From cce3ed045831ef8b73c6a23a9a2edc1f492c4f0d Mon Sep 17 00:00:00 2001
From: BacLuc
Date: Sat, 2 Nov 2024 18:38:49 +0100
Subject: [PATCH] ops-dashboard: add workflow to deploy it with github actions

Use set -a to export the variables in .env directly. We can only use single line env variables as vars and secrets here.
---
.github/workflows/deploy-ops-dashboard.yml | 64 ++++++++++++++++++++++
.ops/ops-dashboard/.env-example | 13 +++++
.ops/ops-dashboard/.gitignore | 3 +-
.ops/ops-dashboard/README.md | 21 ++++---
.ops/ops-dashboard/demo.values.access.yaml | 46 ----------------
.ops/ops-dashboard/deploy.sh | 25 +++++++--
.ops/ops-dashboard/values.yaml | 37 ++++++++++++-
7 files changed, 147 insertions(+), 62 deletions(-)
create mode 100644 .github/workflows/deploy-ops-dashboard.yml
create mode 100644 .ops/ops-dashboard/.env-example
delete mode 100644 .ops/ops-dashboard/demo.values.access.yaml
diff --git a/.github/workflows/deploy-ops-dashboard.yml b/.github/workflows/deploy-ops-dashboard.yml
new file mode 100644
index 0000000000..5940e93514
--- /dev/null
+++ b/.github/workflows/deploy-ops-dashboard.yml
@@ -0,0 +1,64 @@
+name: Deploy ops-dashboard
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: 'Choose environment'
+ type: environment
+ required: true
+
+jobs:
+ deploy-ops-dashboard:
+ name: "Deploy ops-dashboard"
+ runs-on: ubuntu-latest
+ environment: ${{ github.event.inputs.environment }}
+ steps:
+ - name: Validate environment
+ uses: actions/github-script@v7
+ with:
+ script: |
+ if (!"${{ github.event.inputs.environment }}".startsWith("ops-dashboard")) {
+ throw new Error("Environment must start with 'ops-dashboard'");
+ }
+
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Dump secrets to .env
+ run: |
+ echo '${{ toJSON(secrets) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
+ working-directory: .ops/ops-dashboard
+
+ - name: Dump variables to .env
+ run: |
+ echo '${{ toJSON(vars) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
+ working-directory: .ops/ops-dashboard
+
+ - name: Show .env for debugging
+ run: echo "$(cat .env | sort)"
+ working-directory: .ops/ops-dashboard
+
+ - name: Setup helm
+ run: |
+ mkdir ~/.kube && echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config && chmod go-r ~/.kube/config
+
+ - name: Add helm repositories
+ run: |
+ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
+ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+ helm repo update
+
+ - name: Diff deployment
+ run: |
+ ./deploy.sh diff || true
+ working-directory: .ops/ops-dashboard
+
+ - name: Show values.out.yaml
+ run: cat values.out.yaml
+ working-directory: .ops/ops-dashboard
+
+ - name: Deploy
+ run: |
+ ./deploy.sh deploy
+ working-directory: .ops/ops-dashboard
diff --git a/.ops/ops-dashboard/.env-example b/.ops/ops-dashboard/.env-example
new file mode 100644
index 0000000000..cae744e733
--- /dev/null
+++ b/.ops/ops-dashboard/.env-example
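Review bot: The `Dump secrets to .env`, `Dump variables to .env` and `Setup helm` steps splice `${{ toJSON(secrets) }}`, `${{ toJSON(vars) }}` and `${{ secrets.KUBECONFIG }}` straight into the `run:` script, so a value containing a single quote ends the `echo '…'` literal and whatever follows is executed as shell; hand the expansion to the step through `env:` and read it from a variable instead. The `KEY="value"` lines jq emits are later sourced by deploy.sh, where `$`, backquotes or `"` inside a secret are interpreted rather than stored, so build the assignment with jq's `@sh` filter (`"\($k)=\(.[$k] | @sh)"`) which single-quotes the value safely. `Show .env for debugging` and `Show values.out.yaml` write every OAuth client secret and the cookie secret into the job log and rely on GitHub's best-effort masking; print only the names (`cut -d= -f1 .env | sort`) or drop the steps. `Validate environment` runs after the job-level `environment:` has already resolved and loaded that environment's secrets, so it fails fast but does not restrict which environments can be targeted — that control has to live in the environment protection rules. Rewritten, the first dump step would look like this, with the same `env:`/`printf` pattern applied to the vars and KUBECONFIG steps:
```yaml
      - name: Dump secrets to .env
        env:
          SECRETS_JSON: ${{ toJSON(secrets) }}
        run: |
          printf '%s' "$SECRETS_JSON" | jq -r 'keys[] as $k | select(.[$k] | contains("\n") | not) | "\($k)=\(.[$k] | @sh)"' >> .env
        working-directory: .ops/ops-dashboard
      # … vars and KUBECONFIG steps: same env:/printf pattern …
```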
@@ -0,0 +1,13 @@
+COOKIE_SECRET=
+
+GRAFANA_PROXY_HOST=
+GRAFANA_PROXY_OAUTH_CLIENT_ID=
+GRAFANA_PROXY_OAUTH_CLIENT_SECRET=
+
+KUBERNETES_DASHBOARD_PROXY_HOST=
+KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID=
+KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET=
+
+LOGGING_PROXY_HOST=
+LOGGING_PROXY_OAUTH_CLIENT_ID=
+LOGGING_PROXY_OAUTH_CLIENT_SECRET=
diff --git a/.ops/ops-dashboard/.gitignore b/.ops/ops-dashboard/.gitignore
index 1c8f7e5516..9dfb49eea2 100644
--- a/.ops/ops-dashboard/.gitignore
+++ b/.ops/ops-dashboard/.gitignore
@@ -1,2 +1,3 @@
+/.env
/charts
-/values.access.yaml
+/values.out.yaml
diff --git a/.ops/ops-dashboard/README.md b/.ops/ops-dashboard/README.md
index c836b3f7bb..b23fa68580 100644
--- a/.ops/ops-dashboard/README.md
+++ b/.ops/ops-dashboard/README.md
@@ -22,23 +22,26 @@ helm repo update ## Deployment -First, make sure you don't overwrite the configuration currently applied: +First, check what is currently applied: ```shell helm -n ops-dashboard get values ops-dashboard ``` -Fill in the values for values.access.yaml according to demo.values.access.yaml +Fill in the values for .env according to .env.example ```shell -cp demo.values.access.yaml values.access.yaml +cp .env-example .env ``` -To diff the deployment +you may diff the current deployment with the one you want to do now + +```shell +./deploy.sh diff +```` + +Deploy + ```shell -helm template \ - --namespace ops-dashboard --no-hooks --skip-tests \ - ops-dashboard . \ - --values values.yaml \ - --values values.access.yaml | kubectl diff --namespace ops-dashboard -f - | batcat -l diff - +./deploy.sh deploy ```
diff --git a/.ops/ops-dashboard/demo.values.access.yaml b/.ops/ops-dashboard/demo.values.access.yaml
deleted file mode 100644
index 10ef4e3b6e..0000000000
--- a/.ops/ops-dashboard/demo.values.access.yaml
+++ /dev/null
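Review bot: The template is committed as `.env-example`, but the README change in the same commit tells the reader to fill in `.env` "according to .env.example" while its `cp .env-example .env` line uses the hyphen, so one of the two spellings needs to be corrected. Since the workflow later writes a `KEY="value"` line for every single-line secret and variable of the chosen environment, a one-line header comment in this file saying that these names must match the GitHub environment's secret and variable names (and the `${…}` placeholders in values.yaml) would save the next operator a round trip.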
@@ -1,46 +0,0 @@
-grafana-proxy:
- ingress:
- hosts:
- # dev, stage or prod grafana url
- - dev-grafana.ecamp3.ch
- extraArgs:
- # dev, stage or prod grafana url
- whitelist-domain: dev-grafana.ecamp3.ch
- config:
- # OAuth client ID
- clientID: ""
- # OAuth client secret
- clientSecret: ""
- # Create a new secret with the following command
- # openssl rand -base64 32 | head -c 32 | base64
- cookieSecret: ""
-kubernetes-dashboard-proxy:
- ingress:
- hosts:
- # dev, stage or prod kubernetes-dashboard url
- - dev-kubernetes-dashboard.ecamp3.ch
- extraArgs:
- # dev, stage or prod kubernetes-dashboard url
- whitelist-domain: dev-kubernetes-dashboard.ecamp3.ch
- config:
- # OAuth client ID
- clientID: ""
- # OAuth client secret
- clientSecret: ""
- # use the same cookieSecret as above
- cookieSecret: ""
-logging-proxy:
- config:
- # OAuth client ID
- clientID:
- # OAuth client secret
- clientSecret:
- # use the same cookieSecret as above
- cookieSecret:
- extraArgs:
- # dev, stage or prod kubernetes-dashboard url
- whitelist-domain: dev-logging.ecamp3.ch
- ingress:
- hosts:
- # dev, stage or prod kubernetes-dashboard url
- - dev-logging.ecamp3.ch
diff --git a/.ops/ops-dashboard/deploy.sh b/.ops/ops-dashboard/deploy.sh
index 806b773556..070ee2e90e 100755
--- a/.ops/ops-dashboard/deploy.sh
+++ b/.ops/ops-dashboard/deploy.sh
@@ -1,9 +1,26 @@ -#!/bin/bash +#!/bin/sh -set -e +set -ea SCRIPT_DIR=$(realpath "$(dirname "$0")") cd $SCRIPT_DIR -# to debug: --dry-run --debug -helm dep build && helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace $SCRIPT_DIR --values $SCRIPT_DIR/values.yaml --values $SCRIPT_DIR/values.access.yaml +. $SCRIPT_DIR/.env + +envsubst < $SCRIPT_DIR/values.yaml > $SCRIPT_DIR/values.out.yaml + +helm dep build + +if [ $1 = "deploy" ]; then + # to debug: --dry-run --debug + helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace $SCRIPT_DIR --values $SCRIPT_DIR/values.out.yaml + exit 0 +fi + +if [ $1 = "diff" ]; then + helm template \ + --namespace ops-dashboard --no-hooks --skip-tests ops-dashboard \ + $SCRIPT_DIR \ + --values $SCRIPT_DIR/values.out.yaml | kubectl diff --namespace ops-dashboard -f - + exit 0 +fi diff --git a/.ops/ops-dashboard/values.yaml b/.ops/ops-dashboard/values.yaml index 9b64e924a0..b485c55c07 100644 --- a/.ops/ops-dashboard/values.yaml +++ b/.ops/ops-dashboard/values.yaml 
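Review bot: `if [ $1 = "deploy" ]` leaves `$1` unquoted, so running the script with no argument makes the test itself error out (under `set -e` that happens only after `envsubst` and `helm dep build` have already run), and any unrecognised argument falls off the end of the script with exit status 0 as if it had succeeded; quote the argument and give the dispatch an explicit usage branch. `. $SCRIPT_DIR/.env` executes the file as shell, so with the `KEY="value"` format the workflow writes, a `$`, backquote or `"` inside a secret is interpreted instead of stored — single-quoted assignments (jq's `@sh` on the writing side) avoid that. `envsubst` without a variable list rewrites every `${…}` in values.yaml and silently renders unset names as empty strings, so a guard such as `: "${GRAFANA_PROXY_HOST:?not set in .env}"` for each required name before the substitution turns a broken values.out.yaml into a clear failure. A `case` on `"${1:-}"` is the idiomatic shape for the dispatch:
```sh
. "$SCRIPT_DIR/.env"

# … unchanged: envsubst into values.out.yaml, helm dep build …

case "${1:-}" in
  deploy)
    # to debug: --dry-run --debug
    helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace "$SCRIPT_DIR" --values "$SCRIPT_DIR/values.out.yaml"
    ;;
  diff)
    helm template \
      --namespace ops-dashboard --no-hooks --skip-tests ops-dashboard \
      "$SCRIPT_DIR" \
      --values "$SCRIPT_DIR/values.out.yaml" | kubectl diff --namespace ops-dashboard -f -
    ;;
  *)
    echo "usage: $0 deploy|diff" >&2
    exit 1
    ;;
esac
```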
@@ -2,24 +2,57 @@ grafana-proxy: ingress: enabled: true className: nginx - extraArgs: + hosts: + - ${GRAFANA_PROXY_HOST} + extraArgs: + whitelist-domain: ${GRAFANA_HOST} provider: github github-org: ecamp upstream: http://kube-prometheus-stack-grafana.kube-prometheus-stack.svc.cluster.local:80 -kubernetes-dashboard-proxy: + config: + # OAuth client ID + clientID: ${GRAFANA_PROXY_OAUTH_CLIENT_ID} + # OAuth client secret + clientSecret: ${GRAFANA_PROXY_OAUTH_CLIENT_SECRET} + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + cookieSecret: ${COOKIE_SECRET} +kubernetes-dashboard-proxy: ingress: enabled: true className: nginx + hosts: + - ${KUBERNETES_DASHBOARD_PROXY_HOST} extraArgs: + whitelist-domain: ${KUBERNETES_DASHBOARD_PROXY_HOST} provider: github github-org: ecamp upstream: https://ops-dashboard-kong-proxy.ops-dashboard.svc.cluster.local ssl-upstream-insecure-skip-verify: true + config: + # OAuth client ID + clientID: ${KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID} + # OAuth client secret + clientSecret: ${KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET} + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + cookieSecret: ${COOKIE_SECRET} logging-proxy: ingress: enabled: true className: nginx + hosts: + - ${LOGGING_PROXY_HOST} extraArgs: + whitelist-domain: ${LOGGING_PROXY_HOST} provider: github github-org: ecamp upstream: http://kibana.ecamp3-logging.svc.cluster.local:5601 + config: + # OAuth client ID + clientID: ${LOGGING_PROXY_OAUTH_CLIENT_ID} + # OAuth client secret + clientSecret: ${LOGGING_PROXY_OAUTH_CLIENT_SECRET} + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + cookieSecret: ${COOKIE_SECRET}
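Review bot: `whitelist-domain: ${GRAFANA_HOST}` under `grafana-proxy.extraArgs` references a variable that `.env-example` does not define and that the other two proxies do not use — both of them reuse their `*_PROXY_HOST` for `hosts` and `whitelist-domain` — and because deploy.sh runs `envsubst` without a variable list, an unset name is rendered as an empty `whitelist-domain:`; it should read `whitelist-domain: ${GRAFANA_PROXY_HOST}`. The substituted `clientID`, `clientSecret` and `cookieSecret` placeholders are plain scalars, so a value that starts with a YAML indicator, contains ` #` or `: `, or is all digits is re-typed or mis-parsed after substitution; quoting them (`clientSecret: "${GRAFANA_PROXY_OAUTH_CLIENT_SECRET}"`) keeps them strings, at the cost of having to avoid `"` and `\` in the secret. The comment `# Create a new secret with the following command` is repeated above all three `cookieSecret:` entries although they all expand `${COOKIE_SECRET}`; keep it once and say on the other two that the value is shared, as the deleted demo file did.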