add prod deployment

adaurat · adaurat · commit d4fed88b52a1 · 2025-02-28T13:52:19.000+01:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,39 @@
+---
+name: Build & Push Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Declare image's tag
+        shell: bash
+        run: |
+          echo "sha_short=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          tags: qmra:${{ env.sha_short }}
+          load: true
+      - name: Save
+        run: docker save qmra > img.tar
+      - name: Push
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_SERVER_SSH_KEY }}
+          source: "img.tar"
+          target: ${{ secrets.DEPLOY_PATH }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,38 @@
+---
+name: CICD Pipeline
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: test app
+    uses: ./.github/workflows/test.yaml
+  build-dev:
+    needs: test
+    name: build-dev
+    uses: ./.github/workflow/build.yaml
+    with:
+      environment: dev
+  deploy-dev:
+    needs: build-dev
+    name: deploy-dev
+    uses: ./.github/workflow/deploy.yaml
+    with:
+      environment: dev
+  build-prod:
+    needs: test
+    name: build-prod
+    uses: ./.github/workflow/build.yaml
+    with:
+      environment: prod
+  deploy-prod:
+    needs:
+      - build-prod
+      - deploy-dev
+    name: deploy-prod
+    uses: ./.github/workflow/deploy.yaml
+    with:
+      environment: prod
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -2,51 +2,16 @@
 name: Deploy Django Application
 
 on:
-  push:
-    branches:
-      - main
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
 jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: '3.11'
-    - name: Install dependencies
-      run: pip install -r requirements.txt && pip install -r requirements.test.txt
-    - name: Test
-      run: python manage.py test
   deploy:
-    needs: test
     runs-on: ubuntu-latest
-    environment: dev
+    environment: ${{ inputs.environment }}
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-    - name: Declare image's tag
-      shell: bash
-      run: |
-        echo "sha_short=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
-    - name: Build    
-      uses: docker/build-push-action@v6
-      with:
-        context: .
-        push: false
-        tags: qmra:${{ env.sha_short }}
-        load: true
-    - name: Save
-      run: docker save qmra > img.tar
-    - name: Push
-      uses: appleboy/scp-action@v0.1.7
-      with:
-        host: ${{ secrets.DEPLOY_HOST }}
-        username: ${{ secrets.DEPLOY_USER }}
-        key: ${{ secrets.DEPLOY_SERVER_SSH_KEY }}
-        source: "img.tar"
-        target: ${{ secrets.DEPLOY_PATH }}
     - name: Deploy
       uses: appleboy/ssh-action@v1.1.0
       with:
@@ -57,4 +22,4 @@ jobs:
           cd ${{ secrets.DEPLOY_PATH }} && git pull
           microk8s ctr image import img.tar && rm img.tar
           cd infra/helm
-          microk8s helm upgrade qmra ./qmra -n qmra --set app_secret_key.value=${{ secrets.APP_SECRET_KEY }},image.tag=${{ env.sha_short }}
+          microk8s helm upgrade -f ${{ inputs.environment }}.values.yaml qmra ./qmra -n qmra --set app_secret_key.value=${{ secrets.APP_SECRET_KEY }},image.tag=${{ env.sha_short }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,18 @@
+---
+name: Test Django Application
+
+on:
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    - name: Install dependencies
+      run: pip install -r requirements.txt && pip install -r requirements.test.txt
+    - name: Test
+      run: python manage.py test
diff --git a/infra/bootstrap-k8.sh b/infra/bootstrap-k8.sh
@@ -6,7 +6,7 @@ adduser k8admin
 usermod -aG sudo k8admin
 su - k8admin
 
-sudo apt update && apt upgrade -y
+sudo apt update && sudo apt upgrade -y
 
 # install microk8s
 sudo snap install microk8s --classic --channel=1.31
@@ -40,3 +40,13 @@ source .bash_aliases
 mk8 enable ingress cert-manager hostpath-storage metrics-server
 mk8 disable ha-cluster
 #observability dashboard hostpath-storage
+
+# firewall settings:
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow ssh
+sudo ufw allow https
+#ufw allow http #necessary for certbot to obtain certificate
+sudo ufw enable
+# needed by mk8s hostpath-provisionner:
+sudo ufw default allow routed
diff --git a/infra/helm/qmra/dev.values.yaml b/infra/helm/qmra/dev.values.yaml
diff --git a/infra/helm/qmra/prod.values.yaml b/infra/helm/qmra/prod.values.yaml
@@ -0,0 +1,57 @@
+# Default values for app.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+namespace: qmra
+domain: qmra.org
+monitoring_domain: monitoring.qmra.org
+replicaCount: 1
+
+app_secret_key:
+  secret_name: qmra-secret-key-secret
+  value: Y21WaGJHeDVYM05sWTNKbGRGOTJZV3gxWlRFSwo=
+configmap_name: qmra-configmap
+
+sqlite:
+  mount_path: /var/lib/qmra/qmra.db
+  hostpath: /var/lib/qmra/qmra.db
+
+static:
+  mount_path: /var/cache/qmra/static
+  hostpath: /var/cache/qmra/static
+
+image:
+  repository: qmra
+  tag: local
+  pullPolicy: Never
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+readinessProbe:
+  httpGet:
+    path: /ready
+    port: http
+resources:
+  limits:
+    cpu: 500m
+    memory: 1Gi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+
+ingress:
+  tlsSecretName: tls-secret-key-ref
+
+tls:
+  acme_email: antoine.daurat@kompetenz-wasser.de
+
+
+podAnnotations:
+  prometheus.io/scrape: "true"
+  prometheus.io/path: /metrics
+  prometheus.io/port: "8080"
+
+
+
+
