first draft of moving ci bash to GHA (#126)

* first draft of moving ci bash to GHA * testing oidc setup for private ECR pulls
mozilla-it · Nov 29, 2021 · 26ce78c · 26ce78c
1 parent ad4182a
commit 26ce78c
Show file tree

Hide file tree

Showing 17 changed files with 179 additions and 329 deletions.
diff --git a/ci/ct.yaml → .github/ct.yaml b/ci/ct.yaml → .github/ct.yaml
@@ -2,7 +2,7 @@ remote: origin
 helm-extra-args: --timeout 600s
 check-version-increment: true
 validate-yaml: true
-validate-chart-schema: false
+validate-chart-schema: true
 validate-maintainers: false
 target-branch: main
 

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,123 @@
+name: Lint & Test Charts
+
+on: [ push, pull_request ]
+
+jobs:
+  lint-test:
+    env:
+      NAMESPACE: "chart-ci-e2e"
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      # helm/chart-testing-action requires python version 3.7
+      # see: https://github.com/helm/chart-testing-action/issues/65
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@b0d4458c71155b54fcf33e11dd465dc923550009
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config .github/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+      - name: Run chart-testing (lint)
+        run: ct lint --config .github/ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.2.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Install Dependencies
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          set -e
+
+          kubectl create ns ${{ env.NAMESPACE }}
+
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+          #### CAREERS POSTGRES ####
+          helm upgrade --install \
+            --version 10.4.2 \
+            --namespace ${{ env.NAMESPACE }} \
+            --set postgresqlPassword=defaultpassword \
+            --set postgresqlUsername=careers \
+            --set postgresqlDatabase=careers \
+            --set fullnameOverride=careers-psql \
+            careers-psql bitnami/postgresql
+          
+          #### CTMS POSTGRES ####
+          helm upgrade --install \
+            --version 10.4.2 \
+            --namespace ${{ env.NAMESPACE }} \
+            --set postgresqlPassword=defaultpassword \
+            --set postgresqlUsername=ctms \
+            --set postgresqlDatabase=ctms \
+            --set fullnameOverride=postgres \
+            postgresql bitnami/postgresql
+
+          #### DISCOURSE MYSQL, REDIS ####
+          helm upgrade --install \
+            --version 10.8.0 \
+            --namespace ${{ env.NAMESPACE }} \
+            --set fullnameOverride=discourse-psql \
+            --set persistence.enabled=false \
+            --set postgresqlDatabase=discourse \
+            --set postgresqlPassword=discourse-psql-password \
+            --set postgresqlUsername=postgres \
+            postgresql-discourse bitnami/postgresql
+          helm upgrade --install \
+            --version 14.8.6 \
+            --namespace ${{ env.NAMESPACE }} \
+            --set auth.enabled=true \
+            --set auth.password=discourse-redis-password \
+            --set fullnameOverride=discourse-redis \
+            --set persistence.enabled=false \
+            redis-discourse bitnami/redis
+
+      - name: Configure AWS credentials
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::783633885093:role/ecr-readonly-iam
+          aws-region: us-west-2
+
+      - name: Install ECR Secret
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          # Gets a valid token to pull from ECR and creates a secret with it
+          REGION=us-west-2
+          SECRET_NAME=ecr-registry
+          EMAIL=itse@mozilla.com
+
+          # Fetch token (which will expire in 12 hours)
+          TOKEN=$(aws ecr --region=${REGION} get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2)
+
+          # Create or replace secret
+          kubectl delete secret -n ${{ env.NAMESPACE }} --ignore-not-found "$SECRET_NAME"
+          kubectl create secret -n ${{ env.NAMESPACE }} docker-registry "$SECRET_NAME" \
+          --docker-server="https://783633885093.dkr.ecr.${REGION}.amazonaws.com" \
+          --docker-username=AWS \
+          --docker-password="${TOKEN}" \
+          --docker-email="${EMAIL}"
+           
+      - name: Run chart-testing (install)
+        run: ct install --config .github/ct.yaml --namespace=${{ env.NAMESPACE }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,40 @@
+name: Release Charts
+
+on: 
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "itse-automation"
+          git config user.email "itse-automation@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      # https://github.com/helm/chart-releaser/issues/114
+      - name: Add Helm Repos for Dependencies
+        run: |
+          helm repo add elastic https://helm.elastic.co
+          helm repo add jetstack https://charts.jetstack.io
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.2.1
+        with:
+          charts_dir: charts
+          charts_repo_url: https://mozilla-it.github.io/helm-charts/
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -10,18 +10,18 @@ This repository contains a collection of Helm charts curated by Mozilla's Servic
 
 ## Referencing images in ECR
 Charts referencing Docker Images stored in an ECR repo under `itsre-apps` subaccount can't be pulled without credentials.   
-Travis is configured to get Pull credentials for repositories inside that account.  
-In order to instruct the testing suite to
-use those credentials you have to create a folder named `ci` inside your chart, a file `test-values.yaml` inside it with the next content:
+
+GitHub Actions is configured to get Pull credentials for repositories inside that account.  
+
+In order to instruct the testing suite to use those credentials you have to create a folder named `ci` inside your chart, a file `test-values.yaml` inside it with the next content:
 ```
 imagePullSecrets:
   - name: ecr-registry
 ```
 Check [here](https://github.com/mozilla-it/helm-charts/pull/39/commits/1a0fbfed5810a6d6875ca0172adac5065ee03b74#diff-245000fef8fab28267cb8040d6a3d7f6) for an example.
 
 ## Installing Helm Charts from this repository
-This repository is serving Helm Charts using the webserver provided by Github pages. In order to install Helm charts in your cluster
-add this repository to your helm repository list running `helm repo add mozilla-helm-charts https://mozilla-it.github.io/helm-charts/`
+This repository is serving Helm Charts using the webserver provided by Github pages. In order to install Helm charts in your cluster add this repository to your helm repository list running `helm repo add mozilla-helm-charts https://mozilla-it.github.io/helm-charts/`
 
 ## Debug a Chart deployment
 This section describes how to verify that your chart is installed correctly as well as what to do if it is not.

diff --git a/charts/etherpad/Chart.yaml b/charts/etherpad/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: etherpad
 description: A Helm chart for the Mozilla Etherpad application
 type: application
-version: 1.0.0
+version: 1.0.1
 
 keywords:
   - Mozilla

diff --git a/charts/etherpad/ci/test-values.yaml b/charts/etherpad/ci/test-values.yaml
@@ -11,6 +11,15 @@ configMap:
     ETHERPAD_API_KEY: dumberetherpadapikey
     ETHERPAD_SESSION_KEY: dumbetherpadsecretkey
 
+deployment:
+  resources:
+    requests:
+      cpu: 250m
+      memory: 1Gi
+    limits:
+      cpu: 1
+      memory: 2Gi
+
 image:
   tag: stg-9922b5f
 

diff --git a/ci/deps/careers/install.sh b/ci/deps/careers/install.sh
diff --git a/ci/deps/ctms/install.sh b/ci/deps/ctms/install.sh
diff --git a/ci/deps/discourse/install.sh b/ci/deps/discourse/install.sh
diff --git a/ci/deps/install.sh b/ci/deps/install.sh