CD: build namex API in GCP

bcgov · Oct 29, 2024 · 1f37595 · 1f37595
1 parent 34281e5
commit 1f37595
Show file tree

Hide file tree

Showing 4 changed files with 144 additions and 191 deletions.
diff --git a/.github/workflows/namex-api-cd.yml b/.github/workflows/namex-api-cd.yml
@@ -1,4 +1,4 @@
-name: Namex API CD
+name: NameX API CD
 
 on:
   push:
@@ -8,106 +8,23 @@ on:
       - "api/**"
   workflow_dispatch:
     inputs:
-      environment:
-        description: "Environment (dev/test/prod)"
+      target:
+        description: "Deploy To"
         required: true
-        default: "dev"
-
-defaults:
-  run:
-    shell: bash
-    working-directory: ./api
-
-env:
-  APP_NAME: "namex-api"
-  TAG_NAME: "dev"
+        type: choice
+        options:
+        - dev
+        - test
+        - sandbox
+        - prod
 
 jobs:
-  namex-api-cd-by-push:
-    runs-on: ubuntu-20.04
-
-    if: github.event_name == 'push' && github.repository == 'bcgov/namex'
-    environment:
-      name: "dev"
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Login Openshift
-        shell: bash
-        run: |
-          oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}}
-
-      - name: CD Flow
-        shell: bash
-        env:
-          OPS_REPOSITORY: ${{ secrets.OPS_REPOSITORY }}
-          OPENSHIFT_DOCKER_REGISTRY: ${{ secrets.OPENSHIFT4_DOCKER_REGISTRY }}
-          OPENSHIFT_SA_NAME: ${{ secrets.OPENSHIFT4_SA_NAME }}
-          OPENSHIFT_SA_TOKEN: ${{ secrets.OPENSHIFT4_SA_TOKEN }}
-          OPENSHIFT_REPOSITORY: ${{ secrets.OPENSHIFT4_REPOSITORY }}
-          TAG_NAME: ${{ env.TAG_NAME }}
-        run: |
-          make cd
-
-      - name: Watch new rollout (trigger by image change in Openshift)
-        shell: bash
-        run: |
-          oc rollout status dc/${{ env.APP_NAME }}-${{ env.TAG_NAME }} -n ${{ secrets.OPENSHIFT4_REPOSITORY }}-${{ env.TAG_NAME }} -w
-
-      - name: Rocket.Chat Notification
-        uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@master
-        if: failure()
-        with:
-          type: ${{ job.status }}
-          job_name: "*Namex API Built and Deployed to ${{env.TAG_NAME}}*"
-          channel: "#registries-bot"
-          url: ${{ secrets.ROCKETCHAT_WEBHOOK }}
-          commit: true
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-  namex-api-cd-by-dispatch:
-    runs-on: ubuntu-20.04
-
-    if: github.event_name == 'workflow_dispatch' && github.repository == 'bcgov/namex'
-    environment:
-      name: "${{ github.event.inputs.environment }}"
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set env by input
-        run: |
-          echo "TAG_NAME=${{ github.event.inputs.environment }}" >> $GITHUB_ENV
-
-      - name: Login Openshift
-        shell: bash
-        run: |
-          oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}}
-
-      - name: CD Flow
-        shell: bash
-        env:
-          OPS_REPOSITORY: ${{ secrets.OPS_REPOSITORY }}
-          OPENSHIFT_DOCKER_REGISTRY: ${{ secrets.OPENSHIFT4_DOCKER_REGISTRY }}
-          OPENSHIFT_SA_NAME: ${{ secrets.OPENSHIFT4_SA_NAME }}
-          OPENSHIFT_SA_TOKEN: ${{ secrets.OPENSHIFT4_SA_TOKEN }}
-          OPENSHIFT_REPOSITORY: ${{ secrets.OPENSHIFT4_REPOSITORY }}
-          TAG_NAME: ${{ env.TAG_NAME }}
-        run: |
-          make cd
-
-      - name: Watch new rollout (trigger by image change in Openshift)
-        shell: bash
-        run: |
-          oc rollout status dc/${{ env.APP_NAME }}-${{ env.TAG_NAME }} -n ${{ secrets.OPENSHIFT4_REPOSITORY }}-${{ env.TAG_NAME }} -w
-
-      - name: Rocket.Chat Notification
-        uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@master
-        if: failure()
-        with:
-          type: ${{ job.status }}
-          job_name: "*Namex API Built and Deployed to ${{env.TAG_NAME}}*"
-          channel: "#registries-bot"
-          url: ${{ secrets.ROCKETCHAT_WEBHOOK }}
-          commit: true
-          token: ${{ secrets.GITHUB_TOKEN }}
+  namex-api-cd:
+    uses: bcgov/bcregistry-sre/.github/workflows/backend-cd.yaml@main
+    with:
+      target: ${{ inputs.target }}
+      app_name: "namex-api"
+      working_directory: "./api"
+    secrets:
+      WORKLOAD_IDENTIFY_POOLS_PROVIDER: ${{ secrets.WORKLOAD_IDENTIFY_POOLS_PROVIDER }}
+      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/namex-api-ci.yml b/.github/workflows/namex-api-ci.yml
@@ -1,8 +1,7 @@
-name: Namex API CI
+name: NameX API CI
 
 on:
   pull_request:
-    types: [assigned, synchronize]
     paths:
       - "api/**"
   workflow_dispatch:
@@ -13,91 +12,11 @@ defaults:
     working-directory: ./api
 
 jobs:
-  setup-job:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: setup check
-        run: |
-          echo "setup check pass."
-
-  linting:
-    needs: setup-job
-    runs-on: ubuntu-20.04
-
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
-        run: |
-          make setup
-      - name: Lint with flake8
-        id: flake8
-        run: |
-          poetry run flake8
-
-  testing:
-    needs: setup-job
-    env:
-      DATABASE_TEST_USERNAME: postgres
-      DATABASE_TEST_PASSWORD: postgres
-      DATABASE_TEST_NAME: postgres
-      DATABASE_TEST_HOST: localhost
-
-    runs-on: ubuntu-20.04
-
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-
-    services:
-      postgres:
-        image: postgres:12
-        env:
-          POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_DB: postgres
-        ports:
-          - 5432:5432
-        # needed because the postgres container does not provide a healthcheck
-        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
-        run: |
-          make setup
-      - name: Test with pytest
-        id: test
-        run: |
-          poetry run pytest
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
-        with:
-          file: ./api/coverage.xml
-          flags: namexapi
-          name: codecov-namex-api
-          fail_ci_if_error: true
-
-  build-check:
-    needs: setup-job
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: build to check strictness
-        id: build
-        run: |
-          make build-nc
+  namex-api-ci:
+    uses: bcgov/bcregistry-sre/.github/workflows/backend-ci.yaml@main
+    with:
+      app_name: "namex-api"
+      working_directory: "./api"
+      codecov_flag: "namexapi"
+      skip_isort: "true"
+      skip_black: "true"
diff --git a/api/devops/gcp/clouddeploy.yaml b/api/devops/gcp/clouddeploy.yaml
@@ -0,0 +1,75 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: deploy.cloud.google.com/v1
+kind: DeliveryPipeline
+metadata:
+ name: namex-api-pipeline
+description: Deployment pipeline
+serialPipeline:
+ stages:
+ - targetId: a083gt-dev
+   profiles: [dev]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "development"
+      deploy-project-id: "a083gt-dev"
+      service-name: "namex-api-dev"
+      container-name: "namex-api-dev"
+      service-account: "[email protected]"
+      cloudsql-instances: ""
+ - targetId: a083gt-test
+   profiles: [test]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "test"
+      deploy-project-id: "a083gt-test"
+      service-name: "namex-api-test"
+      container-name: "namex-api-test"
+      service-account: "[email protected]"
+      cloudsql-instances: ""
+ - targetId: a083gt-sandbox
+   profiles: [sandbox]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "sandbox"
+      deploy-project-id: "a083gt-integration"
+      service-name: "namex-api-sandbox"
+      container-name: "namex-api-sandbox"
+      service-account: "[email protected]"
+      cloudsql-instances: ""
+ - targetId: a083gt-prod
+   profiles: [prod]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "production"
+      deploy-project-id: "a083gt-prod"
+      service-name: "namex-api-prod"
+      container-name: "namex-api-prod"
+      service-account: "[email protected]"
+      max-scale: "10"
+      container-concurrency: "20"
+      cloudsql-instances: ""
diff --git a/api/devops/vaults.gcp.env b/api/devops/vaults.gcp.env
@@ -0,0 +1,42 @@
+SENTRY_ENABLE="op://sentry/$APP_ENV/examination/SENTRY_ENABLE"
+SENTRY_DSN="op://sentry/$APP_ENV/examination/SENTRY_DSN"
+COLIN_SVC_URL="op://API/$APP_ENV/colin-api-entity/COLIN_SVC_URL"
+COLIN_SVC_VERSION="op://API/$APP_ENV/colin-api-entity/COLIN_SVC_VERSION"
+PAY_API_URL="op://API/$APP_ENV/pay-api/PAY_API_URL"
+PAY_API_VERSION="op://API/$APP_ENV/pay-api/PAY_API_VERSION"
+REPORT_API_URL="op://API/$APP_ENV/report-api/REPORT_API_URL"
+REPORT_API_VERSION="op://API/$APP_ENV/report-api/REPORT_API_VERSION"
+AUTH_API_URL="op://API/$APP_ENV/auth-api/AUTH_API_URL"
+AUTH_API_VERSION="op://API/$APP_ENV/auth-api/AUTH_API_VERSION"
+SOLR_SYNONYMS_API_URL="op://API/$APP_ENV/solr-synonyms-api/SOLR_SYNONYMS_API_URL"
+SOLR_SYNONYMS_API_VERSION="op://API/$APP_ENV/solr-synonyms-api/SOLR_SYNONYMS_API_VERSION"
+MRAS_SVC_URL="op://API/$APP_ENV/mras-api/MRAS_SVC_URL"
+MRAS_SVC_API_KEY="op://API/$APP_ENV/mras-api/MRAS_SVC_API_KEY"
+LEGAL_API_URL="op://API/$APP_ENV/legal-api/LEGAL_API_URL"
+LEGAL_API_VERSION="op://API/$APP_ENV/legal-api/LEGAL_API_VERSION"
+NAMEX_DATABASE_USERNAME="op://namex/$APP_ENV/postgres-namex/DATABASE_USERNAME"
+NAMEX_DATABASE_PASSWORD="op://namex/$APP_ENV/postgres-namex/DATABASE_PASSWORD"
+NAMEX_DATABASE_NAME="op://namex/$APP_ENV/postgres-namex/DATABASE_NAME"
+NAMEX_DATABASE_HOST="op://namex/$APP_ENV/postgres-namex/DATABASE_HOST"
+NAMEX_DATABASE_PORT="op://namex/$APP_ENV/postgres-namex/DATABASE_PORT"
+KEYCLOAK_AUTH_TOKEN_URL="op://keycloak/$APP_ENV/base/KEYCLOAK_AUTH_TOKEN_URL"
+JWT_OIDC_WELL_KNOWN_CONFIG="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_WELL_KNOWN_CONFIG"
+JWT_OIDC_ALOGORITHMS="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_ALGORITHMS"
+JWT_OIDC_ISSUER="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_ISSUER"
+JWT_OIDC_CACHING_ENABLED="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_CACHING_ENABLED"
+JWT_OIDC_JWKS_CACHE_TIMEOUT="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_JWKS_CACHE_TIMEOUT"
+NAME_REQUEST_SERVICE_ACCOUNT_CLIENT_ID="op://keycloak/$APP_ENV/name-request-service-account/NAME_REQUEST_SERVICE_ACCOUNT_CLIENT_ID"
+NAME_REQUEST_SERVICE_ACCOUNT_CLIENT_SECRET="op://keycloak/$APP_ENV/name-request-service-account/NAME_REQUEST_SERVICE_ACCOUNT_CLIENT_SECRET"
+JWT_OIDC_AUDIENCE="op://namex/$APP_ENV/jwt/JWT_OIDC_AUDIENCE"
+COLIN_URL="op://web-url/$APP_ENV/bcregistry/COLIN_URL"
+BUSINESS_URL="op://web-url/$APP_ENV/bcregistry/BUSINESS_URL"
+SOCIETIES_URL="op://web-url/$APP_ENV/bcregistry/SOCIETIES_URL"
+BUSINESS_CHANGES_URL="op://web-url/$APP_ENV/bcregistry/BUSINESS_CHANGES_URL"
+CORP_FORMS_URL="op://web-url/$APP_ENV/bcregistry/CORP_FORMS_URL"
+DECIDE_BUSINESS_URL="op://web-url/$APP_ENV/bcregistry/CORP_FORMS_URL"
+NAME_REQUEST_URL="op://web-url/$APP_ENV/name-request/NAME_REQUEST_URL"
+BUSINESS_GCP_AUTH_KEY="op://gcp-queue/$APP_ENV/a083gt/BUSINESS_GCP_AUTH_KEY"
+AUDIENCE="op://gcp-queue/$APP_ENV/base/AUDIENCE"
+PUBLISHER_AUDIENCE="op://gcp-queue/$APP_ENV/base/PUBLISHER_AUDIENCE"
+NAMEX_MAILER_TOPIC="op://gcp-queue/$APP_ENV/topics/NAMEX_MAILER_TOPIC"
+NAMEX_NR_STATE_TOPIC="op://gcp-queue/$APP_ENV/topics/NAMEX_NR_STATE_TOPIC"