bcgov · jlangy · Jan 23, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 21, 2025
diff --git a/.github/workflows/deploy-aggregator.yaml b/.github/workflows/deploy-aggregator.yaml
@@ -0,0 +1,83 @@
+name: Create and publish SSO Aggregator helm chart
+
+on:
+  push:
+    branches:
+    - main
+    - dev
+    paths:
+    - aggregator/**
+    - helm/aggregator/**
+    - .github/workflows/deploy-aggregator.yaml
+
+env:
+  GITHUB_REGISTRY: ghcr.io
+  IMAGE_NAME: bcgov/sso-aggregator
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+
+    - name: Log in to the GitHub Container registry
+      uses: docker/login-action@v2
+      with:
+        registry: ${{ env.GITHUB_REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v4
+      with:
+        images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=sha,format=long
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v3
+      with:
+        context: aggregator
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Set env to Sandbox
+      if: (github.ref == 'refs/heads/dev' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.SANDBOX_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.SANDBOX_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=e4ca1d-prod
+        EOF
+
+    - name: Set env to Production
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.PROD_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.PROD_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=eb75ad-tools
+        EOF
+
+    - name: Authenticate and set context
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+        openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+        namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+
+    - name: Deploy aggregator with Helm chart
+      run: |
+        namespace=${{ env.OPENSHIFT_NAMESPACE }}
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}
+      working-directory: ./helm/aggregator
diff --git a/.github/workflows/deploy-dashboard.yaml b/.github/workflows/deploy-dashboard.yaml
@@ -0,0 +1,56 @@
+name: Publish SSO Grafana helm chart
+
+on:
+  push:
+    branches:
+    - main
+    - dev
+    paths:
+    - helm/grafana/**
+    - .github/workflows/deploy-dashboard.yaml
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+
+    - name: Set env to Sandbox
+      if: (github.ref == 'refs/heads/dev' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.SANDBOX_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.SANDBOX_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=e4ca1d-tools
+        ${{ secrets.GRAFANA_SANDBOX_ENV }}
+        EOF
+
+    - name: Set env to Production
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.PROD_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.PROD_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=eb75ad-tools
+        ${{ secrets.GRAFANA_PROD_ENV }}
+        EOF
+
+    - name: Authenticate and set context
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+        openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+        namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+
+    - name: Deploy aggregator with Helm chart
+      run: |
+        namespace=${{ env.OPENSHIFT_NAMESPACE }}
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}
+      working-directory: ./helm/grafana
diff --git a/.github/workflows/deploy-promtail.yaml b/.github/workflows/deploy-promtail.yaml
@@ -0,0 +1,65 @@
+name: Publish SSO Promtail Instances
+
+on:
+  push:
+    branches:
+    - main
+    - dev
+    paths:
+    - helm/promtail-aggregator/**
+    - helm/promtail-loki/**
+    - .github/workflows/deploy-promtail.yaml
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+
+    - name: Set env to Sandbox
+      if: (github.ref == 'refs/heads/dev' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.SANDBOX_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.SANDBOX_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=e4ca1d
+        ${{ secrets.GRAFANA_SANDBOX_ENV }}
+        EOF
+
+    - name: Set env to Production
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+        OPENSHIFT_TOKEN=${{ secrets.PROD_OPENSHIFT_TOKEN }}
+        OPENSHIFT_SERVER=${{ secrets.PROD_OPENSHIFT_SERVER }}
+        OPENSHIFT_NAMESPACE=eb75ad
+        ${{ secrets.GRAFANA_PROD_ENV }}
+        EOF
+
+    - name: Authenticate and set context
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+        openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+        namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+
+    - name: Deploy aggregator-promtail with Helm chart
+      run: |
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-dev
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-test
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-prod
+      working-directory: ./helm/promtail-aggregator
+
+    - name: Deploy loki-promtail with Helm chart
+      run: |
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-dev
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-test
+        make upgrade NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }}-prod
+      working-directory: ./helm/promtail-loki
diff --git a/.github/workflows/publish-aggregator-image.yml b/.github/workflows/publish-aggregator-image.yml
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -56,7 +56,6 @@ jobs:
     permissions: write-all
     runs-on: ubuntu-20.04
     steps:
-    - uses: hmarr/debug-action@v3
     - uses: actions/checkout@v4
 
     - name: Install asdf
@@ -143,6 +142,7 @@ jobs:
         retention_period="${{env.RETENTION_PERIOD}}"
         subnet_a="${{env.SUBNET_A}}"
         subnet_b="${{env.SUBNET_B}}"
+        loki_tag="${{env.LOKI_TAG}}"
         EOF
 
     - name: Terraform Plan

diff --git a/README.md b/README.md
@@ -50,44 +50,36 @@ Loki has a helm chart for deploying in kubernetes. For the deployment in an ECS
 - Service discovery can be used in ECS to replace services in k8s. Since we cannot use this in the BCGov AWS, it has been replaced with a network load balancer. This is necessary to allow read and write tasks to communicate on port 7946. If not working, you will see "empty ring" errors.
 - ECS does not support config maps. To replace this a custom image was built with custom configuration files. Configurations that will be changed at runtime can set their values with the syntax ${ENV_VAR:-default}, and environment variables can be used to configure them. Values consistent across environments can be hardcoded.
 - The helm chart includes a deployment "gateway". This is an nginx reverse proxy which provides path-based routing to the read and write services. It has been replaced with listener rules on the application load balancer.
+- When deploying locally, you will need to use the values from the [terraform workflow file](/.github/workflows/terraform.yaml#97) to populate a var file, refer to the dev or prod block depending on environment. The secret value loki_auth_token can be found in the tools namespace secret loki-auth-token.
 
 <!-- ![image](https://user-images.githubusercontent.com/36021827/211399712-5bbeaa67-2994-460f-a12b-368b13187cdd.png) -->
 
 ## Deployment
 
-The helm charts for the promtail instances and grafana dashboard can be installed with make commands. These automate adding environment variables from .env files in their directories. See the directory readmes for more information.
+The helm charts for the promtail instances and grafana dashboard can be installed with make commands. These automate adding environment variables from .env files in their directories. See the directory readmes for more information. They will deploy on merge to dev for sandbox, and main for production.
 
 The Loki setup is deployed with terraform into AWS. It deploys automatically on merge to dev/main.
 
-GitHub CD pipeline scripts are triggered based on the directory that has changed; there is a recommended deployment order when deploying the resources for the very first time:
-
-1. `Loki`: deploys the `MinIO` and `Loki` resources, `read`, `write`, and `gateway`.
-1. `Aggregator`: deploys the `Aggregator` and `Compactor` with the `Postgres DB`.
-1. `Grafana`: deploys the `Grafana` dashboard with the two `datasources` configured above.
-1. `Promtail`: deploys the `Promtail` in multiple namespaces to collect the Keycloak disk logs.
+GitHub CD pipeline scripts are triggered based on the directory that has changed; When deploying for the first time you should deploy promtail last, as it will give not found errors until the receiving resources (loki and aggregator) are up and running.
 
 The terraform account for deployment is restricted to the required resource types for this repository. If adding new resources not currently required, you will get a permission denied error. Expand the permissions on the `sso-dashboard-boundary` as needed.
 
+## Service accounts
+
+Service accounts are already generated and added to github secrets, see below for the related OC secret to see the token value. If needing to recreate the service account, see the [service-account-generator directory](/service-account-generator/README.md) for how to do so.
+
 ## GitHub secrets
 
 The following secrets are set in the GitHub secrets of the repository and can be found in [OCP secret](https://console.apps.silver.devops.gov.bc.ca/k8s/ns/6d70e7-tools/secrets/sso-team-sso-dashboard-github-secrets)
 
 ### Sandbox
 
 - `SANDBOX_OPENSHIFT_SERVER`: the OpenShift online server URL.
-- `SANDBOX_OPENSHIFT_TOKEN`: : the OpenShift session token.
-  - please the find the secret in [Sandbox Deployer Secret](https://console.apps.gold.devops.gov.bc.ca/k8s/ns/c6af30-tools/secrets/oc-deployer-token-9tgwm)
-- `SANDBOX_OPENSHIFT_NAMESPACE`: the namespace name to deploy `Grafana`, `Loki`, and `Aggregator`.
-- `SANDBOX_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in `Grafana` and `MinIO` dashboard UI.
-- `SANDBOX_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in `Grafana` and `MinIO` dashboard UI.
-  - please find the integration `#4492 SSO Dashboard` via [CSS app](https://bcgov.github.io/sso-requests)
+- `SANDBOX_OPENSHIFT_TOKEN`: The OpenShift session token. The token can be found in the sso-dashboard-deployer-e4ca1d-token secret in the prod namespace.
+- `GRAFANA_SANDBOX_ENV`: Contains all secrets necessary to deploy grafana as an env file, see [the example env file](/helm/grafana/.env.example) for the list. The values are saved in the openshift secret sso-grafana-env in the tools namespace for reference.
 
 ### Production
 
 - `PROD_OPENSHIFT_SERVER`: the OpenShift online server URL.
-- `PROD_OPENSHIFT_TOKEN`: : the OpenShift session token.
-  - please the find the secret in [Sandbox Deployer Secret](https://console.apps.gold.devops.gov.bc.ca/k8s/ns/eb75ad-tools/secrets/oc-deployer-token-b99cz)
-- `PROD_OPENSHIFT_NAMESPACE`: the namespace name to deploy `Grafana`, `Loki`, and `Aggregator`.
-- `PROD_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in `Grafana` and `MinIO` dashboard UI.
-- `PROD_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in `Grafana` and `MinIO` dashboard UI.
-  - please find the integration `#4492 SSO Dashboard` via [CSS app](https://bcgov.github.io/sso-requests)
+- `PROD_OPENSHIFT_TOKEN`: The OpenShift session token. The token can be found in the sso-dashboard-deployer-eb75ad-token secret in the prod namespace.
+- `GRAFANA_PROD_ENV`: Contains all secrets necessary to deploy grafana as an env file, see [the example env file](/helm/grafana/.env.example) for the list. The values are saved in the openshift secret sso-grafana-env in the tools namespace for reference.
diff --git a/helm/aggregator/Makefile b/helm/aggregator/Makefile
@@ -1,15 +1,13 @@
 SHELL := /usr/bin/env bash
 NAMESPACE=
-IMAGE_TAG=dev
 NAME=sso-aggregator
 
 ifndef NAMESPACE
 $(error NAMESPACE is not set)
 endif
 
 define arguments
-	"${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}.yaml" \
-	--set image.tag="${IMAGE_TAG}"
+	"${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}.yaml"
 endef
 
 .PHONY: helm-dep