diff --git a/oot-deploy/README.md b/oot-deploy/README.md
deleted file mode 100644
index 85502605..00000000
--- a/oot-deploy/README.md
+++ /dev/null
@@ -1,79 +0,0 @@ -# OOT Deploy Orb [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/ovotech/oot-deploy)](https://circleci.com/orbs/registry/orb/ovotech/oot-deploy) - -Provides commands for packaging and deploying OOT images via our gitops repo. We use it with [ArgoCD](https://argoproj.github.io/argo-cd/) although -there is no hard dependency on that application. - -The gitops repo is expected to have the structure: - -``` - - - templates - - argo-applications - - manifest.yaml - - - - manifest.yaml - - - - manifest.yaml - ... - - - - manifest.yaml -``` - -- Each `manifest.yaml` template in the `./templates/` directories represents all the kubernetes resources deployed - to the cluster for "serviceX". So, typically it will just be a single kubernetes "deployment" but could potentially have multiple resources. - The template will be interpolated by the orb as described in the next section. -- The `./templates/argo-applications/manifest.yaml` is the template that will be used to define "applications" within Argo itself. See - the Argo documentation on [declaritive setup](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup) for more information. Specifically, - the template must be of the form described in the [application.yaml](https://argoproj.github.io/argo-cd/operator-manual/application.yaml). The - template will be interpolated by the orb as described in the next section. - -> IMPORTANT: This does imply that a "argo-applications" application is setup by hand in the Argo console to listen to the -> content of the `.//argo-applications` folder. By syncing that application from within Argo, Argo will add -> the new applications defined in the manifests in the folder. - -## What does the orb do? - -1. Clone the specified gitops repo. Then from within that cloned folder: -2. 
Copies the service manifest template `./templates//manifest.yaml` to the service manifest `.///manifest.yaml`
- - The `.//` folder will be created if it does not already exist.
-3. Interpolates placeholders within the service manifest as:
- - `{{AWS_ACCOUNT_ID}}` will be swapped for the value of the `account` parameter.
- - `{{ENVIRONMENT}}` will be swapped for the value of `environment` parameter.
- - `{{IMAGE_TAG}}` will be swapped for the core CircleCI environment variable `${CIRCLE_SHA1}`
- - The sed expression (if any) given by the `extra-interpolation` parameter like so: `sed -i manifest.yaml`
-4. Copies the argo application manifest template `./templates/argo-applications/manifest.yaml` to the argo application manifest `.//argo-applications/.yaml`
-5. Interpolates placeholders within the argo application manifest as:
- - `{{ENVIRONMENT}}` will be swapped for the value of `environment` parameter.
- - `{{SERVICE}}` will be swapped for the value of `service` parameter.
-6. Pushes the changes to the gitops repo as the github user ``.
-
-From there, as long as the prerequisites below are configured properly, Argo should take over and pull the changes from `.///manifest.yaml`
-and deploy them to your kubernetes cluster.
-
-## Prerequisites
-
-- The source project is configured in Argo such that Argo watches the `.//` folder for updates to deploy.
-- A deploy key with push rights to the gitops repo has been assigned under "Additional SSH keys" in this source project.
- - The host name should be "github.com".
- - The fingerprint of this deploy key is the one used as the value of the `gitops-ssh-key-fingerprint` parameter.
-
-## Example
-
-```yaml
-orbs:
- oot-deploy: ovotech/oot-deploy@2.2.0
-
-jobs:
- update-gitops-nonprod:
- executor: oot-deploy/aws
- steps:
- - oot-deploy/update-gitops:
- service: my-service
- environment: nonprod
- account: "1234567890"
- extra-interpolation: "s/{{MY_PLACEHOLDER}}/value1/g;s/{{MY_OTHER_PLACEHOLDER}}/value2/g"
- gitops-repo: git@github.com:ovotech/my-gitops.git
- gitops-ssh-key-fingerprint: "xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
- gitops-username: my-bot
- gitops-email: my-bot@myco.co.uk
-```
diff --git a/oot-deploy/orb.yml b/oot-deploy/orb.yml
deleted file mode 100644
index 076e05d6..00000000
--- a/oot-deploy/orb.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-version: 2.1
-description: "Update OOT deployments with gitops."
-
-orbs:
- shipit: ovotech/shipit@1
-
-commands:
- update-gitops:
- description: "Updates the appropriate manifest in the given gitops repo with a new image tag."
- parameters:
- service:
- description: "The name of the service that will be updated. This should match with the path in the gitops repo."
- type: string
- image-tag:
- description: "The tag of the image to update the manifest with."
- type: string
- default: ${CIRCLE_SHA1}
- account:
- description: "The numeric identifier for the AWS account which will be interpolated into the manifest."
- type: string
- default: ${AWS_ACCOUNT}
- environment:
- description: "Environment string used for substitution in the manifest and matching the appropriate path in the gitops repo."
- type: string
- default: ${ENVIRONMENT}
- extra-interpolation:
- description: "Extra interpolations to do in the manifest expressed as a semi-colon-delimited sed expression. E.g. s/{{MY_PLACEHOLDER}}/12345678/g;s/{{ANOTHER}}/test/g"
- type: string
- default: ""
- gitops-repo:
- description: "git URL to the gitops github repo."
- type: string
- gitops-ssh-key-fingerprint:
- description: "The github SSH key that will be used to update the gitops repo."
- type: string
- gitops-username:
- description: "The username of the git user to push gitops changes as."
- type: string
- gitops-email:
- description: "The email address of the git user to push gitops changes as."
- type: string
-
- steps:
- - attach_workspace:
- at: .
-
- - add_ssh_keys:
- fingerprints:
- - << parameters.gitops-ssh-key-fingerprint >>
-
- - run:
- name: Prepare gitops manifest
- command: |
- git clone << parameters.gitops-repo >> /tmp/gitops
-
- mkdir -p /tmp/gitops/<< parameters.environment >>/<< parameters.service >>
- cd /tmp/gitops/<< parameters.environment >>/<< parameters.service >>
- cp /tmp/gitops/templates/<>/manifest.yaml /tmp/gitops/<< parameters.environment >>/<< parameters.service >>
-
- - run:
- name: Interpolate gitops manifest
- command: |
- cd /tmp/gitops/<< parameters.environment >>/<< parameters.service >>
- sed -i "s/{{AWS_ACCOUNT_ID}}/<< parameters.account >>/g" manifest.yaml
- sed -i "s/{{IMAGE_TAG}}/<< parameters.image-tag >>/g" manifest.yaml
- sed -i "s/{{ENVIRONMENT}}/<< parameters.environment >>/g" manifest.yaml
- sed -i '<< parameters.extra-interpolation >>' manifest.yaml
-
- - run:
- name: Prepare argo application manifest
- command: |
- mkdir -p /tmp/gitops/<< parameters.environment >>/argo-applications
- cd /tmp/gitops/<< parameters.environment >>/argo-applications
- cp /tmp/gitops/templates/argo-applications/manifest.yaml /tmp/gitops/<< parameters.environment >>/argo-applications/<< parameters.service >>.yaml
-
- - run:
- name: Interpolate argo application definition
- command: |
- cd /tmp/gitops/<< parameters.environment >>/argo-applications
- sed -i "s/{{ENVIRONMENT}}/<< parameters.environment >>/g" << parameters.service >>.yaml
- sed -i "s/{{SERVICE}}/<< parameters.service >>/g" << parameters.service >>.yaml
-
- - run:
- name: Push gitops manifest
- command: |
- cd /tmp/gitops
- git config user.email "<< parameters.gitops-email >>"
- git config user.name "<< parameters.gitops-username >>"
- git add --all
- if [ -z "$(git status --porcelain)" ]; then
- echo "No changes detected."
- else
- git commit -m "Bumped << parameters.service >> in << parameters.environment >> to << parameters.image-tag >>"
- git push origin master
- fi
-
-jobs:
- shipit:
- description: "Alerts ShipIt to the fact that the service has been deployed."
- executor: shipit/default
- steps:
- - shipit/shipit
-
-
diff --git a/oot-deploy/orb_version.txt b/oot-deploy/orb_version.txt
deleted file mode 100644
index 363cfcf6..00000000
--- a/oot-deploy/orb_version.txt
+++ /dev/null
@@ -1 +0,0 @@
-ovotech/oot-deploy@2.2.1
diff --git a/oot-eks-oidc/README.md b/oot-eks-oidc/README.md
deleted file mode 100644
index e9a1a071..00000000
--- a/oot-eks-oidc/README.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# OOT EKS Orb (OIDC Test) [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/ovotech/oot-eks-oidc)](https://circleci.com/orbs/registry/orb/ovotech/oot-eks-oidc)
-
-Provides commands for packaging images for deployment to [AWS EKS](https://aws.amazon.com/eks/).
-
-## Prerequisites
-
-- An [AWS ECR registry](https://aws.amazon.com/ecr/) with the same name as the service being deployed exists on the same AWS account.
-
-## Example
-
-```yaml
-orbs:
- oot-eks-oidc: ovotech/oot-eks-oidc@2.0.0
-
-jobs:
- push-image-nonprod:
- executor: oot-eks-oidc/aws
- steps:
- - oot-eks-oidc/push-image:
- service: my-service
- account: "1234567890"
-```
-
-This is what will happen upon running the `push-image-nonprod` job:
-
-1. A new docker image is built from the current source.
-2. The image is scanned for vulnerabilities by Snyk.
-3. The image is pushed to an ECR registry called "my-service" within the AWS account 1234567890
-
-This orb tests switching aws deployment authentication away from an iam user and towards our OIDC provider.
diff --git a/oot-eks-oidc/orb.yml b/oot-eks-oidc/orb.yml
deleted file mode 100644
index ab6d5976..00000000
--- a/oot-eks-oidc/orb.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-version: 2.1
-description: "Opinionated commands for releasing OOT projects on AWS EKS via ECR. This orb uses the circle ci oidc provider instead of an aws iam user."
-
-orbs:
- aws-cli: circleci/aws-cli@3.1.4
- aws-ecr: circleci/aws-ecr@8.2.1
- snyk: snyk/snyk@1.1.2
-
-commands:
- push-image:
- description: "Builds, scans and pushes a new service to ECR."
- parameters:
- service:
- description: "The name of the service that will be deployed. This will be used to build up the image name."
- type: string
- aws-deploy-role-arn:
- description: "Terraformed role arn for AWS access. Can be found from oot-infra terraform state."
- type: string
- default: ${AWS_DEPLOY_ROLE_ARN}
- account:
- description: "The numeric identifier for the AWS account on which the operation will be run."
- type: string
- default: ${AWS_ACCOUNT}
- region:
- description: "The AWS region on which the operation will be run."
- type: string
- default: ${AWS_REGION}
- extra-build-args:
- description: "Extra arguments to pass when running docker build"
- type: string
- default: ""
- image-tag:
- description: "Tag to push the image with"
- type: string
- default: ${CIRCLE_SHA1}
- extra-image-tags:
- description: "Extra tags to push the image with, these will not be snyk scanned"
- type: string
- default: latest
-
- steps:
- - attach_workspace:
- at: .
-
- - run:
- command: |
- echo "export AWS_DEFAULT_REGION=<< parameters.region >>" >> $BASH_ENV
- echo "export AWS_ECR_ACCOUNT_URL=<< parameters.account >>.dkr.ecr.<< parameters.region >>.amazonaws.com" >> $BASH_ENV
- - aws-cli/install
- - aws-cli/setup:
- role-arn: << parameters.aws-deploy-role-arn >>
- - aws-ecr/ecr-login:
- role-arn: << parameters.aws-deploy-role-arn >>
- registry-id: AWS_ACCOUNT_ID
-
- - aws-ecr/build-image:
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
- extra-build-args: << parameters.extra-build-args >>
- registry-id: AWS_ACCOUNT_ID
-
- - snyk/scan:
- monitor-on-build: true
- severity-threshold: high
- fail-on-issues: false
- target-file: Dockerfile
- docker-image-name: $AWS_ECR_ACCOUNT_URL/<< parameters.service >>:<< parameters.image-tag >>
-
- - aws-ecr/push-image:
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
- registry-id: AWS_ACCOUNT_ID
-
-executors:
- aws:
- machine:
- image: ubuntu-2004:202201-02
diff --git a/oot-eks-oidc/orb_version.txt b/oot-eks-oidc/orb_version.txt
deleted file mode 100644
index 5fe48353..00000000
--- a/oot-eks-oidc/orb_version.txt
+++ /dev/null
@@ -1 +0,0 @@
-ovotech/oot-eks-oidc@1.0.10
diff --git a/oot-eks/README.md b/oot-eks/README.md
deleted file mode 100644
index 394da251..00000000
--- a/oot-eks/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# OOT EKS Orb [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/ovotech/oot-eks)](https://circleci.com/orbs/registry/orb/ovotech/oot-eks)
-
-Provides commands for packaging images for deployment to [AWS EKS](https://aws.amazon.com/eks/).
-
-## Prerequisites
-
-- An [AWS ECR registry](https://aws.amazon.com/ecr/) with the same name as the service being deployed exists on the same AWS account.
-
-## Example
-
-```yaml
-orbs:
- oot-eks: ovotech/oot-eks@2.0.0
-
-jobs:
- push-image-nonprod:
- executor: oot-eks/aws
- steps:
- - oot-eks/push-image:
- service: my-service
- account: "1234567890"
-```
-
-This is what will happen upon running the `push-image-nonprod` job:
-
-1. A new docker image is built from the current source.
-2. The image is scanned for vulnerabilities by Snyk.
-3. The image is pushed to an ECR registry called "my-service" within the AWS account 1234567890
-
-This orb tests switching aws deployment authentication away from an iam user and towards our OIDC provider.
-
-## Version note
-
-Between version 2.3.0 and version 3.0.0 we moved to using the oidc provider for authentication rather than an AWS IAM user.
diff --git a/oot-eks/orb.yml b/oot-eks/orb.yml
deleted file mode 100644
index ab6d5976..00000000
--- a/oot-eks/orb.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-version: 2.1
-description: "Opinionated commands for releasing OOT projects on AWS EKS via ECR. This orb uses the circle ci oidc provider instead of an aws iam user."
-
-orbs:
- aws-cli: circleci/aws-cli@3.1.4
- aws-ecr: circleci/aws-ecr@8.2.1
- snyk: snyk/snyk@1.1.2
-
-commands:
- push-image:
- description: "Builds, scans and pushes a new service to ECR."
- parameters:
- service:
- description: "The name of the service that will be deployed. This will be used to build up the image name."
- type: string
- aws-deploy-role-arn:
- description: "Terraformed role arn for AWS access. Can be found from oot-infra terraform state."
- type: string
- default: ${AWS_DEPLOY_ROLE_ARN}
- account:
- description: "The numeric identifier for the AWS account on which the operation will be run."
- type: string
- default: ${AWS_ACCOUNT}
- region:
- description: "The AWS region on which the operation will be run."
- type: string
- default: ${AWS_REGION}
- extra-build-args:
- description: "Extra arguments to pass when running docker build"
- type: string
- default: ""
- image-tag:
- description: "Tag to push the image with"
- type: string
- default: ${CIRCLE_SHA1}
- extra-image-tags:
- description: "Extra tags to push the image with, these will not be snyk scanned"
- type: string
- default: latest
-
- steps:
- - attach_workspace:
- at: .
-
- - run:
- command: |
- echo "export AWS_DEFAULT_REGION=<< parameters.region >>" >> $BASH_ENV
- echo "export AWS_ECR_ACCOUNT_URL=<< parameters.account >>.dkr.ecr.<< parameters.region >>.amazonaws.com" >> $BASH_ENV
- - aws-cli/install
- - aws-cli/setup:
- role-arn: << parameters.aws-deploy-role-arn >>
- - aws-ecr/ecr-login:
- role-arn: << parameters.aws-deploy-role-arn >>
- registry-id: AWS_ACCOUNT_ID
-
- - aws-ecr/build-image:
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
- extra-build-args: << parameters.extra-build-args >>
- registry-id: AWS_ACCOUNT_ID
-
- - snyk/scan:
- monitor-on-build: true
- severity-threshold: high
- fail-on-issues: false
- target-file: Dockerfile
- docker-image-name: $AWS_ECR_ACCOUNT_URL/<< parameters.service >>:<< parameters.image-tag >>
-
- - aws-ecr/push-image:
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
- registry-id: AWS_ACCOUNT_ID
-
-executors:
- aws:
- machine:
- image: ubuntu-2004:202201-02
diff --git a/oot-eks/orb_version.txt b/oot-eks/orb_version.txt
deleted file mode 100644
index 8f0bc272..00000000
--- a/oot-eks/orb_version.txt
+++ /dev/null
@@ -1 +0,0 @@
-ovotech/oot-eks@3.0.0
diff --git a/oot-eks/pre-oidc-orb_v2.30.txt b/oot-eks/pre-oidc-orb_v2.30.txt
deleted file mode 100644
index 57b953a9..00000000
--- a/oot-eks/pre-oidc-orb_v2.30.txt
+++ /dev/null
@@ -1,83 +0,0 @@
-version: 2.1
-description: "Opinionated commands for releasing OOT projects on AWS EKS via ECR."
-
-orbs:
- aws-cli: circleci/aws-cli@1.4.1
- aws-ecr: circleci/aws-ecr@6.15.3
- snyk: snyk/snyk@1.1.2
-
-commands:
- push-image:
- description: "Builds, scans and pushes a new service to ECR."
- parameters:
- service:
- description: "The name of the service that will be deployed. This will be used to build up the image name."
- type: string
- access-key-name:
- description: "The name of the environment variable that will be used to provide the AWS access key id."
- type: string
- default: ACCESS_KEY_ID
- secret-access-key-name:
- description: "The name of the environment variable that will be used to provide the AWS secret access key."
- type: string
- default: SECRET_ACCESS_KEY
- account:
- description: "The numeric identifier for the AWS account on which the operation will be run."
- type: string
- default: ${AWS_ACCOUNT}
- region:
- description: "The AWS region on which the operation will be run."
- type: string
- default: eu-west-1
- extra-build-args:
- description: "Extra arguments to pass when running docker build"
- type: string
- default: ""
- image-tag:
- description: "Tag to push the image with"
- type: string
- default: ${CIRCLE_SHA1}
- extra-image-tags:
- description: "Extra tags to push the image with, these will not be snyk scanned"
- type: string
- default: latest
-
- steps:
- - attach_workspace:
- at: .
-
- - run:
- command: |
- echo "export AWS_DEFAULT_REGION=<< parameters.region >>" >> $BASH_ENV
- echo "export AWS_REGION=eu-west-1" >> $BASH_ENV
- echo "export AWS_ECR_ACCOUNT_URL=<< parameters.account >>.dkr.ecr.<< parameters.region >>.amazonaws.com" >> $BASH_ENV
-
- - aws-cli/install
- - aws-cli/setup:
- aws-access-key-id: << parameters.access-key-name >>
- aws-secret-access-key: << parameters.secret-access-key-name >>
-
- - aws-ecr/build-image:
- account-url: AWS_ECR_ACCOUNT_URL
- aws-access-key-id: << parameters.access-key-name >>
- aws-secret-access-key: << parameters.secret-access-key-name >>
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
- ecr-login: true
- extra-build-args: << parameters.extra-build-args >>
-
- - snyk/scan:
- monitor-on-build: true
- severity-threshold: high
- fail-on-issues: false
- target-file: Dockerfile
- docker-image-name: $AWS_ECR_ACCOUNT_URL/<< parameters.service >>:<< parameters.image-tag >>
-
- - aws-ecr/push-image:
- repo: << parameters.service >>
- tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
-
-executors:
- aws:
- machine:
- image: ubuntu-2004:202201-02