Open ben851 opened 4 months ago
I've got the GitHub ARC runner working inside the cluster, but it needs some additional config in order to work with our existing workflows. Working on that today.
Implemented private EKS with ARC runners working on custom runner image, verified workflow works. Wrote the beginning of the private EKS ADR.
Completed ADR. Need to follow up with next steps.
Jimmy will review the ADR once more, and I will proceed with the Terraform and Manifest PRs
Running into issues with the docker build step in notification-api which uses kubectl. Working on solutions.
Working on centralizing the kubernetes rollouts to manifest, and have other workflows call that workflow remotely. I have this working with CURL, and am trying to integrate it into the api workflow.
Integrated into the API workflow. I've created 5 PRs to move the remaining components. Note that the manifests one must be merged first, or the other PRs will break functionality.
https://github.com/cds-snc/notification-manifests/pull/2443
https://github.com/cds-snc/notification-api/pull/2138
https://github.com/cds-snc/notification-admin/pull/1775
https://github.com/cds-snc/notification-document-download-api/pull/161
https://github.com/cds-snc/notification-documentation/pull/145
PR for TF on ARC https://github.com/cds-snc/notification-terraform/pull/1187
Many PRs to review and approve for Ben to move on.
A ton of work done over the last two days. GitHub ARC is in staging, and is working on several workflows.
The merge to main staging (and production) manifest kustomize code is too old for the latest version of kubectl. I will have to update it before proceeding.
Many trials and errors yesterday. Got a few issues with kubectl and need to update the kustomize code today to re-organize and get past troubled waters and trying times.
Kustomize refactored for dev and staging and now running on internal GHA properly!
Next step is to do the app workflow updates, which will occur tomorrow.
Ben: "It's all working!" Staging environment is good with the manifests changes. A few more repositories to migrate for today and more PRs coming in.
Some access token issues that were fixed last week. Work almost ready to switch!
Converted ARC to use GitHub App (Notify PR Bot) instead of PAT. Updated the ADR to reflect this. Private EKS is ready to go out today after notify dev review
In staging, ready for testing. Will let it sit in staging for a week before pushing changes to prod.
Had an issue deploying k8s to staging. Fixed now but needs improvement.
This is deployed to staging so we're letting it sit for a week to stew. (we're getting a stew going)
The 3 PRs above need to be merged 👆
The PRs were merged and now we're looking to review the work and make sure it's all good
Waiting til Tuesday to get the prod PRs going.
We have to change some production code.
This is done in staging and dev. We need to change a release pipeline in production. Waiting for today's release. Won't be enabled in production, we just want to verify first if the github controllers work in production.
Started work on prod: New version of github arc runner image to include jq https://github.com/cds-snc/notification-terraform/pull/1237
Updated production kustomize to build against latest kubectl https://github.com/cds-snc/notification-manifests/pull/2515
Still waiting for a review on 2515
2515 Merged, to be released tomorrow
Released, just a bit more work debugging the prod release workflow.
Made changes to production workflows yesterday. Will be tested during release process today. If they work, I can switch prod to private eks.
Workflow worked on GitHub ARC, created PR to move to private EKS.
Ready for review! https://github.com/cds-snc/notification-terraform/pull/1259
Merged, ready for release then QA in prod.
Released in prod, ready for QA.
Pond is QA'ing.
Verified. Connectivity to production K8s only works when the VPN is turned on.
Description
As a developer of GC Notify, I would like our administrative endpoints to be as secure as possible so that we can stay out of the news.
It is best practice that the EKS admin API not be exposed publicly. With the introduction of our VPN, we can now move this behind the VPN.
WHY are we building?
WHAT are we building?
VALUE created by our solution
Increased security and reliability
Policy conformance
Acceptance Criteria
Given some context, when (X) action occurs, then (Y) outcome is achieved.
QA Steps
kubectl commands in production