infra: use helm chart for deployments

Test secContext

Author: RoRu

.github/workflows/production.yml

@@ -11,7 +11,7 @@ jobs:
   build: 
     runs-on: ubuntu-latest
     outputs:
-      image_name: ${{ steps.build.outputs.image_name }}
+      image_name: '${{ steps.build.outputs.image_name }}'
     steps:
       - uses: actions/checkout@v2
 
@@ -24,7 +24,7 @@ jobs:
     environment: production
     needs: build
     container: 
-      image: qwolphin/kdsl:1.21.8
+      image: ghcr.io/helmfile/helmfile-ubuntu:v0.145.3
     strategy:
       fail-fast: false
       matrix:
@@ -38,33 +38,23 @@ jobs:
       - name: GCP Auth
         uses: google-github-actions/[email protected]
         with:
-          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          credentials_json: '${{ secrets.GCP_SA_KEY }}'
       - name: Get GKE credentials
         uses: google-github-actions/[email protected]
         with:
-          cluster_name: ${{ secrets.GKE_CLUSTER }}
-          location: ${{ secrets.GKE_CLUSTER_REGION }}
+          cluster_name: '${{ secrets.GKE_CLUSTER }}'
+          location: '${{ secrets.GKE_CLUSTER_REGION }}'
 
       - name: Render kdsl resources into yaml
         env: 
           MAINNET_RPC: '${{ secrets.MAINNET_RPC }}'
           POLYGON_RPC: '${{ secrets.POLYGON_RPC }}'
-          RECIPE: "chain${{ matrix.CHAIN_ID }}"
-          DOMAIN: cache-api-${{ matrix.CHAIN_ID }}.aave.com
-          CHAIN_ID: ${{ matrix.CHAIN_ID }}
-          IMAGE: ${{ needs.build.outputs.image_name }}
+          DOMAIN: 'cache-api-${{ matrix.CHAIN_ID }}.aave.com'
+          CHAIN_ID: '${{ matrix.CHAIN_ID }}'
+          IMAGE: '${{ needs.build.outputs.image_name }}'
           COMMIT_SHA: "${{ github.sha }}"
-          NAMESPACE: cache-${{ matrix.CHAIN_ID }}
+          NAMESPACE: 'cache-${{ matrix.CHAIN_ID }}'
           ENV_NAME: production
+          HELM_PLUGINS: '/root/.local/share/helm/plugins'
         run: |
-          cd k8s/
-          kubectl config set-context --current --namespace=${{ env.NAMESPACE }}
-          python3 main.py > ../rendered.yml
-      
-      - name: Apply k8s resources
-        run: |
-          kubectl apply -f rendered.yml --dry-run=server
-          kubectl apply -f rendered.yml
-          sleep 3
-          kubectl wait --for condition=ready --timeout 90s pods -l "commit_sha=${{ github.sha }}" || \
-          { kubectl get pods && exit 1; }
+          helmfile apply --suppress-diff

.github/workflows/pull-request-close.yml

@@ -9,29 +9,29 @@ jobs:
     runs-on: ubuntu-latest
     environment: preview
     container: 
-      image: registry.gitlab.com/aave-tech/k8s:63f618c0
-      credentials:
-        username: github-actions
-        password: ${{ secrets.KUBE_IMAGE_PULL }}
+      image: ghcr.io/helmfile/helmfile-ubuntu:v0.145.3
     strategy:
       fail-fast: false
       matrix:
         CHAIN_ID: ["1", "137", "43114"]
     steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 
+
       - name: Set k8s namespace
         shell: bash
-        run: echo "NAMESPACE=cache-${NS_SUFFIX,,}" | tr -c '[:alnum:]-=\n' '-' >>${GITHUB_ENV}
+        run: |
+          cat <<EOF | tr -c '[:alnum:]-=\n' '-' >> ${GITHUB_ENV}
+          NAMESPACE=cache-${NS_SUFFIX,,}
+          EOF
         env:
           NS_SUFFIX: "${{ github.head_ref }}-${{ matrix.CHAIN_ID }}"
 
       - name: Remove preview env
         env:
           REF_NAME: '${{ github.head_ref }}'
+          CHAIN_ID: '${{ matrix.CHAIN_ID }}'
         run: |
           mkdir -p ~/.kube
           echo "${{ secrets.DEV_KUBECONFIG }}" > ~/.kube/config
-          kubectl config set-context --current --namespace="${{ env.NAMESPACE }}"
-          kubectl delete deploy --all
-          kubectl delete svc --all
-          kubectl delete ingress --all
-          kubectl delete ns "${{ env.NAMESPACE }}"
+          helmfile destroy
+          kubectl delete ns '${{ env.NAMESPACE }}'

.github/workflows/pull-request.yml

@@ -33,7 +33,7 @@ jobs:
     environment: preview
     needs: build
     container:
-      image: qwolphin/kdsl:1.21.8
+      image: ghcr.io/helmfile/helmfile-ubuntu:v0.145.3
     strategy:
       fail-fast: false
       matrix:
@@ -44,36 +44,35 @@ jobs:
       - name: Set k8s namespace
         shell: bash
         run: |
-          echo -e "NAMESPACE=cache-${NS_SUFFIX,,}\nENV_NAME=${{ github.head_ref }}" | tr -c '[:alnum:]-=\n_' '-' >> ${GITHUB_ENV}
+          cat <<EOF | tr -c '[:alnum:]-=\n_' '-' >> ${GITHUB_ENV}
+          NAMESPACE=cache-${NS_SUFFIX,,}
+          ENV_NAME=${{ github.head_ref }}
+          EOF
         env:
           NS_SUFFIX: "${{ github.head_ref }}-${{ matrix.CHAIN_ID }}"
 
-      - name: Render kdsl resources into yaml
-        env:
-          MAINNET_RPC: "${{ secrets.MAINNET_RPC }}"
-          POLYGON_RPC: "${{ secrets.POLYGON_RPC }}"
-          RECIPE: "chain${{ matrix.CHAIN_ID }}"
-          DOMAIN: "${{ env.NAMESPACE }}.aaw.fi"
-          CHAIN_ID: "${{ matrix.CHAIN_ID }}"
-          IMAGE: "${{ needs.build.outputs.image_name }}"
-          COMMIT_SHA: "${{ github.sha }}"
-        run: |
-          cd k8s/
-          python3 main.py > ../rendered.yml
-
       - name: Set up kubeconfig
         run: |
           mkdir -p ~/.kube
           echo "${{ secrets.DEV_KUBECONFIG }}" > ~/.kube/config
-          kubectl config set-context --current --namespace="${{ env.NAMESPACE }}"
 
       - name: Apply k8s resources
         shell: bash
+        env:
+          MAINNET_RPC: "${{ secrets.MAINNET_RPC }}"
+          POLYGON_RPC: "${{ secrets.POLYGON_RPC }}"
+          DOMAIN: "${{ env.NAMESPACE }}.aaw.fi"
+          CHAIN_ID: "${{ matrix.CHAIN_ID }}"
+          IMAGE: "${{ needs.build.outputs.image_name }}"
+          COMMIT_SHA: "${{ github.sha }}"
+          HELM_PLUGINS: '/root/.local/share/helm/plugins'
         run: |
-          kubectl apply -f rendered.yml
-          sleep 3
-          kubectl wait --for condition=ready --timeout 90s pods -l "commit_sha=${{ github.sha }}" || \
-          { kubectl get pods && exit 1; }
+          helmfile sync && exit 0 || true
+          helmfile status | grep pending-upgrade
+          RELEASE="$(helmfile status | grep NAME: | awk '{print $2}')"
+          REVISION="$(helmfile status | grep REVISION: | awk '{print $2}')"
+          helm rollback --wait -n "${NAMESPACE}" "${RELEASE}" "$((REVISION-1))"
+          helmfile sync
 
       - uses: actions/github-script@v5
         if: ${{ github.event.action == 'opened' || github.event.action == 'reopened' }}

helm/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/chart/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: aave-caching-server
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0

helm/chart/templates/_helpers.tpl

@@ -0,0 +1,56 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "common.env" -}}
+{{- with .Values.common.env }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "common.labels" -}}
+{{- with .Values.common.labels }}
+{{- toYaml . }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common annotations
+*/}}
+{{- define "common.annotations" -}}
+{{- with .Values.common.annotations }}
+{{- toYaml . }}
+{{- end }}
+{{- end }}

helm/chart/templates/api.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  labels: 
+    {{- include "common.labels" . | nindent 4 }}
+    component: api
+  annotations:
+  {{- include "common.annotations" . | nindent 4 }}
+spec:
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1    
+      maxUnavailable: 0
+  replicas: 1
+  selector:
+    matchLabels:
+     component: api
+  template:
+    metadata:
+      annotations:
+      {{- with .Values.api.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- include "common.annotations" . | nindent 8 }}
+      labels:
+        {{- include "common.labels" . | nindent 8 }}
+        component: api
+    spec:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      containers:
+        - name: api
+          env:
+            - name: REDIS_HOST
+              value: redis
+              {{- include "common.env" . | nindent 12 }}
+          image: "{{ .Values.common.image }}"
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: '/.well-known/apollo/server-health'
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 3
+            failureThreshold: 5
+          readinessProbe:
+            httpGet:
+              path: '/.well-known/apollo/server-health'
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 3
+            failureThreshold: 5
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            privileged: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            capabilities:
+              drop:
+                - ALL
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+    component: api
+  annotations:
+  {{- include "common.annotations" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3000
+      targetPort: http
+      protocol: TCP
+      name: http-3000
+  selector:
+    component: api

helm/chart/templates/ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: main
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- include "common.annotations" . | nindent 4 }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ .Values.ingress.domain | quote }}
+  rules:
+    - host: {{ .Values.ingress.domain | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: api
+                port:
+                  name: http-3000