First draft of CD workflow

[cc-a]

A deployment pipeline intended for use with the Beta launch:

Features:

• The deployment workflow is run on pushes to develop and main. In order to pass the sha of the published docker image the deployment is run is called from the publish workflow with the image tag being passed as an input argument.
• The deployment workflow may also be triggered manually in order to support manual redeployment and disaster recovery scenarios. In this case the image tag is provided when the workflow is triggered.
• The docker image is provided via sha to ensure that the relevant Kubernetes deployments are updated with the new image.
• The same workflow is run for both the develop and main branches but different values are provided for the secrets and environment variables via Github Actions environments. For manual deployments the environment is provided as an input value.
• The ref of the commit to use for the Helm chart is set via environment variable to allow controlled updates of the helm chart being used in testing/production.

Developer Checklist

Developers should review and confirm each of these items before requesting review

• Code meets acceptance criteria from issue
• Unit tests are written and all pass
• User Test Scripts (if required) are written and have been run through
• Code documentation and related non-code documentation has all been updated

Reviewer Checklist

Reviewers should review and confirm each of these items before approval
If there are multiple reviewers, this section can be duplicated for each reviewer

• Code meets acceptance criteria from issue
• Unit tests are written and all pass
• User Test Scripts (if required) are written and have been run through
• Code documentation and related non-code documentation has all been updated
• Migation has been created and tested

Testing

List user test scripts that need to be run

List any non-unit test scripts that need to be run

[Steven-Eardley]

These latest changes make sense to me - we're using the raw helm command so it's acting equivalently to our dev environments

[Copilot]

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

[alexdewar]

Seems sensible. Is the plan to use helm for development as well as production eventually?

[alexdewar]

How about some more indentation for readability:

Suggested change

	-f ${{ vars.CHART_OVERRIDE_PATH }} \
	-n invenio --install --create-namespace \
	--set invenio.secret_key="${{ secrets.INVENIO_SECRET_KEY }}" \
	--set invenio.security_login_salt="${{ secrets.INVENIO_SECURITY_LOGIN_SALT }}" \
	--set invenio.csrf_secret_salt="${{ secrets.INVENIO_CSRF_SECRET_SALT }}" \
	--set invenio.extraConfig.ICL_OAUTH_CLIENT_ID=${{ vars.ICL_OAUTH_CLIENT_ID }} \
	--set invenio.extraConfig.ICL_OAUTH_CLIENT_SECRET="${{ secrets.ICL_OAUTH_CLIENT_SECRET }}" \
	--set invenio.extraConfig.ICL_OAUTH_WELL_KNOWN_URL=${{ vars.ICL_OAUTH_WELL_KNOWN_URL }} \
	--set rabbitmq.auth.password="${{ secrets.RABBITMQ_AUTH_PASSWORD }}" \
	--set postgresql.auth.password="${{ secrets.POSTGRESQL_AUTH_PASSWORD }}" \
	--set invenio.hostname=${{ vars.HOSTNAME }} \
	--set web.image=${{ inputs.image_tag_with_sha }} \
	--set worker.image=${{ inputs.image_tag_with_sha }} \
	--set invenio.datacite.password="${{ secrets.DATACITE_PASSWORD }}" \
	--set invenio.datacite.username=${{ vars.DATACITE_USERNAME }} \
	--set invenio.extraConfig.INVENIO_DATACITE_PREFIX=${{ vars.DATACITE_PREFIX }} \
	--set-string invenio.extraConfig.INVENIO_DATACITE_TEST_MODE=True \
	--set invenio.extraConfig.INVENIO_MAIL_USERNAME=${{ vars.EMAIL_USERNAME }} \
	--set invenio.extraConfig.INVENIO_MAIL_PASSWORD="${{ secrets.MAIL_PASSWORD }}" \
	--set persistence.size=${{ vars.FILES_STORAGE_SIZE }} \
	--set-string invenio.extraConfig.INVENIO_MAIL_USE_TLS=True \
	--set-string invenio.extraConfig.INVENIO_MAIL_DEFAULT_SENDER=${{ vars.EMAIL_USERNAME }}
	-f ${{ vars.CHART_OVERRIDE_PATH }} \
	-n invenio --install --create-namespace \
	--set invenio.secret_key="${{ secrets.INVENIO_SECRET_KEY }}" \
	--set invenio.security_login_salt="${{ secrets.INVENIO_SECURITY_LOGIN_SALT }}" \
	--set invenio.csrf_secret_salt="${{ secrets.INVENIO_CSRF_SECRET_SALT }}" \
	--set invenio.extraConfig.ICL_OAUTH_CLIENT_ID=${{ vars.ICL_OAUTH_CLIENT_ID }} \
	--set invenio.extraConfig.ICL_OAUTH_CLIENT_SECRET="${{ secrets.ICL_OAUTH_CLIENT_SECRET }}" \
	--set invenio.extraConfig.ICL_OAUTH_WELL_KNOWN_URL=${{ vars.ICL_OAUTH_WELL_KNOWN_URL }} \
	--set rabbitmq.auth.password="${{ secrets.RABBITMQ_AUTH_PASSWORD }}" \
	--set postgresql.auth.password="${{ secrets.POSTGRESQL_AUTH_PASSWORD }}" \
	--set invenio.hostname=${{ vars.HOSTNAME }} \
	--set web.image=${{ inputs.image_tag_with_sha }} \
	--set worker.image=${{ inputs.image_tag_with_sha }} \
	--set invenio.datacite.password="${{ secrets.DATACITE_PASSWORD }}" \
	--set invenio.datacite.username=${{ vars.DATACITE_USERNAME }} \
	--set invenio.extraConfig.INVENIO_DATACITE_PREFIX=${{ vars.DATACITE_PREFIX }} \
	--set-string invenio.extraConfig.INVENIO_DATACITE_TEST_MODE=True \
	--set invenio.extraConfig.INVENIO_MAIL_USERNAME=${{ vars.EMAIL_USERNAME }} \
	--set invenio.extraConfig.INVENIO_MAIL_PASSWORD="${{ secrets.MAIL_PASSWORD }}" \
	--set persistence.size=${{ vars.FILES_STORAGE_SIZE }} \
	--set-string invenio.extraConfig.INVENIO_MAIL_USE_TLS=True \
	--set-string invenio.extraConfig.INVENIO_MAIL_DEFAULT_SENDER=${{ vars.EMAIL_USERNAME }}

[alexdewar]

I was thinking dependabot normally does these... but it seems we don't actually have dependabot enabled for this repo. Do we want to add it?

[cc-a]

Would be great if you could take a look when you get the chance @Steven-Eardley

[Steven-Eardley]

I understand this is what Trevor asked for - my approach would probably be to set these in the values.override and not necessarily bring them all the way out to helm upgrade just because of the verbosity of this approach. But since it was a request, let's carry on

[Steven-Eardley]

handy for a proper rolling upgrade