Add Deployment GitHub Action, Helm Chart Modifications, and S3 Connections #6

Merged
merged 22 commits into from
Nov 25, 2024
Merged
75 changes: 75 additions & 0 deletions .github/workflows/friendly-umbrella-deploy.yml
@@ -0,0 +1,75 @@
name: Deploy Friendly-Umbrella
on:
push:
jobs:
build:
runs-on:
- codebuild-cfpb-cfgov-testing-gha-${{ github.run_id }}-${{ github.run_attempt }}
steps:
- name: Checkout Friendly-Umbrella
uses: actions/checkout@v2

- name: Retrieve Security Scan Secrets
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
, ${{ secrets.SECURITY_SCAN_SECRET }}
parse-json-secrets: true

- name: Build Docker Image
run: |

# Build Friendly-Umbrella Image
docker build -t ${{ secrets.ECR_REPO }}:$GITHUB_SHA .

- name: Security Scan with Twistlock
run: |

curl -k -u "$TL_USER:$TL_PASSWORD" "$TL_CONSOLE_URL/api/v1/util/twistcli" --output twistcli
chmod +x twistcli

./twistcli images scan --details -address "${TL_CONSOLE_URL}" -u "${TL_USER}" -p "${TL_PASSWORD}" ${{ secrets.ECR_REPO }}:$GITHUB_SHA tee twistcli.log; EXITCODE=$?


- name: Push to ECR
run: |

# Login to ECR
aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username ${{ secrets.AWS_USERNAME }} --password-stdin ${{ secrets.ECR_REGISTRY }}

# Push to ECR
docker push ${{ secrets.ECR_REPO }}:$GITHUB_SHA

- name: Install K8s/Helm
run: |

# Install Helm
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

# Install kubectl
curl -o ./kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl
curl -o ./kubectl.sha256 https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl.sha256
(diff <(openssl sha256 kubectl | awk {'print $2'}) <(cat kubectl.sha256 | awk {'print $1'}) &&
echo 'kubectl checksum matches, enabling usage') || (echo 'kubectl checksum failed, exiting' && exit 1)
chmod +x kubectl
mkdir -p $HOME/bin && mv kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
source ~/.bashrc
kubectl version --client

# Update kubeconfig to point to EKS Cluster
aws eks update-kubeconfig --name $CLUSTER_NAME --region us-east-1

- name: Install Helm Chart on EKS
run: >
helm upgrade --install friendly-umbrella ./helm
-n ${{ secrets.NAMESPACE }} -f ./helm/values.yaml
--set image.repository=${{ secrets.ECR_REPO }}
--set image.tag=$GITHUB_SHA
--set mapping.host=${{ secrets.HOST }}
--set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
--set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}
--set serviceAccount.name=${{ secrets.K8S_SERVICE_ACCOUNT }}
--set config.AWS_STORAGE_BUCKET_NAME=${{ secrets.BUCKET_NAME }}
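Review bot: The Twistlock result never gates the deployment. In the Security Scan step, `./twistcli images scan ... tee twistcli.log; EXITCODE=$?` is missing the `|` before `tee`, so `tee` and `twistcli.log` are handed to twistcli as positional arguments, and `EXITCODE` is assigned but never checked, so Push to ECR and the Helm steps run whatever the scan returned. Suggest `./twistcli images scan ... | tee twistcli.log` with `set -o pipefail` at the top of the script and a trailing `exit $EXITCODE`, or drop the variable and let the pipeline status fail the step. Smaller points in the same hunk: `on: push:` has no `branches:` filter, so every push on every branch builds, pushes to ECR and runs `helm upgrade --install` against the cluster; `curl -k` when fetching the `twistcli` binary disables TLS verification for the very console the scan then trusts; the leading `, ` in `secret-ids:` looks like an editing leftover; `$CLUSTER_NAME` is not defined anywhere in the workflow (there is no `env:` block), so it must come from the parsed secret JSON, which deserves a comment; `actions/checkout@v2` runs on a deprecated Node runtime and should move to a current major; and the last two `--set serviceAccount.name` / `--set config.AWS_STORAGE_BUCKET_NAME` lines duplicate the two directly above them.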
20 changes: 7 additions & 13 deletions friendly_umbrella/settings.py
@@ -39,6 +39,7 @@

ALLOWED_HOSTS = ["*"]

CSRF_TRUSTED_ORIGINS = ["https://*.cfpb.gov"]

# Application definition

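Review bot: `CSRF_TRUSTED_ORIGINS` is added, but `ALLOWED_HOSTS = ["*"]` two lines above is left as-is, so Host header validation stays disabled and the new origin list is the only thing scoping the app to cfpb.gov. Since the Mapping now pins the application to `mapping.host`, consider populating `ALLOWED_HOSTS` from the same value (for example through the new ConfigMap) instead of `"*"`. The wildcard `https://*.cfpb.gov` also trusts every subdomain of the apex; narrowing it to the deployed hostname is a one-line change if that is acceptable operationally.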
@@ -139,18 +140,11 @@

DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"


# If AWS credentials and a bucket are provided, use S3 for file upload storage
AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")
AWS_SECRET_ACCESS_KEY = os.getenv("AWS_SECRET_ACCESS_KEY")
AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_STORAGE_BUCKET_NAME")
if (
AWS_ACCESS_KEY_ID is not None
and AWS_SECRET_ACCESS_KEY is not None
and AWS_STORAGE_BUCKET_NAME is not None
):
# Use S3 for file storage if a bucket name is provided.
if _aws_s3_bucket := os.getenv("AWS_STORAGE_BUCKET_NAME"):
DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
AWS_STORAGE_BUCKET_NAME = _aws_s3_bucket

# Allow setting AWS_S3_ENDPOINT_URL to enable testing against a local S3
if os.getenv("AWS_S3_ENDPOINT_URL") is not None:
AWS_S3_ENDPOINT_URL = os.getenv("AWS_S3_ENDPOINT_URL")
# Allow testing against a mock S3 using Localstack and awslocal.
if _s3_endpoint_url := os.getenv("AWS_S3_ENDPOINT_URL"):
AWS_S3_ENDPOINT_URL = _s3_endpoint_url
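Review bot: Dropping the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` checks means credentials now come from boto3's default chain (the pod's service account role selected via `serviceAccount.name` in the chart), but nothing in the file says so; the new comment only mentions the bucket. Suggest a comment stating that credentials are resolved by boto3 (instance/IRSA role) and are no longer read from settings, so a missing role surfaces as an S3 authorization error rather than a silent fall-back to local storage. Also, `DEFAULT_FILE_STORAGE` is deprecated since Django 4.2 and removed in 5.1 in favour of the `STORAGES` setting; if the project is on 4.2 or later, `STORAGES = {"default": {"BACKEND": "storages.backends.s3boto3.S3Boto3Storage"}, ...}` is the forward-compatible form. The walrus operator requires Python 3.8+, which is worth noting if the supported-version matrix is older.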
10 changes: 10 additions & 0 deletions helm/templates/configmap.yaml
@@ -0,0 +1,10 @@
{{- if .Values.config }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-configmap
data:
{{- with .Values.config }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
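Review bot: ConfigMap `data` values must be strings, and `toYaml . | nindent 4` renders each value with whatever type it has in values.yaml, so a numeric or boolean entry under `config:` (a port number, a bare `true`) produces a ConfigMap the API server rejects at apply time. Suggest ranging over the keys with `{{ $k }}: {{ $v | quote }}` or documenting that `config` values must be quoted strings. The inner `{{- with .Values.config }}` is redundant inside `{{- if .Values.config }}`, and the name `{{ .Release.Name }}-configmap` differs from the `friendly-umbrella.fullname` helper used by the other templates; using the same helper keeps names consistent when the release name differs from the chart name.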
3 changes: 3 additions & 0 deletions helm/templates/deployment.yaml
@@ -32,6 +32,9 @@ spec:
image: "{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ .pullPolicy }}
{{- end }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-configmap
ports:
- name: http
containerPort: {{ .Values.service.port }}
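Review bot: The `envFrom` / `configMapRef` block is unconditional, while the ConfigMap it references (`helm/templates/configmap.yaml`) is wrapped in `{{- if .Values.config }}`; with `config` empty the pods fail to start on a missing ConfigMap. Either guard this block with the same condition or add `optional: true` under `configMapRef`. Also, changing the ConfigMap does not restart the pods; the usual fix is a `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}` annotation on the pod template so a config change rolls the Deployment.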
16 changes: 16 additions & 0 deletions helm/templates/mapping.yaml
@@ -0,0 +1,16 @@
{{- if .Values.mapping.enabled }}
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
name: {{ include "friendly-umbrella.fullname" . }}
labels:
{{- include "friendly-umbrella.labels" . | nindent 4 }}
spec:
ambassador_id:
{{- toYaml .Values.mapping.ambassador_id | nindent 4 }}
host: {{ .Values.mapping.host }}
prefix: {{ .Values.mapping.prefix | default "/" }}
service: {{ include "friendly-umbrella.fullname" . }}:{{ .Values.service.port }}
timeout_ms: 0
{{- end }}
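Review bot: `timeout_ms: 0` disables the upstream request timeout entirely, so a stuck backend holds the Ambassador connection open indefinitely; if long uploads are the motivation, set an explicit bound and say so in a comment. `host:` and `service:` are rendered unquoted, so a host value containing a colon or other YAML-significant character breaks the manifest; `{{ .Values.mapping.host | quote }}` is safer. The template also assumes `.Values.mapping` exists: `.Values.mapping.enabled` fails with a nil-pointer evaluation error if a values override removes the `mapping` key, which `{{- if and .Values.mapping .Values.mapping.enabled }}` avoids.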
11 changes: 11 additions & 0 deletions helm/values.yaml
@@ -9,3 +9,14 @@ service:

serviceAccount:
create: false
name: service-account-name

config:
AWS_STORAGE_BUCKET_NAME: bucket_name

mapping:
enabled: true
host: "friendly-umbrella.localhost"
ambassador_id:
- "--apiVersion-v3alpha1-only--default"
prefix: "/"
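Review bot: The defaults `service-account-name` and `bucket_name` are placeholders, so a plain `helm install` renders a Deployment bound to a ServiceAccount that does not exist (and `serviceAccount.create: false` means the chart will not create it) and an app pointed at a bucket that does not exist. Leaving these empty and marking them `required` in the templates, or stating in the chart README that CI overrides them via `--set`, makes the failure mode explicit instead of a confusing pod start-up error. Also worth confirming that the `--apiVersion-v3alpha1-only--default` ambassador_id is intended alongside the `getambassador.io/v2` Mapping in `mapping.yaml`.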