diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 1e95691..bdf1221 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -207,6 +207,66 @@ jobs: username: ((slack-username)) icon_url: ((slack-icon-url)) +- name: deploy-concourse-pages-production + serial: true + interruptible: true + plan: + - in_parallel: + - get: concourse-deployment + passed: [deploy-concourse-staging] + - get: concourse-config + passed: [deploy-concourse-staging] + - get: terraform-yaml + - get: concourse-stemcell-jammy + passed: [deploy-concourse-staging] + - put: concourse-production-pages-deployment + params: + <<: *deploy-params + ops_files: + - concourse-deployment/cluster/operations/basic-auth.yml + - concourse-deployment/cluster/operations/build-log-retention.yml + - concourse-deployment/cluster/operations/scale.yml + - concourse-deployment/cluster/operations/enable-global-resources.yml + - concourse-config/operations/credhub.yml + - concourse-config/operations/iaas-worker.yml + - concourse-config/operations/postgres-production-pages.yml + - concourse-config/operations/external-postgres-tls.yml + - concourse-config/operations/driver.yml + - concourse-config/operations/config.yml + - concourse-config/operations/generic-oauth.yml + - concourse-config/operations/compliance.yml + - concourse-config/operations/prometheus.yml + - concourse-config/operations/set-garbage-collection.yml + - concourse-config/operations/base-resource-defaults.yml + - concourse-config/operations/max-containers.yml + - concourse-config/operations/bosh-dns-aliases.yml + - concourse-config/operations/enable-across-step.yml + - concourse-config/operations/container-placement.yml + - concourse-config/operations/iptables.yml + - concourse-config/operations/redact-secrets.yml + vars_files: + - concourse-deployment/versions.yml + - concourse-config/variables/production-pages.yml + - concourse-config/variables/postgres-tls.yml + - terraform-yaml/state.yml + on_failure: + put: slack + params: + text: | + :x: FAILED to deploy Concourse Pages on production + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details> + channel: '#cg-platform' + username: ((slack-username)) + icon_url: ((slack-icon-url)) + on_success: + put: slack + params: + text: | + :white_check_mark: Successfully deployed Concourse Pages on production + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details> + channel: '#cg-platform-news' + username: ((slack-username)) + icon_url: ((slack-icon-url)) # by having a different job for iptables, we should work around the issue # where the concourse deployment seems to fail because we lose our worker # so the iptables job never runs and dns breaks until we re-run the whole @@ -239,6 +299,30 @@ jobs: BOSH_CA_CERT: ((common_ca_cert_store)) BOSH_DEPLOYMENT: concourse-production +- name: iptables-production-pages + serial: true + interruptible: true + plan: + - task: iptables-iaas-worker-bosh-dns + config: + <<: *iptables-iaas-worker-bosh-dns + params: + BOSH_ENVIRONMENT: ((concourse-production-deployment-bosh-target)) + BOSH_CLIENT: ci + BOSH_CLIENT_SECRET: ((tooling_bosh_uaa_ci_client_secret)) + BOSH_CA_CERT: ((common_ca_cert_store)) + BOSH_DEPLOYMENT: concourse-production-pages + - task: iptables-worker-bosh-dns + tags: [iaas] + config: + <<: *iptables-worker-bosh-dns + params: + BOSH_ENVIRONMENT: ((concourse-production-deployment-bosh-target)) + BOSH_CLIENT: ci + BOSH_CLIENT_SECRET: ((tooling_bosh_uaa_ci_client_secret)) + BOSH_CA_CERT: ((common_ca_cert_store)) + BOSH_DEPLOYMENT: concourse-production-pages + - name: set-teams-production plan: - get: team-source @@ -254,6 +338,21 @@ jobs: concourse_username: ((basic-auth-username-production)) concourse_password: ((basic-auth-password-production)) +- name: set-teams-production-pages + plan: + - get: team-source + params: {depth: 1} + trigger: true + passed: [set-teams-staging] + - put: terraform-production + params: + env_name: production + terraform_source: team-source/teams + vars: + concourse_url: https://ci-pages.fr.cloud.gov + concourse_username: ((basic-auth-username-production-pages)) + concourse_password: ((basic-auth-password-production-pages)) + resources: - name: concourse-deployment type: git diff --git a/operations/postgres-production-pages.yml b/operations/postgres-production-pages.yml new file mode 100644 index 0000000..e9a00d9 --- /dev/null +++ b/operations/postgres-production-pages.yml @@ -0,0 +1,18 @@ +- type: replace + path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/host? + value: ((terraform_outputs.production_concourse_pages_rds_host)) + +- type: replace + path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/port? + value: ((terraform_outputs.production_concourse_pages_rds_port)) + +- type: replace + path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/name? + value: ((terraform_outputs.production_concourse_pages_rds_username)) + +- type: replace + path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/password? + value: ((terraform_outputs.production_concourse_pages_rds_password)) + +- type: remove + path: /variables/name=postgres_password diff --git a/variables/production-pages.yml b/variables/production-pages.yml new file mode 100644 index 0000000..5fa44ff --- /dev/null +++ b/variables/production-pages.yml @@ -0,0 +1,16 @@ +deployment_name: concourse-production-pages +external_url: https://ci-pages.fr.cloud.gov +azs: [z1] +web_vm_type: m6i.large.concourse.web +worker_vm_type: m6i.xlarge.concourse.worker +iaas_worker_vm_type: m6i.xlarge.concourse.worker +web_vm_extensions: [production-concourse-pages-lb] +worker_vm_extensions: [production-concourse-profile] +iaas_worker_vm_extensions: [production-concourse-iaas-profile] +network_name: production-concourse_pages +web_instances: 2 +worker_instances: 2 +iaas_worker_instances: 1 +build_logs_default: 25 +build_logs_maximum: 0 +max_active_containers_per_worker: 200 \ No newline at end of file