Merge pull request #2060 from gooddata/INFRA-4009

refactor: create new lcm pipeline

Author: metju-ac

.github/actions/container-build-push/action.yaml

@@ -0,0 +1,140 @@
+# yamllint disable rule:line-length
+---
+name: "ecr-container-build-push"
+description: "Build a container image and upload it to ECR"
+inputs:
+  aws-creds-vault-path:
+    default: secret/data/v2/data-special/infra1-user-ecr-rw
+    description: "Vault path to AWS credentials used for helm push"
+  aws-creds-vault-role:
+    default: ecr-push
+    description: "Vault auth role for reading AWS credentials"
+  aws-region:
+    default: "us-east-1"
+    description: "AWS region to use for ECR"
+  ecr-repos:
+    description: "Repository (as defined in gooddata/terraform-ecr/repositories)"
+    required: true
+  ecr-url:
+    description: "ECR registry default URL (without prefix/suffix)"
+    required: true
+  vault-url:
+    description: "Vault API URL (default okay in almost all cases)"
+    required: true
+  build-args:
+    description: "Arguments for container build file (ARG in Dockerfile)."
+    required: false
+    default: ""
+  build-context:
+    description: "Context (working directory) where the build should be executed"
+    default: "."
+  build-tags:
+    description: "Tags (newline delimited)"
+    required: true
+  container-file:
+    description: "File (with a path) to use for build"
+    default: "Dockerfile"
+  push-image:
+    description: "Whether to really push to registry"
+    default: "true"
+  debug:
+    description: "Turn on debug messages"
+    default: "false"
+  platforms:
+    description: "List of target platforms for build"
+    default: "linux/amd64"
+  labels:
+    description: "List of labels for image"
+    default: ""
+  secrets:
+    description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
+    default: ""
+  secret-envs:
+    description: "List of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)"
+    default: ""
+  provenance:
+    description: "Generate provenance attestation for the build"
+    default: "true"
+outputs:
+  digest:
+    description: "Image digest"
+    value: ${{ steps.build_push.outputs.digest }}
+  imageid:
+    description: "Image ID"
+    value: ${{ steps.build_push.outputs.imageid }}
+  metadata:
+    description: "Image metadata"
+    value: ${{ steps.build_push.outputs.metadata }}
+runs:
+  using: "composite"
+  steps:
+    - name: Check container file
+      env:
+        CONTAINERFILE: ${{ inputs.container-file }}
+      shell: bash
+      run: |
+        test -f $CONTAINERFILE
+    - name: Get required Vault secrets
+      id: secrets
+      uses: hashicorp/vault-action@v3
+      with:
+        url: ${{ inputs.vault-url }}
+        method: jwt
+        path: jwt/github
+        role: ${{ inputs.aws-creds-vault-role }}
+        secrets: |
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_access_key | AWS_ACCESS_KEY ;
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_secret_key | AWS_SECRET_KEY ;
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Expand tags with ECR url and ECR repo
+      id: expand_tags
+      env:
+        ECR_URL: ${{ inputs.ecr-url }}
+        ECR_REPOS: ${{ inputs.ecr-repos }}
+        BUILD_TAGS: ${{ inputs.build-tags }}
+      shell: bash
+      run: |
+        eval REPO=$ECR_REPOS
+        {
+          echo "EXPANDED_TAGS<<EOF"
+          for BTAG in $BUILD_TAGS; do
+            echo $ECR_URL/$REPO:$BTAG
+          done
+          echo EOF
+        } >> "$GITHUB_ENV"
+        echo "REPO=$REPO" >> "$GITHUB_ENV"
+
+    - name: Build and push Docker images (legacy)
+      shell: bash
+      env:
+        CONTAINERFILE: ${{ inputs.container-file }}
+        BUILD_CONTEXT: ${{ inputs.build-context }}
+        BUILD_ARGS: ${{ inputs.build-args }}
+        ECR_URL: ${{ inputs.ecr-url }}
+        AWS_REGION: ${{ inputs.aws-region }}
+      run: |
+        # Login to ECR
+        aws ecr get-login-password --region $AWS_REGION | \
+          docker login --username AWS --password-stdin $ECR_URL
+
+        # Parse build args
+        DOCKER_BUILD_ARGS=""
+        if [ -n "$BUILD_ARGS" ]; then
+          while IFS= read -r arg; do
+            [ -n "$arg" ] && DOCKER_BUILD_ARGS="$DOCKER_BUILD_ARGS --build-arg $arg"
+          done <<< "$BUILD_ARGS"
+        fi
+
+        # Build and push each tag
+        for TAG in $EXPANDED_TAGS; do
+          docker build -f $CONTAINERFILE \
+            $DOCKER_BUILD_ARGS \
+            -t $TAG \
+            $BUILD_CONTEXT
+          docker push $TAG
+        done

.github/actions/helm-push/action.yaml

@@ -0,0 +1,106 @@
+---
+# yamllint disable rule:line-length
+name: "ecr-helm-push"
+description: "Package a Helm chart and upload to ECR"
+inputs:
+  aws-creds-vault-path:
+    default: secret/data/v2/data-special/infra1-user-ecr-rw
+    description: "Vault path to AWS credentials used for helm push"
+    type: string
+  aws-creds-vault-role:
+    description: "Vault auth role for reading AWS credentials"
+    type: string
+    required: true
+  aws-region:
+    default: "us-east-1"
+    description: "AWS region to use for ECR"
+    type: string
+  ecr-repo-prefix:
+    description: "Repository prefix (without Chart name)"
+    type: string
+    required: true
+  ecr-url:
+    description: "ECR registry default URL (without prefix/suffix)"
+    type: string
+    required: true
+  path:
+    description: "Path to directory containing Chart.yaml"
+    required: true
+    type: string
+  package-destination:
+    default: "."
+    description: "Where to put helm-built package"
+    type: string
+  package-app-version:
+    default: ""
+    description: "Application version"
+    type: string
+  package-version:
+    default: ""
+    description: "Helm chart version - used by `helm package`"
+    type: string
+  vault-url:
+    description: "Vault API URL (default okay in almost all cases)"
+    required: true
+  checkout-code:
+    default: "true"
+    description: "Checkout fresh code from repository"
+    type: string
+  dependency-update:
+    default: "true"
+    description: "Run helm dependency update before packaging"
+    type: string
+  dry-run:
+    default: "false"
+    type: string
+    description: "Dry-run (do not upload to ECR)"
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout code
+      if: ${{ inputs.checkout-code == 'true' }}
+      uses: actions/checkout@v5
+    - name: Install helm binary
+      uses: azure/setup-helm@v4
+      with:
+        version: 'v3.12.1'
+    - name: Get required Vault secrets
+      if: ${{ inputs.dry-run == 'false' }}
+      id: secrets
+      uses: hashicorp/vault-action@v3
+      with:
+        url: ${{ inputs.vault-url }}
+        method: jwt
+        path: jwt/github
+        role: ${{ inputs.aws-creds-vault-role }}
+        secrets: |
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_access_key | AWS_ACCESS_KEY ;
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_secret_key | AWS_SECRET_KEY ;
+    - name: Configure AWS credentials
+      if: ${{ inputs.dry-run == 'false' }}
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Login to Amazon ECR
+      if: ${{ inputs.dry-run == 'false' }}
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+    - name: Package chart
+      id: package-chart
+      env:
+        DESTINATION: ${{ inputs.package-destination }}
+        APP_VERSION: ${{ inputs.package-app-version }}
+        VERSION: ${{ inputs.package-version }}
+      run: |
+        # helm package doesn't allow custom target name, so we have to parse it this way
+        pkgfile=$(helm package ${DESTINATION:+--destination $DESTINATION} ${APP_VERSION:+--app-version $APP_VERSION} ${VERSION:+--version $VERSION} ${{ inputs.dependency-update == 'true' && '--dependency-update' || '' }} ${{ inputs.path }} | tee | awk '{print $NF}')
+        echo "pkgfile=$pkgfile" >> $GITHUB_OUTPUT
+      shell: bash
+    - name: Push chart to ECR
+      if: ${{ inputs.dry-run == 'false' }}
+      run: |
+        helm push ${{ steps.package-chart.outputs.pkgfile }} oci://${{ inputs.ecr-url }}/${{ inputs.ecr-repo-prefix }}
+        echo "Pushed ${{ steps.package-chart.outputs.pkgfile }} to oci://${{ inputs.ecr-url }}/${{ inputs.ecr-repo-prefix }}" >> $GITHUB_STEP_SUMMARY
+      shell: bash

.github/actions/rundeck/action.yaml

@@ -0,0 +1,56 @@
+name: "Trigger Rundeck job"
+description: "Trigger Rundeck job through Rundeck API with given parameters"
+inputs:
+  server:
+    description: "Which server should the job be run on (rundeck server hostname)"
+    required: true
+  project:
+    description: "Rundeck project name containing the job to run"
+    required: true
+  job-group:
+    description: "Job group name"
+    required: true
+  job-name:
+    description: "Job name"
+    required: true
+  vault-url:
+    description: "Vault URL for certificate retrieval"
+    required: true
+outputs:
+  job-execution-status:
+    description: "Job execution status"
+    value: ${{ steps.python.outputs.execution_status }}
+  job-execution-url:
+    description: "Job execution URL"
+    value: ${{ steps.python.outputs.url }}
+  plan-summary:
+    description: "Overall plan summary extracted from job output"
+    value: ${{ steps.python.outputs.plan_summary }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get certificate from Vault
+      id: cert-from-vault
+      uses: gooddata/github-actions-public/vault/cert@master
+      with:
+        vault-url: ${{ inputs.vault-url }}
+        cn: gh.action
+        role: github-common-action
+        vault-auth-role: common-action
+    - name: Join certificates
+      id: join-certs
+      run: |
+        echo "${{ steps.cert-from-vault.outputs.certificate }}" > cert.pem
+        echo "${{ steps.cert-from-vault.outputs.ca_chain }}" >> cert.pem
+        echo "${{ steps.cert-from-vault.outputs.private_key }}" >> cert.pem
+      shell: bash
+    - name: Run python script
+      id: python
+      run: |
+        python "${{ github.action_path }}/rundeck_job_trigger.py" \
+          --cert-path cert.pem \
+          --server "${{ inputs.server }}" \
+          --project "${{ inputs.project }}" \
+          --job-group "${{ inputs.job-group }}" \
+          --job-name "${{ inputs.job-name }}"
+      shell: bash