: default
+  source:
+    chart: istiod
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.23.0
+    helm:
+      releaseName: istiod
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: istio-system
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+    automated:
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-ingress-helm
+  namespace: argo
+spec:
+  project: default
+  source:
+    chart: gateway
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.23.0
+    helm:
+      releaseName: istio-ingress
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: istio-ingress
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+    automated:
+      selfHeal: true