diff --git a/.ct.yaml b/.ct.yaml
new file mode 100644
index 00000000000..4886c87b1bf
--- /dev/null
+++ b/.ct.yaml
@@ -0,0 +1,10 @@
+chart-dirs:
+ - helm-chart
+check-version-increment: false
+validate-maintainers: false
+helm-extra-args: --timeout 10m
+debug: false
+upgrade: true
+install: true
+namespace: riptides
+release-label: riptides
diff --git a/.deploystack/deploystack.yaml b/.deploystack/deploystack.yaml
deleted file mode 100644
index 669bc115986..00000000000
--- a/.deploystack/deploystack.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# The fields inside this deploystack.yaml file are documented in https://github.com/GoogleCloudPlatform/deploystack.
-
-title: Microservices Demo (Online Boutique)
-name: microservices-demo
-duration: 5
-collect_project: true
-collect_region: true
-region_type: compute
-region_default: us-central1
-hard_settings:
- filepath_manifest: ../kustomize/
- memorystore: "false"
- name: online-boutique
- namespace: default
-documentation_link: https://cloud.google.com/shell/docs/cloud-shell-tutorials/deploystack/microservices-demo
diff --git a/.deploystack/messages/description.txt b/.deploystack/messages/description.txt
deleted file mode 100644
index ec1b6a26076..00000000000
--- a/.deploystack/messages/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Online Boutique is a cloud-first microservices demo application. Online Boutique
-consists of an 11-tier microservices application. The application is a web-based
-e-commerce app where users can browse items, add them to the cart, and purchase
-them.
\ No newline at end of file
diff --git a/.deploystack/messages/success.txt b/.deploystack/messages/success.txt
deleted file mode 100644
index 82f48d9906f..00000000000
--- a/.deploystack/messages/success.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Congrats!
-You have successfully provisioned a GKE (Google Kubernetes Engine) cluster and
-deployed Online Boutique's 11 microservices, which includes a load generator.
-
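Review bot: `check-version-increment: false` and `validate-maintainers: false` switch off two of chart-testing's guards in the new .ct.yaml with no comment saying why, so a later reader cannot tell whether the omission is deliberate. The release-config.json added in the same commit registers `helm-chart` with `"release-type": "helm"`, which suggests the chart version is bumped by the release tooling rather than by contributors; if so, record that above the key, e.g. `# Chart version bumps are produced by the release tooling (.github/release-config.json); ct must not require one per PR.` A similar one-liner on `validate-maintainers` would help, since the Chart.yaml maintainers list it would check is outside this diff. Also `helm-extra-args: --timeout 10m` is a plain scalar beginning with `-`; it parses as a string because no space follows the dash, but quoting it (`helm-extra-args: '--timeout 10m'`) makes that explicit.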
diff --git a/.deploystack/scripts/preinit.sh b/.deploystack/scripts/preinit.sh
deleted file mode 100755
index 78d3f496c14..00000000000
--- a/.deploystack/scripts/preinit.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT=$(pwd)
-sed -i.tmp "s/project_id/gcp_project_id/" $ROOT/terraform/terraform.tfvars
diff --git a/.deploystack/test b/.deploystack/test
deleted file mode 100755
index dab5c98e3c7..00000000000
--- a/.deploystack/test
+++ /dev/null
@@ -1,207 +0,0 @@ -#! /bin/bash -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# DEPLOYSTACK - this file is a test script that is used by DeployStack's -# testing rig to make sure that the Terraform script installs and uninstalls -# cleanly - -# DON'T REMOVE FROM test script. - -CYAN='\033[0;36m' -BCYAN='\033[1;36m' -NC='\033[0m' # No Color -DIVIDER=$(printf %"$(tput cols)"s | tr " " "*") -DIVIDER+="\n" - -function get_project_id() { - local __resultvar=$1 - VALUE=$(gcloud config get-value project | xargs) - eval $__resultvar="'$VALUE'" -} - -function get_project_number() { - local __resultvar=$1 - local PRO=$2 - VALUE=$(gcloud projects list --filter="project_id=$PRO" --format="value(PROJECT_NUMBER)" | xargs) - eval $__resultvar="'$VALUE'" -} - -# DISPLAY HELPERS - -function section_open() { - section_description=$1 - printf "$DIVIDER" - printf "${CYAN}$section_description${NC} \n" - printf "$DIVIDER" -} - -function section_close() { - printf "$DIVIDER" - printf "${CYAN}$section_description ${BCYAN}- done${NC}\n" - printf "\n\n" -} - -function evalTest() { - local command=$1 - local expected=$2 - - local ERR="" - got=$(eval $command 2>errFile) - ERR=$( /dev/null" "deployment.apps/adservice" - evalTest "kubectl get deployment cartservice --no-headers -o=name 2> /dev/null" "deployment.apps/cartservice" - evalTest "kubectl get deployment checkoutservice --no-headers -o=name 2> /dev/null" "deployment.apps/checkoutservice" - evalTest 
"kubectl get deployment currencyservice --no-headers -o=name 2> /dev/null" "deployment.apps/currencyservice" - evalTest "kubectl get deployment emailservice --no-headers -o=name 2> /dev/null" "deployment.apps/emailservice" - evalTest "kubectl get deployment loadgenerator --no-headers -o=name 2> /dev/null" "deployment.apps/loadgenerator" - evalTest "kubectl get deployment paymentservice --no-headers -o=name 2> /dev/null" "deployment.apps/paymentservice" - evalTest "kubectl get deployment productcatalogservice --no-headers -o=name 2> /dev/null" "deployment.apps/productcatalogservice" - evalTest "kubectl get deployment recommendationservice --no-headers -o=name 2> /dev/null" "deployment.apps/recommendationservice" - evalTest "kubectl get deployment redis-cart --no-headers -o=name 2> /dev/null" "deployment.apps/redis-cart" - evalTest "kubectl get deployment shippingservice --no-headers -o=name 2> /dev/null" "deployment.apps/shippingservice" -section_close - -sleep 120 - -ENDPOINT=$( kubectl get service frontend-external --no-headers 2> /dev/null | awk '{print $4}') - -section_open "Testing Online Boutique's front-end is working" - evalTest 'curl -s -o /dev/null -w "%{http_code}" $ENDPOINT' "200" -section_close - -# Uncomment the line: "deletion_protection = false" -sed -i "s/# deletion_protection/deletion_protection/g" ${DIR}/main.tf -terraform -chdir="$DIR" apply -auto-approve \ - -var gcp_project_id="${PROJECT}" \ - -var name="${NAME}" \ - -var region="${REGION}" \ - -var namespace="${NAMESPACE}" \ - -var filepath_manifest="${FILEPATH_MANIFEST}" \ - -var memorystore="${MEMORYSTORE}" - -terraform -chdir="$DIR" destroy -auto-approve \ - -var gcp_project_id="${PROJECT}" \ - -var name="${NAME}" \ - -var region="${REGION}" \ - -var namespace="${NAMESPACE}" \ - -var filepath_manifest="${FILEPATH_MANIFEST}" \ - -var memorystore="${MEMORYSTORE}" - -section_open "Testing Google Kubernetes Engine cluster does NOT exist" - evalTest 'gcloud container clusters describe 
online-boutique --format="value(name)" --region $REGION' "EXPECTERROR"
-section_close
-
-# This is only needed if you tests fail alot because of overlapping runs of the
-# same set of tests. Really don't do this if you don't want to severely irritate
-# @tpryan
-section_open "Delete Test Project"
- gcloud projects delete $PROJECT -q
-section_close
-
-printf "$DIVIDER"
-printf "CONGRATS!!!!!!! \n"
-printf "You got the end the of your test with everything working. \n"
-printf "$DIVIDER"
diff --git a/.deploystack/test.yaml b/.deploystack/test.yaml
deleted file mode 100644
index c9d6a34a229..00000000000
--- a/.deploystack/test.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# DEPLOYSTACK - this file is the cloudbuild for running testing automatically
-# in the testing rig
-
-steps:
- - name: 'bash'
- id: "creds"
- args: ['-c','echo $$CREDS > .deploystack/creds.json']
- secretEnv: ['CREDS']
- - name: 'gcr.io/cloudshell-images/cloudshell:latest'
- entrypoint: bash
- args: [ '.deploystack/test' ]
- secretEnv: ['BA']
-timeout: 4200s
-options:
- machineType: 'E2_HIGHCPU_8'
-availableSecrets:
- secretManager:
- - versionName: projects/$PROJECT_ID/secrets/creds/versions/latest
- env: 'CREDS'
- - versionName: projects/$PROJECT_ID/secrets/billing_account/versions/latest
- env: 'BA'
\ No newline at end of file
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
deleted file mode 100644
index b663703680c..00000000000
--- a/.github/CODEOWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See https://help.github.com/en/articles/about-code-owners
-# for more info about CODEOWNERS file.
-
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence.
-* @GoogleCloudPlatform/devrel-flagship-app-maintainers @yoshi-approver
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
deleted file mode 100644
index 46b2a08ea6d..00000000000
--- a/.github/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# Contributor Code of Conduct
-
-As contributors and maintainers of this project,
-and in the interest of fostering an open and welcoming community,
-we pledge to respect all people who contribute through reporting issues,
-posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project
-a harassment-free experience for everyone,
-regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance,
-body size, race, ethnicity, age, religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information,
-such as physical or electronic
-addresses, without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct.
-By adopting this Code of Conduct,
-project maintainers commit themselves to fairly and consistently
-applying these principles to every aspect of managing this project.
-Project maintainers who do not follow or enforce the Code of Conduct
-may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior
-may be reported by opening an issue
-or contacting one or more of the project maintainers.
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
-available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
deleted file mode 100644
index 2c9a77a3d91..00000000000
--- a/.github/CONTRIBUTING.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# How to Contribute
-
-Thank you so much for your interest in contributing to Online Boutique.
-Before contributing, you must:
-* Sign the [Contributor License Agreement (CLA)](#contributor-license-agreement).
-* Follow the [Google Open Source Community Guidelines](https://opensource.google.com/conduct/).
-* Follow the [Contribution Process](#contribution-process).
-
-## Contributor License Agreement
-
-Contributions to Online Boutique must be accompanied by a Contributor License
-Agreement (CLA). You (or your employer) retain the copyright to your contribution.
-The CLA gives us permission to use and redistribute your contributions as
-part of the project. Head over to to see
-your current agreements on file or to sign a new one.
-
-You generally only need to submit a CLA once, so if you've already submitted one
-(even if it was for a different project), you probably don't need to do it
-again.
-
-## Contribution Process
-
-Here's the process for making a change to this repository:
-
-1. Review Online Boutique's [purpose](/docs/purpose.md) and [product requirements](/docs/product-requirements.md).
-1. If your proposed changes **do not align** with the purpose and product requirements of Online Boutique, you may be asked to instead maintain your own fork of this repository.
-1. For **small changes** (such as a bug fixes or spelling corrections):
- 1. Fork this repository and submit a [pull request](https://help.github.com/articles/about-pull-requests/).
- 1. Wait for a maintainer of this repository to review your change.
-1. For **bigger changes**:
- 1. Create a [GitHub issue](https://github.com/GoogleCloudPlatform/microservices-demo/issues/new/choose) describing the change **before** working on the implementation. This is important to avoid potentially having to discard your development efforts.
- 1. Wait for a maintainer of this repository to review your GitHub issue.
For significantly complex proposals, you may be asked to start a Google Doc to discuss design decisions. - -If you have any questions, please [create a GitHub issue](https://github.com/GoogleCloudPlatform/microservices-demo/issues/new/choose). diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md deleted file mode 100644 index c5016981444..00000000000 --- a/.github/ISSUE_TEMPLATE/bug-report.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: '' -labels: '' -assignees: '' - ---- - -### Describe the bug - - -### To Reproduce - - - - - -### Logs - - -### Screenshots - - -### Environment - - - - -### Additional context - - -### Exposure - diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md deleted file mode 100644 index e5cd00ba1ca..00000000000 --- a/.github/ISSUE_TEMPLATE/feature-request.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: '' -assignees: '' - ---- - -### Describe request or inquiry - - -### What purpose/environment will this feature serve? - diff --git a/.github/ISSUE_TEMPLATE/other.md b/.github/ISSUE_TEMPLATE/other.md deleted file mode 100644 index 9637cfa7087..00000000000 --- a/.github/ISSUE_TEMPLATE/other.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: Other -about: Have a question or need clarification? -title: '' -labels: '' -assignees: '' - ---- -### Write down your inquiry - diff --git a/.github/SECURITY.md b/.github/SECURITY.md deleted file mode 100644 index 8b58ae9c01a..00000000000 --- a/.github/SECURITY.md +++ /dev/null 
@@ -1,7 +0,0 @@
-# Security Policy
-
-To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
-
-The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
-
-We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.
diff --git a/.github/auto-approve.yml b/.github/auto-approve.yml
deleted file mode 100644
index e5d98c40105..00000000000
--- a/.github/auto-approve.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# https://github.com/googleapis/repo-automation-bots/tree/main/packages/auto-approve
-processes:
- - "PythonDependency"
- - "PythonSampleAppDependency"
- - "JavaDependency"
- - "JavaSampleAppDependency"
- - "GoDependency"
- - "NodeDependency"
- - "DockerDependency"
diff --git a/.github/header-checker-lint.yml b/.github/header-checker-lint.yml
deleted file mode 100644
index 39733ace7e6..00000000000
--- a/.github/header-checker-lint.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file configures a GitHub Bot called "License Header Lint GCF": https://github.com/apps/license-header-lint-gcf
-# The bot runs a GitHub check called "header-check" (inside pull-requests) that warns us about invalid/missing license headers.
-# The schema for this configutation file is documented at https://github.com/googleapis/repo-automation-bots/tree/main/packages/header-checker-lint#header-checker-lint.
-
-allowedCopyrightHolders:
- - 'Google LLC'
-
-allowedLicenses:
- - 'Apache-2.0'
-
-# If you want to ignore certain files/folders, use ignoreFiles.
-# ignoreFiles:
-# - '**/requirements.txt'
-
-# If you want to ignore checking the license year, use ignoreLicenseYear.
-# ignoreLicenseYear: true # Useful when migrating in code licensed at previous years.
-
-sourceFileExtensions:
- - 'cs'
- - 'css'
- - 'Dockerfile'
- - 'dockerignore'
- - 'gitignore'
- - 'go'
- - 'html'
- - 'java'
- - 'js'
- - 'proto'
- - 'py'
- - 'sh'
- - 'tf'
- - 'yaml'
- - 'yml'
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
deleted file mode 100644
index 80ae26f648f..00000000000
--- a/.github/pull_request_template.md
+++ /dev/null
@@ -1,16 +0,0 @@
-### Background
-
-
-### Fixes
-
-### Change Summary
-
-
-### Additional Notes
-
-
-### Testing Procedure
-
-
-### Related PRs or Issues
-
diff --git a/.github/release-cluster/README.md b/.github/release-cluster/README.md
deleted file mode 100644
index 23cd14921af..00000000000
--- a/.github/release-cluster/README.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# cymbal-shops.retail.cymbal.dev manifests
-
-This directory contains extra deploy manifests for configuring Online Boutique solution on GKE for cymbal-shops.retail.cymbal.dev.
-
-_Note: before moving forward, the Online Boutique apps should already be deployed [on the online-boutique-release GKE cluster](/docs/releasing#10-deploy-releasekubernetes-manifestsyaml-to-our-online-boutique-release-gke-cluster)._
-
-## Public static IP address
-
-Create the static public IP address:
-```
-STATIC_IP_NAME=online-boutique-ip # name hard-coded in: frontend-ingress.yaml
-gcloud compute addresses create $STATIC_IP_NAME --global
-```
-
-When ready to do so, you could grab this public IP address and update your DNS:
-```
-gcloud compute addresses describe $STATIC_IP_NAME \
- --global \
- --format "value(address)"
-```
-
-## Cloud Armor
-
-Set up Cloud Armor:
-```
-SECURITY_POLICY_NAME=online-boutique-security-policy # Name hard-coded in: backendconfig.yaml
-gcloud compute security-policies create $SECURITY_POLICY_NAME \
- --description "Block various attacks"
-gcloud compute security-policies rules create 1000 \
- --security-policy $SECURITY_POLICY_NAME \
- --expression "evaluatePreconfiguredExpr('xss-stable')" \
- --action "deny-403" \
- --description "XSS attack filtering"
-gcloud compute security-policies rules create 12345 \
- --security-policy $SECURITY_POLICY_NAME \
- --expression "evaluatePreconfiguredExpr('cve-canary')" \
- --action "deny-403" \
- --description "CVE-2021-44228 and CVE-2021-45046"
-gcloud compute security-policies update $SECURITY_POLICY_NAME \
- --enable-layer7-ddos-defense
-gcloud compute security-policies update $SECURITY_POLICY_NAME \
- --log-level=VERBOSE
-```
-
-## SSL Policy
-
-Set up an SSL policy in order to later set up a redirect from HTTP to HTTPs:
-```
-SSL_POLICY_NAME=online-boutique-ssl-policy # Name hard-coded in: frontendconfig.yaml
-gcloud compute ssl-policies create $SSL_POLICY_NAME \
- --profile COMPATIBLE \
- --min-tls-version 1.0
-```
-
-## Deploy Kubernetes manifests
-
-Deploy the Kubernetes manifests in this current folder:
-```
-kubectl apply -f .
-```
-
-Wait for the `ManagedCertificate` to be provisioned. This usually takes about 30 minutes.
-```
-kubectl get managedcertificates
-```
-
-Remove the default `LoadBalancer` `Service` not used at this point:
-```
-kubectl delete service frontend-external
-```
-
-Remove the `loadgenerator` `Deployment` not used at this point:
-```
-kubectl delete deployment loadgenerator
-```
\ No newline at end of file
diff --git a/.github/release-cluster/backend-config.yaml b/.github/release-cluster/backend-config.yaml
deleted file mode 100644
index 8e5d9768931..00000000000
--- a/.github/release-cluster/backend-config.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: cloud.google.com/v1
-kind: BackendConfig
-metadata:
- name: frontend-backend-config
-spec:
- securityPolicy:
- name: online-boutique-security-policy
\ No newline at end of file
diff --git a/.github/release-cluster/frontend-config.yaml b/.github/release-cluster/frontend-config.yaml
deleted file mode 100644
index 6cd700c2423..00000000000
--- a/.github/release-cluster/frontend-config.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.gke.io/v1beta1
-kind: FrontendConfig
-metadata:
- name: frontend-frontend-config
-spec:
- sslPolicy: online-boutique-ssl-policy
- redirectToHttps:
- enabled: true
- responseCodeName: MOVED_PERMANENTLY_DEFAULT
\ No newline at end of file
diff --git a/.github/release-cluster/frontend-ingress.yaml b/.github/release-cluster/frontend-ingress.yaml
deleted file mode 100644
index 42029ac2e7d..00000000000
--- a/.github/release-cluster/frontend-ingress.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: frontend-ingress
- annotations:
- kubernetes.io/ingress.global-static-ip-name: online-boutique-ip
- networking.gke.io/managed-certificates: online-boutique-certificate
- networking.gke.io/v1beta1.FrontendConfig: frontend-frontend-config
-spec:
- defaultBackend:
- service:
- name: frontend
- port:
- number: 80
- rules:
- - http:
- paths:
- - path: /*
- pathType: ImplementationSpecific
- backend:
- service:
- name: frontend
- port:
- number: 80
diff --git a/.github/release-cluster/frontend-service.yaml b/.github/release-cluster/frontend-service.yaml
deleted file mode 100644
index e4a304aa8f2..00000000000
--- a/.github/release-cluster/frontend-service.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: frontend
- annotations:
- cloud.google.com/neg: '{"ingress": true}'
- cloud.google.com/backend-config: '{"default": "frontend-backend-config"}'
-spec:
- type: ClusterIP
- selector:
- app: frontend
- ports:
- - name: http
- port: 80
- targetPort: 8080
\ No newline at end of file
diff --git a/.github/release-cluster/managed-cert.yaml b/.github/release-cluster/managed-cert.yaml
deleted file mode 100644
index afcd4c4ee85..00000000000
--- a/.github/release-cluster/managed-cert.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.gke.io/v1
-kind: ManagedCertificate
-metadata:
- name: online-boutique-certificate
-spec:
- domains:
- - cymbal-shops.retail.cymbal.dev
diff --git a/.github/release-config.json b/.github/release-config.json
new file mode 100644
index 00000000000..2f049f83dae
--- /dev/null
+++ b/.github/release-config.json
@@ -0,0 +1,61 @@
+{
+ "bump-patch-for-minor-pre-major": true,
+ "separate-pull-requests": true,
+ "sequential-calls": true,
+ "include-component-in-tag": true,
+ "skip-github-release": false,
+ "packages": {
+ "helm-chart": {
+ "package-name": "helm",
+ "release-type": "helm"
+ },
+ "src/adservice": {
+ "package-name": "image-adservice",
+ "release-type": "simple"
+ },
+ "src/cartservice": {
+ "package-name": "image-cartservice",
+ "release-type": "simple"
+ },
+ "src/checkoutservice": {
+ "package-name": "image-checkoutservice",
+ "release-type": "simple"
+ },
+ "src/currencyservice": {
+ "package-name": "image-currencyservice",
+ "release-type": "simple"
+ },
+ "src/emailservice": {
+ "package-name": "image-emailservice",
+ "release-type": "simple"
+ },
+ "src/frontend": {
+ "package-name": "image-frontend",
+ "release-type": "simple"
+ },
+ "src/loadgenerator": {
+ "package-name": "image-loadgenerator",
+ "release-type": "simple"
+ },
+ "src/paymentservice": {
+ "package-name": "image-paymentservice",
+ "release-type": "simple"
+ },
+ "src/productcatalogservice": {
+ "package-name": "image-productcatalogservice",
+ "release-type": "simple"
+ },
+ "src/recommendationservice": {
+ "package-name": "image-recommendationservice",
+ "release-type": "simple"
+ },
+ "src/shippingservice": {
+ "package-name": "image-shippingservice",
+ "release-type": "simple"
+ },
+ "src/shoppingassistantservice": {
+ "package-name": "image-shoppingassistantservice",
+ "release-type": "simple"
+ }
+ }
+}
diff --git a/.github/release-manifest.json b/.github/release-manifest.json
new file mode 100644
index 00000000000..0fd6a130776
--- /dev/null
+++ b/.github/release-manifest.json
@@ -0,0 +1,15 @@
+{
+ "helm-chart": "0.10.6",
+ "src/adservice": "0.0.1",
+ "src/cartservice": "0.0.1",
+ "src/checkoutservice": "0.0.1",
+ "src/currencyservice": "0.0.1",
+ "src/emailservice": "0.0.1",
+ "src/frontend": "0.0.1",
+ "src/loadgenerator": "0.0.1",
+ "src/paymentservice": "0.0.1",
+ "src/productcatalogservice": "0.0.1",
+ "src/recommendationservice": "0.0.1",
+ "src/shippingservice": "0.0.1",
+ "src/shoppingassistantservice": "0.0.1"
+}
diff --git a/.github/renovate.json5 b/.github/renovate.json5
deleted file mode 100644
index e33dcec8a05..00000000000
--- a/.github/renovate.json5
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- extends: [
- 'github>GoogleCloudPlatform/kubernetes-engine-samples//.github/renovate-configs/dee-platform-ops.json5',
- 'schedule:earlyMondays',
- ],
- 'pip-compile': {
- enabled: true,
- fileMatch: [
- '(^|/)requirements\\.txt$',
- ],
- },
- pip_requirements: {
- enabled: false,
- },
- constraints: {
- python: '~=3.11.0',
- },
- kubernetes: {
- fileMatch: [
- '\\.yaml$',
- ],
- ignorePaths: [
- 'release/**',
- 'kustomize/base/**',
- ],
- },
-}
diff --git a/.github/snippet-bot.yml b/.github/snippet-bot.yml
deleted file mode 100644
index 26d99f1aa29..00000000000
--- a/.github/snippet-bot.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/.github/terraform/README.md b/.github/terraform/README.md
deleted file mode 100644
index cf4e525dbbc..00000000000
--- a/.github/terraform/README.md
+++ /dev/null
@@ -1,15 +0,0 @@
-This folder contains the Terraform for some of the infrastructure used by the CICD (continuous integration and continuous delivery/continuous deployment) of this repository.
-
-## Update this Terraform
-
-To make changes to this Terraform, follow these steps:
-
-1. Make sure you have access to the `online-boutique-ci` Google Cloud project.
-1. Move into this folder: `cd .github/terraform`
-1. Set the PROJECT_ID environment variable: `export PROJECT_ID=online-boutique-ci`
-1. Prepare Terraform and download the necessary Terraform dependencies (such as the "hashicorp/google" Terraform provider): `terraform init`
-1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
- * Ideally, you would see `Apply complete! Resources: 0 added, 0 changed, 0 destroyed.` in the output.
-1. Make your desired changes to the Terraform code.
-1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
- * This time, Terraform will prompt you confirm your changes before applying them.
diff --git a/.github/terraform/main.tf b/.github/terraform/main.tf
deleted file mode 100644
index 15dd92c5ab8..00000000000
--- a/.github/terraform/main.tf
+++ /dev/null
@@ -1,116 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# Set defaults for the google Terraform provider. -provider "google" { - project = var.project_id - region = "us-central1" - zone = "us-central1-a" -} - -terraform { - # Store the state inside a Google Cloud Storage bucket. - backend "gcs" { - bucket = "cicd-terraform-state" - prefix = "terraform-state" - } -} - -# Enable Google Cloud APIs. -module "enable_google_apis" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 18.0" - disable_services_on_destroy = false - activate_apis = [ - "cloudresourcemanager.googleapis.com", - "container.googleapis.com", - "iam.googleapis.com", - "storage.googleapis.com", - ] - project_id = var.project_id -} - -# Google Cloud Storage for storing Terraform state (.tfstate). -resource "google_storage_bucket" "terraform_state_storage_bucket" { - name = "cicd-terraform-state" - location = "us" - storage_class = "STANDARD" - force_destroy = false - public_access_prevention = "enforced" - uniform_bucket_level_access = true - versioning { - enabled = true - } -} - -# Google Cloud IAM service account for GKE clusters. -# We avoid using the Compute Engine default service account because it's too permissive. 
-resource "google_service_account" "gke_clusters_service_account" { - account_id = "gke-clusters-service-account" - display_name = "My Service Account" - depends_on = [ - module.enable_google_apis - ] -} - -# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa -resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" { - project = var.project_id - role = "roles/monitoring.metricWriter" - member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}" -} - -# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa -resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" { - project = var.project_id - role = "roles/logging.logWriter" - member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}" -} - -# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa -resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" { - project = var.project_id - role = "roles/monitoring.viewer" - member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}" -} - -# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa -resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" { - project = var.project_id - role = "roles/stackdriver.resourceMetadata.writer" - member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}" -} - -# The GKE cluster used for pull-request (PR) staging deployments. 
-resource "google_container_cluster" "prs_gke_cluster" { - name = "prs-gke-cluster" - location = "us-central1" - enable_autopilot = true - project = var.project_id - deletion_protection = true - depends_on = [ - module.enable_google_apis - ] - cluster_autoscaling { - auto_provisioning_defaults { - service_account = google_service_account.gke_clusters_service_account.email - } - } - # Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints. - # Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630 - ip_allocation_policy { - } -} diff --git a/.github/terraform/variables.tf b/.github/terraform/variables.tf deleted file mode 100644 index e103a7be163..00000000000 --- a/.github/terraform/variables.tf +++ /dev/null @@ -1,23 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# This file lists variables that you can set using the -var flag during "terraform apply". -# Example: terraform apply -var project_id="${PROJECT_ID}" - -variable "project_id" { - type = string - description = "The Google Cloud project ID." -} diff --git a/.github/terraform/versions.tf b/.github/terraform/versions.tf deleted file mode 100644 index f0e1d30c123..00000000000 --- a/.github/terraform/versions.tf +++ /dev/null 
@@ -1,25 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -terraform { - required_version = ">= 0.13" - required_providers { - google = { - source = "hashicorp/google" - version = "~> 6.0" - } - } -} diff --git a/.github/workflows/README.md b/.github/workflows/README.md deleted file mode 100644 index a4ebb93b61e..00000000000 --- a/.github/workflows/README.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# GitHub Actions Workflows - -This page describes the CI/CD workflows for the Online Boutique app, which run in [Github Actions](https://github.com/GoogleCloudPlatform/microservices-demo/actions). - -## Infrastructure - -The CI/CD pipelines for Online Boutique run in Github Actions, using a pool of two [self-hosted runners]((https://help.github.com/en/actions/automating-your-workflow-with-github-actions/about-self-hosted-runners)). These runners are GCE instances (virtual machines) that, for every open Pull Request in the repo, run the code test pipeline, deploy test pipeline, and (on main) deploy the latest version of the app to [cymbal-shops.retail.cymbal.dev](https://cymbal-shops.retail.cymbal.dev) - -We also host a test GKE cluster, which is where the deploy tests run. Every PR has its own namespace in the cluster. - -## Workflows - -**Note**: In order for the current CI/CD setup to work on your pull request, you must branch directly off the repo (no forks). This is because the Github secrets necessary for these tests aren't copied over when you fork. - -### Code Tests - [ci-pr.yaml](ci-pr.yaml) - -These tests run on every commit for every open PR, as well as any commit to main / any release branch. Currently, this workflow runs only Go unit tests. - - -### Deploy Tests- [ci-pr.yaml](ci-pr.yaml) - -These tests run on every commit for every open PR, as well as any commit to main / any release branch. This workflow: - -1. Creates a dedicated GKE namespace for that PR, if it doesn't already exist, in the PR GKE cluster. -2. Uses `skaffold run` to build and push the images specific to that PR commit. Then skaffold deploys those images, via `kubernetes-manifests`, to the PR namespace in the test cluster. -3. Tests to make sure all the pods start up and become ready. -4. Gets the LoadBalancer IP for the frontend service. -5. Comments that IP in the pull request, for staging. 
- -### Push and Deploy Latest - [push-deploy](push-deploy.yml) - -This is the Continuous Deployment workflow, and it runs on every commit to the main branch. This workflow: - -1. Builds the container images for every service, tagging as `latest`. -2. Pushes those images to Google Container Registry. - -Note that this workflow does not update the image tags used in `release/kubernetes-manifests.yaml` - these release manifests are tied to a stable `v0.x.x` release. - -### Cleanup - [cleanup.yaml](cleanup.yaml) - -This workflow runs when a PR closes, regardless of whether it was merged into main. This workflow deletes the PR-specific GKE namespace in the test cluster. - -## Appendix - Creating a new Actions runner - -Should one of the two self-hosted Github Actions runners (GCE instances) fail, or you want to add more runner capacity, this is how to provision a new runner. Note that you need IAM access to the admin Online Boutique GCP project in order to do this. - -1. Create a GCE instance. - - VM should be at least n1-standard-4 with 50GB persistent disk - - VM should use custom service account with permissions to: access a GKE cluster, create GCS storage buckets, and push to GCR. -2. SSH into new VM through the Google Cloud Console. -3. Install project-specific dependencies, including go, docker, skaffold, and kubectl: - -``` -wget -O - https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/.github/workflows/install-dependencies.sh | bash -``` - -The instance will restart when the script completes in order to finish the Docker install. - -4. SSH back into the VM. - -5. Follow the instructions to add a new runner on the [Actions Settings page](https://github.com/GoogleCloudPlatform/microservices-demo/settings/actions) to authenticate the new runner -6. Start GitHub Actions as a background service: -``` -sudo ~/actions-runner/svc.sh install ; sudo ~/actions-runner/svc.sh start -``` 
diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml deleted file mode 100644 index 92be9463bb9..00000000000 --- a/.github/workflows/ci-main.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: "Continuous Integration - Main/Release" -on: - push: - # run on pushes to main or release/* - branches: - - main - - release/* - paths-ignore: - - '**/README.md' - - 'kustomize/**' - - '.github/workflows/kustomize-build-ci.yaml' - - 'terraform/**' - - '.github/workflows/terraform-validate-ci.yaml' - - 'helm-chart/**' - - '.github/workflows/helm-chart-ci.yaml' -jobs: - code-tests: - runs-on: [self-hosted, is-enabled] - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v4 - env: - DOTNET_INSTALL_DIR: "./.dotnet" - with: - dotnet-version: '9.0' - - uses: actions/setup-go@v5 - with: - go-version: '1.24' - - name: Go Unit Tests - timeout-minutes: 10 - run: | - for SERVICE in "shippingservice" "productcatalogservice"; do - echo "testing $SERVICE..." 
- pushd src/$SERVICE - go test - popd - done - - name: C# Unit Tests - timeout-minutes: 10 - run: | - dotnet test src/cartservice/ - deployment-tests: - runs-on: [self-hosted, is-enabled] - needs: code-tests - strategy: - matrix: - profile: ["local-code"] - fail-fast: true - steps: - - uses: actions/checkout@v4 - - name: Build + Deploy PR images to GKE - timeout-minutes: 20 - run: | - PR_NUMBER=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }') - NAMESPACE="pr${PR_NUMBER}" - echo "::set-env name=NAMESPACE::$NAMESPACE" - echo "::set-env name=PR_NUMBER::$PR_NUMBER" - - yes | gcloud auth configure-docker us-docker.pkg.dev - gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID - cat < helm-template.yaml - cat helm-template.yaml - kustomize create --resources helm-template.yaml - kustomize build . - - name: helm template grpc health probes - run: | - # Test related to https://medium.com/google-cloud/b5bd26253a4c - cd helm-chart/ - SPANNER_CONNECTION_STRING=projects/PROJECT_ID/instances/SPANNER_INSTANCE_NAME/databases/SPANNER_DATABASE_NAME - helm template . \ - --set nativeGrpcHealthCheck=true \ - -n onlineboutique \ - > helm-template.yaml - cat helm-template.yaml - kustomize build . - - name: helm template spanner - run: | - # Test related to https://medium.com/google-cloud/f7248e077339 - cd helm-chart/ - SPANNER_CONNECTION_STRING=projects/PROJECT_ID/instances/SPANNER_INSTANCE_NAME/databases/SPANNER_DATABASE_NAME - SPANNER_DB_USER_GSA_ID=spanner-db-user@my-project.iam.gserviceaccount.com - helm template . 
\ - --set cartDatabase.inClusterRedis.create=false \ - --set cartDatabase.type=spanner \ - --set cartDatabase.connectionString=${SPANNER_CONNECTION_STRING} \ - --set serviceAccounts.create=true \ - --set serviceAccounts.annotationsOnlyForCartservice=true \ - --set "serviceAccounts.annotations.iam\.gke\.io/gcp-service-account=${SPANNER_DB_USER_GSA_ID}" \ - -n onlineboutique \ - > helm-template.yaml - cat helm-template.yaml - kustomize build . - - name: helm template asm - run: | - # Test related to https://medium.com/google-cloud/246119e46d53 - cd helm-chart/ - helm template . \ - --set networkPolicies.create=true \ - --set sidecars.create=true \ - --set serviceAccounts.create=true \ - --set authorizationPolicies.create=true \ - --set frontend.externalService=false \ - --set frontend.virtualService.create=true \ - --set frontend.virtualService.gateway.name=asm-ingressgateway \ - --set frontend.virtualService.gateway.namespace=asm-ingress \ - --set frontend.virtualService.gateway.labelKey=asm \ - --set frontend.virtualService.gateway.labelValue=ingressgateway \ - -n onlineboutique \ - > helm-template.yaml - cat helm-template.yaml - kustomize build . - - name: helm template memorystore istio tls origination - run: | - # Test related to https://medium.com/google-cloud/64b71969318d - cd helm-chart/ - REDIS_IP=0.0.0.0 - REDIS_PORT=7378 - REDIS_CERT=dsjfgkldsjflkdsjflksdajfkldsjkfljsdaklfjaskjfakdsjfaklsdjflskadjfklasjfkls - helm template . \ - --set cartDatabase.inClusterRedis.create=false \ - --set cartDatabase.connectionString=${REDIS_IP}:${REDIS_PORT} \ - --set cartDatabase.externalRedisTlsOrigination.enable=true \ - --set cartDatabase.externalRedisTlsOrigination.certificate="${REDIS_CERT}" \ - --set cartDatabase.externalRedisTlsOrigination.endpointAddress=${REDIS_IP} \ - --set cartDatabase.externalRedisTlsOrigination.endpointPort=${REDIS_PORT} \ - -n onlineboutique \ - > helm-template.yaml - cat helm-template.yaml - kustomize build . 
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
new file mode 100644
index 00000000000..98fc6208952
--- /dev/null
+++ b/.github/workflows/helm-lint.yaml
@@ -0,0 +1,44 @@
+name: Lint and Test Helm Charts
+
+on:
+ pull_request:
+ paths:
+ - 'helm-chart/**'
+ push:
+ branches: [main]
+ paths:
+ - 'helm-chart/**'
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4.2.0
+ with:
+ version: v3.17.0
+
+ - uses: actions/setup-python@v5.3.0
+ with:
+ python-version: '3.13'
+ check-latest: true
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.7.0
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config .ct.yaml --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --config .ct.yaml --target-branch ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
new file mode 100644
index 00000000000..9e1e71936a2
--- /dev/null
+++ b/.github/workflows/helm-release.yaml
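Review bot: The workflow declares no `permissions:` block, so the GITHUB_TOKEN available to `actions/checkout`, `azure/setup-helm`, `actions/setup-python` and `helm/chart-testing-action` keeps the repository's default scopes even though the job only needs to read the checkout; helm-release.yaml in the same commit does restrict its token. Add at top level `permissions:` / `  contents: read` (or the same under the `lint-test` job). Every third-party action here is also referenced by a movable tag (`actions/checkout@v5`, `azure/setup-helm@v4.2.0`, `helm/chart-testing-action@v2.7.0`); pinning each `uses:` to a full commit SHA with the version in a trailing comment is the usual hardening, and the same applies to helm-release.yaml, images-release.yml, release-please.yaml and reusable-docker-build-push.yml in this commit.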
@@ -0,0 +1,63 @@
+# Copyright (c) 2025 Riptides Labs, Inc.
+# SPDX-License-Identifier: RIP-1.0
+
+---
+name: Release helm chart
+
+on:
+ push:
+ tags:
+ - 'helm-*'
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4.2.0
+ with:
+ version: v3.17.0
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Helm lint
+ shell: bash
+ run: helm lint helm-chart --with-subcharts
+
+ - name: Set chart version
+ id: chart-version
+ shell: bash
+ run: |
+ TAG="${GITHUB_REF##*/}"
+ VERSION="${TAG##*-v}"
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Helm package
+ id: build
+ shell: bash
+ run: |
+ helm package helm-chart --dependency-update --version ${{ steps.chart-version.outputs.version }}
+ echo "package=onlineboutique-${{ steps.chart-version.outputs.version }}.tgz" >> "$GITHUB_OUTPUT"
+
+ - name: Helm push to GHCR OCI registry
+ shell: bash
+ run: |
+ echo "🚧 Pushing ${{ steps.build.outputs.package }} to GHCR OCI registry"
+ helm push ${{ steps.build.outputs.package }} oci://ghcr.io/${{ github.repository_owner }}/charts
diff --git a/.github/workflows/images-release.yml b/.github/workflows/images-release.yml
new file mode 100644
index 00000000000..1aea6b6e5af
--- /dev/null
+++ b/.github/workflows/images-release.yml
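Review bot: The job grants `id-token: write` and `attestations: write`, but no step in the hunk uses either — the steps are lint, package and push, with no signing or attestation step — so both should be dropped until such a step exists, leaving `contents: read` and `packages: write`. The `Helm package` and `Helm push` steps also interpolate `${{ steps.chart-version.outputs.version }}` and `${{ steps.build.outputs.package }}` directly into `run:` scripts; both values are derived from the pushed tag name, and the safer pattern is to expose them via `env:` and reference `"$VERSION"` / `"$PACKAGE"` in the shell, as the `Set chart version` step already does with `GITHUB_REF`. The job id `lint-test` is misleading for a job whose purpose is to publish the chart; `release` would describe it.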
@@ -0,0 +1,61 @@
+name: Release images
+
+on:
+ push:
+ tags:
+ - 'image-*-v*'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ prepare-build:
+ name: Prepare Build
+ outputs:
+ target: ${{ steps.resolve.outputs.target }}
+ image-tag: ${{ steps.resolve.outputs.version }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Filter target
+ id: resolve
+ run: |
+ # This assumes tags are in this form
+ # image---v
+
+ # strip image- prefix from the tag
+ _target=${GITHUB_REF_NAME#image}
+
+ # remove version to only get the component
+ target=${_target%-v*}
+
+ # remove the - from the beginning of the target if it exists
+ target=${target#-}
+
+ # get version only
+ version=${_target##*-v}
+
+ # set target and version as output
+ echo target=${target} >> ${GITHUB_OUTPUT}
+ echo version=${version} >> ${GITHUB_OUTPUT}
+
+ # Print the target and version
+ echo "Target: $target"
+ echo "Version: $version"
+
+ build-push:
+ needs: [prepare-build]
+ name: Build docker image ${{ needs.prepare-build.outputs.target }}
+ uses: ./.github/workflows/reusable-docker-build-push.yml
+ permissions:
+ contents: 'read'
+ packages: 'write'
+ attestations: 'write'
+ with:
+ bake-target: ${{ needs.prepare-build.outputs.target }}
+ image-tag: ${{ needs.prepare-build.outputs.image-tag }}
diff --git a/.github/workflows/install-dependencies.sh b/.github/workflows/install-dependencies.sh
deleted file mode 100755
index 759a4a92c7f..00000000000
--- a/.github/workflows/install-dependencies.sh
+++ /dev/null
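Review bot: The `Filter target` step never checks what it parsed: a tag like `image--v1.0.0` yields an empty `target`, which flows through `bake-target` into the reusable workflow's `targets:`, where an empty string is likely to select the bake default group and build far more than intended rather than fail. Fail fast after parsing, e.g. `if [[ -z "$target" || -z "$version" ]]; then echo "::error::tag '$GITHUB_REF_NAME' is not image-<target>-v<version>"; exit 1; fi`, and quote the redirections (`>> "$GITHUB_OUTPUT"`) as helm-release.yaml does. The comment `# image---v` appears to have lost its placeholders in rendering; `# image-<target>-v<version>` states the expected shape. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` is always false in a workflow that only runs on tag pushes (release-please.yaml has the same dead expression on pushes to main); write `cancel-in-progress: false` or drop the key.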
@@ -1,74 +0,0 @@ -#!/bin/bash -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -# install wget -sudo apt install -y wget - -# install dotnet CLI -sudo apt-get update -sudo apt-get install wget -wget -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg -sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/ -wget https://packages.microsoft.com/config/debian/9/prod.list -sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list -sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg -sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list - -sudo apt-get install -y apt-transport-https && \ -sudo apt-get update && \ -sudo apt-get install -y dotnet-sdk-8.0 -echo "✅ dotnet installed" - -# install kubectl -sudo apt-get install -yqq kubectl git -echo "✅ kubectl installed" - -# install go -wget https://golang.org/dl/go1.19.linux-amd64.tar.gz -sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz -echo 'export GOPATH=$HOME/go' >> ~/.profile -echo 'export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin' >> ~/.profile -source ~/.profile -echo "✅ golang installed" - -# install build-essential (gcc, used for go test) -sudo apt install -y build-essential - -# install addlicense -go install github.com/google/addlicense@latest -sudo ln -s $HOME/go/bin/addlicense /bin - -# install build-essential (gcc, used for go test) -sudo apt install -y build-essential - -# install skaffold -curl -Lo 
skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \ -chmod +x skaffold && \ -sudo mv skaffold /usr/local/bin -echo "✅ skaffold installed" - -# install docker -sudo apt install -yqq apt-transport-https ca-certificates curl gnupg2 software-properties-common && \ -curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - && \ -sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ -sudo apt-get update && \ -sudo apt-get install -yqq docker-ce && \ -sudo usermod -aG docker ${USER} -echo "✅ docker installed, rebooting..." - -# reboot for docker setup -sudo reboot diff --git a/.github/workflows/kubevious-manifests-ci.yaml b/.github/workflows/kubevious-manifests-ci.yaml deleted file mode 100644 index ebe23d632ea..00000000000 --- a/.github/workflows/kubevious-manifests-ci.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: kubevious-manifests-ci -on: - push: - branches: - - main - paths: - - 'helm-chart/**' - - 'kustomize/**' - - '.github/workflows/kubevious-manifests-ci.yaml' - pull_request: - paths: - - 'helm-chart/**' - - 'kustomize/**' - - '.github/workflows/kubevious-manifests-ci.yaml' -permissions: - contents: read -jobs: - kubevious-manifests-ci: - runs-on: ubuntu-24.04 - timeout-minutes: 1 - steps: - - uses: actions/checkout@v4 - - - name: Validate kubernetes-manifests - id: kubernetes-manifests-validation - uses: kubevious/cli@v1.0.62 - with: - manifests: kubernetes-manifests - skip_rules: container-latest-image - - - name: Validate helm-chart - id: helm-chart-validation - uses: kubevious/cli@v1.0.62 - with: - manifests: helm-chart - - - name: Validate kustomize - id: kustomize-validation - uses: kubevious/cli@v1.0.62 - with: - manifests: kustomize - skip_rules: container-latest-image diff --git a/.github/workflows/kustomize-build-ci.yaml b/.github/workflows/kustomize-build-ci.yaml deleted file mode 100644 index 0386f1855b1..00000000000 --- a/.github/workflows/kustomize-build-ci.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: kustomize-build-ci -on: - push: - branches: - - main - paths: - - 'kustomize/**' - - '.github/workflows/kustomize-build-ci.yaml' - pull_request: - paths: - - 'kustomize/**' - - '.github/workflows/kustomize-build-ci.yaml' -jobs: - kustomize-build-ci: - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 - - name: kustomize build base - run: | - cd kustomize/ - kubectl kustomize . - # Build the different combinations of Kustomize components found in kustomize/tests. - - name: kustomize build tests - run: | - cd kustomize/tests - KUSTOMIZE_TESTS_SUBFOLDERS=$(ls -d */) - for test in $KUSTOMIZE_TESTS_SUBFOLDERS; - do - echo "## kustomize build for " + $test - kustomize build $test - done diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml new file mode 100644 index 00000000000..4f575df63d0 --- /dev/null +++ b/.github/workflows/release-please.yaml 
@@ -0,0 +1,36 @@
+# Copyright (c) 2025 Riptides Labs, Inc.
+# SPDX-License-Identifier: RIP-1.0
+
+---
+name: Release Please check
+
+on:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate a token
+ id: generate-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ vars.RIPTIDES_CI_APP_ID }}
+ private-key: ${{ secrets.RIPTIDES_CI_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ permission-contents: write
+ permission-pull-requests: write
+ permission-issues: write
+
+ - uses: googleapis/release-please-action@v4
+ id: release-please
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+ config-file: .github/release-config.json
+ manifest-file: .github/release-manifest.json
diff --git a/.github/workflows/reusable-docker-build-push.yml b/.github/workflows/reusable-docker-build-push.yml
new file mode 100644
index 00000000000..dd24d02f18c
--- /dev/null
+++ b/.github/workflows/reusable-docker-build-push.yml
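Review bot: The workflow sets no top-level `permissions:`, so the ordinary GITHUB_TOKEN keeps the repository's default scopes even though every step here authenticates with the App token minted in `Generate a token`; `permissions: {}` (or `permissions:` / `  contents: read`) makes the intended separation explicit and keeps the default token inert if an action in this job is ever compromised. The App token itself carries `contents`, `pull-requests` and `issues` write, which release-please does need; a short comment on the `with:` block naming why each grant is required (`# contents: create release + tag; pull-requests: release PR; issues: labels`) would spare the next reader from re-deriving it. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` can never be true on a `push` to `main` trigger.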
@@ -0,0 +1,60 @@
+name: Build and Push
+
+on:
+ workflow_call:
+ inputs:
+ bake-target:
+ required: true
+ type: string
+ description: "Bake target"
+ bake-file:
+ required: false
+ type: string
+ description: "Bake file"
+ default: "docker-bake.hcl"
+ image-tag:
+ required: true
+ type: string
+ description: "Image tag to use."
+ image-repo:
+ required: false
+ type: string
+ description: "Image repo to use."
+ default: "ghcr.io/riptideslabs/microservices-demo"
+
+jobs:
+ build-and-push:
+ name: Build and Push
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Login to GitHub Container Registry
+ if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{github.token}}
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and push
+ uses: docker/bake-action@v6
+ env:
+ IMAGE_REPO: ${{ inputs.image-repo }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
+ with:
+ files: |
+ ${{ inputs.bake-file }}
+ targets: ${{ inputs.bake-target }}
+ push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+ provenance: false
diff --git a/.github/workflows/terraform-validate-ci.yaml b/.github/workflows/terraform-validate-ci.yaml
deleted file mode 100644
index e3c2f3cc236..00000000000
--- a/.github/workflows/terraform-validate-ci.yaml
+++ /dev/null
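Review bot: `provenance: false` on the `docker/bake-action` step disables the BuildKit provenance attestation, while the caller in images-release.yml grants this workflow `attestations: write` that nothing then uses; either drop `provenance: false` so the pushed images carry provenance, or remove the unused grant on the caller side, and leave a one-line comment stating which was chosen. The `image-repo` default hard-codes `ghcr.io/riptideslabs/microservices-demo`, whereas helm-release.yaml derives its registry path from `${{ github.repository_owner }}`; having the caller pass `image-repo: ghcr.io/${{ github.repository }}` would keep the two consistent and work on forks. Style: `${{github.actor}}` / `${{github.token}}` drop the inner spaces used in every other expression in these workflows.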
@@ -1,37 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: terraform-validate-ci
-on:
- push:
- branches:
- - main
- paths:
- - 'terraform/**'
- - '.github/workflows/terraform-validate-ci.yaml'
- pull_request:
- paths:
- - 'terraform/**'
- - '.github/workflows/terraform-validate-ci.yaml'
-jobs:
- terraform-validate-ci:
- runs-on: ubuntu-24.04
- steps:
- - uses: actions/checkout@v4
- - uses: hashicorp/setup-terraform@v3
- - name: terraform init & validate
- run: |
- cd terraform/
- terraform init -backend=false
- terraform validate
diff --git a/docker-bake.hcl b/docker-bake.hcl
index d2db5683f29..858574f0b6f 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -5,7 +5,13 @@ variable "IMAGE_TAG" {default = "test"}
 function "get_tag" {
 params = [tags, name]
- result = coalescelist(tags, ["${IMAGE_REPO}/${name}:${IMAGE_TAG}"])
+ result = coalescelist(
+ tags,
+ [
+ "${IMAGE_REPO}/${name}:${IMAGE_TAG}",
+ "${IMAGE_REPO}/${name}:latest"
+ ]
+ )
 }
 # docker-bake.hcl
diff --git a/src/adservice/Dockerfile b/src/adservice/Dockerfile
index 5ab382f4c32..4f8fb4f6713 100644
--- a/src/adservice/Dockerfile
+++ b/src/adservice/Dockerfile
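Review bot: `get_tag` now attaches `:latest` to every build alongside `${IMAGE_TAG}`, and since reusable-docker-build-push.yml pushes on every tag push, releasing an older line (a `v1.x` patch after `v2.0.0`) silently moves `latest` backwards for that image. Make the floating tag opt-in from the workflow, e.g. `variable "PUSH_LATEST" { default = "false" }` and `result = coalescelist(tags, concat(["${IMAGE_REPO}/${name}:${IMAGE_TAG}"], PUSH_LATEST == "true" ? ["${IMAGE_REPO}/${name}:latest"] : []))`, so the caller decides when `latest` advances. A short comment above the function saying that an explicit `tags` argument replaces both generated tags (which is what `coalescelist` does here) would also help, since that is easy to miss.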
@@ -16,6 +16,12 @@ FROM eclipse-temurin:21.0.7_6-jdk AS builder
 WORKDIR /app
+# Ensure OS CA certs and small utilities are present (helps TLS) and keep layer small
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates wget curl gnupg2 haveged \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
 COPY ["build.gradle", "gradlew", "./"]
 COPY gradle gradle
 RUN chmod +x gradlew
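Review bot: The new `RUN` installs `wget`, `curl`, `gnupg2` and `haveged` in the `builder` stage although nothing in the hunk uses them: `haveged` is a daemon that a `RUN` step never starts, and the other three only widen the build stage's package surface (and its scanner findings) for no visible benefit. If the goal is TLS trust for the Gradle dependency download, `ca-certificates` alone covers it — and the `eclipse-temurin` base image in my experience already ships CA certificates, so the whole step may be redundant; worth verifying before merging — e.g. `RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && update-ca-certificates && rm -rf /var/lib/apt/lists/*`. The comment also says "keep layer small" while adding five packages; reword it to state what the step is actually for. The rest of the `builder` stage continues outside the hunk.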