From df0376ed3017bb6f6c750bec5b7c34b0ff6db65e Mon Sep 17 00:00:00 2001 From: hermosillajelmy Date: Tue, 31 Oct 2023 09:41:41 -0300 Subject: [PATCH 01/11] update zircon string --- helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/values.yaml b/helm/values.yaml index 7344f22..656ef65 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -61,7 +61,7 @@ configMap: TESSERACT_SCHEMA: "schema" secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQGRiLWRldi5kYXRhdXNhLmlvOjkwMDAvYmxzX2Ri + TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQDM1LjIzOC41LjY5OjkwMDAvYmxzX2Ri ingress: enabled: true From 7b502a571bd8f9bb7f6bfed36936380408d347b5 Mon Sep 17 00:00:00 2001 From: hermosillajelmy Date: Tue, 31 Oct 2023 09:56:16 -0300 Subject: [PATCH 02/11] update value string --- helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/values.yaml b/helm/values.yaml index 656ef65..98d53cc 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -61,7 +61,7 @@ configMap: TESSERACT_SCHEMA: "schema" secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQDM1LjIzOC41LjY5OjkwMDAvYmxzX2Ri + TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQDM0LjEyMy4xMS4yNDA6OTAwMC9ibHNfZGI= ingress: enabled: true From eba40ca8715677db9ab01b3c06516bb4d0a23176 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20P=C3=A9rez=20Mundaca?= <53226333+nspmx@users.noreply.github.com> Date: Tue, 31 Oct 2023 11:37:38 -0300 Subject: [PATCH 03/11] Add ram to values.yaml --- helm/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/values.yaml b/helm/values.yaml index 98d53cc..24d9d12 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -19,7 +19,7 @@ resources: memory: 1Gi limits: cpu: 1 - memory: 1Gi + memory: 8Gi livenessProbe: failureThreshold: 3 @@ -83,4 +83,4 @@ ingress: tls: - secretName: tesseract-api-ingress-tls hosts: - - api-dev.datausa.io \ No newline at end of file + - api-dev.datausa.io From 17abc8466194a5e7f480ca1cc8a2d6dcbcc59d33 Mon Sep 17 00:00:00 2001 From: nspmx Date: Tue, 31 Oct 2023 12:00:08 -0300 Subject: [PATCH 04/11] add recursiveness on docker chown user --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 835003c..84ae590 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ COPY requirements.txt ./ # install python requirements on environment RUN useradd -m -r tesseract &&\ - chown tesseract $APP_HOME &&\ + chown -R tesseract $APP_HOME &&\ pip install --no-cache-dir -r requirements.txt # transfer app files From 5885bd243db63d2afe6b251f2fe72352ed12fb84 Mon Sep 17 00:00:00 2001 From: nspmx Date: Tue, 31 Oct 2023 12:19:58 -0300 Subject: [PATCH 05/11] update connection string --- helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/values.yaml b/helm/values.yaml index 24d9d12..0794da5 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -61,7 +61,7 @@ configMap: TESSERACT_SCHEMA: "schema" secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQDM0LjEyMy4xMS4yNDA6OTAwMC9ibHNfZGI= + TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQGRiLWRldi5kYXRhdXNhLmlvOjkwMDAvYmxzX2Ri ingress: enabled: true From 2dfc4123e0ae873ec82eaa7095e3018c96668764 Mon Sep 17 00:00:00 2001 From: nspmx Date: Tue, 31 Oct 2023 13:35:15 -0300 Subject: [PATCH 06/11] change ownership of files --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 84ae590..8ae5eff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,12 +19,14 @@ RUN useradd -m -r tesseract &&\ pip install --no-cache-dir -r requirements.txt # transfer app files -COPY . . +COPY --chown=tesseract:tesseract . . +RUN chown -R tesseract $APP_HOME # define git hash ARG GIT_HASH ENV GIT_HASH=${GIT_HASH:-dev} + # change user to tesseract user USER tesseract From 105841111aa12c90857e4cb953bacb2d0afec012 Mon Sep 17 00:00:00 2001 From: hermosillajelmy Date: Tue, 31 Oct 2023 17:59:07 -0300 Subject: [PATCH 07/11] add onet cubes --- schema/dim_shared_cip.xml | 19 +++++++++++++++ schema/dim_shared_pums.xml | 11 +++++++++ schema/dim_shared_skill.xml | 9 +++++++ schema/onet_by_cip.xml | 42 ++++++++++++++++++++++++++++++++ schema/onet_by_pums.xml | 48 +++++++++++++++++++++++++++++++++++++ 5 files changed, 129 insertions(+) create mode 100644 schema/dim_shared_cip.xml create mode 100644 schema/dim_shared_pums.xml create mode 100644 schema/dim_shared_skill.xml create mode 100644 schema/onet_by_cip.xml create mode 100644 schema/onet_by_pums.xml diff --git a/schema/dim_shared_cip.xml b/schema/dim_shared_cip.xml new file mode 100644 index 0000000..25d915d --- /dev/null +++ b/schema/dim_shared_cip.xml @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/schema/dim_shared_pums.xml b/schema/dim_shared_pums.xml new file mode 100644 index 0000000..a7d3872 --- /dev/null +++ b/schema/dim_shared_pums.xml @@ -0,0 +1,11 @@ + + + +
+ + + + + + + \ No newline at end of file diff --git a/schema/dim_shared_skill.xml b/schema/dim_shared_skill.xml new file mode 100644 index 0000000..d35f677 --- /dev/null +++ b/schema/dim_shared_skill.xml @@ -0,0 +1,9 @@ + + + +
+ + + + + \ No newline at end of file diff --git a/schema/onet_by_cip.xml b/schema/onet_by_cip.xml new file mode 100644 index 0000000..9584daf --- /dev/null +++ b/schema/onet_by_cip.xml @@ -0,0 +1,42 @@ + + + O*NET Online + The O*Net Skills is a dataset containing detailed descriptions of the required and used skills for specific occupations. The O*Net dataset is sponsored by the United States Department of Labor. + O*NET by Classification of Instructional Programs + http://www.onetonline.org/ + Education + Skills + +
+ + + + + + TIME + + + + + + + NONE + NONE + Not used for presentation + true + + + + NONE + NONE + Not used for presentation + true + + + + NONE + NONE + Calculated by IM Value * LV Value + + + \ No newline at end of file diff --git a/schema/onet_by_pums.xml b/schema/onet_by_pums.xml new file mode 100644 index 0000000..00263e9 --- /dev/null +++ b/schema/onet_by_pums.xml @@ -0,0 +1,48 @@ + + + O*NET Online + The O*Net Skills is a dataset containing detailed descriptions of the required and used skills for specific occupations. The O*Net dataset is sponsored by the United States Department of Labor. + O*NET by PUMS Occupation + http://www.onetonline.org/ + Economy + Skills + +
+ + + + + + TIME + + + + + + + + NONE + NONE + Not used for presentation + true + + + + + + NONE + NONE + Not used for presentation + true + + + + + + NONE + NONE + Calculated by IM Value * LV Value + + + + \ No newline at end of file From 0ce555dbb1aec529ca02abdb2bb068ff8ecc253f Mon Sep 17 00:00:00 2001 From: nspmx Date: Thu, 4 Jan 2024 16:16:23 -0300 Subject: [PATCH 08/11] update kubernetes workflow to latest version --- .env | 2 +- .gcloudignore | 5 + .../workflows/google-registry-gke-dev.yaml | 198 ++++++++++++++++++ .github/workflows/google-registry-gke.yml | 136 ------------ Dockerfile | 32 ++- cloudbuild.yml | 24 ++- helm/{values.yaml => development.yaml} | 32 +-- 7 files changed, 252 insertions(+), 177 deletions(-) create mode 100644 .gcloudignore create mode 100644 .github/workflows/google-registry-gke-dev.yaml delete mode 100644 .github/workflows/google-registry-gke.yml rename helm/{values.yaml => development.yaml} (75%) diff --git a/.env b/.env index 075bd38..9ac9d4e 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ -TESSERACT_BACKEND=clickhouse://:@:/ +TESSERACT_BACKEND=clickhouse://default:4ZgFMJZNa4s9K7QoUJsUAQMztpd9Bg@34.123.11.240:9000/bls_db TESSERACT_SCHEMA=schema TESSERACT_DEBUG=true diff --git a/.gcloudignore b/.gcloudignore new file mode 100644 index 0000000..ce8a8f6 --- /dev/null +++ b/.gcloudignore @@ -0,0 +1,5 @@ +.git +dist +node_modules +vendor +*.jar \ No newline at end of file diff --git a/.github/workflows/google-registry-gke-dev.yaml b/.github/workflows/google-registry-gke-dev.yaml new file mode 100644 index 0000000..f859d05 --- /dev/null +++ b/.github/workflows/google-registry-gke-dev.yaml @@ -0,0 +1,198 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][DEV] Build API to Registry and Deploy via Helm" + +on: + push: + branches: [ "develop" ] + paths: + - .github/workflows/google-registry-gke-dev.yaml + - helm/development.yaml + - schema/** + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + build: + environment: development + runs-on: ubuntu-latest + if: ${{ !contains(github.event.head_commit.message, '#update') }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: google-github-actions/auth@v2 + with: + project_id: ${{ env.GCP_PROJECT_ID }} + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # Install Cloud SDK + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v1 + with: + install_components: beta + + # Build image on Google Cloud Artifact Registry + - name: Build Docker Image + run: |- + gcloud builds submit \ + --quiet \ + --timeout=40m \ + --config=cloudbuild.yml \ + --substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }} + + deploy: + needs: build + environment: development + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ github.sha }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm + + update: + runs-on: ubuntu-latest + environment: api + if: ${{ contains(github.event.head_commit.message, '#update') }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ github.sha }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm \ No newline at end of file diff --git a/.github/workflows/google-registry-gke.yml b/.github/workflows/google-registry-gke.yml deleted file mode 100644 index 2dec9e3..0000000 --- a/.github/workflows/google-registry-gke.yml +++ /dev/null @@ -1,136 +0,0 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "develop" branch -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled in the project: -# -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create a service account (if you don't have one) with the following fields: -# -# Service Account Name -github-actions -# Service Account ID -github-actions -# -# 3. Ensure the service account have the required IAM permissions granted: -# -# Cloud Build -# roles/cloudbuild.builds.editor (cloud build editor) -# roles/cloudbuild.builds.builder (cloud build service account) -# -# Artifact Registry -# roles/artifactregistry.repoAdmin (artifact registry repository administrator) -# roles/artifactregistry.admin (artifact registry administrator) -# -# Service Account -# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) -# -# Basic Roles -# roles/viewer (viewer) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Ensure you have the following GitHub Secrets and Variables: -# -# GitHub Secrets -# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets -# -# GitHub Variables -# GCP_PROJECT_ID (Google Cloud Project ID) -# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) -# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) -# -# 5. Ensure you have the following GitHub Vatiables for each environment that you will set up: -# -# GitHub Variables -# GCP_IMAGE_NAME (Docker Image Name) -# GKE_APP_NAME (Kubernetes Application Name) -# GKE_APP_RELEASE (Kubernetes Application Release Version) -# GKE_APP_NAMESPACE (Kubernetes Application Namespace) -# GKE_CLUSTER (Kubernetes Cluster Name) -# GKE_ZONE (Kubernetes Cluster Location) -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege -# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun -name: Build to Artifact Registry and Deploy to GKE - -on: - push: - branches: [ "develop" ] - -env: - GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} - GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} - GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} - GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} - GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} - GKE_APP_RELEASE: ${{ vars.GKE_APP_RELEASE }} - GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} - GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} - GKE_ZONE: ${{ vars.GKE_ZONE }} - -jobs: - build: - runs-on: ubuntu-latest - environment: development - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: google-github-actions/auth@v0 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # Build image on Google Cloud Artifact Registry - - name: Build Docker Image - run: |- - gcloud builds submit \ - --quiet \ - --timeout=30m \ - --config=cloudbuild.yml \ - --substitutions=_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GITHUB_SHA=${{ github.sha }} - - # Uncomment for adding the latest tag to the latest image created - - name: Add 'Latest' Tag to Development Environments - run: |- - gcloud beta artifacts docker tags add \ - --quiet \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:latest - - deploy: - needs: build - runs-on: ubuntu-latest - environment: development - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: google-github-actions/auth@v0 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # Get google kubernetes engine credentials - - name: Get GKE Credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - - # Install Helm chart - - name: Helm install - uses: WyriHaximus/github-action-helm3@v2 - with: - exec: helm upgrade --install --create-namespace --namespace ${{ env.GKE_APP_NAMESPACE }} --set app.environment=${{ env.GKE_APP_NAMESPACE }} --set app.release=${{ env.GKE_APP_RELEASE }} --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} --set image.tag=${{ github.sha }} --set nameOverride=${{ env.GKE_APP_NAME }} --set fullnameOverride=${{ env.GKE_APP_NAME }} ${{ env.GKE_APP_NAME }} ./helm --values=./helm/values.yaml \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 8ae5eff..d430ec0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,44 +1,42 @@ FROM python:3.9 -# install required dependencies +# Install api pre requirements RUN pip install -U pip setuptools wheel -# allow statements and log messages to immediately appear in the Knative logs -ENV PYTHONUNBUFFERED True - -# define work directory +# Define api directory ENV APP_HOME /usr/src/app WORKDIR $APP_HOME -# transfer python requirements +# Allow that statements and log messages appear in the Knative logs +ENV PYTHONUNBUFFERED True + +# Transfer api requirements COPY requirements.txt ./ -# install python requirements on environment +# Install api requirements RUN useradd -m -r tesseract &&\ - chown -R tesseract $APP_HOME &&\ + chown tesseract $APP_HOME &&\ pip install --no-cache-dir -r requirements.txt -# transfer app files +# Transfer app files COPY --chown=tesseract:tesseract . . RUN chown -R tesseract $APP_HOME -# define git hash +# Define api required env vars ARG GIT_HASH ENV GIT_HASH=${GIT_HASH:-dev} - -# change user to tesseract user +# Change unix user to tesseract USER tesseract -# expose the required port +# Expose api port ENV PORT 7777 EXPOSE 7777 -# setup host and port for cloudrun +# Setup host and port +# Uncomment this line for a cloudrun instance #ENV HOST 0.0.0.0 -# define startup commands -# CMD ["python", "app.py"] - +# Define startup commands CMD ["app.py"] ENTRYPOINT ["python"] \ No newline at end of file diff --git a/cloudbuild.yml b/cloudbuild.yml index eb26c74..8d44495 100644 --- a/cloudbuild.yml +++ b/cloudbuild.yml @@ -1,9 +1,19 @@ steps: # [START cloudbuild_image_yaml] - # Docker Build using Kaniko Cache (Google) - - name: 'gcr.io/kaniko-project/executor:latest' - args: - - --destination=$_GCP_ARTIFACT_REGISTRY_LOCATION-docker.pkg.dev/$_GCP_PROJECT_ID/$_GCP_ARTIFACT_REGISTRY_NAME/$_GCP_IMAGE_NAME:$_GITHUB_SHA - - --cache=true - - --cache-ttl=336h - # [END cloudbuild_image_yaml] \ No newline at end of file + # Start from previous build + - name: "gcr.io/cloud-builders/docker" + entrypoint: "bash" + args: ["-c", "docker pull ${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT} || exit 0"] + # Docker Build + - name: "gcr.io/cloud-builders/docker" + args: [ + "build", + "-t", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_TAG}", + "-t", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}", + "--cache-from", "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}", + "." + ] + # [END cloudbuild_image_yaml] +images: + - "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_TAG}" + - "${_GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${_GCP_PROJECT_ID}/${_GCP_ARTIFACT_REGISTRY_NAME}/${_GCP_IMAGE_NAME}:${_GCP_IMAGE_ENVIRONMENT}" \ No newline at end of file diff --git a/helm/values.yaml b/helm/development.yaml similarity index 75% rename from helm/values.yaml rename to helm/development.yaml index 0794da5..dfbcaae 100644 --- a/helm/values.yaml +++ b/helm/development.yaml @@ -7,18 +7,18 @@ imagePullSecrets: replicaCount: 1 autoscaling: - enabled: false - # minReplicas: 1 - # maxReplicas: 10 - # targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 120 + enabled: true + minReplicas: 1 + maxReplicas: 4 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 120 resources: requests: - cpu: 0.5 - memory: 1Gi + cpu: 500m + memory: 2Gi limits: - cpu: 1 + cpu: 1000m memory: 8Gi livenessProbe: @@ -27,9 +27,9 @@ livenessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 1 readinessProbe: @@ -38,9 +38,9 @@ readinessProbe: path: / port: 7777 scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 10 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 successThreshold: 2 service: @@ -60,8 +60,8 @@ configMap: TESSERACT_DEBUG: "true" TESSERACT_SCHEMA: "schema" -secrets: - TESSERACT_BACKEND: Y2xpY2tob3VzZTovL2RlZmF1bHQ6NFpnRk1KWk5hNHM5SzdRb1VKc1VBUU16dHBkOUJnQGRiLWRldi5kYXRhdXNhLmlvOjkwMDAvYmxzX2Ri +# secrets: +# TESSERACT_BACKEND: ingress: enabled: true From 716a76800b754d0a45aa00ba60d73d406d9440c2 Mon Sep 17 00:00:00 2001 From: nspmx Date: Thu, 4 Jan 2024 16:25:06 -0300 Subject: [PATCH 09/11] #update change environment for update run --- .github/workflows/google-registry-gke-dev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/google-registry-gke-dev.yaml b/.github/workflows/google-registry-gke-dev.yaml index f859d05..c761819 100644 --- a/.github/workflows/google-registry-gke-dev.yaml +++ b/.github/workflows/google-registry-gke-dev.yaml @@ -155,7 +155,7 @@ jobs: update: runs-on: ubuntu-latest - environment: api + environment: development if: ${{ contains(github.event.head_commit.message, '#update') }} steps: - name: Checkout From e9ba04321a21b8bb34f76258d2b2fb96785467b3 Mon Sep 17 00:00:00 2001 From: nspmx Date: Thu, 4 Jan 2024 16:41:11 -0300 Subject: [PATCH 10/11] #update add production environment --- .github/workflows/google-gke-prod.yaml | 135 ++++++++++++++++++++ .github/workflows/google-registry-prod.yaml | 108 ++++++++++++++++ helm/production.yaml | 86 +++++++++++++ 3 files changed, 329 insertions(+) create mode 100644 .github/workflows/google-gke-prod.yaml create mode 100644 .github/workflows/google-registry-prod.yaml create mode 100644 helm/production.yaml diff --git a/.github/workflows/google-gke-prod.yaml b/.github/workflows/google-gke-prod.yaml new file mode 100644 index 0000000..70bab63 --- /dev/null +++ b/.github/workflows/google-gke-prod.yaml @@ -0,0 +1,135 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][PROD] Deploy to GKE via Helm" + +on: + workflow_dispatch: + inputs: + release: + description: 'Production Release Name' + required: true + type: string + update_release: + description: 'Check if you are updating the production release name of the latest image' + required: true + type: boolean + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + deploy: + environment: production + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ vars.GCP_PROJECT_ID }}' + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + # Get google kubernetes engine credentials + - name: Get GKE Credentials + uses: google-github-actions/get-gke-credentials@v2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + + # Retag latest image + - name: Retag Image to Production Release + if: ${{ inputs.update_release }} + run: |- + gcloud beta artifacts docker tags add \ + --quiet \ + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ env.GKE_APP_NAMESPACE }} \ + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ inputs.release }} + + # Transform GitHub secrets to base64 encoded + - name: Set encoded secret values + run: | + echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV + + # Install Helm chart + - name: Helm install + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: | + helm upgrade --install --create-namespace \ + --namespace ${{ env.GKE_APP_NAMESPACE }} \ + --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ + --set app.release=${{ env.GKE_APP_NAMESPACE }} \ + --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ + --set image.tag=${{ github.sha }} \ + --set nameOverride=${{ env.GKE_APP_NAME }} \ + --set fullnameOverride=${{ env.GKE_APP_NAME }} \ + --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ + ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm \ No newline at end of file diff --git a/.github/workflows/google-registry-prod.yaml b/.github/workflows/google-registry-prod.yaml new file mode 100644 index 0000000..0c38772 --- /dev/null +++ b/.github/workflows/google-registry-prod.yaml @@ -0,0 +1,108 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch +# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled in the project: +# +# Cloud Build cloudbuild.googleapis.com +# Kubernetes Engine API container.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create a service account (if you don't have one) with the following fields: +# +# Service Account Name -github-actions +# Service Account ID -github-actions +# +# 3. Ensure the service account have the required IAM permissions granted: +# +# Kubernetes Engine Developer +# roles/container.developer (kubernetes engine developer) +# +# Artifact Registry +# roles/artifactregistry.repoAdmin (artifact registry repository administrator) +# roles/artifactregistry.admin (artifact registry administrator) +# +# Service Account +# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) +# +# Basic Roles +# roles/viewer (viewer) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Ensure you have the following GitHub Secrets and Variables: +# +# GitHub Secrets +# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets +# +# GitHub Variables +# GCP_PROJECT_ID (Google Cloud Project ID) +# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) +# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) +# +# 5. Ensure you have the following GitHub Variables for each environment that you will set up: +# +# GitHub Variables +# GCP_IMAGE_NAME (Docker Image Name) +# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) +# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) +# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) +# GKE_ZONE (Google Kubernetes Engine Cluster Zone) +# +# Further reading: +# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun +name: "[GCP][PROD] Build API to Google Registry" + +on: + push: + branches: [ "main" ] + paths: + - schema/** + +env: + GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} + GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} + GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} + GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} + GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} + GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} + GKE_ZONE: ${{ vars.GKE_ZONE }} + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + +jobs: + build: + environment: production + runs-on: ubuntu-latest + # runs-on: self-hosted + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Authentication via credentials json + - name: Google Auth + id: auth + uses: google-github-actions/auth@v2 + with: + project_id: ${{ env.GCP_PROJECT_ID }} + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # Install Cloud SDK + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v1 + with: + install_components: beta + + # Build image on Google Cloud Artifact Registry + - name: Build Docker Image + run: |- + gcloud builds submit \ + --quiet \ + --timeout=40m \ + --config=cloudbuild.yml \ + --substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }} \ No newline at end of file diff --git a/helm/production.yaml b/helm/production.yaml new file mode 100644 index 0000000..fdda1a8 --- /dev/null +++ b/helm/production.yaml @@ -0,0 +1,86 @@ +image: + pullPolicy: Always + +imagePullSecrets: + - name: github + +replicaCount: 1 + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 4 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 120 + +resources: + requests: + cpu: 500m + memory: 2Gi + limits: + cpu: 1000m + memory: 8Gi + +livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: 7777 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 + successThreshold: 1 + +readinessProbe: + failureThreshold: 3 + httpGet: + path: / + port: 7777 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 30 + successThreshold: 2 + +service: + type: ClusterIP + port: 7777 + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +configMap: + TESSERACT_DEBUG: "true" + TESSERACT_SCHEMA: "schema" + +# secrets: +# TESSERACT_BACKEND: + +ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + acme.cert-manager.io/http01-edit-in-place: "true" + ingress.kubernetes.io/ssl-redirect: "true" + nginx.org/proxy-connect-timeout: "120s" + nginx.org/proxy-read-timeout: "120s" + nginx.org/proxy-buffers: "8 16k" + nginx.org/proxy-buffer-size: "16k" + nginx.org/proxy-busy-buffers-size: "64k" + nginx.org/location-snippets: | + add_header Access-Control-Allow-Origin *; + hosts: + - host: api-prod.datausa.io + paths: + - / + tls: + - secretName: tesseract-api-ingress-tls + hosts: + - api-prod.datausa.io From df7b00f41085c86257ee26e1f25948c697aebae1 Mon Sep 17 00:00:00 2001 From: nspmx Date: Thu, 4 Jan 2024 17:13:11 -0300 Subject: [PATCH 11/11] update workflows --- .github/workflows/google-gke-prod.yaml | 4 ++-- .github/workflows/google-registry-gke-dev.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/google-gke-prod.yaml b/.github/workflows/google-gke-prod.yaml index 70bab63..7e677f8 100644 --- a/.github/workflows/google-gke-prod.yaml +++ b/.github/workflows/google-gke-prod.yaml @@ -128,8 +128,8 @@ jobs: --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ --set app.release=${{ env.GKE_APP_NAMESPACE }} \ --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ - --set image.tag=${{ github.sha }} \ + --set image.tag=${{ inputs.release }} \ --set nameOverride=${{ env.GKE_APP_NAME }} \ --set fullnameOverride=${{ env.GKE_APP_NAME }} \ --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ - ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm \ No newline at end of file + ${{ env.GKE_APP_NAME }} --values=./helm/production.yaml ./helm \ No newline at end of file diff --git a/.github/workflows/google-registry-gke-dev.yaml b/.github/workflows/google-registry-gke-dev.yaml index c761819..2c732ad 100644 --- a/.github/workflows/google-registry-gke-dev.yaml +++ b/.github/workflows/google-registry-gke-dev.yaml @@ -191,7 +191,7 @@ jobs: --set app.environment=${{ env.GKE_APP_NAMESPACE }} \ --set app.release=${{ env.GKE_APP_NAMESPACE }} \ --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ - --set image.tag=${{ github.sha }} \ + --set image.tag=${{ env.GKE_APP_NAMESPACE }} \ --set nameOverride=${{ env.GKE_APP_NAME }} \ --set fullnameOverride=${{ env.GKE_APP_NAME }} \ --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \