Merge branch 'TUR-25' into 'master'

TUR-25: Switch to autodeployment using ArgoCD See merge request turniere/turniere-backend!26
2022-06-25 14:55:35 +00:00 · 2022-06-25 14:55:35 +00:00 · 19b552cb10
parent 6afc5a9e62 7285558c62
commit 19b552cb10
18 changed files with 248 additions and 164 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -3,74 +3,23 @@ stages:
  - test
  - deploy

-kaniko:
-  stage: build
-  image:
-    name: gcr.io/kaniko-project/executor:debug
-    entrypoint: [""]
-  script:
-    - mkdir -p /kaniko/.docker
-    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
-    - |
-      for env in production development test; do
-        /kaniko/executor --context "${CI_PROJECT_DIR}" \
-        --dockerfile "${CI_PROJECT_DIR}/docker/${env}/Dockerfile" \
-        --destination "${CI_REGISTRY_IMAGE}/${env}:latest" \
-        --destination "${CI_REGISTRY_IMAGE}/${env}/commits:${CI_COMMIT_SHA}" \
-        --destination "${CI_REGISTRY_IMAGE}/${env}/refs:${CI_COMMIT_REF_SLUG}" \
-        --build-arg base_commit="$CI_COMMIT_SHA"
-      done
+include:
+  - project: 'turniere/turniere-infra'
+    file: '/ci/pipeline.yaml'

 rails spec:
  stage: test
  image: $CI_REGISTRY_IMAGE/test/commits:$CI_COMMIT_SHA
-  only:
-    changes:
-      - '**/*.rb'
-      - 'Gemfile'
-      - 'Gemfile.lock'
-  except:
-    variables:
-      - $SKIP_TEST
+  rules:
+    - if: $SKIP_TEST
+      when: never
+    - if: $CI_PIPELINE_SOURCE != "push"
+      when: never 
+    - changes:
+        - '**/*.rb'
+        - 'Gemfile'
+        - 'Gemfile.lock'
  script:
    - cd /app
    - bundle exec rails db:migrate
    - bundle exec rails spec
-
-kubernetes:
-  tags:
-    - turniere-deploy
-  stage: deploy
-  only:
-    refs:
-      - master
-    variables:
-      - $FORCE_DEPLOY
-  image: ruby
-  variables:
-    KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: gitlab-deploy
-  script:
-    - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
-    - chmod +x kubectl
-    - mv kubectl /usr/bin/kubectl 
-    - kubectl config set-cluster k8s --server="https://kubernetes.default.svc" --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-    - kubectl config set-credentials sa --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
-    - kubectl config set-context local --cluster=k8s --user=sa --namespace=turniere-backend
-    - gem install krane
-    - krane render -f kubernetes --current-sha "$CI_COMMIT_SHA" | krane deploy turniere-backend local -f kubernetes/secrets.ejson -
-
-deploy_watchtower:
-  stage: deploy
-  only:
-    refs:
-      - master
-    variables:
-      - $FORCE_DEPLOY
-  image: docker
-  services:
-    - docker:dind
-  script:
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker pull $CI_REGISTRY_IMAGE/production/commits:$CI_COMMIT_SHA
-    - docker tag $CI_REGISTRY_IMAGE/production/commits:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE/production:deploy
-    - docker push $CI_REGISTRY_IMAGE/production:deploy
--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class HealthController < ApplicationController
+  def index
+    errors = []
+    errors << 'database not conneected' unless database_connected?
+    status = errors.empty? ? :ok : :internal_server_error
+    render json: { errors: }, status:
+  end
+
+  private
+
+  def database_connected?
+    ApplicationRecord.connection.select_value('SELECT 1') == 1
+  rescue StandardError
+    false
+  end
+end
--- a/chart/.helmignore
+++ b/chart/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@ -0,0 +1,6 @@
+apiVersion: v2
+name: turniere-backend
+description: turnie.re backend
+type: application
+version: 0.1.0
+appVersion: "latest"
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "chart.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          env:
+            - name: RAILS_MASTER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: rails-master-key
+                  key: master.key
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@ -0,0 +1,17 @@
+{{- $fullName := include "chart.fullname" . -}}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ $fullName }}
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`{{ .Values.ingress.host }}`)
+      kind: Rule
+      services:
+        - name: {{ $fullName }}
+          port: {{ .Values.service.port }}
+  tls:
+    certResolver: leresolver
--- a/chart/templates/secret.yaml
+++ b/chart/templates/secret.yaml
@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+  creationTimestamp: null
+  name: rails-master-key
+spec:
+  encryptedData:
+    master.key: AgBzhjABvgqp0gRdbY6JS2I5s0ir/p9xp8/KSGRZY6Gcl+saGjF6ZIFP9Tm84WwkDOujn6qW8h2Me5vxA943b8lOHXwrPXCjuM7FRt5pGlXjS08zLB08fD1mZ6btrs50AUih0YeB92pDJ7yup3eE7jJA+n1vTnNTNh62iCzLOdqHpr3IgJKvJueWcgQLjB5Lwden649QKCdpwd82el+xYLRuuS/teUANKCbLxypzp4A+Wmgcw1KmO9F29/XjiYCOJ0b1oFyI9oMhF+dyh0c3XUqNOA4TtD6a2nFtfDlVN57DmrcwAnzuXAWVDZ/RDEm5c2LVGCxAe463XDA4a+ruNYoAlbpUz2Zaqi+nISN98y2nTpWQOYICN+etps0k/o8qx8xTfPQMUG6T1D207LvzNl0Df/S2mOIWDvlEmAUZTr0PY+5e4n3cLvsemDo0/ea1+edK4eW+qbHDUTb9QswsYxysQuvHHhVv0G45887YGR/zEZLQ0yRHPyk6LwOXQ7MQc7YU/ZF3bms+93E7bgDVJVS/WneM3EEa0iTAIWre14VvOS3F4nMS5+2fcz5Nh+l1XER4F4+NllJRpINGF0wdBQDEDoyw25/6sPS/R7zheGNH32kpJx/7eEMh5LJzjA/ZseYo4t2TpD1U/OpGnfyzrQ+D/dM6p5C+WG7GD4P2M8Oqarl2YxbBf3rM0YDn0aMGc/PWN+M/TvsR5WAabQV9VRspEfoHcKEvHLqtbeeIflVd7w==
+  template:
+    data: null
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      creationTimestamp: null
+      name: rails-master-key
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "chart.selectorLabels" . | nindent 4 }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@ -0,0 +1,20 @@
+replicaCount: 1
+
+image:
+  repository: registry.gitlab.com/turniere/turniere-backend/production/commits
+  pullPolicy: IfNotPresent
+  tag: ""
+
+podAnnotations: {}
+
+securityContext: {}
+#  runAsNonRoot: true
+#  runAsUser: 1000
+
+service:
+  port: 8080
+
+ingress:
+  host: ""
+
+resources: {}
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@ -1 +1 @@
-ruZJ+91rINdvygAZmPntRDVcB5VHuv95KXN+XVt4V0xJZ73WeVqVvhFVBJDQtjona/2swLqI+dLwIgyYJHY8beW50yY/wFzcCHsBE6OYodB+d7X0aeqaz4lSkgu6n/rCq9ls7fCKYzUHp7CJie/U3K47opI37qgWaRt5rwggHefzmYEyUUBCVGlOFk0dEPqVaOwng4vcnD6UetJMeTBNH3lOE699qwMlNinAlUgSXGrZYmVat2aK9sO8QGVgOKR6qnMoKh0ZAluzseridO5SSrK7iaKyVI+72Gr8nOQ1ZYjYtolIe3xUMglbvdoB80hSIWsTZEP0sxz3ON/NYwFG2Nt2kuBTqn+RiG1AobgviaY/5YUb1umt7RGQEDQXblszouaI5w2MNqNMli5hN5dqs1aly/On+zzf/2Alveaq9DCIonVy9W6r/8aKt5hqmWrxT8ef5zJiwIr2flg0JXRruHXRTC2lcv9HKEs5N3B/Q62ra+KwcQyXE1tLoYqhjcGUXuN+NSet+SaGZdjn/Sbo1QfJ3IQipUiHPCDTZzf5IvDm+2zknPEDpgxjtXpwYRmVXrSMqpKDVyt80bgvto9tf/AbcjpnA1D18b+QHT8Dxg3wOuJ7l6mWPWFntQ33hnCKUxirpnMEGhRlhoEgX3hKnhJewoKN3UIb6mi+1iTaQCNNaYAK196uK7nPNsAGmcZOkgY3--lCxqjZEbmSLMKbsO--a59RgKSQDvXiB1pySy2jug==
+85AWF9g6oFzqO4ytbENY4TbLPPPoBO/nyY2APTzpxl2AKW2I/zkl5lupHQfN+hiHtpmcwcfnoEkTOlQEqDghc3bxh4dEt2m+T3Mk55EeNHfJFuOHdJFAC9fXyijXtXL3rkMh+tNRoikaAq5Hd1SA1gJonfQWUwnsCwbEc68INkkVjC5on1GxDT3xQHVhP5upRS9NGNPQoznswbkHym9PzEiQtlwU2UbXd/q/lG+2JHJIXlLC3HsjnfN1W2PH6QhK1Fd7KaUgEoCb0t97sW2yOoku7z2TA/wunTVvSB1480A2R8jehWjz5udz2mbzDfxuhdVXqFOfumvJFwUit4H7vAXvn82n6iFpJTsmLX48qqd+PyBO2Zqh9A9p1I8CcdL/2jyk2ISjXhbGocNRAFRNSOVfMU6EM3mChWweIIOdi/CCJHcWU+dWwpBYUTUdQYAou4hH+2dfgrkPoM+k7wVkFqYVpixave6k0KluONn47Oo9/75eZbGlW2PuzaGsOB2PgVVm1jle3cIQnkjjMr0omHXmYhYxrOdn/S/tzzUX+dvT3lExnt4PegjGOS817KklWK/HBGrGjcDkLiEvFyFzzR0SzRm9ViPG1oROL1Uw8IyB5NrfwctuSbhIhNL+J81gvm67EpwPPv+dN8gOV4d7YBrYAJm1xHSAi1i9KHGzNwV7OEB0tEZJunmKf4o6lokIxA==--ll7GLVG10R3rDecn--WOtP8uI0voEjTbs2DKhAKA==
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -79,7 +79,7 @@ Rails.application.configure do

  # Mail
  config.action_mailer.raise_delivery_errors = true
-  config.action_mailer.default_url_options = { host: 'api01.turnie.re' }
+  config.action_mailer.default_url_options = { host: 'backend.turnie.re' }
  config.action_mailer.delivery_method = :mailgun
  config.action_mailer.mailgun_settings = {
    api_key: Rails.application.credentials.dig(:mailgun, :api_key),
--- a/config/initializers/devise_token_auth.rb
+++ b/config/initializers/devise_token_auth.rb
@ -48,5 +48,5 @@ DeviseTokenAuth.setup do |config|
  # do so by enabling this flag. NOTE: This feature is highly experimental!
  # config.enable_standard_devise_support = false

-  config.default_confirm_success_url = 'https://frontend01.turnie.re'
+  config.default_confirm_success_url = 'https://turnie.re'
 end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -17,4 +17,6 @@ Rails.application.routes.draw do
  end
  resources :match_scores, only: %i[show update]
  resources :groups, only: %i[show]
+
+  get 'healthz', to: 'health#index'
 end
--- a/kubernetes/deployment.yml.erb
+++ b/kubernetes/deployment.yml.erb
@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: backend-deployment
-  namespace: turniere-backend
-  labels:
-    app: turniere-backend
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: turniere-backend
-  template:
-    metadata:
-      labels:
-        app: turniere-backend
-    spec:
-      containers:
-      - name: backend-container
-        image: registry.gitlab.com/turniere/turniere-backend/production/commits:<%= current_sha %>
-        ports:
-        - containerPort: 3000
-        env:
-        - name: RAILS_MASTER_KEY
-          valueFrom:
-            secretKeyRef:
-              name: turniere-secret
-              key: master.key
--- a/kubernetes/rolebinding.yml
+++ b/kubernetes/rolebinding.yml
@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: gitlab-deploy-rb
-  namespace: turniere-backend
-subjects:
-  - kind: ServiceAccount
-    name: gitlab-deploy
-    namespace: gitlab
-roleRef:
-  kind: ClusterRole
-  name: gitlab-deploy-role
-  apiGroup: rbac.authorization.k8s.io
--- a/kubernetes/secrets.ejson
+++ b/kubernetes/secrets.ejson
@ -1,11 +0,0 @@
-{
-  "_public_key": "c837fba31b5cd2adb6809c23818e9ee1bc7a85f585f8bf9bca767f6e6e71db39",
-  "kubernetes_secrets": {
-    "turniere-secret": {
-      "_type": "Opaque",
-      "data": {
-        "master.key": "EJ[1:QEauT9a+p+4WLCIpVRIVafEN6KemhM544B3bx67Gyg4=:/2xjJ3RseqBy6JORX9vkaFv3pnhWYELB:KQvFX2W4aLBquluKJikYeO/sp2TOUROxGU8qj941EMk0vxapeGEh9CdQ9Rit1B+e]"
-      }
-    }
-  }
-}
--- a/kubernetes/service.yml
+++ b/kubernetes/service.yml
@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: backend-service
-  namespace: turniere-backend
-spec:
-  selector:
-    app: turniere-backend
-  ports:
-    - name: http
-      port: 3000
-      targetPort: 3000
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: backend-ingress-http
-  namespace: turniere-backend
-spec:
-  entryPoints:
-    - http
-  routes:
-    - match: Host(`api01.turnie.re`)
-      kind: Rule
-      services:
-        - name: backend-service
-          port: 3000
-      middlewares:
-        - name: redirect
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: backend-ingress-https
-  namespace: turniere-backend
-spec:
-  entryPoints:
-    - https
-  routes:
-    - match: Host(`api01.turnie.re`)
-      kind: Rule
-      services:
-        - name: backend-service
-          port: 3000
-  tls:
-    certResolver: default