Merge pull request #8 from ministryofjustice/LASB-2636

[LASB-2636] CircleCI and Helm config changes
ministryofjustice · Nov 6, 2023 · c5740b6 · c5740b6
2 parents 4a871ef + f1bab79
commit c5740b6
Show file tree

Hide file tree

Showing 19 changed files with 677 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,282 @@
+version: 2.1
+
+orbs:
+  snyk: snyk/snyk@1.4.0
+  aws-cli: circleci/aws-cli@4.0.0
+  aws-ecr: circleci/aws-ecr@8.2.1
+
+_snyk_options: &snyk_options
+  project: "${CIRCLE_PROJECT_REPONAME}/${CIRCLE_BRANCH}"
+  organization: "legal-aid-agency"
+  severity-threshold: "critical"
+  fail-on-issues: true
+  monitor-on-build: false
+  token-variable: SNYK_TOKEN
+  additional-arguments: --policy-path=.snyk
+
+# ------------------
+# EXECUTORS
+# ------------------
+executors:
+  cloud-platform-executor:
+    resource_class: small
+    docker:
+      - image: ministryofjustice/cloud-platform-tools
+    working_directory: ~/laa-crime-application-tracking-service/crime-application-tracking
+  build-executor:
+    docker:
+      - image: cimg/openjdk:21.0.0
+    working_directory: ~/laa-crime-application-tracking-service/crime-application-tracking
+
+# ------------------
+# COMMANDS
+# ------------------
+commands:
+  deploy-to:
+    description: >
+      Deploy image to the specified environment
+    parameters:
+      environment:
+        description: Destination environment
+        type: string
+      token:
+        description: CircleCI Service account token
+        type: string
+    steps:
+      - checkout
+      - run:
+          name: Decrypt secrets
+          command: |
+            echo "${GIT_CRYPT_KEY}" | base64 -d > git-crypt.key
+            git-crypt unlock git-crypt.key
+      - run:
+          name: Authenticate with cluster
+          command: |
+            echo -n ${K8S_CLUSTER_CERT} | base64 -d > ./ca.crt
+            kubectl config set-cluster ${K8S_CLUSTER_NAME} --certificate-authority=./ca.crt --server=https://${K8S_CLUSTER_NAME}
+            kubectl config set-credentials circleci --token=<< parameters.token >>
+            kubectl config set-context ${K8S_CLUSTER_NAME} --cluster=${K8S_CLUSTER_NAME} --user=circleci --namespace=laa-crime-application-tracking-service-<< parameters.environment >>
+            kubectl config use-context ${K8S_CLUSTER_NAME}
+            kubectl --namespace=laa-crime-application-tracking-service-<< parameters.environment >> get pods
+      - run:
+          name: Upgrade helm chart
+          command: |
+            helm upgrade laa-crime-application-tracking-service ./helm_deploy/laa-crime-application-tracking-service/. \
+                          --install --wait \
+                          --namespace=laa-crime-application-tracking-service-<< parameters.environment >> \
+                          --values ./helm_deploy/laa-crime-application-tracking-service/values-<< parameters.environment >>.yaml \
+                          --set image.tag="${CIRCLE_SHA1}"
+
+# ------------------
+# JOBS
+# ------------------
+jobs:
+  build_and_scan:
+    executor: build-executor
+    steps:
+      - checkout:
+          path: ~/laa-crime-application-tracking-service
+      - restore_cache:
+          key: v1-gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
+      - restore_cache:
+          key: v1-gradle-cache-{{ checksum "build.gradle" }}
+      - run:
+          name: Build
+          command: ./gradlew clean build
+      - run:
+          name: Run SonarQube
+          command: ./gradlew sonarqube -Dsonar.projectKey=${SONAR_PROJECT_KEY} -Dsonar.host.url=${SONARQUBE_URL} -Dsonar.organization=${SONAR_ORG}
+      - save_cache:
+          paths:
+            - ~/.gradle/wrapper
+          key: v1-gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
+      - save_cache:
+          paths:
+            - ~/.gradle/caches
+          key: v1-gradle-cache-{{ checksum "build.gradle" }}
+      - persist_to_workspace:
+          root: .
+          paths:
+            - build
+      - store_test_results:
+          path: build/test-results/test
+      - store_artifacts:
+          path: build/test-results/test
+      - store_artifacts:
+          path: build/reports/jacoco/test/html
+      - store_artifacts:
+          path: build/libs
+      - snyk/scan:
+          <<: *snyk_options
+
+  build_scan_and_push_image:
+    executor: build-executor
+    steps:
+      - checkout:
+          path: ~/laa-crime-application-tracking-service
+      - attach_workspace:
+          at: .
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - aws-cli/setup:
+          role_arn: $ECR_ROLE_TO_ASSUME
+          region: $ECR_REGION
+      - run: |
+          aws ecr get-login-password --region $ECR_REGION | docker login --username AWS --password-stdin ${AWS_ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com
+      - run:
+          name: Build docker image
+          command: |
+            docker build \
+            --build-arg COMMIT_ID=${CIRCLE_SHA1} \
+            --build-arg BUILD_TAG=${CIRCLE_SHA1} \
+            --build-arg APP_BRANCH=${CIRCLE_BRANCH} \
+            --build-arg BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%S%z) \
+            -t $AWS_ECR_ACCOUNT_URL/laa-crime-apps-team/laa-crime-application-tracking-service-dev:${CIRCLE_SHA1} .
+      - snyk/scan:
+          docker-image-name: "$AWS_ECR_ACCOUNT_URL/laa-crime-apps-team/laa-crime-application-tracking-service-dev:${CIRCLE_SHA1}"
+          <<: *snyk_options
+      - run:
+          name: Push to ECR
+          command: |
+            docker push "$AWS_ECR_ACCOUNT_URL/laa-crime-apps-team/laa-crime-application-tracking-service-dev:${CIRCLE_SHA1}"
+
+  deploy-dev:
+    executor: cloud-platform-executor
+    steps:
+      - deploy-to:
+          environment: dev
+          token: ${CIRCLE_CI_TOKEN_DEV}
+
+  deploy-test:
+    executor: cloud-platform-executor
+    steps:
+      - deploy-to:
+          environment: test
+          token: ${CIRCLE_CI_TOKEN_TEST}
+
+  deploy-uat:
+    executor: cloud-platform-executor
+    steps:
+      - deploy-to:
+          environment: uat
+          token: ${CIRCLE_CI_TOKEN_UAT}
+
+  deploy-staging:
+    executor: cloud-platform-executor
+    steps:
+      - deploy-to:
+          environment: staging
+          token: ${CIRCLE_CI_TOKEN_STAGING}
+
+  deploy-prod:
+    executor: cloud-platform-executor
+    steps:
+      - deploy-to:
+          environment: prod
+          token: ${CIRCLE_CI_TOKEN_PROD}
+
+# ------------------
+# WORKFLOWS
+# ------------------
+workflows:
+  version: 2
+
+  build-deploy-master:
+    jobs:
+      - build_and_scan:
+          filters:
+            branches:
+              only:
+                - main
+
+      - build_scan_and_push_image:
+          requires:
+            - build_and_scan
+
+      - deploy-dev:
+          requires:
+            - build_scan_and_push_image
+
+      - hold_install_on_test:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-test:
+          requires:
+            - hold_install_on_test
+
+      - hold_install_on_uat:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-uat:
+          requires:
+            - hold_install_on_uat
+
+      - hold_install_on_staging:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-staging:
+          requires:
+            - hold_install_on_staging
+
+      - hold_install_on_prod:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-prod:
+          requires:
+            - hold_install_on_prod
+
+  build-deploy-branch:
+    jobs:
+      - build_and_scan:
+          filters:
+            branches:
+              ignore:
+                - main
+
+      - build_scan_and_push_image:
+          requires:
+            - build_and_scan
+
+      - hold_install_on_dev:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-dev:
+          requires:
+            - hold_install_on_dev
+
+      - hold_install_on_test:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-test:
+          requires:
+            - hold_install_on_test
+
+      - hold_install_on_uat:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-uat:
+          requires:
+            - hold_install_on_uat
+
+      - hold_install_on_staging:
+          type: approval
+          requires:
+            - build_scan_and_push_image
+
+      - deploy-staging:
+          requires:
+            - hold_install_on_staging
diff --git a/helm_deploy/laa-crime-application-tracking-service/.helmignore b/helm_deploy/laa-crime-application-tracking-service/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm_deploy/laa-crime-application-tracking-service/Chart.yaml b/helm_deploy/laa-crime-application-tracking-service/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: laa-crime-application-tracking-service
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.1"
diff --git a/helm_deploy/laa-crime-application-tracking-service/templates/NOTES.txt b/helm_deploy/laa-crime-application-tracking-service/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "laa-crime-application-tracking-service.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "laa-crime-application-tracking-service.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "laa-crime-application-tracking-service.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "laa-crime-application-tracking-service.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/helm_deploy/laa-crime-application-tracking-service/templates/_environment.tpl b/helm_deploy/laa-crime-application-tracking-service/templates/_environment.tpl
@@ -0,0 +1,15 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Environment variables for service containers
+*/}}
+{{- define "laa-crime-application-tracking-service.env-vars" }}
+env:
+  - name: AWS_REGION
+    value: {{ .Values.aws_region }}
+  - name: SENTRY_DSN
+    value: {{ .Values.sentry.dsn }}
+  - name: SENTRY_ENV
+    value: {{ .Values.java.host_env }}
+  - name: SENTRY_SAMPLE_RATE
+    value: {{ .Values.sentry.sampleRate | quote }}
+{{- end -}}