deployment automation for staging

.forgejo/workflows/build-deploy-staging.yaml

@@ -1,4 +1,4 @@
-name: Build and Deploy
+name: Build and Deploy Staging
 
 on:
   push:
@@ -35,3 +35,29 @@ jobs:
           tags: ${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-latest
+    environment:
+      name: staging
+      url: https://staging.portal.servala.com/
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Deploy to OpenShift
+        uses: docker://quay.io/appuio/oc:v4.16
+        with:
+          entrypoint: /bin/bash
+          args: |
+            -c "oc login --token=${OPENSHIFT_TOKEN} --server=${OPENSHIFT_URL} && \
+              oc -n ${NAMESPACE} apply --overwrite -k deployment/kustomize/overlays/staging && \
+              oc -n ${NAMESPACE} rollout restart deployment/servala"
+        env:
+          NAMESPACE: ${{ vars.NAMESPACE_PORTAL_STAGING }}
+          KUBECONFIG: /tmp/kube_config
+          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+          OPENSHIFT_URL: ${{ secrets.OPENSHIFT_URL }}

.gitignore

@@ -162,3 +162,5 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 
+# Deployment Stuff
+deployment/secrets/*

README.md

@@ -18,7 +18,7 @@ Paths:
 * `docs/modules/ROOT/nav.adoc`: Site navigation (new pages need to be added there)
 
 Writing documentation is best done by running `make docs-preview` and connecting to the site at http://localhost:2020/.
-The browser addon [LiveReload - Web extension](https://addons.mozilla.org/en-US/firefox/addon/livereload-web-extension/) will help while editing with automated page reload in the browser.
+The browser add-on [LiveReload - Web extension](https://addons.mozilla.org/en-US/firefox/addon/livereload-web-extension/) will help while editing with automated page reload in the browser.
 
 ## Development setup
 
@@ -39,7 +39,7 @@ This will start the development server on http://localhost:8000.
 
 TODO
 
-### Code style and linting
+## Code style and linting
 
 Servala uses several linters / formatters to keep the project style consistent for you.
 Run them like this:
@@ -54,7 +54,7 @@ uv run flake8 src/  # Python linter
 The repository features a [pre-commit](https://pre-commit.com/) configuration which helps to properly format the source code before committing.
 It's recommended to install and use it.
 
-### Docker
+## Docker
 
 The project provides a Dockerfile which builds a production-ready container image.
 It uses [Caddy](https://caddyserver.com/) to serve static files and connect to [Gunicorn](https://gunicorn.org/), the Python WSGI application server.
@@ -73,6 +73,10 @@ docker run --rm -ti -p 8080:8080 --name=servala-portal --rm --env-file .env loca
 
 TODO: Persistence
 
-### Testing
+## Deployment
+
+TODO
+
+## Testing
 
 TODO

deployment/kustomize/base/database/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - vshnpostgresql.yaml

deployment/kustomize/base/database/vshnpostgresql.yaml

@@ -0,0 +1,19 @@
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNPostgreSQL
+metadata:
+  name: servala
+spec:
+  parameters:
+    service:
+      majorVersion: "16"
+      pgSettings:
+        timezone: Europe/Zurich
+    size:
+      plan: standard-2
+    backup:
+      schedule: "30 23 * * *"
+      retention: 12
+    encryption:
+      enabled: true
+  writeConnectionSecretToRef:
+    name: database-creds

deployment/kustomize/base/portal/deployment.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: servala
+  name: servala
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: servala
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: servala
+    spec:
+      containers:
+        - name: servala
+          image: servala-2nkgm.app.codey.ch/servala/servala-portal:latest
+          imagePullPolicy: Always
+          readinessProbe:
+            httpGet:
+              path: /admin/
+              port: 8080
+            periodSeconds: 60
+          livenessProbe:
+            httpGet:
+              path: /admin/
+              port: 8080
+            periodSeconds: 60
+            initialDelaySeconds: 5
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: servala
+          env:
+            - name: SERVALA_DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: database-creds
+                  key: POSTGRESQL_USER
+            - name: SERVALA_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: database-creds
+                  key: POSTGRESQL_PASSWORD
+            - name: SERVALA_DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: database-creds
+                  key: POSTGRESQL_HOST
+            - name: SERVALA_DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: database-creds
+                  key: POSTGRESQL_PORT

deployment/kustomize/base/portal/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - deployment.yaml
+  - service.yaml

deployment/kustomize/base/portal/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: servala
+  labels:
+    app: servala
+spec:
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: http
+  selector:
+    app: servala
+  type: ClusterIP

deployment/kustomize/overlays/staging/ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+  name: servala
+spec:
+  rules:
+    - host: staging.portal.servala.com
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: servala
+                port:
+                  number: 8080
+  tls:
+    - hosts:
+        - staging.portal.servala.com
+      secretName: ingress-cert

deployment/kustomize/overlays/staging/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/instance: test
+      app.kubernetes.io/name: servala
+resources:
+  - ../../base/portal
+  - ../../base/database
+  - ingress.yaml
+patches:
+  - path: portal-deployment.yaml

deployment/kustomize/overlays/staging/portal-deployment.yaml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: servala
+spec:
+  template:
+    spec:
+      containers:
+        - name: servala
+          env:
+            - name: SERVALA_ENVIRONMENT
+              value: staging
+            - name: SERVALA_ALLOWED_HOSTS
+              value: staging.portal.servala.com