Merge branch 'develop' into staging

Author: hotzevzl

.github/workflows/deploy-to-kubernetes.yml

@@ -22,31 +22,31 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Wait for API image to be pushed to Docker Hub
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: Push API Docker image to Azure Container Registry
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
           intervalSeconds: 30
 
       - name: Wait for Geoprocessing image to be pushed to Docker Hub
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: Push Geoprocessing Docker image to Azure Container Registry
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
           intervalSeconds: 30
 
       - name: Wait for Client image to be pushed to Docker Hub
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: Push Client Docker image to Azure Container Registry
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
           intervalSeconds: 30
 
       - name: Wait for Webshot image to be pushed to Docker Hub
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: Push Webshot Docker image to Azure Container Registry
@@ -78,7 +78,7 @@ jobs:
 
       - name: Add custom host data
         run: |
-          sudo sh -c 'echo "127.0.0.1 ${{ secrets.AZURE_AKS_HOST }}" >> /etc/hosts'
+          sudo sh -c 'echo "127.0.0.1 ${{ env.AZURE_AKS_HOST }}" >> /etc/hosts'
 
       - name: Install kubectl
         uses: azure/setup-kubectl@v3
@@ -88,12 +88,12 @@ jobs:
       - name: Config kubectl
         run: |
           mkdir ~/.kube
-          az aks get-credentials --resource-group ${{ secrets.AZURE_RESOURCE_GROUP }} --name ${{ secrets.AZURE_AKS_CLUSTER_NAME }}
+          az aks get-credentials --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --name ${{ env.AZURE_AKS_CLUSTER_NAME }}
           sed -i 's/\([[:alnum:]]\+\?.privatelink.[[:alnum:]]\+\?.azmk8s.io\):443/\1:4433/g' ~/.kube/config
 
       - name: Creating SSH tunnel
         run: |
-          ssh -i ~/.ssh/bastion.key -o StrictHostKeyChecking=no -N -L 4433:${{ secrets.AZURE_AKS_HOST }}:443 ${{ secrets.BASTION_USER }}@${{ secrets.BASTION_HOST }} -T &
+          ssh -i ~/.ssh/bastion.key -o StrictHostKeyChecking=no -N -L 4433:${{ env.AZURE_AKS_HOST }}:443 ${{ env.BASTION_USER }}@${{ env.BASTION_HOST }} -T &
 
       - name: Redeploy production pods
         if: ${{ github.ref == 'refs/heads/main' }}

.github/workflows/e2e-client.yml

@@ -41,7 +41,7 @@ jobs:
         path: playwright-report/
         retention-days: 30
       env:
-        NEXT_PUBLIC_MAPBOX_API_TOKEN: ${{ secrets.NEXT_PUBLIC_MAPBOX_API_TOKEN }}
+        NEXT_PUBLIC_MAPBOX_API_TOKEN: ${{ env.NEXT_PUBLIC_MAPBOX_API_TOKEN }}
         # Recommended: pass the GitHub token lets this action correctly
         # determine the unique run id necessary to re-run the checks
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-marxan-docker-images.yml

@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Wait for API tests to run
         if: ${{ github.event.inputs.waitForTest == 'true' }}
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: API Tests
@@ -42,7 +42,7 @@ jobs:
 
       - name: Wait for Client tests to run
         if: ${{ github.event.inputs.waitForTest == 'true' }}
-        uses: fountainhead/action-wait-for-check@v1.1.0
+        uses: fountainhead/action-wait-for-check@v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: Client Tests
@@ -67,15 +67,15 @@ jobs:
       - name: Build and push image
         uses: azure/docker-login@v1
         with:
-          login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+          username: ${{ env.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - run: |
           docker build ./api -f api/api.Dockerfile \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.sha }} \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
-          docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.sha }} \
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
+          docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api
 
   push_geoprocessing_to_registry:
     name: Push Geoprocessing Docker image to Azure Container Registry
@@ -95,15 +95,15 @@ jobs:
       - name: Build and push image
         uses: azure/docker-login@v1
         with:
-          login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+          username: ${{ env.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - run: |
           docker build ./api -f api/geo.Dockerfile \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.sha }} \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
-          docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.sha }} \
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
+          docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing
 
   push_client_to_registry:
     name: Push Client Docker image to Azure Container Registry
@@ -124,19 +124,19 @@ jobs:
       - name: Build and push image
         uses: azure/docker-login@v1
         with:
-          login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+          username: ${{ env.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - run: |
           docker build ./app \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.sha }} \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} \
-            --build-arg NEXT_PUBLIC_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_URL_STAGING || secrets.NEXT_PUBLIC_URL_PRODUCTION }} \
-            --build-arg NEXT_PUBLIC_API_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_API_URL_STAGING || secrets.NEXT_PUBLIC_API_URL_PRODUCTION }} \
-            --build-arg NEXTAUTH_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXTAUTH_URL_STAGING || secrets.NEXTAUTH_URL_PRODUCTION }} \
-            --build-arg NEXT_PUBLIC_FEATURE_FLAGS=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_FEATURE_FLAGS_STAGING || secrets.NEXT_PUBLIC_FEATURE_FLAGS_PRODUCTION }} \
-            --build-arg NEXT_PUBLIC_MAPBOX_API_TOKEN=${{ secrets.NEXT_PUBLIC_MAPBOX_API_TOKEN }} \
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.sha }} \
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} \
+            --build-arg NEXT_PUBLIC_URL=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_URL_STAGING || env.NEXT_PUBLIC_URL_PRODUCTION }} \
+            --build-arg NEXT_PUBLIC_API_URL=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_API_URL_STAGING || env.NEXT_PUBLIC_API_URL_PRODUCTION }} \
+            --build-arg NEXTAUTH_URL=${{ github.ref != 'refs/heads/main' && env.NEXTAUTH_URL_STAGING || env.NEXTAUTH_URL_PRODUCTION }} \
+            --build-arg NEXT_PUBLIC_FEATURE_FLAGS=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_FEATURE_FLAGS_STAGING || env.NEXT_PUBLIC_FEATURE_FLAGS_PRODUCTION }} \
+            --build-arg NEXT_PUBLIC_MAPBOX_API_TOKEN=${{ env.NEXT_PUBLIC_MAPBOX_API_TOKEN }} \
             --build-arg ENABLE_MAINTENANCE_MODE=${{ github.event.inputs.enable_maintenance_mode }} \
-            --build-arg NEXT_PUBLIC_CONTACT_EMAIL=${{ secrets.NEXT_PUBLIC_CONTACT_EMAIL }}
-          docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client
+            --build-arg NEXT_PUBLIC_CONTACT_EMAIL=${{ env.NEXT_PUBLIC_CONTACT_EMAIL }}
+          docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client

.github/workflows/publish-webshot-docker-images.yml

@@ -34,12 +34,12 @@ jobs:
       - name: Build and push image
         uses: azure/docker-login@v1
         with:
-          login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+          username: ${{ env.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - run: |
           docker build ./webshot \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.sha }} \
-            -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
-          docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.sha }} \
+            -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }}
+          docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot

infrastructure/README.md

@@ -97,23 +97,39 @@ the services on kubernetes, which is done by this plan.
 
 #### Github Actions
 
-As part of this infrastructure, Github Actions are used to automatically build and push Docker images to Azure ACR, and
-to redeploy Kubernetes pods once that happens. Said Github Actions depend on specific Github Secrets, that are listed below
-for reference. Said secrets are automatically created by the `base` Terraform project, and do not need to be created manually.
+As part of this infrastructure, Github Actions are used to automatically build
+and push Docker images to Azure ACR, and to redeploy Kubernetes pods once that
+happens. Said Github Actions depend on specific Github Secrets and Variables,
+that are listed below for reference.
+
+Secrets and variables listed below are automatically created by the `base`
+Terraform project, and do not need to be created manually. Their value often
+depends on the outputs of other Terraform modules, so configuring all these via
+Terraform (and avoiding to change them manually within the settings of the
+relevant GitHub repository) guarantees that values available to GitHub actions
+are always coherent with the state of the terraformed infrastructure.
+
+For example, AKS-related variables depend on settings for the cluster name as
+well as the hostname of the AKS API server, which is assigned by Azure upon
+creation of an AKS cluster.
+
+##### Secrets
 
-- `AZURE_AKS_CLUSTER_NAME`: The name of the AKS cluster. Get from `Base`'s `k8s_cluster_name`
-- `AZURE_AKS_HOST`: The AKS cluster hostname (without port or protocol). Get from `Base`'s `k8s_cluster_private_fqdn`
 - `AZURE_CLIENT_ID`: The hostname for the Azure ACT. Get from `Base`'s `container_registry_client_id`
-- `AZURE_RESOURCE_GROUP`: The AKS Resource Group name. Specified by you when setting up the infrastructure.
 - `AZURE_SUBSCRIPTION_ID`: The Azure Subscription Id. Get from `Base`'s `azure_subscription_id`
 - `AZURE_TENANT_ID`: The Azure Tenant Id. Get from `Base`'s `azure_tenant_id`
+- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair.
+- `REGISTRY_PASSWORD`: The password to access the Azure. Get from `Base`'s `container_registry_password`
+
+##### Variables
+
+- `AZURE_AKS_CLUSTER_NAME`: The name of the AKS cluster. Get from `Base`'s `k8s_cluster_name`
+- `AZURE_AKS_HOST`: The AKS cluster hostname (without port or protocol). Get from `Base`'s `k8s_cluster_private_fqdn`
+- `AZURE_RESOURCE_GROUP`: The AKS Resource Group name. Specified by you when setting up the infrastructure.
 - `BASTION_HOST`: The hostname for the bastion machine. Get from `Base`'s `bastion_hostname`
 - `BASTION_USER`: By default this will be `ubuntu` if using the initial user created on bastion host instantiation. It is configurable in case infrastructure admins wish to configure a different user on the bastion host or the default distro user is renamed.
-- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair.
 - `REGISTRY_LOGIN_SERVER`: The hostname for the Azure ACR. Get from `Base`'s `container_registry_hostname`
 - `REGISTRY_USERNAME`: The username for the Azure ACR. Get from `Base`'s `container_registry_client_id`
-- `REGISTRY_PASSWORD`: The password to access the Azure. Get from `Base`'s `container_registry_password`
-- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair.
 
 Additional Github Actions Secrets are needed, as required by the [frontend application](../app/README.md#env-variables)
 and used by the corresponding [Github workflow](../.github/workflows/publish-marxan-docker-images.yml) that builds