diff --git a/.env b/.env index 075bd38..9ac9d4e 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ -TESSERACT_BACKEND=clickhouse://:@:/ +TESSERACT_BACKEND=clickhouse://default:4ZgFMJZNa4s9K7QoUJsUAQMztpd9Bg@34.123.11.240:9000/bls_db TESSERACT_SCHEMA=schema TESSERACT_DEBUG=true diff --git a/.gcloudignore b/.gcloudignore new file mode 100644 index 0000000..ce8a8f6 --- /dev/null +++ b/.gcloudignore @@ -0,0 +1,5 @@ +.git +dist +node_modules +vendor +*.jar \ No newline at end of file diff --git a/.github/workflows/google-gke-prod.yaml b/.github/workflows/google-gke-prod.yaml new file mode 100644 index 0000000..7e677f8 --- /dev/null +++ b/.github/workflows/google-gke-prod.yaml @@ -0,0 +1,135 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][PROD] Deploy to GKE via Helm" + +on: + workflow_dispatch: + inputs: + release: + description: 'Production Release Name' + required: true + type: string + update_release: + description: 'Check if you are updating the production release name of the latest image' + required: true + type: boolean + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + deploy: + environment: production + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Retag latest image + - name: Retag Image to Production Release + if: ${{ inputs.update_release }} + run: |- + gcloud beta artifacts docker tags add \ + --quiet \ + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ env.GKE_APP_NAMESPACE }} \ + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ inputs.release }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ inputs.release }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/production.yaml ./helm \ No newline at end of file diff --git a/.github/workflows/google-registry-gke-dev.yaml b/.github/workflows/google-registry-gke-dev.yaml new file mode 100644 index 0000000..2c732ad --- /dev/null +++ b/.github/workflows/google-registry-gke-dev.yaml @@ -0,0 +1,198 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][DEV] Build API to Registry and Deploy via Helm" + +on: + push: + branches: [ "develop" ] + paths: + - .github/workflows/google-registry-gke-dev.yaml + - helm/development.yaml + - schema/** + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + build: + environment: development + runs-on: ubuntu-latest + if: ${{ !contains(github.event.head_commit.message, '#update') }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: google-github-actions/auth@v2 + with: + project_id: ${{ env.GCP_PROJECT_ID }} + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # Install Cloud SDK + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v1 + with: + install_components: beta + + # Build image on Google Cloud Artifact Registry + - name: Build Docker Image + run: |- + gcloud builds submit \ + --quiet \ + --timeout=40m \ + --config=cloudbuild.yml \ + --substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }} + + deploy: + needs: build + environment: development + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ github.sha }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm + + update: + runs-on: ubuntu-latest + environment: development + if: ${{ contains(github.event.head_commit.message, '#update') }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ env.GKE_APP_NAMESPACE }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm \ No newline at end of file diff --git a/.github/workflows/google-registry-gke.yml b/.github/workflows/google-registry-gke.yml deleted file mode 100644 index 2dec9e3..0000000 --- a/.github/workflows/google-registry-gke.yml +++ /dev/null @@ -1,136 +0,0 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "develop" branch -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled in the project: -# -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create a service account (if you don't have one) with the following fields: -# -# Service Account Name -github-actions -# Service Account ID -github-actions -# -# 3. Ensure the service account have the required IAM permissions granted: -# -# Cloud Build -# roles/cloudbuild.builds.editor (cloud build editor) -# roles/cloudbuild.builds.builder (cloud build service account) -# -# Artifact Registry -# roles/artifactregistry.repoAdmin (artifact registry repository administrator) -# roles/artifactregistry.admin (artifact registry administrator) -# -# Service Account -# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) -# -# Basic Roles -# roles/viewer (viewer) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Ensure you have the following GitHub Secrets and Variables: -# -# GitHub Secrets -# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets -# -# GitHub Variables -# GCP_PROJECT_ID (Google Cloud Project ID) -# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) -# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) -# -# 5. Ensure you have the following GitHub Vatiables for each environment that you will set up: -# -# GitHub Variables -# GCP_IMAGE_NAME (Docker Image Name) -# GKE_APP_NAME (Kubernetes Application Name) -# GKE_APP_RELEASE (Kubernetes Application Release Version) -# GKE_APP_NAMESPACE (Kubernetes Application Namespace) -# GKE_CLUSTER (Kubernetes Cluster Name) -# GKE_ZONE (Kubernetes Cluster Location) -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege -# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun -name: Build to Artifact Registry and Deploy to GKE - -on: - push: - branches: [ "develop" ] - -env: - GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} - GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} - GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} - GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} - GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} - GKE_APP_RELEASE: ${{ vars.GKE_APP_RELEASE }} - GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} - GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} - GKE_ZONE: ${{ vars.GKE_ZONE }} - -jobs: - build: - runs-on: ubuntu-latest - environment: development - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: google-github-actions/auth@v0 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # Build image on Google Cloud Artifact Registry - - name: Build Docker Image - run: |- - gcloud builds submit \ - --quiet \ - --timeout=30m \ - --config=cloudbuild.yml \ - --substitutions=_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GITHUB_SHA=${{ github.sha }} - - # Uncomment for adding the latest tag to the latest image created - - name: Add 'Latest' Tag to Development Environments - run: |- - gcloud beta artifacts docker tags add \ - --quiet \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:latest - - deploy: - needs: build - runs-on: ubuntu-latest - environment: development - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: google-github-actions/auth@v0 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # Get google kubernetes engine credentials - - name: Get GKE Credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - - # Install Helm chart - - name: Helm install - uses: WyriHaximus/github-action-helm3@v2 - with: - exec: helm upgrade --install --create-namespace --namespace ${{ env.GKE_APP_NAMESPACE }} --set app.environment=${{ env.GKE_APP_NAMESPACE }} --set app.release=${{ env.GKE_APP_RELEASE }} --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} --set image.tag=${{ github.sha }} --set nameOverride=${{ env.GKE_APP_NAME }} --set fullnameOverride=${{ env.GKE_APP_NAME }} ${{ env.GKE_APP_NAME }} ./helm --values=./helm/values.yaml \ No newline at end of file diff --git a/.github/workflows/google-registry-prod.yaml b/.github/workflows/google-registry-prod.yaml new file mode 100644 index 0000000..0c38772 --- /dev/null +++ b/.github/workflows/google-registry-prod.yaml @@ -0,0 +1,108 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][PROD] Build API to Google Registry" + +on: + push: + branches: [ "main" ] + paths: + - schema/** + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + build: + environment: production + runs-on: ubuntu-latest + # runs-on: self-hosted + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: google-github-actions/auth@v2 + with: + project_id: ${{ env.GCP_PROJECT_ID }} + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # Install Cloud SDK + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v1 + with: + install_components: beta + + # Build image on Google Cloud Artifact Registry + - name: Build Docker Image + run: |- + gcloud builds submit \ + --quiet \ + --timeout=40m \ + --config=cloudbuild.yml \ + --substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 835003c..d430ec0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,42 +1,42 @@ FROM python:3.9 -# install required dependencies +# Install api pre requirements RUN pip install -U pip setuptools wheel -# allow statements and log messages to immediately appear in the Knative logs -ENV PYTHONUNBUFFERED True - -# define work directory +# Define api directory ENV APP_HOME /usr/src/app WORKDIR $APP_HOME -# transfer python requirements +# Allow that statements and log messages appear in the Knative logs +ENV PYTHONUNBUFFERED True + +# Transfer api requirements COPY requirements.txt ./ -# install python requirements on environment +# Install api requirements RUN useradd -m -r tesseract &&\ chown tesseract $APP_HOME &&\ pip install --no-cache-dir -r requirements.txt -# transfer app files -COPY . . +# Transfer app files +COPY --chown=tesseract:tesseract . . +RUN chown -R tesseract $APP_HOME -# define git hash +# Define api required env vars ARG GIT_HASH ENV GIT_HASH=${GIT_HASH:-dev} -# change user to tesseract user +# Change unix user to tesseract USER tesseract -# expose the required port +# Expose api port ENV PORT 7777 EXPOSE 7777 -# setup host and port for cloudrun +# Setup host and port +# Uncomment this line for a cloudrun instance #ENV HOST 0.0.0.0 -# define startup commands -# CMD ["python", "app.py"] - +# Define startup commands CMD ["app.py"] ENTRYPOINT ["python"] \ No newline at end of file diff --git a/cloudbuild.yml b/cloudbuild.yml index eb26c74..8d44495 100644 --- a/cloudbuild.yml +++ b/cloudbuild.yml @@ -1,9 +1,19 @@ steps: # [START cloudbuild_image_yaml] - # Docker Build using Kaniko Cache (Google) - - name: 'gcr.io/kaniko-project/executor:latest' - args: - - --destination=$_GCP_ARTIFACT_REGISTRY_LOCATION-docker.pkg.dev/$_GCP_PROJECT_ID/$_GCP_ARTIFACT_REGISTRY_NAME/$_GCP_IMAGE_NAME:$_GITHUB_SHA - - --cache=true - - --cache-ttl=336h - # [END cloudbuild_image_yaml] \ No newline at end of file + # Start from previous build + - name: "gcr.io/cloud-builders/docker" + entrypoint: "bash" + args: ["-c", "docker pull ${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT} || exit 0"] + # Docker Build + - name: "gcr.io/cloud-builders/docker" + args: [ + "build", + "-t", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_TAG}", + "-t", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}", + "--cache-from", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}", + "." + ] + # [END cloudbuild_image_yaml] +images: + - "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_TAG}" + - "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}" \ No newline at end of file diff --git a/helm/values.yaml b/helm/development.yaml similarity index 73% rename from helm/values.yaml rename to helm/development.yaml index 7344f22..dfbcaae 100644 --- a/helm/values.yaml +++ b/helm/development.yaml @@ -7,19 +7,19 @@ imagePullSecrets: replicaCount: 1 autoscaling: - enabled: false - # minReplicas: 1 - # maxReplicas: 10 - # targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 120 + enabled: true + minReplicas: 1 + maxReplicas: 4 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 120 resources: requests: - cpu: 0.5 - memory: 1Gi + cpu: 500m + memory: 2Gi limits: - cpu: 1 - memory: 1Gi + cpu: 1000m + memory: 8Gi livenessProbe: failureThreshold: 3 @@ -27,9 +27,9 @@ livenessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 1 readinessProbe: @@ -38,9 +38,9 @@ readinessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 2 service: @@ -60,8 +60,8 @@ configMap: TESSERACT_DEBUG: "true" TESSERACT_SCHEMA: "schema" -secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQGRiLWRldi5kYXRhdXNhLmlvOjkwMDAvYmxzX2Ri +# secrets: +# TESSERACT_BACKEND: ingress: enabled: true @@ -83,4 +83,4 @@ ingress: tls: - secretName: tesseract-api-ingress-tls hosts: - - api-dev.datausa.io \ No newline at end of file + - api-dev.datausa.io diff --git a/helm/production.yaml b/helm/production.yaml index 51edaed..fdda1a8 100644 --- a/helm/production.yaml +++ b/helm/production.yaml @@ -7,19 +7,19 @@ imagePullSecrets: replicaCount: 1 autoscaling: - enabled: false - # minReplicas: 1 - # maxReplicas: 10 - # targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 120 + enabled: true + minReplicas: 1 + maxReplicas: 4 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 120 resources: requests: - cpu: 0.5 - memory: 1Gi + cpu: 500m + memory: 2Gi limits: - cpu: 1 - memory: 1Gi + cpu: 1000m + memory: 8Gi livenessProbe: failureThreshold: 3 @@ -27,9 +27,9 @@ livenessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 1 readinessProbe: @@ -38,9 +38,9 @@ readinessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 2 service: @@ -60,8 +60,8 @@ configMap: TESSERACT_DEBUG: "true" TESSERACT_SCHEMA: "schema" -secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQGRiLXByb2QuZGF0YXVzYS5pbzo5MDAwL2Jsc19kYg== +# secrets: +# TESSERACT_BACKEND: ingress: enabled: true diff --git a/schema/dim_shared_cip.xml b/schema/dim_shared_cip.xml new file mode 100644 index 0000000..25d915d --- /dev/null +++ b/schema/dim_shared_cip.xml @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/schema/dim_shared_pums.xml b/schema/dim_shared_pums.xml new file mode 100644 index 0000000..a7d3872 --- /dev/null +++ b/schema/dim_shared_pums.xml @@ -0,0 +1,11 @@ + + + +
+ + + + + + + \ No newline at end of file diff --git a/schema/dim_shared_skill.xml b/schema/dim_shared_skill.xml new file mode 100644 index 0000000..d35f677 --- /dev/null +++ b/schema/dim_shared_skill.xml @@ -0,0 +1,9 @@ + + + +
+ + + + + \ No newline at end of file diff --git a/schema/onet_by_cip.xml b/schema/onet_by_cip.xml new file mode 100644 index 0000000..9584daf --- /dev/null +++ b/schema/onet_by_cip.xml @@ -0,0 +1,42 @@ + + + O*NET Online + The O*Net Skills is a dataset containing detailed descriptions of the required and used skills for specific occupations. The O*Net dataset is sponsored by the United States Department of Labor. + O*NET by Classification of Instructional Programs + http://www.onetonline.org/ + Education + Skills + +
+ + + + + + TIME + + + + + + + NONE + NONE + Not used for presentation + true + + + + NONE + NONE + Not used for presentation + true + + + + NONE + NONE + Calculated by IM Value * LV Value + + + \ No newline at end of file diff --git a/schema/onet_by_pums.xml b/schema/onet_by_pums.xml new file mode 100644 index 0000000..00263e9 --- /dev/null +++ b/schema/onet_by_pums.xml @@ -0,0 +1,48 @@ + + + O*NET Online + The O*Net Skills is a dataset containing detailed descriptions of the required and used skills for specific occupations. The O*Net dataset is sponsored by the United States Department of Labor. + O*NET by PUMS Occupation + http://www.onetonline.org/ + Economy + Skills + +
+ + + + + + TIME + + + + + + + + NONE + NONE + Not used for presentation + true + + + + + + NONE + NONE + Not used for presentation + true + + + + + + NONE + NONE + Calculated by IM Value * LV Value + + + + \ No newline at end of file