AET-DevOps25
diff --git a/‎.github/workflows/build-and-deploy-k8s.yml‎
Lines changed: 212 additions & 0 deletions b/‎.github/workflows/build-and-deploy-k8s.yml‎
Lines changed: 212 additions & 0 deletions
diff --git a/‎.github/workflows/build_docker.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/build_docker.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.github/workflows/deploy-terraform-ansible.yml‎
Lines changed: 130 additions & 0 deletions b/‎.github/workflows/deploy-terraform-ansible.yml‎
Lines changed: 130 additions & 0 deletions
@@ -0,0 +1,212 @@
+# ============================================================================
+# Build and Deploy to Kubernetes Workflow
+# ============================================================================
+# 
+# This workflow builds Docker images for all microservices and deploys them
+# to a Kubernetes cluster using Helm charts with proper secret management.
+#
+# TRIGGERS:
+# - Manual trigger (workflow_dispatch): Run manually from GitHub Actions UI
+# - Push to dev/main branches: Automatically builds and deploys on code changes
+#
+# SERVICES BUILT:
+# - client: Vue.js frontend application
+# - auth-service: Spring Boot authentication service with JWT
+# - quiz-service: Spring Boot quiz management service
+# - flashcard-service: Spring Boot flashcard management service  
+# - genai-service: FastAPI service for AI-powered features
+#
+# DEPLOYMENT TARGET:
+# - Kubernetes cluster with Helm
+# - Namespace: dev
+# - Domain: team-deployaas.student.k8s.aet.cit.tum.de
+#
+# REQUIRED SECRETS:
+# - POSTGRES_PASSWORD: Database password
+# - JWT_SECRET: JWT signing secret (32+ characters)
+# - GENAI_API_KEY: API key for GenAI service
+# - GRAFANA_PASSWORD: Grafana admin password
+# - KUBE_CONFIG: Base64-encoded Kubernetes config file
+#
+# SWAGGER ENDPOINTS (after deployment):
+# - Auth Service: https://team-deployaas.student.k8s.aet.cit.tum.de/auth/swagger-ui
+# - Quiz Service: https://team-deployaas.student.k8s.aet.cit.tum.de/quiz/swagger-ui
+# - Flashcard Service: https://team-deployaas.student.k8s.aet.cit.tum.de/flashcard/swagger-ui
+# - GenAI Service: https://team-deployaas.student.k8s.aet.tum.de/api/genai/docs
+# ============================================================================
+
+name: Build and Deploy to Kubernetes
+
+on:
+  # Manual trigger - can be run from GitHub Actions UI
+  workflow_dispatch:
+  # Automatic trigger on push to main development branches
+  push:
+    branches: [dev, main]
+
+jobs:
+  # ============================================================================
+  # BUILD JOB: Build and push Docker images for all microservices
+  # ============================================================================
+  build:
+    name: Build & Push Docker Images
+    runs-on: ubuntu-latest
+    
+    # Matrix strategy builds all services in parallel for efficiency
+    strategy:
+      matrix:
+        include:
+          # Vue.js frontend with Nginx
+          - service: client
+            context: frontend/client-vue
+            dockerfile: frontend/client-vue/Dockerfile
+          # Spring Boot authentication service
+          - service: auth-service
+            context: auth-service
+            dockerfile: auth-service/Dockerfile
+          # Spring Boot quiz management service  
+          - service: quiz-service
+            context: quiz-service
+            dockerfile: quiz-service/Dockerfile
+          # Spring Boot flashcard management service
+          - service: flashcard-service
+            context: flashcard-service
+            dockerfile: flashcard-service/Dockerfile
+          # FastAPI AI service
+          - service: genai-service
+            context: genai-service
+            dockerfile: genai-service/Dockerfile
+
+    steps:
+      # Checkout source code
+      - uses: actions/checkout@v4
+
+      # Login to GitHub Container Registry using automatic token
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Set up Docker Buildx for multi-platform builds
+      - uses: docker/setup-buildx-action@v3
+
+      # Generate image metadata (tags, labels)
+      - id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}/${{ matrix.service }}
+          tags: |
+            type=raw,value=latest              # Always tag as 'latest'
+            type=ref,event=branch              # Tag with branch name
+            type=sha                           # Tag with git commit SHA
+
+      # Build and push Docker image for current service
+      - name: Build & Push ${{ matrix.service }}
+        uses: docker/build-push-action@v5
+        with:
+          context: ./${{ matrix.context }}     # Build context (service directory)
+          file: ./${{ matrix.dockerfile }}     # Dockerfile path
+          push: true                           # Push to registry
+          tags: ${{ steps.meta.outputs.tags }} # Use generated tags
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64   # Multi-platform build
+          cache-from: type=gha                 # Use GitHub Actions cache
+          cache-to: type=gha,mode=max          # Cache layers for faster builds
+
+  # ============================================================================
+  # DEPLOY JOB: Deploy to Kubernetes using Helm with secrets management
+  # ============================================================================
+  deploy:
+    name: Deploy to Kubernetes
+    runs-on: ubuntu-latest
+    needs: build                              # Wait for build job to complete
+    environment: kubernetes                   # Deployment environment (for protection rules)
+
+    steps:
+      # Checkout source code for Helm charts
+      - uses: actions/checkout@v4
+
+      # Install kubectl for Kubernetes cluster management
+      - name: Setup Kubectl
+        uses: azure/setup-kubectl@v3
+        with:
+          version: 'latest'
+
+      # Install Helm for package management
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: '3.12.0'
+
+      # Configure Kubernetes cluster access
+      - name: Configure Kubernetes
+        run: |
+          mkdir -p ~/.kube
+          # Decode base64-encoded kubeconfig from secrets
+          echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+          
+          # Set context to student cluster
+          kubectl config use-context student
+
+      # Add Bitnami repository for PostgreSQL dependency
+      - name: Add Bitnami Helm Repository
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+      # ============================================================================
+      # HELM DEPLOYMENT: Deploy application with secure secrets management
+      # ============================================================================
+      # 
+      # Uses values-secure.yaml which references Kubernetes secrets created
+      # from GitHub Actions secrets. This ensures no sensitive data is stored
+      # in version control.
+      #
+      # Deployed services:
+      # - PostgreSQL database (Bitnami chart)
+      # - All microservices with Swagger UI enabled
+      # - Prometheus + Grafana monitoring stack
+      # - Nginx ingress with Let's Encrypt TLS
+      # ============================================================================
+      
+      - name: Deploy with Helm
+        run: |
+          cd helm/study-assistant
+          
+          # Update Helm chart dependencies (PostgreSQL)
+          helm dependency update
+          
+          # Deploy/upgrade the complete application stack
+          # Uses values-secure.yaml for production-ready configuration
+          helm upgrade --install study-assistant . \
+            --namespace=dev \
+            --timeout=10m \
+            --wait \
+            --values values-secure.yaml \
+            --set secrets.postgresPassword="${{ secrets.POSTGRES_PASSWORD }}" \
+            --set secrets.jwtSecret="${{ secrets.JWT_SECRET }}" \
+            --set secrets.genaiApiKey="${{ secrets.GENAI_API_KEY }}" \
+            --set secrets.grafanaPassword="${{ secrets.GRAFANA_PASSWORD }}"
+
+      - name: Verify Deployment
+        run: |
+          echo "Checking deployment status..."
+          kubectl get pods -n dev -l app.kubernetes.io/instance=study-assistant
+          kubectl get svc -n dev -l app.kubernetes.io/instance=study-assistant
+          kubectl get ingress -n dev -l app.kubernetes.io/instance=study-assistant
+          
+          # Wait for pods to be ready
+          kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=study-assistant -n dev --timeout=300s
+
+      - name: Get Application URL
+        run: |
+          INGRESS_HOST=$(kubectl get ingress -n dev -l app.kubernetes.io/instance=study-assistant -o jsonpath='{.items[0].spec.rules[0].host}' 2>/dev/null || echo "No ingress found")
+          if [ "$INGRESS_HOST" != "No ingress found" ]; then
+            echo "🚀 Application deployed successfully!"
+            echo "📱 Application URL: https://$INGRESS_HOST"
+          else
+            echo "⚠️  Application deployed but no ingress URL found"
+          fi
@@ -1,10 +1,15 @@
 name: Build Docker Images
 
 on:
-  push:
+   workflow_run:
+     workflows: ["Run Tests"]
+     types:
+       - completed
+  
 
 jobs:
   build:
+    if: ${{ github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'dev') }}
     name: Build & Push Docker Images
     runs-on: ubuntu-latest
     environment: AWS
@@ -61,7 +66,6 @@ jobs:
             REACT_APP_QUIZ_HOST=quiz.${{ vars.EC2_PUBLIC_IP }}.nip.io
             REACT_APP_FLASHCARD_HOST=flashcard.${{ vars.EC2_PUBLIC_IP }}.nip.io
             FRONTEND_ORIGIN=https://client.${{ vars.EC2_PUBLIC_IP }}.nip.io
-
       - name: Debug IP injection
         if: matrix.service == 'client'
         run: |
 
@@ -0,0 +1,130 @@
+name: Deploy to AWS with Terraform + Ansible
+
+on:
+  push:
+    branches: [dev, ansible-terraform, main]
+  workflow_dispatch:
+
+env:
+  AWS_REGION: us-east-1
+
+jobs:
+  deploy:
+    name: Deploy Infrastructure and Application
+    runs-on: ubuntu-latest
+    environment: AWS
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.0
+          terraform_wrapper: false
+
+      - name: Get current IP for security group
+        id: get-ip
+        run: |
+          CURRENT_IP=$(curl -s ipv4.icanhazip.com)
+          echo "current_ip=${CURRENT_IP}/32" >> $GITHUB_OUTPUT
+
+      - name: Setup SSH keys for Terraform
+        run: |
+          mkdir -p ~/.ssh
+          # Use your local devops key for both deployment and local access
+          echo "${{ secrets.LOCAL_SSH_PRIVATE_KEY }}" > ~/.ssh/devops.pem
+          chmod 600 ~/.ssh/devops.pem
+          ssh-keygen -y -f ~/.ssh/devops.pem > infrastructure/devops.pub
+
+      - name: Terraform Init
+        working-directory: infrastructure
+        run: terraform init
+
+      - name: Terraform Plan
+        working-directory: infrastructure
+        run: |
+          # Build terraform plan command with required variables
+          PLAN_CMD="terraform plan \
+            -var=\"my_ip=${{ steps.get-ip.outputs.current_ip }}\" \
+            -var=\"ssh_key=devops.pub\" \
+            -var=\"ssh_private_key=~/.ssh/devops.pem\""
+          
+          # Add local IP if provided
+          if [ -n "${{ secrets.LOCAL_IP }}" ]; then
+            PLAN_CMD="$PLAN_CMD -var=\"local_ip=${{ secrets.LOCAL_IP }}\""
+          fi
+          
+          # Add output file
+          PLAN_CMD="$PLAN_CMD -out=tfplan"
+          
+          # Execute the plan
+          eval $PLAN_CMD
+
+      - name: Terraform Apply
+        working-directory: infrastructure
+        run: terraform apply -auto-approve tfplan
+
+      - name: Get EC2 Instance IP
+        id: get-instance-ip
+        working-directory: infrastructure
+        run: |
+          INSTANCE_IP=$(terraform output -raw server-ip)
+          echo "instance_ip=${INSTANCE_IP}" >> $GITHUB_OUTPUT
+
+      - name: Update Ansible inventory
+        run: |
+          echo "${{ steps.get-instance-ip.outputs.instance_ip }} ansible_user=ec2-user ansible_ssh_private_key_file=~/.ssh/devops.pem" > infrastructure/ansible/inventory.ini
+
+      - name: Install Ansible
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ansible
+
+      - name: Wait for EC2 instance to be ready
+        run: |
+          timeout 300 bash -c 'until ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no -i ~/.ssh/devops.pem ec2-user@${{ steps.get-instance-ip.outputs.instance_ip }} "echo ready"; do sleep 10; done'
+
+      - name: Run initial server setup
+        working-directory: infrastructure/ansible
+        run: |
+          # Build ansible command with optional local SSH key
+          ANSIBLE_CMD="ansible-playbook -i inventory.ini playbook-simple.yml"
+          
+          # Add local SSH public key if provided (same key used for deployment)
+          if [ -n "${{ secrets.LOCAL_SSH_PRIVATE_KEY }}" ]; then
+            LOCAL_PUB_KEY=$(ssh-keygen -y -f ~/.ssh/devops.pem)
+            ANSIBLE_CMD="$ANSIBLE_CMD -e \"local_ssh_public_key=$LOCAL_PUB_KEY\""
+          fi
+          
+          # Execute the command
+          eval $ANSIBLE_CMD
+
+      - name: Run application deployment
+        working-directory: infrastructure/ansible
+        run: |
+          ansible-playbook -i inventory.ini playbook-deploy.yml \
+            -e "openai_api_key=${{ secrets.OPENAI_API_KEY }}" \
+            -v
+
+      - name: Display deployment info
+        run: |
+          echo "🎉 Deployment successful!"
+          echo "Frontend: http://${{ steps.get-instance-ip.outputs.instance_ip }}:3000"
+          echo "Quiz Service: http://${{ steps.get-instance-ip.outputs.instance_ip }}:8081"
+          echo "Flashcard Service: http://${{ steps.get-instance-ip.outputs.instance_ip }}:8082"
+          echo "Auth Service: http://${{ steps.get-instance-ip.outputs.instance_ip }}:8083"
+          echo "GenAI Service: http://${{ steps.get-instance-ip.outputs.instance_ip }}:5001"
+          echo "PgAdmin: http://${{ steps.get-instance-ip.outputs.instance_ip }}:8080"
+          echo "Prometheus: http://${{ steps.get-instance-ip.outputs.instance_ip }}:9090"
+          echo "Grafana: http://${{ steps.get-instance-ip.outputs.instance_ip }}:3001"
+          echo "Alertmanager: http://${{ steps.get-instance-ip.outputs.instance_ip }}:9093"