Merge branch 'master' into disable-gcloudignore-config

actions/cdn-upload/v2/action.yaml

@@ -18,6 +18,9 @@ inputs:
     description: "Keep parent directory name when uploading"
     required: false
     default: "true"
+  headers:
+    description: "Set headers on the uploaded files"
+    required: false
   cache_invalidation:
     description: "Cache invalidation"
     required: false
@@ -115,6 +118,7 @@ runs:
         parent: '${{ inputs.source_keep_parent_name }}'
         destination: "${{ env.BUCKET_NAME }}/${{ inputs.team }}/${{ inputs.destination }}"
         process_gcloudignore: false
+        headers: "${{ inputs.headers }}"
 
     # Invalidate cache if cache_invalidation is set to true
     - name: "Set up Cloud SDK"

actions/deploy/README.md

@@ -21,6 +21,7 @@ The available configuration options for the NAIS deploy GitHub action.
 | RESOURCE             | \(required\)             | Comma-separated list of files containing Kubernetes resources. Must be JSON or YAML format.                                                                                                                                 |
 | RETRY                | `true`                   | Automatically retry deploying if deploy service is unavailable.                                                                                                                                                             |
 | TEAM                 | \(auto-detect\)          | Team making the deployment.                                                                                                                                                                                                 |
+| TELEMETRY            |                          | Lets nais/docker-build-push send telemetry that is used to calculate more precise lead time for deploy.                                                                                                                     |
 | TIMEOUT              | `10m`                    | Time to wait for deployment completion, especially when using `WAIT`.                                                                                                                                                       |
 | VAR                  |                          | Comma-separated list of template variables in the form `key=value`. Will overwrite any identical template variable in the `VARS` file.                                                                                      |
 | VARS                 | `/dev/null`              | File containing template variables. Will be interpolated with the `$RESOURCE` file. Must be JSON or YAML format.                                                                                                            |

actions/deploy/entrypoint.sh

@@ -58,4 +58,7 @@ fi
 
 export ACTIONS="true"
 
+# All of our users live in Norway, so why not. GitHub defaults to UTC.
+export TZ="Europe/Oslo"
+
 /app/deploy

actions/spa-setup-task/__tests__/k8s.test.ts

@@ -15,13 +15,24 @@ test('ingressAnnotations()', () => {
 
   const annotations = k8s.ingressAnnotations(bucketPath, bucketVhost) || {}
 
-  expect(Object.keys(annotations || {}).length).toBe(6)
+  expect(Object.keys(annotations || {}).length).toBe(5)
   expect(annotations['nginx.ingress.kubernetes.io/upstream-vhost']).toBe(
     bucketVhost
   )
   expect(annotations['nginx.ingress.kubernetes.io/backend-protocol']).toBe(
     'https'
   )
+  expect(annotations['nginx.ingress.kubernetes.io/configuration-snippet']).toBe(
+    `more_set_headers "Cache-Control: public,max-age=0";
+rewrite ^(.*)/$ ${bucketPath}/index.html break;
+rewrite ^/(.*)$ ${bucketPath}/$1 break;
+proxy_intercept_errors on;
+error_page 404 = /index.html;`
+  )
+  expect(annotations['nginx.ingress.kubernetes.io/from-to-www-redirect']).toBe(
+    'true'
+  )
+  expect(annotations['nginx.ingress.kubernetes.io/use-regex']).toBe('true')
   Object.keys(annotations || {}).forEach(key => {
     expect(key.startsWith('nginx.ingress.kubernetes.io')).toBe(true)
   })

actions/spa-setup-task/src/k8s.ts

@@ -12,11 +12,11 @@ export function ingressAnnotations(
     'nginx.ingress.kubernetes.io/from-to-www-redirect': 'true',
     'nginx.ingress.kubernetes.io/use-regex': 'true',
     'nginx.ingress.kubernetes.io/backend-protocol': 'https',
-    'nginx.ingress.kubernetes.io/server-snippet': `proxy_intercept_errors on;
-error_page 404 = /index.html;`,
     'nginx.ingress.kubernetes.io/configuration-snippet': `more_set_headers "Cache-Control: public,max-age=0";
 rewrite ^(.*)/$ ${bucketPath}/index.html break;
-rewrite ^/(.*)$ ${bucketPath}/$1 break;`
+rewrite ^/(.*)$ ${bucketPath}/$1 break;
+proxy_intercept_errors on;
+error_page 404 = /index.html;`
   }
 }
 

charts/deployd/Feature.yaml

@@ -65,3 +65,6 @@ values:
     config:
       type: string
       secret: true
+  otelExporterOtlpEndpoint:
+    config:
+      type: string

charts/deployd/templates/secret.yaml

@@ -15,6 +15,7 @@ stringData:
   DEPLOYD_LOG_LEVEL: trace
   DEPLOYD_METRICS_LISTEN_ADDRESS: "0.0.0.0:8080"
   DEPLOYD_METRICS_PATH: "/metrics"
+  OTEL_EXPORTER_OTLP_ENDPOINT: "{{ .Values.otelExporterOtlpEndpoint }}"
 ---
 {{- if eq .Values.cluster "prod-fss" }}
 apiVersion: v1
@@ -34,5 +35,5 @@ stringData:
   DER_VERA_URL: "{{ .Values.deploymentEventRelays.vera.url }}"
   DER_NULL_ENABLED: "{{ .Values.deploymentEventRelays.nullEnabled }}"
   DER_KAFKA_TOPIC: "{{ .Values.deploymentEventRelays.kafka.topic }}"
-  DER_KAFKA_GROUP_ID_PREFIX: "{{ .Values.deploymentEventRelays.kafka.groupIdPrefix }}" 
+  DER_KAFKA_GROUP_ID_PREFIX: "{{ .Values.deploymentEventRelays.kafka.groupIdPrefix }}"
 {{- end }}

charts/deployd/values.yaml

@@ -60,3 +60,5 @@ deploymentEventRelays:
     topic: "aura.dev-rapid"
 
 canaryAlert: true
+
+otelExporterOtlpEndpoint: # mapped by fasit

charts/hookd/Feature.yaml

@@ -42,6 +42,9 @@ values:
   logLinkFormatter:
     config:
       type: string
+  otelExporterOtlpEndpoint:
+    config:
+      type: string
   provisionKey:
     computed:
       template: '"{{.Management.hookd_provision_key}}"'

charts/hookd/templates/fqdn-netpol.yaml

@@ -21,6 +21,7 @@ spec:
       - token.actions.githubusercontent.com
       - accounts.google.com
       - private.googleapis.com
+      - collector-internet.external.prod-gcp.nav.cloud.nais.io
   podSelector:
     matchLabels:
       {{- include "hookd.selectorLabels" . | nindent 6 }}

charts/hookd/templates/netpol.yaml

@@ -6,6 +6,9 @@ metadata:
     {{- include "hookd.labels" . | nindent 4 }}
 spec:
   egress:
+  # All 34.88.0.0/16 IP addresses in this list
+  # point to Postgres databases in management projects.
+  # FIXME: provision elsewhere?
   - to:
     - ipBlock:
         cidr: 34.88.176.78/32

charts/hookd/templates/secret.yaml

@@ -27,3 +27,4 @@ stringData:
   HOOKD_PROVISION_KEY: "{{ .Values.provisionKey }}"
   HOOKD_NAIS_API_ADDRESS: "{{ .Values.naisAPI.address }}"
   HOOKD_NAIS_API_INSECURE_CONNECTION: "{{ .Values.naisAPI.insecureConnection }}"
+  OTEL_EXPORTER_OTLP_ENDPOINT: "{{ .Values.otelExporterOtlpEndpoint }}"

charts/hookd/values.yaml

@@ -12,6 +12,7 @@ googleClient:
   secret: # mapped by fasit
 
 logLinkFormatter: "GCP"
+otelExporterOtlpEndpoint: # mapped by fasit
 googleServiceAccountName: # mapped by fasit
 googleClusterProjects: # mapped by fasit
 provisionKey: # mapped by fasit

cmd/deploy/main.go

@@ -2,12 +2,16 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 
 	"github.com/nais/deploy/pkg/deployclient"
 	"github.com/nais/deploy/pkg/pb"
+	"github.com/nais/deploy/pkg/telemetry"
 	"github.com/nais/deploy/pkg/version"
+	"go.opentelemetry.io/otel/attribute"
+	otrace "go.opentelemetry.io/otel/trace"
 	"google.golang.org/protobuf/encoding/protojson"
 
 	log "github.com/sirupsen/logrus"
@@ -39,10 +43,65 @@ func run() error {
 
 	// Welcome
 	log.Infof("NAIS deploy %s", version.Version())
+
+	err := cfg.Validate()
+	if err != nil {
+		if !errors.Is(err, deployclient.ErrInvalidTelemetryFormat) {
+			if !cfg.DryRun {
+				return deployclient.ErrorWrap(deployclient.ExitInvocationFailure, err)
+			}
+			log.Warnf("Configuration did not pass validation: %s", err)
+		} else {
+			log.Warnf("Telemetry configuration did not pass validation: %s", err)
+		}
+	}
+
+	// OpenTelemetry
+	tracerProvider, err := telemetry.New(ctx, "deploy", cfg.OpenTelemetryCollectorURL)
+	if err != nil {
+		return fmt.Errorf("Setup OpenTelemetry: %w", err)
+	}
+
+	// Clean shutdown for OT
+	defer func() {
+		err := tracerProvider.Shutdown(ctx)
+		if err != nil {
+			log.Errorf("Shutdown OpenTelemetry: %s", err)
+		}
+	}()
+
+	// Inherit traceparent from pipeline, if any.
+	// If TRACEPARENT is set, ignore the TELEMETRY value.
+	// If not, start a new top-level trace using the TELEMETRY variable.
+	var span otrace.Span
+	if len(cfg.Traceparent) > 0 {
+		log.Infof("Using traceparent header %s", cfg.Traceparent)
+		ctx = telemetry.WithTraceParent(ctx, cfg.Traceparent)
+	} else if cfg.Telemetry != nil {
+		log.Infof("Importing pipeline telemetry data as this request's top-level trace")
+		ctx, span = cfg.Telemetry.StartTracing(ctx)
+		defer span.End()
+	} else {
+		log.Infof("No top-level trace detected, starting a new one.")
+	}
+
+	// Start the deploy client's top level trace.
+	ctx, span = telemetry.Tracer().Start(ctx, "NAIS deploy", otrace.WithSpanKind(otrace.SpanKindClient))
+	defer span.End()
+
+	// Print version
 	ts, err := version.BuildTime()
 	if err == nil {
+		span.SetAttributes(attribute.KeyValue{
+			Key:   "deploy.client.build-time",
+			Value: attribute.StringValue(ts.Local().String()),
+		})
 		log.Infof("This version was built %s", ts.Local())
 	}
+	span.SetAttributes(attribute.KeyValue{
+		Key:   "deploy.client.version",
+		Value: attribute.StringValue(version.Version()),
+	})
 
 	// Prepare request
 	request, err := deployclient.Prepare(ctx, cfg)

cmd/deployd/main.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/nais/liberator/pkg/conftools"
 	log "github.com/sirupsen/logrus"
+	ocodes "go.opentelemetry.io/otel/codes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -27,7 +28,9 @@ import (
 	presharedkey_interceptor "github.com/nais/deploy/pkg/grpc/interceptor/presharedkey"
 	"github.com/nais/deploy/pkg/logging"
 	"github.com/nais/deploy/pkg/pb"
+	"github.com/nais/deploy/pkg/telemetry"
 	"github.com/nais/deploy/pkg/version"
+	otrace "go.opentelemetry.io/otel/trace"
 )
 
 const (
@@ -57,6 +60,23 @@ func run() error {
 		log.Infof("This version was built %s", ts.Local())
 	}
 
+	programContext, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// OpenTelemetry
+	tracerProvider, err := telemetry.New(programContext, "deployd", cfg.OpenTelemetryCollectorURL)
+	if err != nil {
+		return fmt.Errorf("Setup OpenTelemetry: %w", err)
+	}
+
+	// Clean shutdown for OT
+	defer func() {
+		err := tracerProvider.Shutdown(programContext)
+		if err != nil {
+			log.Errorf("Shutdown OpenTelemetry: %s", err)
+		}
+	}()
+
 	for _, line := range conftools.Format(maskedConfig) {
 		log.Info(line)
 	}
@@ -120,7 +140,7 @@ func run() error {
 		for {
 			time.Sleep(requestBackoff)
 
-			deploymentStream, err := grpcClient.Deployments(context.Background(), &pb.GetDeploymentOpts{
+			deploymentStream, err := grpcClient.Deployments(programContext, &pb.GetDeploymentOpts{
 				Cluster:     cfg.Cluster,
 				StartupTime: pb.TimeAsTimestamp(startupTime),
 			})
@@ -146,9 +166,13 @@ func run() error {
 
 	deploy := func(req *pb.DeploymentRequest) {
 		ctx, cancel := req.Context()
+		ctx = telemetry.WithTraceParent(ctx, req.TraceParent)
+		ctx, span := telemetry.Tracer().Start(ctx, "Deploy to Kubernetes", otrace.WithSpanKind(otrace.SpanKindServer))
 
 		client, err := kube.Impersonate(req.GetTeam())
 		if err != nil {
+			span.SetStatus(ocodes.Error, err.Error())
+			span.End()
 			cancel()
 			statusChan <- pb.NewErrorStatus(req, err)
 			return
@@ -161,6 +185,7 @@ func run() error {
 			Cancel:     cancel,
 			Logger:     logger,
 			Request:    req,
+			Trace:      span,
 			StatusChan: statusChan,
 		}
 
@@ -184,7 +209,7 @@ func run() error {
 			logger.Infof(st.GetMessage())
 		}
 
-		_, err = grpcClient.ReportStatus(context.Background(), st)
+		_, err = grpcClient.ReportStatus(programContext, st)
 
 		return err
 	}

cmd/hookd/main.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus"
+	"github.com/nais/deploy/pkg/telemetry"
 	"github.com/nais/liberator/pkg/conftools"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
@@ -68,6 +69,24 @@ func run() error {
 		log.Infof("This version was built %s", ts.Local())
 	}
 
+	// Main program context
+	programContext, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// OpenTelemetry
+	tracerProvider, err := telemetry.New(programContext, "hookd", cfg.OpenTelemetryCollectorURL)
+	if err != nil {
+		return fmt.Errorf("Setup OpenTelemetry: %w", err)
+	}
+
+	// Clean shutdown for OT
+	defer func() {
+		err := tracerProvider.Shutdown(programContext)
+		if err != nil {
+			log.Errorf("Shutdown OpenTelemetry: %s", err)
+		}
+	}()
+
 	for _, line := range conftools.Format(maskedConfig) {
 		log.Info(line)
 	}
@@ -82,7 +101,7 @@ func run() error {
 		return err
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), cfg.DatabaseConnectTimeout)
+	ctx, cancel := context.WithTimeout(programContext, cfg.DatabaseConnectTimeout)
 	for {
 		log.Infof("Connecting to database...")
 		db, err = database.New(ctx, cfg.DatabaseURL, dbEncryptionKey)
@@ -101,7 +120,9 @@ func run() error {
 		return fmt.Errorf("setup postgres connection: %s", err)
 	}
 
-	err = db.Migrate(context.Background())
+	ctx, cancel = context.WithTimeout(programContext, cfg.DatabaseConnectTimeout)
+	err = db.Migrate(ctx)
+	cancel()
 	if err != nil {
 		return fmt.Errorf("migrating database: %s", err)
 	}

doc/sequence.puml

@@ -14,9 +14,9 @@ developer -> github: git push
 github -> ci: Start build
 ci -> registry: Push image
 
-==/api/v1/deploy==
+==Prepare deploy==
 ci -> hookd: Start deployment
-note right: Authenticate with team API key
+note right: Authenticate with team API key or Github token
 hookd -> db: Create deployment
 hookd -> github: Create deployment
 note right: if enabled