CD: build NameX Pay in GCP (#1590)

Author: EPortman

.github/workflows/namex-pay-cd.yml

@@ -3,111 +3,28 @@ name: Namex Pay CD
 on:
   push:
     branches:
-      - main
+      - feature-gcp-build
     paths:
       - "services/namex-pay/**"
   workflow_dispatch:
     inputs:
-      environment:
-        description: "Environment (dev/test/prod)"
+      target:
+        description: "Deploy To"
         required: true
-        default: "dev"
-
-defaults:
-  run:
-    shell: bash
-    working-directory: ./services/namex-pay
-
-env:
-  APP_NAME: "namex-pay"
-  TAG_NAME: "dev"
+        type: choice
+        options:
+        - dev
+        - test
+        - sandbox
+        - prod
 
 jobs:
-  namex-pay-cd-by-push:
-    runs-on: ubuntu-20.04
-
-    if: github.event_name == 'push' && github.repository == 'bcgov/namex'
-    environment:
-      name: "dev"
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Login Openshift
-        shell: bash
-        run: |
-          oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}}
-
-      - name: CD Flow
-        shell: bash
-        env:
-          OPS_REPOSITORY: ${{ secrets.OPS_REPOSITORY }}
-          OPENSHIFT_DOCKER_REGISTRY: ${{ secrets.OPENSHIFT4_DOCKER_REGISTRY }}
-          OPENSHIFT_SA_NAME: ${{ secrets.OPENSHIFT4_SA_NAME }}
-          OPENSHIFT_SA_TOKEN: ${{ secrets.OPENSHIFT4_SA_TOKEN }}
-          OPENSHIFT_REPOSITORY: ${{ secrets.OPENSHIFT4_REPOSITORY }}
-          TAG_NAME: ${{ env.TAG_NAME }}
-        run: |
-          make cd
-
-      - name: Watch new rollout (trigger by image change in Openshift)
-        shell: bash
-        run: |
-          oc rollout status dc/${{ env.APP_NAME }}-${{ env.TAG_NAME }} -n ${{ secrets.OPENSHIFT4_REPOSITORY }}-${{ env.TAG_NAME }} -w
-
-      - name: Rocket.Chat Notification
-        uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@master
-        if: failure()
-        with:
-          type: ${{ job.status }}
-          job_name: "*Namex Pay Built and Deployed to ${{env.TAG_NAME}}*"
-          channel: "#registries-bot"
-          url: ${{ secrets.ROCKETCHAT_WEBHOOK }}
-          commit: true
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-  namex-pay-cd-by-dispatch:
-    runs-on: ubuntu-20.04
-
-    if: github.event_name == 'workflow_dispatch' && github.repository == 'bcgov/namex'
-    environment:
-      name: "${{ github.event.inputs.environment }}"
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set env by input
-        run: |
-          echo "TAG_NAME=${{ github.event.inputs.environment }}" >> $GITHUB_ENV
-
-      - name: Login Openshift
-        shell: bash
-        run: |
-          oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}}
-
-      - name: CD Flow
-        shell: bash
-        env:
-          OPS_REPOSITORY: ${{ secrets.OPS_REPOSITORY }}
-          OPENSHIFT_DOCKER_REGISTRY: ${{ secrets.OPENSHIFT4_DOCKER_REGISTRY }}
-          OPENSHIFT_SA_NAME: ${{ secrets.OPENSHIFT4_SA_NAME }}
-          OPENSHIFT_SA_TOKEN: ${{ secrets.OPENSHIFT4_SA_TOKEN }}
-          OPENSHIFT_REPOSITORY: ${{ secrets.OPENSHIFT4_REPOSITORY }}
-          TAG_NAME: ${{ env.TAG_NAME }}
-        run: |
-          make cd
-
-      - name: Watch new rollout (trigger by image change in Openshift)
-        shell: bash
-        run: |
-          oc rollout status dc/${{ env.APP_NAME }}-${{ env.TAG_NAME }} -n ${{ secrets.OPENSHIFT4_REPOSITORY }}-${{ env.TAG_NAME }} -w
-
-      - name: Rocket.Chat Notification
-        uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@master
-        if: failure()
-        with:
-          type: ${{ job.status }}
-          job_name: "*Namex Pay Built and Deployed to ${{env.TAG_NAME}}*"
-          channel: "#registries-bot"
-          url: ${{ secrets.ROCKETCHAT_WEBHOOK }}
-          commit: true
-          token: ${{ secrets.GITHUB_TOKEN }}
+  namex-pay-cd:
+    uses: bcgov/bcregistry-sre/.github/workflows/backend-cd.yaml@main
+    with:
+      target: ${{ inputs.target }}
+      app_name: "namex-pay"
+      working_directory: "./services/namex-pay"
+    secrets:
+      WORKLOAD_IDENTIFY_POOLS_PROVIDER: ${{ secrets.WORKLOAD_IDENTIFY_POOLS_PROVIDER }}
+      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}

.github/workflows/namex-pay-ci.yml

@@ -2,106 +2,21 @@ name: Namex Pay CI
 
 on:
   pull_request:
-    types: [assigned, synchronize]
     paths:
       - "services/namex-pay/**"
   workflow_dispatch:
 
 defaults:
   run:
     shell: bash
-    working-directory: ./services/namex-pay
+    working-directory: "services/namex-pay"
 
 jobs:
-  setup-job:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: setup check
-        run: |
-          echo "setup check pass."
-
-  linting:
-    needs: setup-job
-    runs-on: ubuntu-20.04
-
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
-        run: |
-          make setup
-      - name: Lint with flake8
-        id: flake8
-        run: |
-          poetry run flake8
-
-  testing:
-    needs: setup-job
-    env:
-      DATABASE_TEST_USERNAME: postgres
-      DATABASE_TEST_PASSWORD: postgres
-      DATABASE_TEST_NAME: postgres
-      DATABASE_TEST_HOST: localhost
-      DATABASE_HOST: localhost
-      DATABASE_PASSWORD: postgres
-      
-      TEST_NATS_DOCKER: True
-
-    runs-on: ubuntu-20.04
-
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-
-    services:
-      postgres:
-        image: postgres:12
-        env:
-          POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_DB: postgres
-        ports:
-          - 5432:5432
-        # needed because the postgres container does not provide a healthcheck
-        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
-        run: |
-          make setup
-      - name: Test with pytest
-        id: test
-        run: |
-          poetry run pytest
-      - name: Temporarily save coverage.xml
-        uses: actions/upload-artifact@v2
-        with:
-          name: namex-pay-coverage
-          flags: namexpayapi
-          path: ./services/namex-pay/coverage.xml
-          retention-days: 1
-
-  build-check:
-    needs: setup-job
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: build to check strictness
-        id: build
-        run: |
-          make build-nc
+  namex-pay-ci:
+    uses: bcgov/bcregistry-sre/.github/workflows/backend-ci.yaml@main
+    with:
+      app_name: "namex-pay"
+      working_directory: "services/namex-pay"
+      codecov_flag: "namexpay"
+      skip_isort: "true"
+      skip_black: "true"

services/namex-pay/devops/gcp/clouddeploy.yaml

@@ -0,0 +1,71 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: deploy.cloud.google.com/v1
+kind: DeliveryPipeline
+metadata:
+ name: namex-pay-pipeline
+description: Deployment pipeline
+serialPipeline:
+ stages:
+ - targetId: a083gt-dev
+   profiles: [dev]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "development"
+      deploy-project-id: "a083gt-dev"
+      service-name: "namex-pay-dev"
+      container-name: "namex-pay-dev"
+      service-account: "sa-api@a083gt-dev.iam.gserviceaccount.com"
+ - targetId: a083gt-test
+   profiles: [test]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "test"
+      deploy-project-id: "a083gt-test"
+      service-name: "namex-pay-test"
+      container-name: "namex-pay-test"
+      service-account: "sa-api@a083gt-test.iam.gserviceaccount.com"
+ - targetId: a083gt-sandbox
+   profiles: [sandbox]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "sandbox"
+      deploy-project-id: "a083gt-integration"
+      service-name: "namex-pay-sandbox"
+      container-name: "namex-pay-sandbox"
+      service-account: "sa-api@a083gt-integration.iam.gserviceaccount.com"
+ - targetId: a083gt-prod
+   profiles: [prod]
+   strategy:
+    standard:
+      verify: false
+   deployParameters:
+   - values:
+      deploy-env: "production"
+      deploy-project-id: "a083gt-prod"
+      service-name: "namex-pay-prod"
+      container-name: "namex-pay-prod"
+      service-account: "sa-api@a083gt-prod.iam.gserviceaccount.com"
+      max-scale: "10"
+      container-concurrency: "20"

services/namex-pay/devops/vaults.gcp.env

@@ -0,0 +1,24 @@
+SENTRY_ENABLE="op://sentry/$APP_ENV/examination/SENTRY_ENABLE"
+SENTRY_DSN="op://sentry/$APP_ENV/examination/SENTRY_DSN"
+
+PAY_API_URL="op://API/$APP_ENV/pay-api/PAY_API_URL"
+PAY_API_VERSION="op://API/$APP_ENV/pay-api/PAY_API_VERSION"
+
+NAMEX_DATABASE_USERNAME="op://database/$APP_ENV/namex-db/NAMEX_DATABASE_USERNAME"
+NAMEX_DATABASE_PASSWORD="op://database/$APP_ENV/namex-db/NAMEX_DATABASE_PASSWORD"
+NAMEX_DATABASE_NAME="op://database/$APP_ENV/namex-db/NAMEX_DATABASE_NAME"
+NAMEX_DATABASE_HOST="op://database/$APP_ENV/namex-db/NAMEX_DATABASE_HOST"
+NAMEX_DATABASE_PORT="op://database/$APP_ENV/namex-db/NAMEX_DATABASE_PORT"
+ORACLE_HOST="op://database/$APP_ENV/oracle-base/ORACLE_HOST"
+ORACLE_PORT="op://database/$APP_ENV/oracle-base/ORACLE_PORT"
+NRO_USER="op://database/$APP_ENV/oracle-namex-db/NRO_USER"
+NRO_PASSWORD="op://database/$APP_ENV/oracle-namex-db/NRO_PASSWORD"
+NRO_DB_NAME="op://database/$APP_ENV/oracle-namex-db/NRO_DB_NAME"
+
+AUDIENCE="op://gcp-queue/$APP_ENV/base/AUDIENCE"
+PUBLISHER_AUDIENCE="op://gcp-queue/$APP_ENV/base/PUBLISHER_AUDIENCE"
+NAMEX_MAILER_TOPIC="op://gcp-queue/$APP_ENV/topics/NAMEX_MAILER_TOPIC"
+NAMEX_NR_STATE_TOPIC="op://gcp-queue/$APP_ENV/topics/NAMEX_NR_STATE_TOPIC"
+BUSINESS_GCP_AUTH_KEY="op://gcp-queue/$APP_ENV/a083gt/BUSINESS_GCP_AUTH_KEY"
+PAY_SUB_AUDIENCE="op://gcp-queue/$APP_ENV/namex/PAY_SUB_AUDIENCE"
+AUTHPAY_SERVICE_ACCOUNT="op://gcp-queue/$APP_ENV/gtksf3/AUTHPAY_SERVICE_ACCOUNT"