From c5b24b202d47c05fd2870387dd7955fb5ff650ef Mon Sep 17 00:00:00 2001
From: John Ake
Date: Fri, 5 Jan 2024 11:06:08 +0000
Subject: [PATCH] Clean up Faltrn

---
 .github/workflows/delete-review-app.yml       | 24 ++++-----
 .../workflows/{deploy_aks.yml => deploy.yml}  |  0
 Makefile                                      |  8 ++-
 README.md                                     | 14 ++---
 adr/00002-use-gov-paas.md                     | 22 --------
 adr/00007-scheduled-jobs.md                   |  2 -
 app/views/static/privacy.md                   |  2 +-
 docs/ops-manual.md                            | 54 ++++---------------
 docs/technical-architecture.md                |  2 +-
 terraform/aks/application.tf                  |  4 +-
 terraform/aks/variables.tf                    |  5 +-
 11 files changed, 41 insertions(+), 96 deletions(-)
 rename .github/workflows/{deploy_aks.yml => deploy.yml} (100%)
 delete mode 100644 adr/00002-use-gov-paas.md

diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index 39b2535bd..56906ff7f 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -17,22 +17,22 @@ jobs:
       - name: Extract configuration from tfvars
         id: config
         run: |
-          KEY_VAULT_NAME=$(jq -r '.key_vault_name' $TFVARS)
-          PAAS_SPACE=$(jq -r '.paas_space' $TFVARS)
-          if [ -z "$KEY_VAULT_NAME" ]; then
-            echo "::error ::Failed to extract key_vault_name from $TFVARS"
+          APP_KEY_VAULT=$(jq -r '.app_key_vault' $TFVARS)
+          NAMESPACE=$(jq -r '.namespace' $TFVARS)
+          if [ -z "$APP_KEY_VAULT" ]; then
+            echo "::error ::Failed to extract app_key_vault from $TFVARS"
             exit 1
           fi
-          if [ -z "$PAAS_SPACE" ]; then
-            echo "::error ::Failed to extract paas_space from $TFVARS"
+          if [ -z "$NAMESPACE" ]; then
+            echo "::error ::Failed to extract namespace from $TFVARS"
             exit 1
           fi
-          echo ::set-output name=key_vault_name::$KEY_VAULT_NAME
-          echo ::set-output name=paas_space::$PAAS_SPACE
+          echo ::set-output name=app_key_vault::$APP_KEY_VAULT
+          echo ::set-output name=namespace::$NAMESPACE
         shell: bash
         env:
           TFVARS: workspace_variables/review.tfvars.json
-        working-directory: terraform/paas
+        working-directory: terraform/aks
 
       - uses: Azure/login@v1
         with:
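Review bot: `jq -r '.app_key_vault' $TFVARS` prints the literal string `null` when the key is absent from the tfvars file, so the `[ -z "$APP_KEY_VAULT" ]` guard on the following line never fires for that case and the job would carry on with a key vault named `null` (the same applies to `.namespace`). Writing the lookups as `APP_KEY_VAULT=$(jq -r '.app_key_vault // empty' "$TFVARS")` makes an absent key expand to an empty string, which the existing check then catches, and quoting `"$TFVARS"` keeps the path intact if it ever contains spaces. The `echo ::set-output name=…` lines this hunk rewrites use a workflow command GitHub has deprecated in favour of `echo "app_key_vault=$APP_KEY_VAULT" >> "$GITHUB_OUTPUT"`; since the lines are already being touched this is the natural moment to migrate them. The enclosing job starts before this hunk.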
@@ -41,7 +41,7 @@ jobs:
       - uses: Azure/get-keyvault-secrets@v1
         id: get_secrets
         with:
-          keyvault: ${{ steps.config.outputs.key_vault_name }}
+          keyvault: ${{ steps.config.outputs.app_key_vault }}
           secrets: "TFSTATE-CONTAINER-ACCESS-KEY,PAAS-USER,PAAS-PASSWORD"
 
       - uses: hashicorp/setup-terraform@v2
@@ -57,7 +57,7 @@ jobs:
           echo "TF_STATE_FILE=$TF_STATE_FILE" >> $GITHUB_ENV
           pr_state_file=$(az storage blob list -c faltrn-tfstate \
           --account-key ${{ steps.get_secrets.outputs.TFSTATE-CONTAINER-ACCESS-KEY }} \
-          --account-name "s165d01faltrntfstatedv" \
+          --account-name "s189t01faltrntfstatervsa" \
           --prefix $TF_STATE_FILE --query "[].name" -o tsv)
           if [ -n "$pr_state_file" ]; then echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV; fi;
       - name: Terraform
@@ -77,4 +77,4 @@ jobs:
         run: |
           az storage blob delete -c faltrn-tfstate --name ${{ env.TF_STATE_FILE }} \
           --account-key ${{ steps.get_secrets.outputs.TFSTATE-CONTAINER-ACCESS-KEY }} \
-          --account-name "s165d01faltrntfstatedv"
+          --account-name "s189t01faltrntfstatervsa"
diff --git a/.github/workflows/deploy_aks.yml b/.github/workflows/deploy.yml
similarity index 100%
rename from .github/workflows/deploy_aks.yml
rename to .github/workflows/deploy.yml
diff --git a/Makefile b/Makefile
index 8bb81e776..3404f92c1 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,9 @@ terrafile: bin/terrafile
 tags: ##Tags that will be added to resource group on it's creation in ARM template
 	$(eval RG_TAGS=$(shell echo '{"Portfolio": "Early years and Schools Group", "Parent Business":"Teaching Regulation Agency", "Product" : "Find a Lost TRN", "Service Line": "Teaching Workforce", "Service": "Teacher Services", "Service Offering": "Find a Lost TRN", "Environment" : "$(ENV_TAG)"}' | jq . ))
 
+clone:
+	$(eval CLONE_STRING=-clone)
+
 ##@ Query parameter store to display environment variables. Requires Azure credentials
 set-azure-account: ${environment}
 	echo "Logging on to ${AZURE_SUBSCRIPTION}"
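Review bot: The `secrets:` line directly below the changed `keyvault:` still asks the vault for `PAAS-USER` and `PAAS-PASSWORD`, although the job now works in `terraform/aks` and nothing visible in the patch reads those two outputs. If no later step consumes them, trim the list to `secrets: "TFSTATE-CONTAINER-ACCESS-KEY"` so the job holds only the credential it actually uses. The rest of the job is outside this hunk, so the usage needs confirming against the full workflow before removing them.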
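Review bot: The storage account name `s189t01faltrntfstatervsa` is hard-coded on the changed line here and again in the hunk at `@@ -77,4 +77,4 @@`, exactly as the old name was; the next time one of them is updated and the other is not, the state-existence check and the later `az storage blob delete` will silently address different accounts. A single job-level entry such as `TFSTATE_ACCOUNT: s189t01faltrntfstatervsa` under `env:`, with both recipe lines reading `--account-name "$TFSTATE_ACCOUNT"`, keeps them in step. The job's `env:` block is outside this hunk.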
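Review bot: `clone` is a command target rather than a file, and nothing in this hunk declares it `.PHONY`; if a file named `clone` ever appears in the checkout the target is silently skipped, `CLONE_STRING` stays empty, and a later `get-cluster-credentials` goal would fetch credentials for the non-clone cluster instead of the intended one. The `$(eval …)` also only affects goals listed after `clone` on the command line, which the bare target does not convey. A help comment in the file's existing `##` style, e.g. `clone: ## Prefix goal that points later goals at the <env>-clone cluster, e.g. make clone test get-cluster-credentials`, would document that, and `clone` should be added to the `.PHONY` list if the Makefile has one (not visible in this hunk).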
@@ -125,7 +128,7 @@ terraform-init: bin/terrafile
 	[[ "${SP_AUTH}" != "true" ]] && az account set -s $(AZURE_SUBSCRIPTION) || true
 	./bin/terrafile -p terraform/aks/vendor/modules -f terraform/aks/workspace_variables/$(CONFIG)_Terrafile
 	terraform -chdir=terraform/aks init -backend-config workspace_variables/$(CONFIG).backend.tfvars $(backend_config) -upgrade -reconfigure
-	$(if $(DOCKER_IMAGE), $(eval export TF_VAR_paas_app_docker_image=$(DOCKER_IMAGE)), $(error Missing environment variable "DOCKER_IMAGE"))
+	$(if $(DOCKER_IMAGE), $(eval export TF_VAR_app_docker_image=$(DOCKER_IMAGE)), $(error Missing environment variable "DOCKER_IMAGE"))
 
 terraform-plan: terraform-init
 	terraform -chdir=terraform/aks plan -var-file workspace_variables/$(CONFIG).tfvars.json
@@ -190,6 +193,9 @@ domains-infra-plan: domains-infra-init ## terraform plan for dns core resources
 domains-infra-apply: domains-infra-init ## terraform apply for dns core resources
 	terraform -chdir=terraform/domains/infrastructure apply -var-file config/zones.tfvars.json ${AUTO_APPROVE}
 
+get-cluster-credentials: set-azure-account ## make get-cluster-credentials [ENVIRONMENT=]
+	az aks get-credentials --overwrite-existing -g ${RESOURCE_GROUP_NAME} -n ${RESOURCE_PREFIX}-tsc-${ENVIRONMENT}${CLONE_STRING}-aks
+
 
 ######################################
 domains-init: bin/terrafile faltrn_domain set-azure-account ## terraform init for dns resources: make domains-init
diff --git a/README.md b/README.md
index 7b6cac59e..c9290ca79 100644
--- a/README.md
+++ b/README.md
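Review bot: The cluster name on the `az aks get-credentials` recipe line is assembled from `${ENVIRONMENT}` with no guard, so an empty `ENVIRONMENT` produces `${RESOURCE_PREFIX}-tsc--aks` and the mistake surfaces only as an Azure lookup error. Adding `$(if $(ENVIRONMENT),,$(error ENVIRONMENT is not set; run e.g. make test get-cluster-credentials))` as the first recipe line fails fast in the same style the file already uses for `DOCKER_IMAGE`; `RESOURCE_GROUP_NAME` and `RESOURCE_PREFIX` are presumably set by the environment targets defined elsewhere in the file and deserve the same treatment. The `##` help text should also say that the target rewrites the caller's kubeconfig entry (`--overwrite-existing`) and that prefixing `clone` selects the `-clone` cluster, and the target belongs in the file's `.PHONY` list, which is outside this hunk.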
@@ -6,12 +6,12 @@ A service that allows teachers to find their Teacher Reference Number (TRN).
 
 ### Links and application names
 
-| Name | URL | Deployment | PaaS space | PaaS application |
-| ---------- | ------------------------------------------------- | ---------- | ---------------- | ---------------------------- |
-| Production | https://find-a-lost-trn.education.gov.uk/ | Automatic | `tra-production` | `find-a-lost-trn-production` |
-| Preprod | https://preprod-find-a-lost-trn.education.gov.uk/ | Automatic | `tra-test` | `find-a-lost-trn-preprod` |
-| Test | https://test-find-a-lost-trn.education.gov.uk/ | Automatic | `tra-test` | `find-a-lost-trn-test` |
-| Dev | https://dev-find-a-lost-trn.education.gov.uk/ | Automatic | `tra-dev` | `find-a-lost-trn-dev` |
+| Name | URL (Frontdoor) | Deployment | AKS namespace | Ingress URL |
+| ------------- | ------------------------------------------------ | ---------- | ----------------- | ---------------------------------------------------------------- |
+| Production | https://find-a-lost-trn.education.gov.uk | Automatic | `tra-production` | https://find-a-lost-trn-production.teacherservices.cloud |
+| Preproduction | https://preprod.find-a-lost-trn.education.gov.uk | Automatic | `tra-test` | https://find-a-lost-trn-preproduction.test.teacherservices.cloud |
+| Test | https://test.find-a-lost-trn.education.gov.uk | Automatic | `tra-test` | http://find-a-lost-trn-test.test.teacherservices.cloud |
+| Dev | https://dev.find-a-lost-trn.education.gov.uk | Automatic | `tra-development` | https://find-a-lost-trn-development.test.teacherservices.cloud |
 
 All environments have continuous deployment, the state of which can be inspected in Github Actions.
 
@@ -59,7 +59,7 @@ You can use this user to test that matching works against the preprod
 ## How the application works
 
 Find a lost TRN is a monolithic Rails app built with the GOVUK Design System and hosted on
-GOVUK PaaS.
+GOVUK AKS.
 
 We keep track of architecture decisions in [Architecture Decision Records (ADRs)](/adr/).
 
diff --git a/adr/00002-use-gov-paas.md b/adr/00002-use-gov-paas.md
deleted file mode 100644
index f8aef8589..000000000
--- a/adr/00002-use-gov-paas.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# 2. Use GOV.UK PaaS
-
-Date: 2022-01-02
-
-## Status
-
-Accepted
-
-## Context
-
-We have two main hosting options for the Find a lost service - GOV PaaS, or Azure CIP
-
-## Decision
-
-We will use the GOV PaaS platform to host the Find a lost TRN web application
-
-## Consequences
-
-- Cloud services are limited to that which are available on the GOV PaaS Platform
-- Cloudfoundry to be used to operate platform
-- AWS Shield ingress protection
-- 24/7 Support available
diff --git a/adr/00007-scheduled-jobs.md b/adr/00007-scheduled-jobs.md
index d0035326a..60232f048 100644
--- a/adr/00007-scheduled-jobs.md
+++ b/adr/00007-scheduled-jobs.md
@@ -19,8 +19,6 @@ We have considered:
 
 Considering the effort to deploy and maintain the infrastructure to run the jobs, we think it's better to use sidekiq/sidekiq_cron.
 
-The clockwork gem requires some workarounds to be able to run on PaaS.
-
 #### Pros
 
 - The sidekiq/sidekiq_cron combination is a proven, stable and scalable combination which can take us all the way to public launch and beyond.
diff --git a/app/views/static/privacy.md b/app/views/static/privacy.md
index b5fef2571..d3cfb95ff 100644
--- a/app/views/static/privacy.md
+++ b/app/views/static/privacy.md
@@ -78,7 +78,7 @@ We also use Google’s G Suite to process some personal data. Google processes y
 
 ### Hosting services
 
-We host our services on GOV.UK PaaS, which encrypts your data to prevent it being accessed by unauthorised people.
+We host our services on AKS which encrypts your data to prevent it being accessed by unauthorised people.
 
 ### Auditors
 
diff --git a/docs/ops-manual.md b/docs/ops-manual.md
index e7565c9fc..a7fa5b4b3 100644
--- a/docs/ops-manual.md
+++ b/docs/ops-manual.md
@@ -2,55 +2,19 @@
 
 ## SSHing to a live docker container
 
-To SSH into a container, install the `cloudfoundry-cli`. Example using `asdf`:
-
-```bash
-$ asdf plugin add cf
-$ asdf cf install latest
-$ asdf global cf latest
-$ cf --version
-cf version 8.3.0+e6f8a85.2022-03-11
-```
-
-You'll need a PaaS account that has access to the
-`tra-dev/tra-test/tra-production` space. Sign into your account using SSO:
-
-```bash
-$ cf login -a api.london.cloud.service.gov.uk --sso
-API endpoint: api.london.cloud.service.gov.uk
-
-Temporary Authentication Code ( Get one at https://login.london.cloud.service.gov.uk/passcode ):
-Authenticating...
-OK
+To SSH into a container, install `kubectl`
+- Configure the credentials using the `get-cluster-credentials`, run make command. Example:
 
-Targeted org dfe.
-
-Select a space:
-1. sandbox
-2. tra-dev
-3. tra-production
-4. tra-test
-
-Space (enter to skip): 2
-Targeted space tra-dev.
-
-API endpoint: https://api.london.cloud.service.gov.uk
-API version: 3.112.0
-user: 1XXXXXXXXXXXXXXXXXXXX
-org: dfe
-space: tra-dev
 ```
-
-To SSH into the running docker container and go to the app directory:
-
-```bash
-cf ssh find-a-lost-trn-dev
-cd /app
+make test get-cluster-credentials
+make development get-cluster-credentials ENVIRONMENT=cluster1
 ```
 
-**Note**: SSH access is monitored and logged as an event in the Events tab on
-the PaaS website.
+find-a-lost-trn-test-57556754f9-q5mfd
+To SSH into a container, in the test cluster. Example ssh into a container named `find-a-lost-trn-test`, within the pod `find-a-lost-trn-test-57556754f9-q5mfd`:
+
+run `kubectl -n tra-test exec -it find-a-lost-trn-test-57556754f9-q5mfd -c find-a-lost-trn-test -- /bin/sh`
 
 ## Running a Rails console
 
@@ -98,7 +62,7 @@ xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy 'digital.education.gov.uk'
         "tenantId": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy"
       }
     ],
-    "name": "s165-teachingqualificationsservice-development",
+    "name": "s189-teacher-services-cloud-test",
     "state": "Enabled",
     "tenantId": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy",
     "user": {
diff --git a/docs/technical-architecture.md b/docs/technical-architecture.md
index 737807cfb..7ee7a67e1 100644
--- a/docs/technical-architecture.md
+++ b/docs/technical-architecture.md
@@ -4,7 +4,7 @@
 
 The Find a lost TRN service is a public facing web application that allows its users to retrieve their TRN by supplying personal information. It works by querying the DQT API with the supplied details, and returning them to the user. As a fallback, if the DQT API is unavailable, the Find a lost TRN service will create a ticket in a Zendesk system that the supporting team will then pick up, and handle manually.
 
-The web primary web application in hosted in GOV.UK PaaS, uses a Postgres database for persistence and a Redis instance for retry logic for deferred executions of tasks.
+The web primary web application in hosted in AKS, uses a Postgres database for persistence and a Redis instance for retry logic for deferred executions of tasks.
 
 ## Architecture Diagram
 
diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf
index 8dd5acae8..f42e8d829 100644
--- a/terraform/aks/application.tf
+++ b/terraform/aks/application.tf
@@ -21,7 +21,7 @@ module "web_application" {
   kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name
   kubernetes_secret_name = module.application_configuration.kubernetes_secret_name
 
-  docker_image = var.paas_app_docker_image
+  docker_image = var.app_docker_image
   max_memory = var.memory_max
   replicas = var.replicas
   web_external_hostnames = var.gov_uk_host_names
@@ -52,7 +52,7 @@ module "worker_application" {
   cluster_configuration_map = module.cluster_data.configuration_map
   kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name
   kubernetes_secret_name = module.application_configuration.kubernetes_secret_name
-  docker_image = var.paas_app_docker_image
+  docker_image = var.app_docker_image
   command = ["bundle", "exec", "sidekiq", "-C", "./config/sidekiq.yml"]
   probe_command = ["pgrep", "-f", "sidekiq"]
   max_memory = var.worker_memory_max
diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
index f5891e975..326fbea36 100644
--- a/terraform/aks/variables.tf
+++ b/terraform/aks/variables.tf
@@ -83,9 +83,8 @@ variable "gov_uk_host_names" {
   type = list(any)
 }
 
-# PaaS variables
-variable "paas_app_docker_image" {
-  description = "PaaS image name and version "
+variable "app_docker_image" {
+  description = "image name and version "
 }
 
 variable "deploy_redis" {
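Review bot: The renamed `variable "app_docker_image"` block in the variables.tf hunk carries no `type` constraint, and its description keeps the trailing space from the old text, `"image name and version "`. Since the Makefile now feeds it through `TF_VAR_app_docker_image`, declaring `type = string` and tidying the text to `description = "Docker image name and tag deployed for the web and worker applications"` lets a missing or malformed value fail at plan time rather than inside the module that consumes `docker_image`. The variable block is complete within the hunk.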