vimeda · kieranajp · Oct 8, 2024 · Oct 9, 2024 · Oct 31, 2024 · Nov 5, 2024
diff --git a/.github/workflows/crossplane-release.yaml b/.github/workflows/crossplane-release.yaml
@@ -0,0 +1,167 @@
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      service_name:
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+jobs:
+  crossplane-terraform:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      -
+        name: Checkout shared-actions
+        uses: actions/checkout@v4
+        with:
+          repository: vimeda/shared-actions
+          path: ./scripts
+          ref: feature/shared-crossplane
+      -
+        name: Checkout service
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          path: ./scripts/${{ inputs.service_name }}
+      -
+        name: Install yq
+        uses: chrisdickinson/setup-yq@v1.0.1
+        with:
+          yq-version: v4.25.3
+      -
+        name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-kubernetes-role
+          role-session-name: ga-${{ inputs.service_name }}
+          aws-region: eu-central-1
+      -
+        name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ~1.9
+
+      #build lambdas zip or lambda docker images
+
+      - name: Build lambdas
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        run: cd  ${{ github.workspace }} &&  make lambda
+        env:
+          GITHUB_TOKEN: ${{ secrets.GB_TOKEN_PRIVATE }}
+          GOPRIVATE: "github.com/vimeda/*"
+
+      - name: Upload Build Artifacts
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        uses: actions/upload-artifact@v4
+        with:
+          name: srv-lambdas
+          path: ${{ github.workspace }}/dist/*
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        with:
+          name: srv-lambdas
+          path: ${{ github.workspace }}/dist
+
+      - name: Display structure of downloaded files
+        if: ${{env.run_zip_lambda_workflow_step == true}}
+        run: ls -R
+        working-directory: ${{ steps.download.outputs.download-path }}
+        env:
+          run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }}
+
+      - name: Push all functions to Bucket
+        if: ${{env.run_zip_lambda_workflow_step == true}}
+        run: |
+          cd ${{ github.workspace }}/dist && ls
+          for file in "./"/*lambda.zip
+          do
+            filename=$(basename "$file" .zip)
+            function_name=${filename%_lambda}
+            aws s3 cp "$file" "s3://${{inputs.env}}-lykon-lambdas/${{ github.event.repository.name}}/$function_name.zip"
+          done
+        env:
+          run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }}
+
+      #apply terraform
+
+      -
+        name: Terraform Init
+        working-directory: ./scripts/crossplane
+        run: |
+          terraform init \
+            -backend-config="region=eu-central-1" \
+            -backend-config="bucket=terraform-eks" \
+            -backend-config="key=crossplane/${{ inputs.environment }}/${{ inputs.service_name }}"
+
+      -
+        name: Terraform Validate
+        working-directory: ./scripts/crossplane
+        run: |
+          terraform validate -no-color
+      -
+        name: Verify Kubeconfig
+        working-directory: ./scripts/crossplane
+        run: |
+          if [ -z "$KUBECONFIG" ]; then
+            echo "Error: KUBECONFIG environment variable is not set"
+            exit 1
+          fi
+
+          # Test if we can connect to the cluster using the kubeconfig directly
+          if ! echo "$KUBECONFIG" | base64 -d | kubectl --kubeconfig=/dev/stdin cluster-info; then
+            echo "Error: Unable to connect to Kubernetes cluster"
+            exit 1
+          fi
+
+          echo "Kubeconfig verification successful"
+        env:
+          KUBECONFIG: ${{ secrets.PRD_KUBECONFIG }}
+
+      - name: Terraform
+        working-directory: ./scripts/crossplane
+        run: |
+          # Create and decode kubeconfig
+          echo "${{ secrets.PRD_KUBECONFIG }}" | base64 -d > ${{ github.workspace }}/kubeconfig.yaml
+          chmod 600 ${{ github.workspace }}/kubeconfig.yaml
+
+          # Set KUBECONFIG environment variable
+          export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml
+
+          # Verify kubectl can connect to the cluster
+          kubectl cluster-info
+
+          # Create provider configuration file
+          cat > provider.tf << EOF
+          provider "kubectl" {
+            config_path = "${{ github.workspace }}/kubeconfig.yaml"
+            apply_retry_count      = 5
+            load_config_file       = true
+          }
+          EOF
+
+          # Run terraform apply
+          terraform apply -auto-approve -no-color \
+            -var-file=${{ inputs.environment }}.tfvars \
+            -var="commit_hash=${{ github.sha }}" \
+            -var="service_name=${{ inputs.service_name }}"
+        env:
+          TF_WORKSPACE: ${{ inputs.environment }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PROD_ONEPASSWORD_SERVICEACCOUNT_TOKEN }}
+          AWS_DEFAULT_REGION: eu-central-1
+
+
diff --git a/.github/workflows/crossplane.yaml b/.github/workflows/crossplane.yaml
@@ -0,0 +1,138 @@
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      service_name:
+        required: true
+        type: string
+      run_zip_lambda_workflow_step:
+        type: boolean
+        default:  false
+      role_name:
+        type: string
+        default: 'github-actions-kubernetes-role'
+      role_session_name:
+        type: string
+        default: 'ga-kubernetes'
+
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+jobs:
+  crossplane-terraform:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      -
+        name: Checkout shared-actions
+        uses: actions/checkout@v4
+        with:
+          repository: vimeda/shared-actions
+          path: ./scripts
+          ref: feature/shared-crossplane
+      -
+        name: Checkout service
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          path: ./scripts/${{ inputs.service_name }}
+      -
+        name: Install yq
+        uses: chrisdickinson/setup-yq@v1.0.1
+        with:
+          yq-version: v4.25.3
+      -
+        name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.role_name }}
+          role-session-name: ${{ inputs.role_session_name }}
+          aws-region: eu-central-1
+      -
+        name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ~1.9
+
+      #build lambdas zip or lambda docker images
+
+      - name: Build lambdas
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        run: cd  ${{ github.workspace }} &&  make lambda
+        env:
+          GITHUB_TOKEN: ${{ secrets.GB_TOKEN_PRIVATE }}
+          GOPRIVATE: "github.com/vimeda/*"
+
+      - name: Upload Build Artifacts
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        uses: actions/upload-artifact@v4
+        with:
+          name: srv-lambdas
+          path: ${{ github.workspace }}/dist/*
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: ${{inputs.run_zip_lambda_workflow_step == true}}
+        with:
+          name: srv-lambdas
+          path: ${{ github.workspace }}/dist
+
+      - name: Display structure of downloaded files
+        if: ${{env.run_zip_lambda_workflow_step == true}}
+        run: ls -R
+        working-directory: ${{ steps.download.outputs.download-path }}
+        env:
+          run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }}
+
+      - name: Push all functions to Bucket
+        if: ${{env.run_zip_lambda_workflow_step == true}}
+        run: |
+          cd ${{ github.workspace }}/dist && ls
+          for file in "./"/*lambda.zip
+          do
+            filename=$(basename "$file" .zip)
+            function_name=${filename%_lambda}
+            aws s3 cp "$file" "s3://${{inputs.env}}-lykon-lambdas/${{ github.event.repository.name}}/$function_name.zip"
+          done
+        env:
+            run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }}
+
+      #apply terraform
+
+      -
+        name: Terraform Init
+        working-directory: ./scripts/crossplane
+        run: |
+          terraform init \
+            -backend-config="region=eu-central-1" \
+            -backend-config="bucket=terraform-eks" \
+            -backend-config="key=crossplane/${{ inputs.environment }}/${{ inputs.service_name }}"
+
+      -
+        name: Terraform Validate
+        working-directory: ./scripts/crossplane
+        run: |
+          terraform validate -no-color
+      -
+        name: Terraform
+        working-directory: ./scripts/crossplane
+        run: |
+          echo "${{ secrets.STG_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml
+          export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml
+          terraform apply -auto-approve -no-color \
+          -var-file=${{ inputs.environment }}.tfvars \
+          -var="commit_hash=${{ github.sha }}" \
+          -var="service_name=${{ inputs.service_name }}"
+        env:
+          TF_WORKSPACE: ${{ inputs.environment }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.STAGING_ONEPASSWORD_SERVICEACCOUNT_TOKEN }}
diff --git a/.github/workflows/kubeconfig b/.github/workflows/kubeconfig
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+
+clusters:
+- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+  cluster:
+    server: https://6FAE7EA31F6ABDC83D35085CD36856A9.gr7.eu-central-1.eks.amazonaws.com
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJZXBDbzlyUGFBN1V3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBME1ETXhOekk1TlRGYUZ3MHpOVEEwTURFeE56TTBOVEZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURsYXRxcENFaHhjNHZuR1Q2U3htbzcwY3pFZ0M2Nm5TR2NwaDdNeTl4Njg4UTZTSWV6MFFyTnNPM3IKdExjaGRsaWtpREdZU1RwK2dmUlVNWDN5UjdYVTVyTHVEaktWWkh1N21XTTR4RFEwenhkNlVKcGd5NFRzK0kvbwpmc0NESnZoOUdtRjk4Z2kxdTdvTnorU0d3OXdFd3U1MzJsbEVtUXRTclpSemZuNHFYOUk1b1hRSXB0dkd3ekxXCk1ON0RmSjVTTGZIWlloblZPTmJUeCtQOWN4QW0yMXhVdGRYUlFIaXRJbklxZnFsTlhsYWlLbWlwQUNNRlJtazQKeTFETElVM1lWZDk0eGtJcDlVTFdMTnRjZ2NtWEdvZUMyMGhDUXJnRkJWaC9LRlNlQmNkOWQ2eVdySjFhVCtKUgovWEJTa1BvMWNBMDBjYy9jajNjWjVhZ3ozSXEvQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSeUF5aGd2Rm1LY2plTFcvNUNia0M0R2hYUFVEQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ0VQNUVzc0pnMAo5VW03TkZId0FRN0JWdCs0VWJkR3VQZEdaU0JDVWFwS1pCN05tUlFKdGtac05oRHJkQngydlpGZjVDWm1iUzB1CkhrRVJpSjc3K2hweWtuSEVKZmdyMjV0NWZ1cFBUdXRWU3V6ZTBicEJFMmZheEZpQy9kQlQ5bjBlK2lRVnd0SUkKemxGbVZBQUVRU2VSQjNqdFhFTk1CSUdOSXhoSUw4ZGRPVnFLQmdRWm9tZGlvdzhRRVRYV29iSzZLM3ZUVmRKcwozYmVUZ204NTZYdnRuSGtWM0JmTTFRK1dMTm1DYlYzeS9SODBHd3drQXJaK01VN2J1Q1hOUkhqem9qTkx0UEdTCmk3cjdZVmlUenlvTHFubVBub3N6VFZzTVh4YWxLelNnSGlQOGxFNUhWM2xQYm9TeUFnMm13ZEVVRFQ2ZkFzb0cKK2ROY1BBUnNwVUpvCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+
+contexts:
+- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+  context:
+    cluster: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+    user: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+
+users:
+- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: aws
+      args:
+        - --region
+        - eu-central-1
+        - eks
+        - get-token
+        - --cluster-name
+        - prd-eks-v2
diff --git a/.github/workflows/main-deploy.yaml b/.github/workflows/main-deploy.yaml
@@ -78,4 +78,4 @@ jobs:
         release: ${{ inputs.release_name }}
         namespace: ${{ inputs.namespace }}
       env:
-        KUBECONFIG_FILE: ${{ secrets.STAGING_KUBECONFIG }}
+        KUBECONFIG_FILE: ${{ secrets.STG_KUBECONFIG }}