(cicd) install new helm charts when deploying (#743)

* cicd use matrix strategy

* bump ssh-action version

* build and push helm charts in actions

* install helm dependencies during cicd

* fix typo

* inherit secrets

* use configmap and secret for env variables

* quote port

* fix env

* put back metadata

* fix sealed secret

* use a namespace-wide scope

* reduce ready probe delay

* add back placeholder secrets to backend configmap

* use helm registry as source when deploying

* fix indentation

* dont use secret because github action moment

* login to helm in action

* specify chart in deploy script

* dont use secret because github action moment

* only cicd app helm chart

* staging and production

* fix staging

* use helm ugprade

* use helm ugprade

* use quotes around version number

* update comment

* remove nodeenv=development

* refactor deploy step

.github/workflows/cd-dev.yaml

@@ -30,44 +30,32 @@ jobs:
           echo "sha_short=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
 
   build-push:
-    name: Build and Push Images
+    name: Build and Push Images and Charts
     needs: [compute-sha]
     uses: ./.github/workflows/cd.yaml
     with:
-      tag: ${{ needs.compute-sha.outputs.sha_short }}
+      image_tag: ${{ needs.compute-sha.outputs.sha_short }}
+      chart_ver: 0.1.0-dev.${{ needs.compute-sha.outputs.sha_short }}
     secrets: inherit
 
   deploy:
-    name: Deploy with SSH
+    name: SSH and Deploy
     needs: [compute-sha, build-push]
-    runs-on: ubuntu-latest
-    environment: development
-
-    steps:
-      - name: SSH and Helm Install
-        uses: appleboy/[email protected]
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: root
-          key: ${{ secrets.SSH_KEY }}
-          script: |
-            set -e  # Exit immediately if a command fails
-            cd ./infra
-
-            # Uninstall the old helm chart if it exists
-            helm uninstall bt-dev-app-${{ needs.compute-sha.outputs.sha_short }} || true
-
-            # Install new chart
-            helm install bt-dev-app-${{ needs.compute-sha.outputs.sha_short }} ./app --namespace=bt \
-              --set env=dev \
-              --set ttl=${{ inputs.ttl }} \
-              --set-string frontend.image.tag=${{ needs.compute-sha.outputs.sha_short }} \
-              --set-string backend.image.tag=${{ needs.compute-sha.outputs.sha_short }} \
-              --set host=${{ needs.compute-sha.outputs.sha_short }}.stanfurdtime.com \
-              --set mongoUri=mongodb://bt-dev-mongo-mongodb.bt.svc.cluster.local:27017/bt \
-              --set redisUri=redis://bt-dev-redis-master.bt.svc.cluster.local:6379 \
-              --set nodeEnv=development
-
-            # Check container status
-            kubectl rollout status --timeout=180s deployment bt-dev-app-${{ needs.compute-sha.outputs.sha_short }}-backend
-            kubectl rollout status --timeout=180s deployment bt-dev-app-${{ needs.compute-sha.outputs.sha_short }}-frontend
+    uses: ./.github/workflows/deploy.yaml
+    with:
+      environment: development
+      name: bt-dev-app-${{ needs.compute-sha.outputs.sha_short }}
+      version: 0.1.0-dev.${{ needs.compute-sha.outputs.sha_short }}
+      values: |
+        env: dev
+        ttl: ${{ inputs.ttl }}
+        frontend:
+          image:
+            tag: ${{ needs.compute-sha.outputs.sha_short }}
+        backend:
+          image:
+            tag: ${{ needs.compute-sha.outputs.sha_short }}
+        host: ${{ needs.compute-sha.outputs.sha_short }}.dev.stanfurdtime.com
+        mongoUri: mongodb://bt-dev-mongo-mongodb.bt.svc.cluster.local:27017/bt
+        redisUri: redis://bt-dev-redis-master.bt.svc.cluster.local:6379
+    secrets: inherit

.github/workflows/cd-prod.yaml

@@ -1,6 +1,6 @@
 name: Deploy to Production
 
-concurrency: prod
+concurrency: production
 
 on:
   workflow_dispatch:
@@ -16,40 +16,22 @@ jobs:
         run: echo "Passed check"
 
   build-push:
-    name: Build and Push Images
+    name: Build and Push Images and Charts
     needs: [branch-check]
     uses: ./.github/workflows/cd.yaml
     with:
-      tag: prod
+      image_tag: prod
+      chart_ver: "1.0.0"
     secrets: inherit
 
   deploy:
-    name: Deploy with SSH
+    name: SSH and Deploy
     needs: [build-push]
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: SSH and Helm Install
-        uses: appleboy/[email protected]
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: root
-          key: ${{ secrets.SSH_KEY }}
-          script: |
-            set -e  # Exit immediately if a command fails
-            cd ./infra
-
-            # Check if the Helm release exists
-            if helm status bt-prod-app ; then
-              # Restart deployments if the Helm release exists
-              kubectl rollout restart deployment bt-prod-app-backend
-              kubectl rollout restart deployment bt-prod-app-frontend
-            else
-              # Install the Helm release if it doesn't exist
-              helm install bt-prod-app ./app --namespace=bt \
-                --set host=stanfurdtime.com
-            fi
-
-            # Check container status
-            kubectl rollout status --timeout=180s deployment bt-prod-app-backend
-            kubectl rollout status --timeout=180s deployment bt-prod-app-frontend
+    uses: ./.github/workflows/deploy.yaml
+    with:
+      environment: production
+      name: bt-prod-app
+      version: "1.0.0"
+      values: |
+        host: stanfurdtime.com
+    secrets: inherit

.github/workflows/cd-stage.yaml

@@ -1,52 +1,37 @@
 name: Deploy to Staging
 
-concurrency: stage
+concurrency: staging
 
 on:
   push:
     branches: [master, gql]
 
 jobs:
   build-push:
-    name: Build and Push Images
+    name: Build and Push Images and Charts
     uses: ./.github/workflows/cd.yaml
     with:
-      tag: latest
+      image_tag: latest
+      chart_ver: 0.1.0-stage
     secrets: inherit
 
   deploy:
-    name: Deploy with SSH
+    name: SSH and Deploy
     needs: [build-push]
-    runs-on: ubuntu-latest
-    environment: staging
-
-    steps:
-      - name: SSH and Helm Install
-        uses: appleboy/[email protected]
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: root
-          key: ${{ secrets.SSH_KEY }}
-          script: |
-            set -e  # Exit immediately if a command fails
-            cd ./infra
-
-            # Check if the Helm release exists
-            if helm status bt-stage-app ; then
-              # Restart deployments if the Helm release exists
-              kubectl rollout restart deployment bt-stage-app-backend
-              kubectl rollout restart deployment bt-stage-app-frontend
-            else
-              # Install the Helm release if it doesn't exist
-              helm install bt-stage-app ./app --namespace=bt \
-                --set env=stage \
-                --set frontend.image.tag=latest \
-                --set backend.image.tag=latest \
-                --set host=staging.stanfurdtime.com \
-                --set mongoUri=mongodb://bt-stage-mongo-mongodb.bt.svc.cluster.local:27017/bt \
-                --set redisUri=redis://bt-stage-redis-master.bt.svc.cluster.local:6379
-            fi
-
-            # Check container status
-            kubectl rollout status --timeout=180s deployment bt-stage-app-backend
-            kubectl rollout status --timeout=180s deployment bt-stage-app-frontend
+    uses: ./.github/workflows/deploy.yaml
+    with:
+      environment: staging
+      name: bt-stage-app
+      version: 0.1.0-stage
+      values: |
+        env: stage
+        frontend:
+          image:
+            tag: latest
+        backend:
+          image:
+            tag: latest
+        host: staging.stanfurdtime.com
+        mongoUri: mongodb://bt-stage-mongo-mongodb.bt.svc.cluster.local:27017/bt
+        redisUri: redis://bt-stage-redis-master.bt.svc.cluster.local:6379
+    secrets: inherit

.github/workflows/cd.yaml

@@ -1,17 +1,24 @@
-name: Deploy to Development
+name: Build and Push Images and Charts
 
 on:
   workflow_call:
     inputs:
-      tag:
+      image_tag:
         description: "Image build tag"
         required: true
         type: string
+      chart_ver:
+        description: "Chart build tag"
+        required: true
+        type: string
 
 jobs:
-  build-push-backend:
-    name: Build and Push Backend Image
+  build-push-image:
+    name: Build and Push Image
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [backend, frontend]
 
     steps:
       - name: Checkout Repository
@@ -25,24 +32,32 @@ jobs:
 
       - name: Build and Push Image with Tag
         run: |
-          docker build --no-cache --platform=linux/amd64 --target backend-prod --tag "${{ secrets.DOCKER_USERNAME }}/bt-backend:${{ inputs.tag }}" .
-          docker push "${{ secrets.DOCKER_USERNAME }}/bt-backend:${{ inputs.tag }}"
+          docker build --no-cache --platform=linux/amd64 --target ${{ matrix.image }}-prod --tag "${{ secrets.DOCKER_USERNAME }}/bt-${{ matrix.image }}:${{ inputs.image_tag }}" .
+          docker push "${{ secrets.DOCKER_USERNAME }}/bt-${{ matrix.image }}:${{ inputs.image_tag }}"
 
-  build-push-frontend:
-    name: Build and Push Frontend Image
+  build-push-chart:
+    name: Build and Push Helm Chart
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        chart: [app]
 
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
+        with:
+          sparse-checkout: infra
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Build and Push Image with Tag
+      - name: Build and Push Helm Chart
         run: |
-          docker build --no-cache --platform=linux/amd64 --target frontend-prod --tag "${{ secrets.DOCKER_USERNAME }}/bt-frontend:${{ inputs.tag }}" .
-          docker push "${{ secrets.DOCKER_USERNAME }}/bt-frontend:${{ inputs.tag }}"
+          cd ./infra
+          helm registry login registry-1.docker.io -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
+          helm dependency update ${{ matrix.chart }}
+          helm package ${{ matrix.chart }} --version ${{ inputs.chart_ver }}
+          helm push bt-${{ matrix.chart }}-${{ inputs.chart_ver }}.tgz oci://registry-1.docker.io/${{ secrets.DOCKER_USERNAME }}

.github/workflows/deploy.yaml

@@ -0,0 +1,48 @@
+name: SSH and Deploy
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "Github action environment to deploy within"
+        required: true
+        type: string
+      name:
+        description: "Helm chart installation name"
+        required: true
+        type: string
+      version:
+        description: "Helm chart version"
+        required: true
+        type: string
+      values:
+        description: "Helm chart override values (yaml)"
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    name: SSH and Deploy
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: SSH and Helm Install
+        uses: appleboy/[email protected]
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: ${{ secrets.SSH_USERNAME }}
+          key: ${{ secrets.SSH_KEY }}
+          script: |
+            set -e  # Exit immediately if a command fails
+
+            # Upgrade helm chart, or install if not exists
+            helm upgrade ${{ inputs.name }} oci://registry-1.docker.io/octoberkeleytime/bt-app \
+              --install \
+              --version=${{ inputs.version }} \
+              --namespace=bt \
+              --values <(echo "${{ inputs.values }}")
+
+            # Check container status
+            kubectl rollout status --timeout=180s deployment ${{ inputs.name }}-backend
+            kubectl rollout status --timeout=180s deployment ${{ inputs.name }}-frontend

infra/base/templates/certificate.yaml

@@ -11,3 +11,4 @@ spec:
   dnsNames:
     - stanfurdtime.com
     - "*.stanfurdtime.com"
+    - "*.dev.stanfurdtime.com"