Merge pull request #22 from seekingalpha/ar_3271_noach_sa_devops_cleanup

Clean up the "Deploy to EC2" script and its GitHub Workflow
seekingalpha · Apr 10, 2024 · 8df4f06 · 8df4f06
2 parents 7e25863 + 7df4c3d
commit 8df4f06
Show file tree

Hide file tree

Showing 8 changed files with 150 additions and 230 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,34 +1,20 @@
+name: Deploy to EC2
+run-name: Deploy to ${{ inputs.environment }} (${{ inputs.version }})
+
 on:
   workflow_dispatch:
     inputs:
       version:
+        description: Tarball (either the full filename or just its {rc_version}.{commit_hash} substring)
         type: string
-        description: |
-          version:
-          
-            RC version + git commit number.
-
-            For a list of available versions, look in
-
-            s3://seekingalpha-rocketchat-builds/
-
-            for rocket.chat-VERSION.tgz
-
-            Special versions:
-
-            latest  = version last built
-
-            staging = version last deployed to staging
-
-            production = version last deployed to production
         required: true
-
       environment:
+        description: Deploy to
         type: choice
-        description: chose the AWS environment
         options:
           - staging
           - production
+        required: true
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.environment }}
@@ -39,35 +25,43 @@ defaults:
 
 jobs:
   deploy:
-    name: deploy
+    name: Deploy to EC2
     environment: ${{ inputs.environment }}
-    runs-on: [rocketchat]
+    runs-on: rocketchat  # https://github.com/seekingalpha/Rocket.Chat/settings/actions/runners
     steps:
-      - name: Checkout code
+      - name: CONFIG VARS  # Log our configuration inputs right here at the top, so they are easy to find
+        env:
+          environment: ${{ inputs.environment }}
+          version: ${{ inputs.version }}
+        run: |
+          echo
+          echo 'Running the "Deploy to EC2" workflow with the following config vars:'
+          echo "  - version: $version"
+          echo "  - environment: $environment"
+
+      - name: Checkout deploy script branch
         uses: actions/checkout@v4
 
-      - name: install dependencies.
+      - name: Install dependencies
         run: |
           sudo apt-get update -y
           sudo apt-get install -y cloud-utils
           sudo apt-get install -y pssh
-          sudo apt-get install -y gettext
+          sudo apt-get install -y gettext      # provides envsubst(1) template renderer
 
-      - name: Configure AWS Credentials
+      - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
           aws-region: ${{ vars.AWS_REGION }}
 
-      #this is the private key for ci user, used by jenkins slave, can be found in ssm parameter staging jenkins slave. that allows ssh to airflow.
-      - name: install the ci private key
+      - name: Obtain the SSH private key for logging in to RC EC2 instances
         uses: webfactory/[email protected]
         with:
           ssh-private-key: '${{ secrets.CI_SSH_PRIVATE_KEY }}'
 
-      - name: Run deployment
-        run: "$GITHUB_WORKSPACE/github.sh"
-        shell: bash
+      - name: Run deploy script
+        run: ./github.sh
         env:
-          ENVIRONMENT_NAME: ${{ inputs.environment }}
+          environment: ${{ inputs.environment }}
           version: ${{ inputs.version }}
diff --git a/.github/workflows/rotate_aws_secrets.yml b/.github/workflows/rotate_aws_secrets.yml
@@ -0,0 +1,22 @@
+name: Rotate AWS secrets
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 1 * *'  # monthly
+
+
+jobs:
+  rotate-aws-secrets:
+    name: Rotate AWS secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Rotate AWS secrets
+        uses: kneemaa/[email protected]
+        env:
+          OWNER_REPOSITORY: ${{ github.repository }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.ROCKETCHAT_GITHUB_TOKEN }}
+          AWS_ACCESS_KEY_ID:      ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_ACCESS_KEY_ID }}
+          GITHUB_ACCESS_KEY_NAME:             AWS_USER_GITHUB_ROCKETCHAT_ACCESS_KEY_ID
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_SECRET_ACCESS_KEY }}
+          GITHUB_SECRET_KEY_NAME:             AWS_USER_GITHUB_ROCKETCHAT_SECRET_ACCESS_KEY
diff --git a/Jenkinsfile b/Jenkinsfile
diff --git a/Jenkinsfile.sh b/Jenkinsfile.sh
diff --git a/README.md b/README.md
@@ -1,10 +1,29 @@
-# RC deploy scripts
+This repo contains Seeking Alpha's customized version
+of the Rocket.Chat server and web client.  That code
+may be found in any of the `sa_patches_1.2.3` branches,
+which are forks of the `1.2.3` release tags, with our
+custom patches re-cherry-picked onto each new release.
 
-Overview of the deploy process:
-- The Jenkins job is configured to run a Groovy script named `Jenkinsfile`,
-  passing it the job parameters (currently, just `version`)
-- The `Jenkinsfile` script invokes `Jenkinsfile.sh`, passing on all job parameters as environment variables
-- `Jenkinsfile.sh` uses the `*.sh.tpl` template files to prepare `*.sh` files which are executed on
-  the rocketchat nodes via ssh:
-  - `pre_install.sh` installs the RC bundle tarball and its dependencies into a temporary folder
-  - `rotate_version.sh` swaps out the old installation folder with the new one
+This branch (`sa_devops`), however, is a mostly empty
+branch which serves two purposes:
+  - The "Deploy to EC2" workflow, which copies a tarball
+    from S3 onto the various RC EC2 instances and relaunches
+    the RocketChat servers from it.
+  - The "Rotate AWS secrets" monthly cronjob
+
+GitHub requires a branch to be marked as the "default" branch,
+which is used for three purposes:
+  - Default target for new PRs
+  - Definition of the scheduled cronjob workflows
+  - Adds a "Run workflow" button to the Workflow run-history page
+    if a `on: workflow_dispatch:` is defined for this workflow.
+    (You may choose another branch to actually *run* workflow code,
+    but the button only appears if the default branch defines it.)
+
+# The Deployment Process
+- The Deploy job (defined in .github/workflows/deploy.yml)
+  obtains credentials and runs `./github.sh`
+- `github.sh` uses the `*.sh.tpl` template files to prepare `*.sh` files
+  which are executed on the rocketchat EC2 nodes via ssh:
+  - `install_tarball.sh` installs the RC bundle tarball and its dependencies into a temporary folder
+  - `activate_new_build.sh` swaps out the old installation folder with the new one and HUPs the daemon
diff --git a/rotate_version.sh.tpl → activate_new_build.sh.tpl b/rotate_version.sh.tpl → activate_new_build.sh.tpl
@@ -1,5 +1,5 @@
 #!/bin/bash
-RC_DIR=$RC_DIR_ENVSUBST
+RC_DIR='$RC_DIR_ENVSUBST'
 
 set -e