staging: argocd ui deployment

.github/workflows/check-generated-values.yml

@@ -0,0 +1,59 @@
+on: push
+name: Check values files
+jobs:
+  diff:
+    runs-on: ubuntu-latest
+    env:
+      TMP_DIR: "/tmp/shared"
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Create directories
+        run: |
+          mkdir -p ~/.local/bin
+          mkdir -p "${TMP_DIR}"
+          chmod 777 "${TMP_DIR}"
+      - name: Create helmfile docker shim
+        run: |
+          docker pull ghcr.io/helmfile/helmfile:latest
+
+          echo 'docker run \
+            --rm \
+            --volume "${TMP_DIR}:${TMP_DIR}" \
+            --volume "${PWD}:/workdir" \
+            --workdir /workdir \
+            --user $(id -u):$(id -g) \
+            ghcr.io/helmfile/helmfile:latest helmfile $*' \
+            | tee ~/.local/bin/helmfile
+
+          chmod +x ~/.local/bin/helmfile
+      - name: Create yq docker shim
+        run: |
+          docker pull mikefarah/yq:latest
+
+          echo 'docker run \
+            --rm \
+            --volume "${TMP_DIR}:${TMP_DIR}" \
+            --volume "${PWD}:/workdir" \
+            --workdir /workdir \
+            --user $(id -u):$(id -g) \
+            mikefarah/yq:latest $*' \
+            | tee ~/.local/bin/yq
+
+          chmod +x ~/.local/bin/yq
+      - name: Diff current values files against generated ones
+        run: >
+          set -x;
+          for ENV_DIR in k8s/argocd/*; do
+            ENV=$(basename "${ENV_DIR}")
+
+            for RELEASE_FILE in "${ENV_DIR}"/*.values.yaml; do
+              RELEASE=$(basename "${RELEASE_FILE}" .values.yaml)
+              TMP_VALUES="${TMP_DIR}"/tmp_"${ENV}.${RELEASE}".yml
+
+              echo "checking $RELEASE_FILE - [$ENV] [$RELEASE]"
+
+              ./bin/generate-values "${ENV}" "${RELEASE}" "${TMP_VALUES}"
+              diff "${TMP_VALUES}" "${RELEASE_FILE}"
+            done
+          done

bin/generate-values

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+function usage() {
+    echo
+    echo "usage: $(basename $0) <environment> <release-name> [output-file-template]"
+    echo
+}
+
+ENVIRONMENT="$1"
+RELEASE="$2"
+
+# absolute path of the wbaas-deploy repository
+ROOT=$(realpath $(dirname $(realpath $BASH_SOURCE))/..)
+OUTPUT_TEMPLATE="${ROOT}/k8s/argocd/${ENVIRONMENT}/${RELEASE}.values.yaml"
+HELMFILE="k8s/helmfile/helmfile.yaml"
+TMP_HELMFILE="$(dirname ${HELMFILE})/.tmp_helmfile.$(mktemp -u XXXXXX).yaml"
+
+if [[ -n "$3" ]]; then
+    OUTPUT_TEMPLATE="$3"
+fi
+
+if [[ ! -e "${HELMFILE}" ]]; then
+    echo "error: helmfile not found: '${HELMFILE}'"
+    usage
+    exit 1 
+fi
+
+if [[ -z "${ENVIRONMENT}" ]]; then
+    echo "error: missing environment"
+    usage
+    exit 2
+fi
+
+if [[ -z "${RELEASE}" ]]; then
+    echo "error: missing release name"
+    usage
+    exit 3
+fi
+
+echo "environment: ${ENVIRONMENT}"
+echo "release: ${RELEASE}"
+
+# modify tmp helmfile by setting each release as "installed", so it always gets processed
+cp "${HELMFILE}" "${TMP_HELMFILE}"
+sed -i 's/installed: .*$/installed: true/g' "${TMP_HELMFILE}"
+
+helmfile \
+    --file "${TMP_HELMFILE}" \
+    --environment "${ENVIRONMENT}" \
+    --selector name="${RELEASE}" \
+    --output-file-template "${OUTPUT_TEMPLATE}" \
+    --skip-deps \
+    write-values
+
+rm "${TMP_HELMFILE}"
+
+# fix indentation in output file for yamllint action
+yq -I 2 -i "${OUTPUT_TEMPLATE}"

charts/argocd-apps/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: argocd-apps
+description: Chart to deploy WBaaS apps in an "app-of-apps" pattern via ArgoCD
+type: application
+version: 0.1.0
+appVersion: "1.0"

charts/argocd-apps/templates/wbaas-ui.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ui
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: default
+    server: {{ .Values.clusterUrl }}
+  project: {{ .Values.environment }}
+  sources:
+    - repoURL: {{ .Values.repoUrls.charts }}
+      path: charts/ui
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/k8s/argocd/{{ .Values.environment }}/ui.values.yaml
+    - repoURL: {{ .Values.repoUrls.deploy }}
+      targetRevision: de/argo-ui-simple
+      ref: values
+
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true

charts/argocd-apps/values.yaml

@@ -0,0 +1,3 @@
+clusterUrl: https://kubernetes.default.svc
+
+# "inherits" values from argocd-config chart

charts/argocd-config/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/argocd-config/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: argocd-apps
+description: Chart to deploy ArgoCD configuration (including the argocd-apps chart)
+type: application
+version: 0.1.0
+appVersion: "1.0"

charts/argocd-config/templates/app-of-apps.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: app-of-apps
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  project: {{ .Values.environment }}
+  source:
+    path: charts/argocd-apps
+    repoURL: {{ .Values.repoUrls.deploy }}
+    targetRevision: de/argo-ui-simple # debug! needs to be set to HEAD
+    helm:
+      values: |
+{{ toYaml .Values | indent 8 }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

charts/argocd-config/templates/projects.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: {{ .Values.environment }}
+spec:
+  description: The {{ .Values.environment }} deployment of wikibase.cloud
+  destinations:
+  - name: in-cluster-default
+    namespace: default
+    server: https://kubernetes.default.svc
+  - name: in-cluster-argocd
+    namespace: argocd
+    server: https://kubernetes.default.svc
+  sourceRepos:
+  - {{ .Values.repoUrls.deploy }}
+  - {{ .Values.repoUrls.charts }}

charts/argocd-config/values.yaml

@@ -0,0 +1,5 @@
+environment: production
+
+repoUrls:
+  deploy: https://github.com/wmde/wbaas-deploy
+  charts: https://github.com/wbstack/charts.git

k8s/argocd/local/ui.values.yaml

@@ -0,0 +1,29 @@
+image:
+  tag: sha-a678a06
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  enabled: true
+  hosts:
+    - host: www.wbaas.localhost
+      paths:
+        - /*
+  tls: null
+podLabels:
+  sidecar.istio.io/inject: "true"
+resources:
+  limits:
+    cpu: 10m
+    memory: 20Mi
+  requests:
+    cpu: 1m
+    memory: 6Mi
+ui:
+  apiUrl: http://api.wbaas.localhost
+  cnameConfigMapKey: cname_record
+  configMapName: wbaas-ui-config
+  recaptchaSitekeySecretKey: site_key
+  recaptchaSitekeySecretName: recaptcha-v3-secrets
+  subdomainSuffix: .wbaas.localhost

k8s/argocd/production/ui.values.yaml

@@ -0,0 +1,32 @@
+image:
+  tag: sha-a678a06
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  enabled: true
+  hosts:
+    - host: www.wikibase.cloud
+      paths:
+        - /*
+  tls:
+    - hosts:
+        - www.wikibase.cloud
+      secretName: wikibase-production-tls
+podLabels:
+  sidecar.istio.io/inject: "true"
+resources:
+  limits:
+    cpu: 10m
+    memory: 20Mi
+  requests:
+    cpu: 1m
+    memory: 6Mi
+ui:
+  apiUrl: https://api.wikibase.cloud
+  cnameConfigMapKey: cname_record
+  configMapName: wbaas-ui-config
+  recaptchaSitekeySecretKey: site_key
+  recaptchaSitekeySecretName: recaptcha-v3-secrets
+  subdomainSuffix: .wikibase.cloud

k8s/argocd/staging/ui.values.yaml

@@ -0,0 +1,32 @@
+image:
+  tag: sha-a678a06
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  enabled: true
+  hosts:
+    - host: www.wikibase.dev
+      paths:
+        - /*
+  tls:
+    - hosts:
+        - www.wikibase.dev
+      secretName: wikibase-dev-tls
+podLabels:
+  sidecar.istio.io/inject: "true"
+resources:
+  limits:
+    cpu: 10m
+    memory: 20Mi
+  requests:
+    cpu: 1m
+    memory: 6Mi
+ui:
+  apiUrl: https://api.wikibase.dev
+  cnameConfigMapKey: cname_record
+  configMapName: wbaas-ui-config
+  recaptchaSitekeySecretKey: site_key
+  recaptchaSitekeySecretName: recaptcha-v3-secrets
+  subdomainSuffix: .wikibase.dev

k8s/helmfile/env/local/argocd-config.values.yaml.gotmpl

@@ -0,0 +1,2 @@
+environment: local
+

k8s/helmfile/env/production/argocd-config.values.yaml.gotmpl

@@ -0,0 +1,2 @@
+environment: production
+

k8s/helmfile/env/staging/argocd-config.values.yaml.gotmpl

@@ -0,0 +1,2 @@
+environment: staging
+

k8s/helmfile/helmfile.yaml

@@ -104,6 +104,12 @@ releases:
   ################################
   # ALL ENVIRONMENTS
   ################################
+  - name: argocd-config
+    namespace: argocd
+    chart: ../../charts/argocd-config
+    installed: {{ ne .Environment.Name "production" | toYaml }}
+    <<: *default_release
+
   - name: redirects
     namespace: default
     chart: ./../../charts/redirects
@@ -159,6 +165,7 @@ releases:
     <<: *default_release
 
   - name: ui
+    installed: {{ eq .Environment.Name "production" | toYaml }}
     namespace: default
     chart: wbstack/ui
     version: 0.3.1