k8s deploy (#87)

* k8s deploy * ServerName for redis tls config * fix * resource requests & limits * clear pending deploys * install cli in build step * color helm diff, support pending install & rollback clearing, silence perms warnings, cleanup on failure, 10m timeout * decrease system resource usage * k8s deploy becomes prod deploy --------- Co-authored-by: Josh Smith <[email protected]>
osuAkatsuki · Dec 30, 2023 · 83805a6 · 83805a6
1 parent ef1efba
commit 83805a6
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 39 deletions.
diff --git a/.env.example b/.env.example
@@ -28,6 +28,7 @@ REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_PASS=
 REDIS_DB=0
+REDIS_USE_SSL=false
 
 AWS_REGION=ca-central-1
 AWS_ACCESS_KEY_ID=

diff --git a/.github/workflows/production-deploy.yml b/.github/workflows/production-deploy.yml
@@ -1,33 +1,89 @@
 name: production-deploy
+
 on:
   push:
     branches:
       - master
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  build:
-    name: Build
+  production-deploy:
     runs-on: ubuntu-latest
+
     steps:
-      - name: Extract branch name
-        shell: bash
-        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
-        id: extract_branch
+      - name: Check out latest commit
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: osuAkatsuki/hanayo
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/hanayo:latest
+            ${{ secrets.DOCKERHUB_USERNAME }}/hanayo:${{ github.sha }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Get kubeconfig from github secrets
+        run: |
+            mkdir -p $HOME/.kube
+            echo "${{ secrets.KUBECONFIG }}" > $HOME/.kube/config
+            sudo chown $(id -u):$(id -g) $HOME/.kube/config
+            chmod 600 $HOME/.kube/config
+
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: "latest"
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
 
-      - name: Run deploy on production
-        uses: appleboy/[email protected]
+      - name: Install helm-diff
+        run: helm plugin install https://github.com/databus23/helm-diff
+
+      - name: Checkout common-helm-charts repo
+        uses: actions/checkout@v3
         with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USERNAME }}
-          key: ${{ secrets.SSH_KEY }}
-          port: ${{ secrets.SSH_PORT }}
-          script_stop: true
-          script: |
-            cd /home/akatsuki/hanayo
-            git fetch origin
-            git checkout origin/${{ steps.extract_branch.outputs.branch }}
-            git pull origin ${{ steps.extract_branch.outputs.branch }}
-            docker build -t hanayo:latest .
-            cd /home/akatsuki/workbench
-            docker-compose stop hanayo-api
-            docker-compose up -d hanayo-api
+          repository: osuAkatsuki/common-helm-charts
+          token: ${{ secrets.COMMON_HELM_CHARTS_PAT }}
+          path: common-helm-charts
+
+      - name: Clear pending deployments
+        run: |
+          kubectl delete secret -l 'status in (pending-install, pending-upgrade, pending-rollback),name=hanayo-production'
+
+      - name: Show manifest diff since previous release
+        run: |
+          helm diff upgrade \
+          --allow-unreleased \
+          --color=true \
+          --values chart/values.yaml \
+          hanayo-production \
+          common-helm-charts/microservice-base/
+
+      - name: Deploy service to production cluster
+        run: |
+          helm upgrade \
+            --install \
+            --atomic \
+            --wait --timeout 10m \
+            --cleanup-on-fail \
+            --values chart/values.yaml \
+            hanayo-production \
+            common-helm-charts/microservice-base/
diff --git a/Dockerfile b/Dockerfile
@@ -11,6 +11,7 @@ RUN go mod download && go mod verify
 RUN git submodule init && git submodule update --remote --recursive --merge
 
 RUN apt install -y python3-pip
+RUN pip install -i https://pypi2.akatsuki.gg/cmyui/dev --break-system-packages akatsuki-cli
 
 RUN go build
 

diff --git a/app/states/settings/settings.go b/app/states/settings/settings.go
@@ -56,6 +56,7 @@ type Settings struct {
 	REDIS_PORT            int
 	REDIS_PASS            string
 	REDIS_DB              int
+	REDIS_USE_SSL         bool
 
 	AWS_REGION            string
 	AWS_ACCESS_KEY_ID     string
@@ -111,6 +112,7 @@ func LoadSettings() Settings {
 	settings.REDIS_PORT = strToInt(getEnv("REDIS_PORT"))
 	settings.REDIS_PASS = getEnv("REDIS_PASS")
 	settings.REDIS_DB = strToInt(getEnv("REDIS_DB"))
+	settings.REDIS_USE_SSL = strToBool(getEnv("REDIS_USE_SSL"))
 
 	settings.AWS_REGION = getEnv("AWS_REGION")
 	settings.AWS_ACCESS_KEY_ID = getEnv("AWS_ACCESS_KEY_ID")

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1,11 +1,25 @@
-app:
-  name: hanayo
-  environment: staging
-  group: frontend
-  container:
-    image:
-      repository: registry.digitalocean.com/akatsuki/hanayo
-      tag: latest
-    imagePullSecrets:
-      - name: akatsuki
-    port: 80
+apps:
+  - name: hanayo-api
+    environment: production
+    codebase: hanayo
+    replicaCount: 1
+    container:
+      image:
+        repository: osuakatsuki/hanayo
+        tag: latest
+      port: 80
+      env:
+        - name: APP_COMPONENT
+          value: api
+      resources:
+        limits:
+          cpu: 300m
+          memory: 250Mi
+        requests:
+          cpu: 150m
+          memory: 150Mi
+      imagePullSecrets:
+        - name: osuakatsuki-registry-secret
+    service:
+      type: ClusterIP
+      port: 80
diff --git a/main.go b/main.go
@@ -6,6 +6,7 @@ package main
 // repo, but apparently, gin is dead.
 
 import (
+	"crypto/tls"
 	"encoding/gob"
 	"fmt"
 	"os"
@@ -107,11 +108,19 @@ func main() {
 		}
 	}
 
+	var tlsConfig *tls.Config
+	if settings.REDIS_USE_SSL {
+		tlsConfig = &tls.Config{
+			ServerName: "*.c.db.ondigitalocean.com",
+		}
+	}
+
 	// initialise redis
 	rd := redis.NewClient(&redis.Options{
-		Addr:     fmt.Sprintf("%s:%d", settings.REDIS_HOST, settings.REDIS_PORT),
-		Password: settings.REDIS_PASS,
-		DB:       settings.REDIS_DB,
+		Addr:      fmt.Sprintf("%s:%d", settings.REDIS_HOST, settings.REDIS_PORT),
+		Password:  settings.REDIS_PASS,
+		DB:        settings.REDIS_DB,
+		TLSConfig: tlsConfig,
 	})
 	services.RD = rd
 

diff --git a/scripts/start.sh b/scripts/start.sh
@@ -12,9 +12,8 @@ if [ -z "$APP_ENV" ]; then
 fi
 
 if [[ $PULL_SECRETS_FROM_VAULT -eq 1 ]]; then
-  # TODO: is there a better way to deal with this?
-  pip install --break-system-packages -i $PYPI_INDEX_URL akatsuki-cli
-  akatsuki vault get hanayo $APP_ENV -o .env
+  # TODO: revert to $APP_ENV
+  akatsuki vault get hanayo production-k8s -o .env
   source .env
 fi