Production Deploy 2024-11-04

.github/workflows/deploy.yml

@@ -7,8 +7,8 @@ on:
       - develop
 
 jobs:
-  deploy:
-    runs-on: ubuntu-20.04
+  build-push:
+    runs-on: ubuntu-22.04 # standard (not self-hosted) runner
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -21,24 +21,82 @@ jobs:
         with:
           python-version: '3.10'
           cache: 'pip'
-          cache-dependency-path: 'requirements/*/**.txt'
+          cache-dependency-path: 'requirements/*/dev.txt'
       - name: Install dependencies
         id: pip-install
         run: |
           python -m pip install --upgrade pip wheel pip-tools
-          pip-sync requirements/base/base.txt requirements/dev/dev.txt
+          pip-sync requirements/dev/dev.txt
       - name: Login to Docker
         id: docker-login
         run: |
           inv aws.docker-login
-      - name: Build, tag, push, and deploy image
-        id: build-tag-push-deploy
+      - name: Set DOCKER_TAG and save to file for artifact upload
+        run: |
+          DOCKER_TAG=$(inv image.tag | grep 'Set config.tag to' | cut -d' ' -f4)
+          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          echo "$DOCKER_TAG" > docker-tag.txt
+      - name: Build, tag, and push image
+        id: build-tag-push
         run: |
           [ "$GITHUB_REF" = refs/heads/main ] &&
             ENV="production" ||
             ENV="staging"
           echo "env is $ENV"
-          inv $ENV image deploy --verbosity=0
+          export BUILDKIT_PROGRESS=plain
+          inv $ENV image.build --tag=${{ env.DOCKER_TAG }} image.push --tag=${{ env.DOCKER_TAG }}
+      - name: Upload docker tag from build-push job
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker_tag
+          path: docker-tag.txt
+
+  # The deploy needs to run from within the cluster, since the cluster
+  # is not exposed to the public internet. This step is split out into
+  # its own job to reduce the amount of work done on the self-hosted runner
+  # and avoid the need to run a privileged docker container (with the
+  # capability of building a docker container itself).
+  deploy:
+    runs-on: arc-runner-set # K8s self-hosted runner
+    needs: [build-push]
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+      # https://github.com/marketplace/actions/slack-github-actions-slack-integration
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download docker tag from build-push job
+        uses: actions/download-artifact@v4
+        with:
+          name: docker_tag
+      - name: Set variables
+        run: |
+          DOCKER_TAG=$(cat docker-tag.txt)
+          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+      - name: Install apt packages
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y git
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+          cache-dependency-path: 'requirements/*/dev.txt'
+      - name: Install dependencies
+        id: pip-install
+        run: |
+          python -m pip install --upgrade pip wheel pip-tools
+          pip-sync requirements/dev/dev.txt
+      - name: Deploy the image
+        id: deploy
+        run: |
+          [ "$GITHUB_REF" = refs/heads/main ] &&
+            ENV="production" ||
+            ENV="staging"
+          echo "env is $ENV" --verbosity=0
+          inv $ENV deploy --tag=${{ env.DOCKER_TAG }} --verbosity=0
       - uses: act10ns/slack@v1
         with:
           status: ${{ job.status }}

.github/workflows/test.yml

@@ -2,13 +2,12 @@ name: Lint and Test code
 
 on:
   pull_request:
-  schedule:
-    # run once a week on early monday mornings
-    - cron: '22 2 * * 1'
+  push:
+    branches: [main, develop]
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04 # standard (not self-hosted) runner
     env:
       DJANGO_SETTINGS_MODULE: hip.settings.dev
     services:

Dockerfile

@@ -121,8 +121,8 @@ RUN groupadd --gid $USER_GID $USERNAME \
 #   openssh-client -- for git over SSH
 #   sudo -- to run commands as superuser
 #   vim -- enhanced vi editor for commits
-ENV KUBE_CLIENT_VERSION="v1.25.10"
-ENV HELM_VERSION="3.12.0"
+ENV KUBE_CLIENT_VERSION="v1.29.3"
+ENV HELM_VERSION="3.14.4"
 RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
     --mount=type=cache,mode=0755,target=/root/.cache/pip \
     set -ex \

README.md

@@ -193,7 +193,7 @@ These instructions assume that you will be working with dockerized services.
 First add the following line to your `.env` file:
 
 ```sh
-(hip)$ echo "DATABASE_URL=postgres://postgres@127.0.0.1:5433/hip" >> .env
+(hip)$ echo "DATABASE_URL=postgres://postgres@127.0.0.1:5432/hip" >> .env
 ```
 
 The `docker-compose.yml` sets up environment variables in a file, ``.postgres``.
@@ -294,3 +294,22 @@ To reset your local database from a deployed environment:
 As mentioned in the Database setup instructions, you may need to visit 
 [/cms/sites](http://localhost:8000/cms/sites/) and change the first entry's 
 `Hostname` field to `localhost` to enable page previews in the Wagtail admin.
+
+### GitHub Actions Runner
+
+There are [GitHub Actions self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) deployed in the Kubernetes cluster along side the application.
+
+Setup instructions:
+
+* Obtain a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with the `repo` scope that's valid for one week (it needs to be active only for the initial deployment). Add this to a local environment variable `RUNNER_CFG_PAT`:
+
+```sh
+export RUNNER_CFG_PAT="gh......"
+```
+
+* Run the playbook to deploy the runner:
+
+```sh
+cd deploy/
+ansible-playbook deploy-runner.yml
+```

apps/reports/tests/test_models.py

@@ -84,23 +84,28 @@ def test_datareportslistpage_context_only_external_reports(db, rf):
         "last_updated": date(year=2021, month=1, day=1),
         "external": True,
     }
+    external_reports_data = [
+        {
+            "type": "external_reports",  # Block type
+            "value": {
+                "title": external_report_hiv["title"],
+                "url": external_report_hiv["url"],
+                "update_frequency": external_report_hiv["update_frequency"],
+                "last_updated": external_report_hiv["last_updated"],
+            },
+        },
+        {
+            "type": "external_reports",
+            "value": {
+                "title": external_report_hep_a["title"],
+                "url": external_report_hep_a["url"],
+                "update_frequency": external_report_hep_a["update_frequency"],
+                "last_updated": external_report_hep_a["last_updated"],
+            },
+        },
+    ]
     reports_list_page = DataReportListPageFactory(
-        external_reports__0__external_reports__title=external_report_hiv["title"],
-        external_reports__0__external_reports__url=external_report_hiv["url"],
-        external_reports__0__external_reports__update_frequency=external_report_hiv[
-            "update_frequency"
-        ],
-        external_reports__0__external_reports__last_updated=external_report_hiv[
-            "last_updated"
-        ],
-        external_reports__1__external_reports__title=external_report_hep_a["title"],
-        external_reports__1__external_reports__url=external_report_hep_a["url"],
-        external_reports__1__external_reports__update_frequency=external_report_hep_a[
-            "update_frequency"
-        ],
-        external_reports__1__external_reports__last_updated=external_report_hep_a[
-            "last_updated"
-        ],
+        external_reports=external_reports_data
     )
 
     context = reports_list_page.get_context(rf.get("/someurl/"))
@@ -127,15 +132,19 @@ def test_datareportslistpage_context_internal_and_external_reports(db, rf):
         "last_updated": "2021-01-01",
         "external": True,
     }
+    external_reports_data = [
+        {
+            "type": "external_reports",
+            "value": {
+                "title": external_report_hiv["title"],
+                "url": external_report_hiv["url"],
+                "update_frequency": external_report_hiv["update_frequency"],
+                "last_updated": external_report_hiv["last_updated"],
+            },
+        },
+    ]
     reports_list_page = DataReportListPageFactory(
-        external_reports__0__external_reports__title=external_report_hiv["title"],
-        external_reports__0__external_reports__url=external_report_hiv["url"],
-        external_reports__0__external_reports__update_frequency=external_report_hiv[
-            "update_frequency"
-        ],
-        external_reports__0__external_reports__last_updated=external_report_hiv[
-            "last_updated"
-        ],
+        external_reports=external_reports_data
     )
     # Create  some internal reports (DataReportDetailPages) for the DataReportListPage.
     tuberculosis = DiseaseAndConditionDetailPageFactory(title="Tuberculosis")

deploy/deploy-cluster.yml

@@ -10,7 +10,7 @@
   tasks:
     - name: Add AWS for fluent bit helm chart (centralized logging)
       tags: fluentbit
-      community.kubernetes.helm:
+      kubernetes.core.helm:
         context: "{{ k8s_context|mandatory }}"
         kubeconfig: "{{ k8s_kubeconfig }}"
         chart_repo_url: "https://aws.github.io/eks-charts"
@@ -29,7 +29,7 @@
         wait: yes
     - name: Create Amazon CloudWatch Metrics namespace
       tags: cloudwatch
-      community.kubernetes.k8s:
+      kubernetes.core.k8s:
         context: "{{ k8s_context|mandatory }}"
         kubeconfig: "{{ k8s_kubeconfig }}"
         name: "{{ k8s_aws_cloudwatch_metrics_namespace }}"
@@ -38,7 +38,7 @@
         state: present
     - name: Add AWS CloudWatch Metrics helm chart (monitoring)
       tags: cloudwatch
-      community.kubernetes.helm:
+      kubernetes.core.helm:
         context: "{{ k8s_context|mandatory }}"
         kubeconfig: "{{ k8s_kubeconfig }}"
         chart_repo_url: "https://aws.github.io/eks-charts"
@@ -54,6 +54,7 @@
       tags: cloudwatch
       amazon.aws.cloudwatch_metric_alarm:
         state: present
+        aws_profile: "{{ aws_profile }}"
         region: us-east-1
         name: "{{ item.name }}"
         description: "{{ item.description }}"

deploy/deploy-runner.yml

@@ -0,0 +1,47 @@
+---
+- name: Install Actions Runner Controller and configure runner scale set
+  hosts: cluster
+  vars:
+    ansible_connection: local
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+    runner_namespace: github-runner
+    chart_version: "0.9.3"
+  gather_facts: false
+  tasks:
+    # https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
+    #
+    # Ansible task to automate:
+    # helm install arc \                      
+    # --namespace "${NAMESPACE}" \
+    # --create-namespace \
+    # oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
+    - name: Installing Actions Runner Controller
+      kubernetes.core.helm:
+        context: "{{ k8s_context|mandatory }}"
+        chart_ref: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
+        chart_version: "{{ chart_version }}"
+        release_name: arc
+        release_namespace: "{{ runner_namespace }}"
+        create_namespace: true
+        wait: yes
+
+    # Ansible task to automate:
+    # helm install "${INSTALLATION_NAME}" \
+    # --namespace "${NAMESPACE}" \
+    # --create-namespace \
+    # --set githubConfigUrl="https://github.com/caktus/philly-hip" \
+    # --set githubConfigSecret.github_token="${RUNNER_CFG_PAT}" \
+    # oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
+    - name: Configuring a runner scale set
+      kubernetes.core.helm:
+        context: "{{ k8s_context|mandatory }}"
+        chart_ref: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
+        chart_version: "{{ chart_version }}"
+        release_name: arc-runner-set
+        release_namespace: "{{ runner_namespace }}"
+        create_namespace: true
+        release_values:
+          githubConfigUrl: "https://github.com/caktus/philly-hip"
+          githubConfigSecret:
+            github_token: "{{ lookup('env', 'RUNNER_CFG_PAT') }}"
+        wait: yes