From 55f1cddb359fa6980ebfe304ddf573e0cf2c43d6 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Tue, 14 Mar 2023 02:01:41 +0100
Subject: [PATCH] initial draft of deploy script, newly encrypted secrets
---
.github/workflows/deploy.yml | 99 +++++++++++++++++++++++++++++++++
kubeconfig.yaml.enc | Bin 1517 -> 1519 bytes
kubernetes/dns.values.yaml.enc | 5 +-
kubernetes/values.yaml.enc | Bin 1754 -> 1757 bytes
4 files changed, 102 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..fda1ef2
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,99 @@
+name: deploy
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ deploy:
+ # see example https://github.com/do-community/example-doctl-action
+ # see example https://github.com/do-community/example-doctl-action/blob/main/.github/workflows/workflow.yaml
+ name: Deploy defined version to stage.ocelot.social cluster at DigitalOcean
+ runs-on: ubuntu-latest
+ env:
+ SECRET: ${{ secrets.SECRET }}
+ CONFIGURATION: "this"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Decrypt .env
+ run: gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" --output .env .env.enc
+ - name: Load .env
+ uses: aarcangeli/load-dotenv@v1.0.0
+ with:
+ quiet: false
+ - name: Checkout Ocelot code
+ uses: actions/checkout@v3
+ with:
+ repository: 'Ocelot-Social-Community/Ocelot-Social'
+ ref: '${OCELOT_SOCIAL_TAG}'
+ path: 'ocelot/'
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ path: 'ocelot/deployment/configurations/${CONFIGURATION}'
+ - name: Decrypt all secrets
+ run: ocelot/deployment/scripts/secrets.decrypt.sh
+ - name: Upgrade Cluster
+ run: ocelot/deployment/scripts/cluster.upgrade.sh
+
+ # ##########################################################################
+ # # SET ENVS ###############################################################
+ # ##########################################################################
+ # - name: ENV - VERSION
+ # run: echo "VERSION=$(node -p -e "require('./package.json').version")" >> $GITHUB_ENV
+ # - name: ENV - BUILD_VERSION
+ # run: echo "BUILD_VERSION=${VERSION}-${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
+ # ##########################################################################
+ # # Install DigitalOceans doctl and set kubeconfig #########################
+ # ##########################################################################
+ # - name: Install doctl
+ # uses: digitalocean/action-doctl@v2
+ # with:
+ # token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+ # - name: Save DigitalOcean kubeconfig with short-lived credentials
+ # run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 cluster-stage-ocelot-social
+ # ##########################################################################
+ # # Deploy new Docker images to DigitalOcean Kubernetes cluster ############
+ # ##########################################################################
+ # # - name: Deploy 'latest' to DigitalOcean Kubernetes
+ # # run: |
+ # # kubectl -n default set image deployment/ocelot-webapp container-ocelot-webapp=ocelotsocialnetwork/webapp:latest
+ # # kubectl -n default rollout restart deployment/ocelot-webapp
+ # # kubectl -n default set image deployment/ocelot-backend container-ocelot-backend=ocelotsocialnetwork/backend:latest
+ # # kubectl -n default rollout restart deployment/ocelot-backend
+ # # kubectl -n default set image deployment/ocelot-maintenance container-ocelot-maintenance=ocelotsocialnetwork/maintenance:latest
+ # # kubectl -n default rollout restart deployment/ocelot-maintenance
+ # # kubectl -n default set image deployment/ocelot-neo4j container-ocelot-neo4j=ocelotsocialnetwork/neo4j-community:latest
+ # # kubectl -n default rollout restart deployment/ocelot-neo4j
+ # - name: Deploy actual version '$BUILD_VERSION' to DigitalOcean Kubernetes
+ # run: |
+ # kubectl -n default set image deployment/ocelot-webapp container-ocelot-webapp=ocelotsocialnetwork/webapp:$BUILD_VERSION
+ # kubectl -n default rollout restart deployment/ocelot-webapp
+ # kubectl -n default set image deployment/ocelot-backend container-ocelot-backend=ocelotsocialnetwork/backend:$BUILD_VERSION
+ # kubectl -n default rollout restart deployment/ocelot-backend
+ # kubectl -n default set image deployment/ocelot-maintenance container-ocelot-maintenance=ocelotsocialnetwork/maintenance:$BUILD_VERSION
+ # kubectl -n default rollout restart deployment/ocelot-maintenance
+ # kubectl -n default set image deployment/ocelot-neo4j container-ocelot-neo4j=ocelotsocialnetwork/neo4j-community:$BUILD_VERSION
+ # kubectl -n default rollout restart deployment/ocelot-neo4j
+ # # because this step 'kubectl -n default rollout status deployment/* --timeout=600s' does not work as expected
+ # # and we need the pods to be up again for cleaning and seeding the Neo4j database and the backend.
+ # # !!! this is not a perfect solution !!!
+ # # deployments are regularly up again after 3 minutes and 10 seconds
+ # - name: Sleep for 4 minutes, means 240 seconds
+ # run: sleep 240s
+ # shell: bash
+ # - name: Verify deployment and wait for the pods of each deployment to get ready for cleaning and seeding of the database
+ # run: |
+ # kubectl -n default rollout status deployment/ocelot-backend --timeout=600s
+ # kubectl -n default rollout status deployment/ocelot-neo4j --timeout=600s
+ # kubectl -n default rollout status deployment/ocelot-maintenance --timeout=600s
+ # kubectl -n default rollout status deployment/ocelot-webapp --timeout=600s
+ # - name: Run migrations for Neo4j database via backend for staging
+ # run: |
+ # kubectl -n default exec -it $(kubectl -n default get pods | grep ocelot-backend | awk '{ print $1 }') -- /bin/sh -c "yarn prod:migrate up"
+ # - name: Reset and seed Neo4j database via backend for staging
+ # # db cleaning and seeding is only possible in production if env 'PRODUCTION_DB_CLEAN_ALLOW=true' is set in deployment
+ # run: |
+ # kubectl -n default exec -it $(kubectl -n default get pods | grep ocelot-backend | awk '{ print $1 }') -- /bin/sh -c "node --experimental-repl-await dist/db/clean.js && node --experimental-repl-await dist/db/seed.js"
\ No newline at end of file
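Review bot: `SECRET` sits in the job-level `env:`, so every step can read the passphrase, including the third-party `aarcangeli/load-dotenv@v1.0.0` action and the scripts checked out from Ocelot-Social, and the `Decrypt .env` step also places it on the gpg command line through `--passphrase="${SECRET}"`. Declare it only on the steps that need it (add the same step-level `env:` to `Decrypt all secrets` if `secrets.decrypt.sh` reads it) and hand it to gpg on stdin, as in the sketch below. The inputs `ref: '${OCELOT_SOCIAL_TAG}'` and `path: '…/${CONFIGURATION}'` are not run through a shell, so they reach `actions/checkout` as literal strings; they need the `${{ env.… }}` form, which presumably works for `OCELOT_SOCIAL_TAG` once load-dotenv has exported it to the job environment. With `quiet: false` the load step may print the freshly decrypted values, which are not registered as secrets and so are not masked in the log; this is worth confirming against the action's documentation.

```yaml
    env:
      CONFIGURATION: "this"
    steps:
      # … unchanged: Checkout code …
      - name: Decrypt .env
        env:
          SECRET: ${{ secrets.SECRET }}
        run: |
          gpg --quiet --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --decrypt --output .env .env.enc <<< "${SECRET}"
      # … unchanged: Load .env …
      # in "Checkout Ocelot code":
          ref: ${{ env.OCELOT_SOCIAL_TAG }}
      # in the second "Checkout code":
          path: ocelot/deployment/configurations/${{ env.CONFIGURATION }}
      # … unchanged: Decrypt all secrets, Upgrade Cluster …
```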
diff --git a/kubeconfig.yaml.enc b/kubeconfig.yaml.enc index 91d9d02f8892ba1e634fefcc0cb4a8642b72ca26..46d3c7ec5cc8577697d3a0d3e59990012f733167 100644 GIT binary patch literal 1519 zcmV%A{KK`b1Lce8l?#f*Ld@(ITNwk z((ayJ)q$c<c0Sw`&g|J zTIMEc%St6nQJzctgM;#ZDvX#uLGkOVq2f`YP;v*zg27%yZlb?|0LA{+x2c@UG8G8Z zn0Td_^rNv|;>QkiCNrsP;jZ$BJY|Q3*vm_-oo076YRS`rM0y$U>M){ik_(@X}iJh$55i{{k`blRR**7o{BZ_fdf9fRaSW_fBvky+VGvw*5eLPJ+29H5uaq6hnb$R-m4mS9_O+ZpRKu7Z&*o0~b0w0W+FykWyV}3n z`AC#D*vcJ-9Hn_GF`_^T1bsHy6&Gm}VpHVa*^;3F za5S-J8XAd%`0B;d{g)Wv+9NvM z2dZ-*sOUwbt+K@H=aHXzqUg9?C9s=*(H9HH0y7WjZDFuL2fhurT~W6#b@LyGu32cn zn=-k};8>!%8pcrQZi#nPqbqf%?6guvHUjY_$Bh2WaiGs7Lb@n?&KeK>A^HmV4#jF} z%(L>27a+H2!5r;cW8NF_y-Hi|IMDBv+?@T=B=XUjnMQEri%a---nEL$sW*FBLl5;; zl{UoRiFJ zo*c`bbrh95f&%I)A09aV{X5;omwzei6HMhm{!&l(*Lw7+{Ju>A2avB{Q7}hJ~ z#IQ@E_Zb^8bD@|O@FghwrV)GK*eX)}l&%v@ss>#i6df!)CeEzPu4}W@IS60;5emj> z(;NPTuizJVr|9f(y^f0ez}7_g!)l-k&~@wv=r)w>2=sy+b?7XUb?iUr@A)^HqnZ4K z?K0(QRxCtm|9gD$DmVQL=Ih5s+v%GW;r6QUlCXC)`Y$g~6YdfK$n!i&3fKA1n0a5#e-V2E(xZnMalft;NH#=EXzO7oJgQV0^wA8KQMK>#sP4H+XOBVxFU6fikBwSXYLfxWyZUDnjU$ zS4o-xh~+;EAwm4Axx=%zXrmiXSqkOI9IpZ-u6;~D{qG(UtW`n71mitAk}|1c<)ZV& z#y~T&FW=I8y;z}>9;MEz#k_E1@)jXc!3@(nDkb9T3MZ9c?!~JQE16U+JE{ougiv~%Ey*sRPr`%7lGuJ0?F!F-6z5XNGC$GYWh5qG~IZIyY{Zv$*1kZ@+^ z^jtPm=xVjC*s=sY;I~r>FKefcJ%tUn1|n-#$_%|xbQM4~e6PPA=E1kSXN@O8GcOTo zIsBZFAbhtA31h|9O5?Her1Gq%97Q?Ya9szcv3G{cDBEnaS4TvajKmQjNO(!tS4PWP)Cf!e_+ zt$v(Ur_etv8ce}aUgyXYChcqM*GQEPc-LXDwCc#Mi8;50fANZ_uZCysAH%v}AYCN~ zqsMh5?0vfFz4R@t)Eo2mSzH{RO;&ww3481KA>ab9v*2S@(iZJ?0>jIc4Y@(jRI|<- z@8b=~|9*V8nHOYmIqBVdMo4-n!e>xI-=IvBv;`hG?pKiJSdqJ{wW`MOB}XQjyKX$6 zOFbG=Q8mUs^1OEagy014zFp^{L-ivh9(E3?`NEZxs!a-Xs_`Eq;6mR@6(nX|Wkb|p z#sjjiRdM)J-8mYm=LC@|9*Gi#Kqe=UflP{O=ytfk;bHy4e$|y>u0oM6OdD(+?r;c( z9*i2b50E+w9rpR!_CT9lP6&)zdR(m&o@Rpsj(LNX zD)UA|;to3W6(ek0GsW)gPx;DGV^rgxHJ(xNi^$z`)8Kv%Qp!zhuUKcBQ1)Pv};6e{{b6 zX6lDc%WQ=DcebK$S2Z27?&abN&k5k!k=v)N85D$(9JisQi5 zzpv@)d%zsW{|f2q>g15?x=NBlc-03dw3)mGS3ABXj+@XKT_9Zf&Pn|9w9Nhq1$-uw 
zXimI7#HB=x;*af@D{dR&7&$w%RZO#1Kr6+$sen2!$5+gO_zn(hYmCGndOA(XF+&;y z<)fjf_(o=}9MnNo{E8r1A~N+-9?n`V?;yNAr>%Y4W%mU7as;w9 <]ɶÕQ†AJ fÿ—³•ï@êÊëÛTKŠȤ¾}ø“wÀ×þÈÊÌJ,³¬L–Â@¶ fº \ No newline at end of file +Œ  nŸ©®Täm0öÒÀe6øØñ« Zfü´úè2èùS_¿2 òû'!Ü™ý¾ f qm¥-ö¤j{cÞ±øKvc!m»N®'=£Üw¹ÛÒ½|J Ô[ɯ€,ë•=|òá?$ÍW¼ ˆ==ù +2pVªÁœk«ÐH"tÁ5êh|‚*+F½¦*"yÉ„)U¸žpŠi6€¨p“²Ï¢—™ªÒçç8Jkɉ î*¡–Zm-í;Ëô»*eéý½“›zO\.å³3ä·&Vj»“øÂÆ=£ó!°a&'÷°cí|Õ•&ìve¶„^ÑÒ´€®(Ãã+ð"ÿdè¬Ç›%ì:Ö +¸/Ͳn·&ygõ°§ì°ª…įÄ[ƦQ¨²Zº \ No newline at end of file 
diff --git a/kubernetes/values.yaml.enc b/kubernetes/values.yaml.enc index 388a8c4fd187bcce76b6fe6eac2d0afa1f9947f0..384c4e6a97ffb396a25d60eef5f77bc33e4f86a6 100644 GIT binary patch literal 1757 zcmV<31|s>44Fm}T0yv*hz{XAU686&S0mbgDkP05UYP*IH2;~T`W5+N8(c6?-IV)}{ zUFL-+{|{3)cAn4sWw5vlw`%y*`*HY!&L~cW9k6Yuwp#5^i}ArqFm3L@=y!(9!a7mn zDt@)h)|J$$yH82(>l@oWyq019N%;PQ;?Q967eY}mi@?e8Rk)$+#)W)IiwbER(1-~I zQ68A&CEv3f4GZ}(s0mn5sHk)n+MM5HFS%_;lf>W02y}DN{Gh)`zRD~f?_J3zRapbC z1e)}c(@I)hfszhfMn|czo>0=gyoJGLEdMTd6V$bUe}?l_ywiuTi-iBM3d` z`vmi5MAT3Q1jdp7#z(nGs_TGb|=@p`p6(P$&)sNraCwD3zIm@ zKa4D!<2r_!*BkL}4{2LWU&yE+Szmcke&U2erysNih%DTNIDne!|0+RlW5h?tees1p z+Bh5uoRIu+=oP!-OF|7KLP>l2YN>Y$NptWOCW8t&^Na6pMX_18uLI!+a9=2Jx5=39 z_1{pQr3%ee9WsT#%2S}WZ;m1E{d2E}{0OhrwUancM|g-jk7Zu&bt!`WB~c@%7_?3b zWTJXgpP_ziPhv{BTV~*3em}ap5rWX(jYCP)?6cM+oH;?Njz%}fnbBrzxaca>^OYuExGk9M9)#G-wrBesg%LFw=HBaA9f*W zS5fHtXiZI)V{&MhZOMEOr^uSDoOi3oZ&X>k~nvmRg`q& zn$XQv^Y%jPTavhlbAvEP?sj=CRWq+OS5!{Q*k{C@pn<(EZr8nBA~Zs8k2fl#w2j`! zJevbk>u4%dz16zfXT2ytM}**O;X zaV%crH@b1UUHP&5G%|_D-C$erPk8n1Z3WEaCUI6usOMO4ru=(|0Tb znu%adW*EfxvmJ{$mxt2GhgTdXZqdvqjGRl<4Gk`hP3)6q3@W68C0vD@mR}~hlzbE9 zlRaf+z-?^D)T~3jBY+AlX5rgD0`B$mt!@_cLgjSf%iMMrS~f6FQG~lpmeU15EWV5D zRVatN+svt_)0*}YC>VD<0~~N&&CM6LddEi!TsCkF0WTC3JY?%?T;OJL0wE~!E<0z# zcQ>QUw^6rD0Fm{7n=^KdCxd=DNvC;TK``1HHkRN469k zw7>}q-p>t@rWfG5AvKM*Q8j_X>)1zij&ium=p;9!zLt>Ilqx;$#WXOSgN$C+14XL6 zr{*XuDA9+K4PuCe{HCx?uOzK^c{2!$PN%-<_QJ8u-N3Q0Pwv{Ge@!Yhr~UkUV_jx0 zBeTfFEXWtl=&Q-m-&%$IF_P6fq^TfxeT&;La&76nHMIa{o=%Pnd+Lk(@O@vMMVn-C zNF4p%dWJgmt>cG#s`!nT8!`j2Y=%4tHl{i;i)!-{_2ZS~6SNJ$vqdi>o#N%>` literal 1754 zcmV<01||874Fm}T0x@uxM#RF*AokMg0YOY|{OrTnr?QT0y-m=o#kd~yl7twHc>vo= z0XqJI!@m0w*FRkE3lCX3NG;4;hCR_~x5`;v^$VQ}IUedBMK9&}*yKh%Pu9eiokdQh ztQ6VoV^uEYIvp~vDLFDvwwxO7e6D-H-UD5a67P>F*F4Fm zLoEQ)k4jvgh-ZaYLYTY!QsZ7R{^($YhW6_TSe5L7c_{&UkXoW+x+~#lw^TK-%n`d1 zh_9LO)<%wjAMZB{{ai+OPPljZMAguwxe}mi73@~+2gt*z1gWk&qS0k)vrY5~Kn2lR zL^dfq&sm@?a|N&)+(qC84|x}N-{>nffJbW?27rJEW)u$m1zL~rh*_5qr0=8&Sx*oz 
zT5Ipvoc7;&Ot=)T4mTO9OM!uGwU`E&Fm~lP6>;OtU`yM8xmEe!dzrSy=stNS*Hg6F zl=N?b+IF1MZ2|wg*whOb+|{*RVV}g2aTdAM4<>|UR!vaYS@Wjphz!BHm(7*t0f>P1 zN5X+)!#IyzkyTuc_>sGuMTpb4-h>=Sa&fWV1`aGrvft!RDBjyx&?0?b*)$+$hi6XK zq+eEZf%vOk9z(7UfUnUv5}Nf8f6ByXS*fP2Rbb4X$IIrzXI*he9mW3ezTiqF3m(-~ z0ZngkfIav1_S)keaFM>@SDac+Ak0NVZER5KZ6hNnA|B+LZ%;2wDK#FkQM_ocpcN(> za)nJ$x5Jy$OzW*zIJ$PL4>3zfRuv;PfM4=iIBZIITH)1Iy(`fmsma{+*`686$<-ncy$Pls(x zY~F0G?RG`I>9SA_=bMXZmj5PeaPShS>!iOISkt%&4?@oa_v-^H4}J)pTV#!+G_>rq z_&!aNDv*hAxJmaGS0Cw9mivn@ta~ADS56q^5lag?yflcCJYOz0V)9<4bl9J^#+020 zd%{aXqI?@z2np4W>>+P7F1?#RZd42VI`z<8k&)>uL9a*Y7NFrXQzETt(>Z^)mhFQ? z;{v%2{5A;`c)FJdRF2`c)yBJR+lYb60pRdr#K5M=Xt@AH2}{tFk$vfoYMav(#C2NR zR8Fq80jz3+o!w2qxkPXlYT&}ntKLS`TWu18%ms9&y9&nB@B=x7$*HmTNhSj$jtqy^ z_Ig|?whW!VF`u1rrr!xop1EkLu>b`Kd5mJ{wOr)H>_oAA0(tI^g)-$=MYJ%q7l%9%*_E6(wJgH@rQV1Y40@ow} zLrPMueiOeuO@8G?Z5_t{x*uR1*xP-hw-qL#)E>#A~6B>B8<^pY>X*bcV2$u=R3&k9tM&4pOjmt?`$+?=u> zKEMVQIOYQx7k4+MzAnrAdDhnnO^N0U9zlz-(%eLnQ`FId46gpYjYBCk8{7_NitKLa z^ub)6QCXSn?{_rlGx``7b?0|XQMnOTS3Ui?`N(^*fKr@EG8E#@M*z6ikM`t=66m` wObu*(bDoc`i^`OyG}0w`yliu}qDds7$LIurMfb>tsvm2H-#?kpkpsAiPjU=rOaK4?