Add publish-k8s workflow

.github/workflows/code-quality.yml

@@ -1,11 +1,7 @@
 name: Code Quality
 
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches:
-      - "**"
-      - "!main"
+  workflow_dispatch:
 
 env:
   NODE_VERSION: "22.5.1"

.github/workflows/publish-k8s.yml

@@ -0,0 +1,64 @@
+name: Publish K8s
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - "**"
+      - "!main"
+
+jobs:
+  publish-helm:
+    name: "publish helm"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+#      - name: Troubleshooting
+#        run: |
+#          curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | \
+#          jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json
+#
+#          echo 'GitHub Actions Token Claims'
+#          cat ./token.json | jq -r '.jwt | split(".") | .[1] | @base64d' | jq
+#
+#          echo 'Vault Login Response'
+#          curl -sSLf -X POST -H "Content-Type: application/json" -H "X-Vault-Namespace: admin" --data @token.json $VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login
+#
+#          # Remove the token file when we're done (if we don't fail)
+#          rm ./token.json
+#        env:
+#          VAULT_URL: https://swisstopo-vault-public-vault-d680830d.382257a9.z1.hashicorp.cloud:8200
+#          VAULT_AUTH_PATH: jwt
+#          VAULT_ROLE: ${{ secrets.VAULT_ROLE }}
+      - name: "Load secrets"
+        id: load-secrets
+        uses: hashicorp/vault-action@v2
+        with:
+          url: https://swisstopo-vault-public-vault-d680830d.382257a9.z1.hashicorp.cloud:8200
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          method: jwt
+          role: ${{ secrets.VAULT_ROLE }}
+          namespace: admin/igi/igi-cloud/swisstopo-ngm
+          secrets: |
+            kv/data/dev/k8s kubeconfig   | KUBECONFIG;
+            kv/data/dev/k8s helm_values  | HELM_VALUES;
+            kv/data/dev/k8s helm_secrets | HELM_SECRETS;
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+      - name: "Setup kubectl"
+        uses: azure/setup-kubectl@v4
+      - name: "Install helm"
+        uses: azure/setup-helm@v4
+      - name: "Write kubeconfig file"
+        run: |
+          echo "${{ env.HELM_VALUES }}" > ./k8s/values.yaml
+          echo "${{ env.HELM_SECRETS }}" > ./k8s/secrets.yaml
+          echo "${{ env.KUBECONFIG }}" > kubeconfig
+      - name: "Deploy helm charts"
+        env:
+          KUBECONFIG: kubeconfig
+        run: |
+          helm upgrade --install swissgeol-viewer ./k8s --values ./k8s/values.yaml --values ./k8s/secrets.yaml
+

k8s/templates/deployment.api.yaml

@@ -17,6 +17,7 @@ spec:
       labels:
         app: {{ .Release.Name }}-api
     spec:
+      serviceAccountName: api
       containers:
       - name: {{ .Release.Name }}-api
         image: {{ .Values.docker.api_image }}
@@ -53,24 +54,12 @@ spec:
                 key: database_password
 
           # S3
-          - name: S3_ENDPOINT
-            value: {{ .Values.s3.endpoint }}
           - name: S3_AWS_REGION
             value: {{ .Values.s3.region }}
           - name: S3_BUCKET
             value: {{ .Values.s3.bucket }}
           - name: PROJECTS_S3_BUCKET
-            value: {{ .Values.s3.project_bucket }}
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Release.Name }}-secrets
-                key: s3_access_key
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Release.Name }}-secrets
-                key: s3_secret_key
+            value: {{ .Values.s3.projects_bucket }}
 
           # Cognito
           - name: COGNITO_AWS_REGION

k8s/templates/service-account.api.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: api
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.service_roles.s3 }}