diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 1ea2367..3ca0dcd 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,5 +1,5 @@
 ---
-name: 'Deploy'
+name: "Deploy"
 on:
 push:
@@ -7,120 +7,124 @@ on: - main pull_request: paths: - - 'deployment/**' + - "deployment/**" -permissions: +permissions: pull-requests: write jobs: terraform: - name: 'Terraform' + name: "Terraform" runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup python - uses: actions/setup-python@v5 - with: - python-version: 3.x - - name: Install environment - run: | - curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq - chmod +x jq - pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git - curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \ - | tar -xzf - - mkdir ~/.mytoken - curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \ - | sed 's/default_provider:/default_provider: "egi"/g' \ - > ~/.mytoken/config.yaml - - name: Configure providers access - env: - MYTOKEN: ${{ secrets.MYTOKEN }} - run: | - PATH="$PWD:$PATH" - cd deployment - ./site-config.sh - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.2.9 - - name: Terraform Format - id: fmt - run: | - cd deployment - terraform fmt -check - - name: Terraform init - id: init - run: | - cd deployment - terraform init - - name: terraform plan - id: plan - if: github.event_name == 'pull_request' - run: | - cd deployment - terraform plan -no-color -var-file=deploy.tfvars - continue-on-error: true - - name: Update Pull Request - uses: actions/github-script@v7 - if: github.event_name == 'pull_request' - env: - PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` - #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` -
Show Plan + - name: Checkout + uses: actions/checkout@v4 + - name: Setup python + uses: actions/setup-python@v5 + with: + python-version: 3.x + - name: Install environment + run: | + curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq + chmod +x jq + pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git + curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \ + | tar -xzf - + mkdir ~/.mytoken + curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \ + | sed 's/default_provider:/default_provider: "egi"/g' \ + > ~/.mytoken/config.yaml + # add PWD to the PATH + echo "$PWD" >> "$GITHUB_PATH" + - name: Configure providers access + env: + MYTOKEN: ${{ secrets.MYTOKEN }} + run: | + cd deployment + ./site-config.sh + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.2.9 + - name: Terraform Format + id: fmt + run: | + cd deployment + terraform fmt -check + - name: Terraform init + id: init + run: | + cd deployment + terraform init + - name: terraform plan + id: plan + if: github.event_name == 'pull_request' + run: | + cd deployment + terraform plan -no-color -var-file=deploy.tfvars + continue-on-error: true + - name: Update Pull Request + uses: actions/github-script@v7 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` +
Show Plan - \`\`\` - ${process.env.PLAN} - \`\`\` + \`\`\` + ${process.env.PLAN} + \`\`\` -
+
- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - - name: Terraform Plan Status - if: steps.plan.outcome == 'failure' - run: exit 1 - - name: Terraform Apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: | - cd deployment - terraform apply -auto-approve -var-file=deploy.tfvars - - name: Get IP - id: public_ip - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: | - cd deployment - terraform output -raw public_ip - - name: Update IP in DNS - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - env: - NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }} - run: | - curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \ - "https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}" - - name: Configure with ansible - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - uses: dawidd6/action-ansible-playbook@v2 - with: - playbook: playbook.yaml - directory: ./deployment - key: ${{ secrets.SSH_KEY }} - inventory: | - [all] - ${{ steps.public_ip.outputs.stdout }} - requirements: galaxy-requirements.yaml - options: | - --extra-vars git_ref=${{ github.sha }} - --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" - -u egi + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + - name: Terraform Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: | + cd deployment + terraform apply -auto-approve -var-file=deploy.tfvars + - name: Get IP + id: public_ip + if: github.ref == 'refs/heads/main' && 
github.event_name == 'push' + run: | + cd deployment + terraform output -raw public_ip + - name: Update IP in DNS + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + env: + NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }} + run: | + curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \ + "https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}" + - name: Configure with ansible + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + uses: dawidd6/action-ansible-playbook@v2 + env: + MYTOKEN: ${{ secrets.MYTOKEN }} + with: + playbook: playbook.yaml + directory: ./deployment + key: ${{ secrets.SSH_KEY }} + inventory: | + [all] + ${{ steps.public_ip.outputs.stdout }} + requirements: galaxy-requirements.yaml + options: | + --extra-vars ACCESS_TOKEN=$(mytoken AT --MT-env MYTOKEN) + --extra-vars git_ref=${{ github.sha }} + --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" + -u egi diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 520dd4e..67eebb9 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
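Review bot: The new `--extra-vars ACCESS_TOKEN=$(mytoken AT --MT-env MYTOKEN)` line puts a live OIDC access token on the ansible-playbook command line, where it is visible in the runner's process list and in any command echo the action produces, and GitHub's log masking will not catch it because the derived token is not a registered secret (this also presumes the action shell-expands `options`, which is worth confirming; if it does not, the literal `$(...)` string is what gets passed). I would mint the token in its own `run` step, mask it with `::add-mask::`, export it through `$GITHUB_ENV`, drop the `env: MYTOKEN` from the ansible step, and have the playbook read it with `lookup('env', 'ACCESS_TOKEN')` so the command line stays clean. Separately, `echo "$PWD" >> "$GITHUB_PATH"` in the install step puts the checked-out repository root ahead of the system PATH for every later step, so a file named `terraform` or `ansible-playbook` committed to the repo root would shadow the real binary on the apply path; installing the downloaded `jq`/`mytoken` binaries into a dedicated directory such as `$RUNNER_TEMP/bin` and adding that instead avoids it.
```yaml
      - name: Get access token
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        env:
          MYTOKEN: ${{ secrets.MYTOKEN }}
        run: |
          AT="$(mytoken AT --MT-env MYTOKEN)"
          echo "::add-mask::$AT"
          echo "ACCESS_TOKEN=$AT" >> "$GITHUB_ENV"
      - name: Configure with ansible
        with:
          # … unchanged: playbook, directory, key, inventory, requirements …
          options: |
            --extra-vars git_ref=${{ github.sha }}
            --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
            -u egi
```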
@@ -10,19 +10,16 @@ contribute are also welcome. ## Feedback and Questions -If you wish to discuss anything related to the project, please open an issue or -start a topic on the [EGI Community Forum](https://community.egi.eu). The -maintainers will sometimes move issues off of GitHub to the community forum if -it is thought that longer, more open-ended discussion would be beneficial, -including a wider community scope. +If you wish to discuss anything related to the project, please open a +[GitHub issue](https://github.com/EGI-Federation/fedcloud-dashboard/issues/new). ## Contribution Process -Before proposing a contribution via pull request, ideally there is an open issue -describing the need for your contribution (refer to this issue number when you -submit the pull request). We have a 3 steps process for contributions. +Before proposing a contribution via pull request (PR), ideally there is an open +issue describing the need for your contribution (refer to this issue number when +you submit the pull request). We have a 3 steps process for contributions. -1. Fork the project if you have not, and commit changes to a git branch +1. Fork the project if you have not, and commit changes to a Git branch 1. Create a GitHub Pull Request for your change, following the instructions in the pull request template. 1. Perform a [Code Review](#code-review-process) with the maintainers on the 
@@ -38,11 +35,11 @@ submit the pull request). We have a 3 steps process for contributions. ### Code Review Process Code review takes place in GitHub pull requests. See -[this article](https://help.github.com/articles/about-pull-requests/) if you're -not familiar with GitHub Pull Requests. +[this article](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) +if you're not familiar with GitHub Pull Requests. Once you open a pull request, maintainers will review your code using the -built-in code review process in Github PRs. The process at this point is as +built-in code review process in GitHub PRs. The process at this point is as follows: 1. A maintainer will review your code and merge it if no changes are necessary. @@ -50,7 +47,7 @@ follows: 1. If a maintainer has feedback or questions on your changes then they will set `request changes` in the review and provide an explanation. -## Using git +## Using Git For collaboration purposes, it is best if you create a GitHub account and fork the repository to your own account. Once you do this you will be able to push @@ -59,7 +56,7 @@ easier to send pull requests. ### Branches and Commits -You should submit your patch as a git branch named after the Github issue, such +You should submit your patch as a Git branch named after the GitHub issue, such as `#3`\. This is called a _topic branch_ and allows users to associate a branch of code with the issue. @@ -90,7 +87,6 @@ EGI benefits from a strong community of developers and system administrators, and vice-versa. If you have any questions or if you would like to get involved in the wider EGI community you can check out: -- [EGI Community Forum](https://community.egi.eu/) -- [EGI website](https://www.egi.eu) +- [EGI site](https://www.egi.eu) **This file has been modified from the Chef Cookbook Contributing Guide**. 
diff --git a/deployment/cloud-init.yaml b/deployment/cloud-init.yaml
index 7c28d38..830dcc0 100644
--- a/deployment/cloud-init.yaml
+++ b/deployment/cloud-init.yaml
@@ -2,19 +2,32 @@ --- # avoid auto-upgrade kicking off in the first boot bootcmd: -- [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp] + - [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp] users: -- name: egi - gecos: EGI - primary_group: egi - groups: users - shell: /bin/bash - sudo: ALL=(ALL) NOPASSWD:ALL - ssh_import_id: - - gh:enolfc - - gh:gwarf - - gh:CatalinCondurache - - gh:sebastian-luna-valero - ssh_authorized_keys: - - ssh-rsa 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 enol@Enols-MacBook-Pro.local + - name: egi + gecos: EGI + primary_group: egi + groups: users + shell: /bin/bash + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_import_id: + - gh:enolfc + - gh:gwarf + - gh:CatalinCondurache + - gh:sebastian-luna-valero + ssh_authorized_keys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD3rdgKJj5WWIE5sD+Mup8HxgMQGY7cYwjwGGa4TJAkZMrhDon5MTgFko51xNZuU7pRhOdTQwJqu8Bkb+y2nAtFS3vHij4x4GgHU9TuLwhgiWjB3qhAj959vXg2FItHO8JsjM3a5R/VxX/hSXlEy+7iyHpH1zCi/LwhcFLEd7yTv0bV99yNMoLPQYhGjYQ5DqrWBKyu8ddFxfRzxaiHgFTvBPwa52Gwft7S7N90tV7fHCI8p+9nD57q6aWwTRtxbClJyf2vohSlIB0WqqPKTBy+he7QkV8VRq9zJyUMaelTTUy+nBolF4oyAHJViY9GAvfdEsHKW0FaV0SS4ICKjilQOAyK3uG+Hl26CCLvtWUmbx/XGAwfoCIipMqXwbjLwA2J+dXCaKS4uBz0f4eXKsXXoFmh4awEIOxpdVXUFYV231JxcgMGGhSQvaqla5QWZ93RNNS0v7SEhHKAkG6B8mOS8yyAu1mBCS0Y03p6xT/7lI5QI4cTIVD3HZU6dB2s/Fc= enol@Enols-MacBook-Pro.local + +write_files: + - content: | + # Created by cloud-init according to: + # https://github.com/EGI-Federation/fedcloud-dashboard/blob/main/deployment/cloud-init.yaml + # + # 1. Access is restricted to members of the vo.cloud.egi.eu VO with the auditor role + # urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu + # + # 2. Once logged in, they have unrestricted sudo power: + %egi-eu_cloud-egi-eu ALL=(ALL) NOPASSWD:ALL + path: /etc/sudoers.d/motley + permissions: "0644" diff --git a/deployment/galaxy-requirements.yaml b/deployment/galaxy-requirements.yaml index 6fac1f7..6f5b010 100644 
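Review bot: The new `/etc/sudoers.d/motley` drop-in is written with `permissions: "0644"`, but sudo expects sudoers.d files to be root-owned mode 0440; `visudo -c` flags other modes and, depending on the sudo version, a 0644 drop-in can be rejected with a "should be mode 0440" error, which would silently break the access this file is meant to grant — use `permissions: "0440"` and make the owner explicit with `owner: root:root`. The embedded comment says access is restricted to holders of the auditor role, yet the rule itself is keyed on `%egi-eu_cloud-egi-eu`, a group name that appears to be derived from the VO alone; whether only auditor-role members end up in that group depends on motley_cue's authorisation configuration in the playbook, not on anything in this file, so I would reword comment 1 to `# 1. Who is placed in this group is decided by motley_cue's authorisation config (deployment/playbook.yaml: VO cloud.egi.eu, role auditor); sudo does not re-check the role`. Combined with the existing `egi` user's `NOPASSWD:ALL`, every OIDC-mapped login becomes root-equivalent, which is worth stating in the PR description.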
--- a/deployment/galaxy-requirements.yaml
+++ b/deployment/galaxy-requirements.yaml
@@ -1,2 +1,4 @@
 # docker installation
 - src: grycap.docker
+# ssh-oidc access
+- src: grycap.motley_cue
diff --git a/deployment/playbook.yaml b/deployment/playbook.yaml
index d9d2b61..a5db8ca 100644
--- a/deployment/playbook.yaml
+++ b/deployment/playbook.yaml
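Review bot: `- src: grycap.motley_cue` is added without a `version:`, so every deploy installs whatever the role's default branch holds at that moment, and since this role decides who can SSH into the host (and, through the cloud-init sudoers drop-in, who becomes root) an upstream change or compromise would land directly on the production VM. Pin it to a release tag, `- src: grycap.motley_cue` followed by `  version: "<release tag>"`, and consider doing the same for the existing `grycap.docker` entry. The `# ssh-oidc access` comment could also name the VO/role the playbook restricts logins to, so a reader of this file sees the blast radius.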
@@ -2,56 +2,58 @@ - hosts: all gather_facts: no tasks: - - name: Wait for ssh - # give it some time as the VM may take a while to start - wait_for_connection: - delay: 30 - timeout: 600 + - name: Wait for ssh + # give it some time as the VM may take a while to start + wait_for_connection: + delay: 30 + timeout: 600 - hosts: all become: yes gather_facts: yes roles: - - role: 'grycap.docker' - docker_config_values: { "mtu": 1400 } - + - role: "grycap.docker" + docker_config_values: { "mtu": 1400 } + - role: "grycap.motley_cue" + ssh_oidc_other_vos_name: cloud.egi.eu + ssh_oidc_other_vos_role: auditor - hosts: all become: yes gather_facts: yes tasks: - - name: Checkout repo at VM - ansible.builtin.git: - repo: 'https://github.com/EGI-Federation/fedcloud-dashboard.git' - version: "{{ git_ref }}" - dest: /fedcloud-dashboard + - name: Checkout repo at VM + ansible.builtin.git: + repo: "https://github.com/EGI-Federation/fedcloud-dashboard.git" + version: "{{ git_ref }}" + dest: /fedcloud-dashboard - - name: service file - ansible.builtin.copy: - content: | - # - # This manages the cloudkeeper OS backend - # - [Unit] - Description=Dashboard - After=docker.service - Requires=docker.service + - name: service file + ansible.builtin.copy: + content: | + # + # This manages the cloudkeeper OS backend + # + [Unit] + Description=Dashboard + After=docker.service + Requires=docker.service - [Service] - Type=oneshot - RemainAfterExit=true - WorkingDirectory=/fedcloud-dashboard - ExecStartPre=/usr/bin/docker pull python:3.10 - ExecStart=/usr/bin/docker-compose up -d --force-recreate --build --remove-orphans - ExecStop=/usr/bin/docker-compose down + [Service] + Type=oneshot + RemainAfterExit=true + WorkingDirectory=/fedcloud-dashboard + ExecStartPre=/usr/bin/docker pull python:3.10 + ExecStart=/usr/bin/docker-compose up -d --force-recreate --build --remove-orphans + ExecStop=/usr/bin/docker-compose down - [Install] - WantedBy=multi-user.target - dest: 
/etc/systemd/system/dashboard.service + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/dashboard.service - - name: Run, baby run - ansible.builtin.systemd: - name: dashboard.service - enabled: yes - state: restarted - daemon_reload: yes + - name: Run, baby run + ansible.builtin.systemd: + name: dashboard.service + enabled: yes + state: restarted + daemon_reload: yes
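Review bot: The new `grycap.motley_cue` role entry with `ssh_oidc_other_vos_name: cloud.egi.eu` and `ssh_oidc_other_vos_role: auditor` is the only place that states who may log in over ssh-oidc, and together with the `%egi-eu_cloud-egi-eu` sudoers drop-in from cloud-init those two values effectively decide who gets passwordless root; a comment above the role would stop a future edit from widening them casually, e.g. `# Gate for ssh-oidc logins; accounts created for this VO/role also get NOPASSWD sudo via /etc/sudoers.d/motley (cloud-init.yaml)`. Separately, the workflow now passes `ACCESS_TOKEN` as an extra-var, but nothing in this playbook references it; if the motley_cue role or a later task consumes it, say so here, otherwise it is a token being shipped to the host for no reason.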