chore: rewrite ecamp3 deployment to helmfile

That it is easier to use github action secrets and vars in the deployment.
Leave dev and stage-prod in separate files that the review is somehow easier.
They will be put into one workflow in the next commit.

Author: BacLuc

.github/actions/setup-helmfile/action.yaml

@@ -0,0 +1,13 @@
+name: 'Setup helmfile'
+description: 'Sets up helmfile in /usr/local/bin/helmfile'
+runs:
+  using: "composite"
+  steps:
+    - name: install helmfile
+      run: |
+        curl -L https://github.com/helmfile/helmfile/releases/download/v1.1.3/helmfile_1.1.3_linux_amd64.tar.gz -o helmfile.tar.gz
+        tar -xvf /tmp/helmfile.tar.gz
+        mv helmfile /usr/local/bin
+        chmod +x /usr/local/bin/helmfile
+      working-directory: /tmp
+      shell: bash

.github/workflows/deployment-devel.yml

@@ -5,6 +5,15 @@ on:
     branches:
       - devel
   workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   continuous-integration:
@@ -29,4 +38,5 @@ jobs:
     with:
       name: dev
       env: dev
-    secrets: inherit
+      action: ${{ github.event.inputs.action || 'deploy' }}
+    secrets: inherit

.github/workflows/deployment-pr.yml

@@ -3,6 +3,16 @@ name: CD for feature branches
 on:
   pull_request_target:
     types: [opened, reopened, labeled, synchronize]
+  workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 concurrency:
   group: ${{ github.workflow}}-${{ github.event.pull_request.number }}
@@ -30,4 +40,5 @@ jobs:
       env: feature-branch
       pr-number: ${{ github.event.pull_request.number }}
       dropDBOnUninstall: true
+      action: ${{ github.event.inputs.action || 'deploy' }}
     secrets: inherit

.github/workflows/deployment-stage-prod.yml

@@ -9,6 +9,15 @@ on:
       - staging
       - prod
   workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   build-and-push:
@@ -25,4 +34,8 @@ jobs:
     name: Upgrade or install deployment
     needs: build-and-push
     uses: ./.github/workflows/reusable-stage-prod-deployment.yml
+    with:
+      name: ${{ github.ref_name }}
+      env: ${{ github.ref_name }}
+      action: ${{ github.event.inputs.action || 'deploy' }}
     secrets: inherit

.github/workflows/reusable-dev-deployment.yml

@@ -1,16 +1,18 @@
-name: '[reusable only] Development deployment'
+name: '[reusable only] ecamp3 deployment'
 
 on:
   workflow_call:
     inputs:
       name:
-        required: true
+        description: Deployment short name for subdomain (e.g. dev, pr123).
+        required: false
         type: string
       sha:
         required: false
         type: string
         default: ${{ github.sha }}
       env:
+        description: Target environment (dev, feature-branch, staging, prod)
         required: true
         type: string
       pr-number:
@@ -23,9 +25,19 @@ on:
       restoreSourceFile:
         required: false
         type: string
+      action:
+        description: "Choose action of (diff|deploy)"
+        type: string
+        required: true
+        default: diff
+
+env:
+  NAME: ${{ inputs.name }}
+  IMAGE_TAG: ${{ inputs.sha }}
+  HELM_TIMEOUT: ${{ vars.HELM_TIMEOUT }}
 
 jobs:
-  dev-deployment:
+  deploy-ecamp3:
     name: Deploy to Kubernetes
     runs-on: ubuntu-latest
     environment:
@@ -36,15 +48,15 @@ jobs:
         id: job-url
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          job_name: Upgrade or install deployment / Deploy to Kubernetes
+          job_name: Deploy to Kubernetes
 
       - name: Create a pending GitHub deployment
         uses: bobheadxi/deployments@v1.5.0
         id: deployment
         with:
           step: start
           token: ${{ secrets.REPO_ACCESS_TOKEN }}
-          env: ${{ inputs.name }}
+          env: ${{ inputs.env }}
 
       - name: Comment progress on PR
         uses: thollander/actions-comment-pull-request@v3
@@ -65,74 +77,51 @@ jobs:
         with:
           ref: ${{ inputs.sha }}
 
-      - name: Upgrade or install helm release
-        env:
-          never_uninstall: ${{ needs.find-prs-to-deploy.outputs.never-uninstall }}
+      - name: Dump secrets to /tmp/secrets.json
+        run: |
+          cat << 'EOF' | tee /tmp/secrets.json
+          ${{ toJSON(secrets) }}
+          EOF
+          jq '.' /tmp/secrets.json
+
+      - name: Dump variables to /tmp/vars.json
+        run: |
+          cat << 'EOF' | tee /tmp/vars.json
+          ${{ toJSON(vars) }}
+          EOF
+          jq '.' /tmp/vars.json
+
+      - name: Merge secrets, variables, and workflow inputs to env.yaml
+        run: |
+          jq -n \
+            '{
+              NAME: "${{ inputs.name }}",
+              IMAGE_TAG: "${{ inputs.sha }}",
+              RESTORE_SOURCE_FILE: "${{ inputs.restoreSourceFile || '' }}",
+              DROP_DB_ON_UNINSTALL: ${{ inputs.dropDBOnUninstall }}
+            }') > /tmp/additions.json
+          jq -s '.[0] + .[1] + .[2]' /tmp/secrets.json /tmp/vars.json /tmp/additions.json > .helm/ecamp3/env.yaml
+          jq '.' .helm/ecamp3/env.yaml
+
+      - name: Setup kubectl authentication
+        run: |
+          mkdir -p ~/.kube
+          echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config
+          chmod go-r ~/.kube/config
+
+      - uses: ./.github/actions/setup-helmfile
+
+      - name: Diff deployment
+        run: |
+          ./.helm/ecamp3/deploy.sh diff || true
+
+      - name: Show values.yaml
+        run: cat ./.helm/ecamp3/values.yaml
+
+      - name: Deploy
+        if: ${{ inputs.action == 'deploy' }}
         run: |
-          # Setup authentication
-          mkdir ~/.kube && echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config && chmod go-r ~/.kube/config
-          # Switch to the helm chart directory
-          cd .helm/ecamp3
-          # Install dependency charts
-          helm dependency update
-          # Set the appVersion, workaround from https://github.com/helm/helm/issues/8194 so that we can
-          # later find out which deployments need to be upgraded
-          sed -i 's/^appVersion:.*$/appVersion: "${{ inputs.sha }}"/' Chart.yaml
-          # Install or upgrade the release
-          helm upgrade --install ecamp3-${{ inputs.name }} . \
-            --set imageTag=${{ inputs.sha }} \
-            --set frontend.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-frontend' \
-            --set print.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-print' \
-            --set api.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api' \
-            --set apiCache.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-varnish' \
-            --set postgresql.dbBackupRestoreImage.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-db-backup-restore' \
-            --set termsOfServiceLinkTemplate='https://ecamp3.ch/{lang}/tos' \
-            --set newsLink='https://ecamp3.ch/blog' \
-            --set helpLink='https://ecamp3.ch/faq' \
-            --set domain=${{ inputs.name }}.${{ vars.DOMAIN }} \
-            --set ingress.basicAuth.enabled=${{ vars.BASIC_AUTH_ENABLED || false  }} \
-            --set ingress.basicAuth.username=${{ secrets.BASIC_AUTH_USERNAME }} \
-            --set ingress.basicAuth.password='${{ secrets.BASIC_AUTH_PASSWORD }}' \
-            --set apiCache.enabled=${{ vars.API_CACHE_ENABLED || false }} \
-            --set apiCache.sendXKeyHeadersDownstream=${{ vars.SEND_XKEY_HEADERS_DOWNSTREAM != null && format('''{0}''', vars.SEND_XKEY_HEADERS_DOWNSTREAM) || null }} \
-            --set mail.dummyEnabled=true \
-            --set postgresql.url='${{ secrets.POSTGRES_URL }}/ecamp3${{ inputs.name }}?sslmode=require' \
-            --set postgresql.adminUrl='${{ secrets.POSTGRES_ADMIN_URL }}/ecamp3${{ inputs.name }}?sslmode=require' \
-            --set postgresql.dropDBOnUninstall=${{ inputs.dropDBOnUninstall }} \
-            --set postgresql.backup.schedule=${{ vars.BACKUP_SCHEDULE != null && format('''{0}''', vars.BACKUP_SCHEDULE) || null }} \
-            --set postgresql.backup.s3.endpoint='${{ vars.BACKUP_S3_ENDPOINT }}' \
-            --set postgresql.backup.s3.bucket='${{ vars.BACKUP_S3_BUCKET }}' \
-            --set postgresql.backup.s3.accessKeyId='${{ secrets.BACKUP_S3_ACCESS_KEY_ID }}' \
-            --set postgresql.backup.s3.accessKey='${{ secrets.BACKUP_S3_ACCESS_KEY }}' \
-            --set postgresql.backup.encryptionKey=${{ secrets.BACKUP_ENCRYPTION_KEY != null && format('''{0}''', secrets.BACKUP_ENCRYPTION_KEY) || null }} \
-            --set postgresql.restore.sourceFile=${{ inputs.restoreSourceFile != null && format('''{0}''', inputs.restoreSourceFile) || null }} \
-            --set postgresql.restore.sourceAppName=${{ vars.RESTORE_SOURCE_APP != null && format('''{0}''', vars.RESTORE_SOURCE_APP) || null }} \
-            --set postgresql.restore.s3.endpoint='${{ vars.RESTORE_S3_ENDPOINT }}' \
-            --set postgresql.restore.s3.bucket='${{ vars.RESTORE_S3_BUCKET }}' \
-            --set postgresql.restore.s3.accessKeyId='${{ secrets.RESTORE_S3_ACCESS_KEY_ID }}' \
-            --set postgresql.restore.s3.accessKey='${{ secrets.RESTORE_S3_ACCESS_KEY }}' \
-            --set postgresql.restore.encryptionKey=${{ secrets.RESTORE_ENCRYPTION_KEY != null && format('''{0}''', secrets.RESTORE_ENCRYPTION_KEY) || null }} \
-            --set api.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
-            --set api.appSecret='${{ secrets.API_APP_SECRET }}' \
-            --set api.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
-            --set api.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
-            --set api.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
-            --set api.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
-            --set frontend.sentryDsn='${{ secrets.FRONTEND_SENTRY_DSN }}' \
-            --set print.sentryDsn='${{ secrets.PRINT_SENTRY_DSN }}' \
-            --set print.browserWsEndpoint='${{ secrets.BROWSER_WS_ENDPOINT }}' \
-            --set print.ingress.readTimeoutSeconds='${{ vars.PRINT_INGRESS_READ_TIMEOUT_SECONDS }}' \
-            --set print.renderHTMLTimeoutMs='${{ vars.PRINT_RENDER_HTML_TIMEOUT_MS }}' \
-            --set print.renderPDFTimeoutMs='${{ vars.PRINT_RENDER_PDF_TIMEOUT_MS }}' \
-            --set browserless.connectionTimeout=${{ vars.BROWSERLESS_CONNECTION_TIMEOUT_MS || '30000' }} \
-            --set deploymentTime="$(date -u +%s)" \
-            --set deployedVersion="$(git rev-parse --short '${{ inputs.sha }}')" \
-            --set recaptcha.siteKey='${{ secrets.RECAPTCHA_SITE_KEY }}' \
-            --set recaptcha.secret='${{ secrets.RECAPTCHA_SECRET }}' \
-            --set frontend.loginInfoTextKey=${{ vars.LOGIN_INFO_TEXT_KEY }} \
-            --set featureToggle.developer=true \
-            --set featureToggle.checklist=${{ vars.FEATURE_CHECKLIST || 'false' }} \
-            --timeout ${{ vars.HELM_TIMEOUT || '5m0s' }}
+          ./.helm/ecamp3/deploy.sh deploy
 
       - name: Finish the GitHub deployment
         uses: bobheadxi/deployments@v1.5.0
@@ -142,7 +131,7 @@ jobs:
           token: ${{ secrets.REPO_ACCESS_TOKEN }}
           status: ${{ job.status }}
           deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-          env_url: https://${{ inputs.name }}.${{ vars.DOMAIN }}
+          env_url: ${{ (inputs.env == 'staging' || inputs.env == 'prod') && format('https://{0}.{1}', vars.SUBDOMAIN, vars.DOMAIN) || format('https://{0}.{1}', inputs.name, vars.DOMAIN) }}
           env: ${{ steps.deployment.outputs.env }}
 
       - name: Get current time