Move to GitHub Actions for deployments; other deployment updates/cleanup

.dockerignore

@@ -1,4 +1,4 @@
-.git
+.git*
 env/
 *.pyc
 *.rdb
@@ -14,3 +14,6 @@ Jenkinsfile
 werf.yaml
 **/*.dylib
 **/*.dll
+Dockerfile*
+.dockerignore
+/config/deploy

.env.example

@@ -0,0 +1,3 @@
+# Get your individual key from here: https://developer.nlr.gov/signup/ and
+# replace the DEMO_KEY with that
+NLR_API_KEY=DEMO_KEY

.github/workflows/deploy.yml

@@ -0,0 +1,115 @@
+name: Deploy
+
+on:
+  push:
+    branches: "**"
+  pull_request:
+    types:
+      - closed
+      - labeled
+      - reopened
+      - unlabeled
+  workflow_dispatch:
+
+concurrency:
+  # Concurrency group is more complicated in this case because:
+  # 1. This gets triggered by both `push` and `pull_request` label events, so
+  #    both should use the same git head ref (and not `github.ref`, which may
+  #    be different for PRs).
+  # 2. Our own deploy process may trigger an `unlabeled` event for removing the
+  #    db-restore label, so separate that so that doesn't cause the previous
+  #    deploy that was finishing up to be canceled.
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}${{ github.event.action == 'unlabeled' && github.event.label.name == 'deploy-db-restore' && '-removing-ephemeral-label' || '' }}
+  cancel-in-progress: true
+
+jobs:
+  deploy-metadata:
+    name: Deploy Metadata
+    runs-on: self-hosted
+    outputs:
+      staging-perform-deploy: ${{ steps.staging-metadata.outputs.perform-deploy }}
+      staging-perform-undeploy: ${{ steps.staging-metadata.outputs.perform-undeploy }}
+      staging-metadata: ${{ toJSON(steps.staging-metadata.outputs) }}
+      production-perform-deploy: ${{ steps.production-metadata.outputs.perform-deploy }}
+      production-metadata: ${{ toJSON(steps.production-metadata.outputs) }}
+    steps:
+      - name: Import vault nonsensitive secrets
+        id: vault-nonsensitive-secrets
+        uses: TADA/vault-action/nonsensitive-secrets@v1
+        with:
+          template: |
+            {{ with (datasource "vault" "reopt-api/ci/deploy").data }}
+              {{ $secrets = coll.Merge (coll.Dict
+                "container_registry" .container_registry
+                "production_rancher_project_id" .production_rancher_project_id
+                "production_url_host" .production_url_host
+                "staging_rancher_project_id" .staging_rancher_project_id
+                "staging_url_host_base" .staging_url_host_base
+              ) $secrets }}
+            {{ end }}
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+
+      - name: Staging Metadata
+        id: staging-metadata
+        uses: TADA/deploy-action/metadata@v2
+        with:
+          deploy-env: staging
+          app-name: reopt-api
+          rancher-project-id: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).staging_rancher_project_id }}
+          registry: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).container_registry }}
+          branch-url-host-base: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).staging_url_host_base }}
+          branch-db-name-base: reopt_api_staging
+
+      - name: Production Metadata
+        id: production-metadata
+        uses: TADA/deploy-action/metadata@v2
+        with:
+          deploy-env: production
+          app-name: reopt-api
+          rancher-project-id: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).production_rancher_project_id }}
+          registry: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).container_registry }}
+          branch-url-host-base: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).production_url_host }}
+
+  undeploy-staging:
+    name: Undeploy Staging
+    needs:
+      - deploy-metadata
+    if: ${{ needs.deploy-metadata.outputs.staging-perform-undeploy == 'true' }}
+    uses: TADA/deploy-action/.github/workflows/undeploy-branch.yml@v2
+    with:
+      metadata: ${{ needs.deploy-metadata.outputs.staging-metadata }}
+      vault-kubeconfig-path: secret/data/deploy/staging/on-prem-rancher-test-ponderosa-cluster-test-reopt
+      vault-db-superuser-path: secret/data/reopt-db/staging/db-superuser
+    secrets:
+      vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+      vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+
+  deploy-staging:
+    name: Deploy Staging
+    needs:
+      - deploy-metadata
+    if: ${{ needs.deploy-metadata.outputs.staging-perform-deploy == 'true' }}
+    uses: TADA/deploy-action/.github/workflows/deploy.yml@v2
+    with:
+      metadata: ${{ needs.deploy-metadata.outputs.staging-metadata }}
+      vault-registry-credentials-path: secret/data/deploy/common/aws-ecr
+      vault-kubeconfig-path: secret/data/deploy/staging/on-prem-rancher-test-ponderosa-cluster-test-reopt
+    secrets:
+      vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+      vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+
+  deploy-production:
+    name: Deploy Production
+    needs:
+      - deploy-metadata
+      - deploy-staging
+    if: ${{ needs.deploy-metadata.outputs.production-perform-deploy == 'true' }}
+    uses: TADA/deploy-action/.github/workflows/deploy.yml@v2
+    with:
+      metadata: ${{ needs.deploy-metadata.outputs.production-metadata }}
+      vault-registry-credentials-path: secret/data/deploy/common/aws-ecr
+      vault-kubeconfig-path: secret/data/deploy/production/on-prem-rancher-ponderosa-cluster-reopt
+    secrets:
+      vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+      vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}

.github/workflows/prune-deploy-images.yml

@@ -0,0 +1,51 @@
+name: Prune Deploy Images
+
+on:
+  schedule:
+    - cron: "6 6 * * *" # Every day at 11:06 PM MST / 12:06 AM MDT
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  vault-nonsensitive-secrets:
+    name: Vault Non-Sensitive Secrets
+    runs-on: self-hosted
+    outputs:
+      nonsensitive-secrets: ${{ steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets }}
+    steps:
+      - name: Import vault nonsensitive secrets
+        id: vault-nonsensitive-secrets
+        uses: TADA/vault-action/nonsensitive-secrets@v1
+        with:
+          template: |
+            {{ with (datasource "vault" "reopt-api/ci/deploy").data }}
+              {{ $secrets = coll.Merge (coll.Dict
+                "container_registry" .container_registry
+                "production_rancher_project_id" .production_rancher_project_id
+                "staging_rancher_project_id" .staging_rancher_project_id
+              ) $secrets }}
+            {{ end }}
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+
+  prune-images:
+    name: Prune Deploy Images
+    uses: TADA/deploy-action/.github/workflows/prune-deploy-images.yml@v2
+    needs:
+      - vault-nonsensitive-secrets
+    with:
+      vault-registry-credentials-path: secret/data/deploy/common/aws-ecr
+      registry: ${{ fromJSON(needs.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).container_registry }}
+      images: |
+        tada/reopt-api
+      clusters: |
+        - vault-kubeconfig-path: secret/data/deploy/staging/on-prem-rancher-test-ponderosa-cluster-test-reopt
+          rancher-project-id: ${{ fromJSON(needs.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).staging_rancher_project_id }}
+        - vault-kubeconfig-path: secret/data/deploy/production/on-prem-rancher-ponderosa-cluster-reopt
+          rancher-project-id: ${{ fromJSON(needs.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).production_rancher_project_id }}
+    secrets:
+      vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+      vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}

.github/workflows/pull_request_tests.yml

@@ -17,17 +17,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2      
-      # - name: Decrypt
-      #   env:
-      #     TRANSCRYPT_PASSWORD: ${{ secrets.TRANSCRYPT_PASSWORD }}
-      #   run: ./.github/scripts/decrypt.sh 
-      - name: Make keys.py
-        env:
-          NREL_DEV_API_KEY: ${{ secrets.NREL_DEV_API_KEY }}
-        run: ./.github/scripts/make_keys.py.sh 
+      - uses: actions/checkout@v5
       - name: Build containers
         run: docker compose up -d
+        env:
+          NLR_API_KEY: ${{ secrets.NREL_DEV_API_KEY }}
       - name: Check running containers
         run: docker ps -a
       - name: Wait for julia_api

.github/workflows/push_tests.yml

@@ -13,17 +13,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
-      # - name: Decrypt
-      #   env:
-      #     TRANSCRYPT_PASSWORD: ${{ secrets.TRANSCRYPT_PASSWORD }}
-      #   run: ./.github/scripts/decrypt.sh 
-      - name: Make keys.py
-        env:
-          NREL_DEV_API_KEY: ${{ secrets.NREL_DEV_API_KEY }}
-        run: ./.github/scripts/make_keys.py.sh 
+      - uses: actions/checkout@v5
       - name: Build containers
         run: docker compose up -d
+        env:
+          NLR_API_KEY: ${{ secrets.NREL_DEV_API_KEY }}
       - name: Check running containers
         run: docker ps -a
       - name: Wait for julia_api

.github/workflows/restart-celery-julia.yml

@@ -0,0 +1,118 @@
+name: Restart Celery & Julia
+
+on:
+  schedule:
+    - cron: "23 8 * * *" # Every day at 01:23 AM MST / 02:23 AM MDT
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  deploy-metadata:
+    name: Deploy Metadata
+    runs-on: self-hosted
+    outputs:
+      ci-deploy-image: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).ci_deploy_image }}
+      staging-perform-deploy: ${{ steps.staging-metadata.outputs.perform-deploy }}
+      staging-perform-undeploy: ${{ steps.staging-metadata.outputs.perform-undeploy }}
+      staging-metadata: ${{ toJSON(steps.staging-metadata.outputs) }}
+      production-perform-deploy: ${{ steps.production-metadata.outputs.perform-deploy }}
+      production-metadata: ${{ toJSON(steps.production-metadata.outputs) }}
+    steps:
+      - name: Import vault nonsensitive secrets
+        id: vault-nonsensitive-secrets
+        uses: TADA/vault-action/nonsensitive-secrets@v1
+        with:
+          template: |
+            {{ with (datasource "vault" "reopt-api/ci/deploy").data }}
+              {{ $secrets = coll.Merge (coll.Dict
+                "ci_deploy_image" .ci_deploy_image
+                "container_registry" .container_registry
+                "production_rancher_project_id" .production_rancher_project_id
+                "production_url_host" .production_url_host
+                "staging_rancher_project_id" .staging_rancher_project_id
+                "staging_url_host_base" .staging_url_host_base
+              ) $secrets }}
+            {{ end }}
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+
+      - name: Staging Metadata
+        id: staging-metadata
+        uses: TADA/deploy-action/metadata@v2
+        with:
+          deploy-env: staging
+          app-name: reopt-api
+          rancher-project-id: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).staging_rancher_project_id }}
+          registry: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).container_registry }}
+          branch-url-host-base: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).staging_url_host_base }}
+          branch-db-name-base: reopt_api_staging
+
+      - name: Production Metadata
+        id: production-metadata
+        uses: TADA/deploy-action/metadata@v2
+        with:
+          deploy-env: production
+          app-name: reopt-api
+          rancher-project-id: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).production_rancher_project_id }}
+          registry: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).container_registry }}
+          branch-url-host-base: ${{ fromJSON(steps.vault-nonsensitive-secrets.outputs.nonsensitive-secrets).production_url_host }}
+
+  restart-staging:
+    name: Restart Staging
+    needs:
+      - deploy-metadata
+    if: ${{ needs.deploy-metadata.outputs.staging-perform-deploy == 'true' }}
+    runs-on: self-hosted
+    container:
+      image: ${{ needs.deploy-metadata.outputs.ci-deploy-image }}
+    env:
+      NODE_OPTIONS: --use-openssl-ca
+    steps:
+      - name: Kubernetes config setup
+        uses: TADA/deploy-action/kubeconfig@v2
+        with:
+          vault-kubeconfig-path: secret/data/deploy/staging/on-prem-rancher-test-ponderosa-cluster-test-reopt
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+          rancher-project-id: ${{ fromJSON(needs.deploy-metadata.outputs.staging-metadata).rancher-project-id }}
+      - name: Rollout restart
+        env:
+          app_namespace: "${{ fromJSON(needs.deploy-metadata.outputs.staging-metadata).app-namespace }}"
+        run: |
+          set -x
+          kubectl -n "$app_namespace" rollout restart deployment/celery-deployment
+          kubectl -n "$app_namespace" rollout status deployment/celery-deployment --timeout=10m
+          kubectl -n "$app_namespace" rollout restart deployment/julia-deployment
+          kubectl -n "$app_namespace" rollout status deployment/julia-deployment --timeout=10m
+
+  restart-production:
+    name: Restart Production
+    needs:
+      - deploy-metadata
+      - restart-staging
+    if: ${{ needs.deploy-metadata.outputs.production-perform-deploy == 'true' }}
+    runs-on: self-hosted
+    container:
+      image: ${{ needs.deploy-metadata.outputs.ci-deploy-image }}
+    env:
+      NODE_OPTIONS: --use-openssl-ca
+    steps:
+      - name: Kubernetes config setup
+        uses: TADA/deploy-action/kubeconfig@v2
+        with:
+          vault-kubeconfig-path: secret/data/deploy/production/on-prem-rancher-ponderosa-cluster-reopt
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+          rancher-project-id: ${{ fromJSON(needs.deploy-metadata.outputs.production-metadata).rancher-project-id }}
+      - name: Rollout restart
+        env:
+          app_namespace: "${{ fromJSON(needs.deploy-metadata.outputs.production-metadata).app-namespace }}"
+        run: |
+          set -x
+          kubectl -n "$app_namespace" rollout restart deployment/celery-deployment
+          kubectl -n "$app_namespace" rollout status deployment/celery-deployment --timeout=10m
+          kubectl -n "$app_namespace" rollout restart deployment/julia-deployment
+          kubectl -n "$app_namespace" rollout status deployment/julia-deployment --timeout=10m