(PC-32932)[API] chore: use tinyproxy instead of teleport for deploy w…

…orkflows
pass-culture · Jan 15, 2025 · 870094d · 870094d
1 parent 11947c8
commit 870094d
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 24 deletions.
diff --git a/.github/workflows/dev_on_dispatch_delete_pullrequest_deployment.yaml b/.github/workflows/dev_on_dispatch_delete_pullrequest_deployment.yaml
@@ -58,7 +58,7 @@ jobs:
       - name: "Authentification to Google"
         uses: 'google-github-actions/auth@v2'
         with:
-          service_account : ${{ steps.secrets.outputs.DEPLOYMENT_SA }}
+          service_account: ${{ steps.secrets.outputs.DEPLOYMENT_SA }}
           workload_identity_provider: ${{ steps.secrets.outputs.DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER }}
 
       - name: "Connect to cluster"

diff --git a/.github/workflows/dev_on_dispatch_deploy_ops.yml b/.github/workflows/dev_on_dispatch_deploy_ops.yml
@@ -14,8 +14,9 @@ jobs:
     with:
       environment: ops
       app_version: ${{ inputs.pcapi_image_tag }}
-      teleport_proxy: teleport.ops.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-ops
+      cluster_scope: metier
+      cluster_environment: ops
+      workload_identity_provider_secret_name: gcp_metier_ops_workload_identity_provider
       deploy_api: true
       deploy_pro: false
     secrets:

diff --git a/.github/workflows/dev_on_dispatch_release_deploy.yml b/.github/workflows/dev_on_dispatch_release_deploy.yml
@@ -91,8 +91,9 @@ jobs:
     with:
       environment: ${{ github.event.inputs.target_environment }}
       app_version: ${{ needs.version.outputs.APP_VERSION }}
-      teleport_proxy: teleport.ehp.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-ehp
+      cluster_scope: metier
+      cluster_environment: ehp
+      workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider
       deploy_api: true
       deploy_pro: true
       doc-api-entrypoint: 'api/documentation'
@@ -108,8 +109,9 @@ jobs:
     with:
       environment: integration
       app_version: ${{ needs.version.outputs.APP_VERSION }}
-      teleport_proxy: teleport.ehp.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-ehp
+      cluster_scope: metier
+      cluster_environment: ehp
+      workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider
       deploy_api: true
       deploy_pro: true
       doc-api-entrypoint: 'api/documentation'
@@ -125,8 +127,9 @@ jobs:
     with:
       environment: ${{ github.event.inputs.target_environment }}
       app_version: ${{ needs.version.outputs.APP_VERSION }}
-      teleport_proxy: teleport.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-prod
+      cluster_scope: metier
+      cluster_environment: prod
+      workload_identity_provider_secret_name: gcp_metier_prod_workload_identity_provider
       deploy_api: true
       deploy_pro: true
     secrets:

diff --git a/.github/workflows/dev_on_push_workflow_main.yml b/.github/workflows/dev_on_push_workflow_main.yml
@@ -338,8 +338,9 @@ jobs:
     with:
       environment: testing
       app_version: ${{ github.sha }}
-      teleport_proxy: teleport.ehp.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-ehp
+      cluster_scope: metier
+      cluster_environment: ehp
+      workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider
       deploy_api: ${{ needs.test-api.result == 'success' }}
       deploy_pro: ${{ needs.test-pro.result == 'success' }}
     secrets:
@@ -359,8 +360,9 @@ jobs:
     with:
       environment: ops
       app_version: ${{ github.sha }}
-      teleport_proxy: teleport.ops.passculture.team:443
-      teleport_kubernetes_cluster: passculture-metier-ops
+      cluster_scope: metier
+      cluster_environment: ops
+      workload_identity_provider_secret_name: gcp_metier_ops_workload_identity_provider
       deploy_api: ${{ needs.test-api.result == 'success' }}
       deploy_pro: false
     secrets:

diff --git a/.github/workflows/dev_on_workflow_deploy.yml b/.github/workflows/dev_on_workflow_deploy.yml
@@ -8,10 +8,15 @@ on:
       app_version:
         type: string
         required: true
-      teleport_proxy:
+      cluster_scope:
         type: string
-        required: true
-      teleport_kubernetes_cluster:
+        required: false
+        default: metier
+      cluster_environment:
+        type: string
+        required: false
+        default: ehp
+      workload_identity_provider_secret_name:
         type: string
         required: true
       deploy_api:
@@ -55,17 +60,26 @@ jobs:
 
       # Get github api token that will be used to commit and push app_version to pass-culture-deployment repository
       - name: "Get secrets (github)"
-        id: 'get-github-token'
+        id: 'secrets'
         uses: 'google-github-actions/get-secretmanager-secrets@v2'
         with:
           secrets: |-
             API_TOKEN_GITHUB:passculture-metier-ehp/passculture-main-sa-access-token
+            DEPLOYMENT_SA:passculture-metier-ehp/pcapi-${{ inputs.environment }}_deploy-service-account
+            DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/${{ inputs.workload_identity_provider_secret_name }}
+
+      - name: "Authentification to Google"
+        uses: 'google-github-actions/auth@v2'
+        with:
+          service_account: ${{ steps.secrets.outputs.DEPLOYMENT_SA }}
+          workload_identity_provider: ${{ steps.secrets.outputs.DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER }}
 
       - name: "Connect to cluster"
-        uses: pass-culture/common-workflows/actions/teleport-connect@teleport-connect/v0.2.0
+        uses: pass-culture/common-workflows/actions/pc-k8s-connect@pc-k8s-connect/v0.1.0
         with:
-          teleport_proxy: ${{ inputs.teleport_proxy }}
-          teleport_kubernetes_cluster: ${{ inputs.teleport_kubernetes_cluster }}
+          cluster_scope: ${{ inputs.cluster_scope }}
+          cluster_environment: ${{ inputs.cluster_environment }}
+          api_token_github: ${{ steps.secrets.outputs.API_TOKEN_GITHUB }}
 
       - name: "Play pre-migrations"
         uses: pass-culture/common-workflows/actions/pcapi-migration@pcapi-migration/v0.2.3
@@ -91,7 +105,7 @@ jobs:
       - uses: actions/[email protected]
         with:
           repository: pass-culture/pass-culture-deployment
-          token: ${{ steps.get-github-token.outputs.API_TOKEN_GITHUB }}
+          token: ${{ steps.secrets.outputs.API_TOKEN_GITHUB }}
           path: ./pass-culture-deployment
 
       # Commit and push app_version to matching pcapi environment helm value file.
@@ -118,11 +132,26 @@ jobs:
           api_token_github_secret_name: passculture-metier-ehp/passculture-main-sa-access-token
           chart_values_repository: ""
           helmfile_path: "./pass-culture-deployment/helm/pcapi"
+
+      - name: "Authentification to Google"
+        uses: 'google-github-actions/auth@v2'
+        with:
+          service_account: ${{ steps.secrets.outputs.DEPLOYMENT_SA }}
+          workload_identity_provider: ${{ steps.secrets.outputs.DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER }}
+
+      - name: "Connect to cluster"
+        uses: pass-culture/common-workflows/actions/pc-k8s-connect@pc-k8s-connect/v0.1.0
+        with:
+          cluster_scope: ${{ inputs.cluster_scope }}
+          cluster_environment: ${{ inputs.cluster_environment }}
+          api_token_github: ${{ steps.secrets.outputs.API_TOKEN_GITHUB }}
+
       - name: "Sync ArgoCD application"
         uses: pass-culture/common-workflows/actions/argocd-sync@argocd-sync/v0.5.0
         with:
           app_name: pcapi-${{ inputs.environment }}
           sync_timeout: 900
+
       - name: "Play post-migrations"
         uses: pass-culture/common-workflows/actions/pcapi-migration@pcapi-migration/v0.2.3
         with:
@@ -229,11 +258,28 @@ jobs:
       contents: read
     runs-on: ubuntu-22.04
     steps:
+      - name: "Get secrets (github)"
+        id: 'secrets'
+        uses: 'google-github-actions/get-secretmanager-secrets@v2'
+        with:
+          secrets: |-
+            API_TOKEN_GITHUB:passculture-metier-ehp/passculture-main-sa-access-token
+            DEPLOYMENT_SA:passculture-metier-ehp/pcapi-${{ inputs.environment }}_deploy-service-account
+            DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/${{ inputs.workload_identity_provider_secret_name }}
+
+      - name: "Authentification to Google"
+        uses: 'google-github-actions/auth@v2'
+        with:
+          service_account: ${{ steps.secrets.outputs.DEPLOYMENT_SA }}
+          workload_identity_provider: ${{ steps.secrets.outputs.DEPLOYMENT_WORKLOAD_IDENTITY_PROVIDER }}
+
       - name: "Connect to cluster"
-        uses: pass-culture/common-workflows/actions/teleport-connect@teleport-connect/v0.2.0
+        uses: pass-culture/common-workflows/actions/pc-k8s-connect@pc-k8s-connect/v0.1.0
         with:
-          teleport_proxy: ${{ inputs.teleport_proxy }}
-          teleport_kubernetes_cluster: ${{ inputs.teleport_kubernetes_cluster }}
+          cluster_scope: ${{ inputs.cluster_scope }}
+          cluster_environment: ${{ inputs.cluster_environment }}
+          api_token_github: ${{ steps.secrets.outputs.API_TOKEN_GITHUB }}
+
       - name: "Configure algolia"
         id: "set_algolia_settings"
         uses: nick-fields/retry@v3