pikram/user-microservice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pikram:jenkins-fluxcd
Branches Tags
pikram:main pikram:woodpecker pikram:dev pikram:jenkins-fluxcd pikram:jenkins-pipeline pikram:argo-workflow
..
compare: pikram:argo-workflow
Branches Tags
pikram:woodpecker pikram:dev pikram:jenkins-fluxcd pikram:jenkins-pipeline pikram:main pikram:argo-workflow

6 Commits
jenkins-fl ... argo-workf

Author SHA1 Message Date
Marcin-Ramotowski
0c02c20995 Implemented automatic fetching ACR password from Azure KeyVault 2025-05-12 20:52:29 +00:00
Marcin-Ramotowski
7b12088952 Combined 2 steps checkout and get-git-sha into one 2025-05-12 20:06:44 +00:00
Marcin-Ramotowski
7a411a7148 Git-sha is now set as docker image tag 2025-05-11 18:40:59 +00:00
Marcin-Ramotowski
37ea900325 Prepared first working workflow version to auto build docker images 2025-05-11 17:52:43 +00:00
Marcin-Ramotowski
2a80c733b3 Configured volume to share data between steps 2025-05-10 19:26:23 +00:00
Marcin-Ramotowski
3764970082 Created initial workflow to build and push DOcker image by Argo Workflow 2025-05-10 15:14:33 +00:00
17 changed files with 280 additions and 299 deletions
Expand all files Collapse all files

92
.jenkins/Jenkinsfile vendored
View File

@ -1,92 +0,0 @@
pipeline {
agent {
kubernetes {
yamlFile '.jenkins/podTemplate.yaml'
}
}
environment {
ACR_NAME = 'marcin00'
CLIENT_ID = 'c302726f-fafb-4143-94c1-67a70975574a'
DOCKER_REGISTRY_URL = 'marcin00.azurecr.io'
DOCKER_IMAGE = "${DOCKER_REGISTRY_URL}/user-microservice:${GIT_COMMIT}"
DEPLOY_REPO = 'ssh://git@srv22.mikr.us:20343/pikram/user-microservice-deploy.git'
}
stages {
stage('Code Tests') {
steps {
container('python') {
dir('api') {
sh '''
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt pytest
python3 -m pytest --junit-xml=pytest_junit.xml
'''
}
}
}
post {
always {
junit testResults: '**/*pytest_junit.xml'
}
}
}
stage('Build & Push Docker') {
steps {
container('docker') {
sh '''
docker build -t ${DOCKER_IMAGE} --build-arg APP_VERSION=${GIT_COMMIT} --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") .
az login --identity --client-id ${CLIENT_ID}
az acr login --name ${ACR_NAME}
docker push ${DOCKER_IMAGE}
'''
}
}
}
stage('Commit new version to GitOps repo') {
steps {
container('git') {
withCredentials([string(credentialsId: 'gitea-known-host', variable: 'GITEA_KNOWN_HOST')]) {
sh '''
mkdir -p ~/.ssh
echo "$GITEA_KNOWN_HOST" >> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
git config --global user.name "jenkins[bot]"
git config --global user.email "jenkins@marcin00.pl"
'''
sshagent(['gitea-deploy-key']) {
sh 'git clone ${DEPLOY_REPO} --branch fluxcd'
}
}
sh '''
cd user-microservice-deploy/apps/user-microservice
# Podmień tag obrazu w pliku deploy.yaml
awk -v commit="$GIT_COMMIT" '
$0 ~ /name:[[:space:]]*api/ { in_api_container = 1; print; next }
in_api_container && $0 ~ /^[[:space:]]*image:[[:space:]]*/ {
sub(/:[^:[:space:]]+$/, ":" commit)
in_api_container = 0
print
next
}
{ print }
' deploy.yaml > deploy.tmp && mv deploy.tmp deploy.yaml
'''
sshagent(['gitea-deploy-key']) {
sh '''
cd user-microservice-deploy/apps/user-microservice
git add deploy.yaml
git diff-index --quiet HEAD || git commit -m "JENKINS: Changed deployed version to $GIT_COMMIT"
git push origin fluxcd
'''
}
}
}
}
}
}

60
.jenkins/podTemplate.yaml
View File

@ -1,60 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
io.kubernetes.cri-o.userns-mode: "auto:size=65536"
labels:
jenkins: "slave"
jenkins/label: "kubernetes-agent"
spec:
runtimeClassName: sysbox-runc
containers:
- name: jnlp
image: jenkins/inbound-agent:alpine
tty: false
workingDir: /home/jenkins/agent
volumeMounts:
- name: workspace-volume
mountPath: /home/jenkins/agent
env:
- name: JENKINS_WEB_SOCKET
value: "true"
- name: REMOTING_OPTS
value: "-noReconnectAfter 1d"
- name: python
image: python:3.11.7-alpine
command:
- cat
tty: true
workingDir: /home/jenkins/agent
volumeMounts:
- name: workspace-volume
mountPath: /home/jenkins/agent
- name: docker
image: marcin00.azurecr.io/azure-cli-docker:slim-bookworm
tty: true
workingDir: /home/jenkins/agent
volumeMounts:
- name: workspace-volume
mountPath: /home/jenkins/agent
- name: git
image: alpine/git:latest
command:
- cat
tty: true
workingDir: /home/jenkins/agent
volumeMounts:
- name: workspace-volume
mountPath: /home/jenkins/agent
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Never
volumes:
- name: workspace-volume
emptyDir: {}

15
Dockerfile
View File

@ -1,18 +1,5 @@
FROM python:3.11.7-alpine FROM python:3.11.7-slim-bookworm
# Wersja i data builda jako build-arg
ARG APP_VERSION=unknown
ARG BUILD_DATE=unknown
# Ustawiamy zmienne w ENV, by były dostępne w kontenerze
ENV APP_VERSION=$APP_VERSION
ENV BUILD_DATE=$BUILD_DATE
WORKDIR /app WORKDIR /app
COPY api . COPY api .
RUN apk add --no-cache curl
RUN pip install -r requirements.txt RUN pip install -r requirements.txt
CMD python3 app.py CMD python3 app.py

72
Jenkinsfile vendored Normal file
View File

@ -0,0 +1,72 @@
pipeline {
agent any
environment {
DOCKER_REGISTRY_URL = 'marcin00.azurecr.io'
DOCKER_IMAGE = "${DOCKER_REGISTRY_URL}/user-microservice:${GIT_COMMIT}"
ACR_NAME = 'marcin00'
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Test python app') {
steps {
script {
dir('api') {
sh '''
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt pytest
python3 -m pytest --junit-xml=pytest_junit.xml
'''
}
}
}
post {
always {
junit testResults: '**/*pytest_junit.xml'
}
}
}
stage('Build & test docker image') {
steps {
script {
appImage = docker.build("${DOCKER_IMAGE}")
sh label: 'Install dgoss', script: '''
curl -s -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o goss
curl -s -L https://github.com/aelsabbahy/goss/releases/latest/download/dgoss -o dgoss
chmod +rx *goss
'''
withEnv(['GOSS_OPTS=-f junit', 'GOSS_PATH=./goss', 'GOSS_SLEEP=3', 'SQLALCHEMY_DATABASE_URI=sqlite:///:memory:']) {
sh label: 'run image tests', script: './dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: ${DOCKER_IMAGE} > goss_junit.xml'
}
}
}
post {
always {
junit testResults: '**/*goss_junit.xml'
}
}
}
stage('Deploy') {
steps {
script {
sh '''
az login --identity
az acr login --name ${ACR_NAME}
docker push ${DOCKER_IMAGE}
'''
}
}
}
}
post {
cleanup {
script { cleanWs() }
}
}
}

5
api/app.py
View File

@ -4,8 +4,7 @@ from flask_jwt_extended import JWTManager
from jwt import ExpiredSignatureError from jwt import ExpiredSignatureError
from models import db, RevokedToken from models import db, RevokedToken
import os import os
from tech_views import tech_bp from utils import init_db
from utils import init_db, wait_for_db
from views import user_bp from views import user_bp
from werkzeug.exceptions import HTTPException from werkzeug.exceptions import HTTPException
@ -27,7 +26,6 @@ def create_app(config_name="default"):
# Blueprints registration # Blueprints registration
app.register_blueprint(user_bp) app.register_blueprint(user_bp)
app.register_blueprint(tech_bp)
# Database and JWT initialization # Database and JWT initialization
db.init_app(app) db.init_app(app)
@ -55,7 +53,6 @@ def create_app(config_name="default"):
# Fill database by initial values (only if we are not testing) # Fill database by initial values (only if we are not testing)
with app.app_context(): with app.app_context():
wait_for_db(max_retries=100)
db.create_all() db.create_all()
if config_name != "testing": if config_name != "testing":
init_db() init_db()

20
api/tech_views.py
View File

@ -1,20 +0,0 @@
from flask import Blueprint, jsonify
from models import db
from sqlalchemy import text
from utils import db_ready
# Blueprint with technical endpoints
tech_bp = Blueprint('tech_bp', __name__)
@tech_bp.route('/health', methods=['GET'])
def health_check():
"Check if service works and database is functional"
try:
with db.engine.connect() as connection:
connection.execute(text("SELECT 1"))
return jsonify(status="healthy"), 200
except Exception:
if db_ready:
return jsonify(status="unhealthy"), 500
else:
return jsonify(status="starting"), 503

21
api/utils.py
View File

@ -2,22 +2,17 @@ from flask import abort
from flask_jwt_extended import get_jwt_identity from flask_jwt_extended import get_jwt_identity
from models import User, db from models import User, db
import os import os
from sqlalchemy import text
from sqlalchemy.exc import DatabaseError, InterfaceError
import time
from werkzeug.security import generate_password_hash from werkzeug.security import generate_password_hash
db_ready = False
def admin_required(user_id, message='Access denied.'): def admin_required(user_id, message='Access denied.'):
"Check if common user try to make administrative action."
user = db.session.get(User, user_id) user = db.session.get(User, user_id)
if user is None or user.role != "Administrator": if user is None or user.role != "Administrator":
abort(403, message) abort(403, message)
def validate_access(owner_id, message='Access denied.'): def validate_access(owner_id, message='Access denied.'):
"Check if user try to access or edit resource that does not belong to them." # Check if user try to access or edit resource that does not belong to them
logged_user_id = int(get_jwt_identity()) logged_user_id = int(get_jwt_identity())
logged_user_role = db.session.get(User, logged_user_id).role logged_user_role = db.session.get(User, logged_user_id).role
if logged_user_role != "Administrator" and logged_user_id != owner_id: if logged_user_role != "Administrator" and logged_user_id != owner_id:
@ -32,20 +27,6 @@ def get_user_or_404(user_id):
return user return user
def wait_for_db(max_retries):
"Try to connect with database <max_retries> times."
global db_ready
for _ in range(max_retries):
try:
with db.engine.connect() as connection:
connection.execute(text("SELECT 1"))
db_ready = True
return
except DatabaseError | InterfaceError:
time.sleep(3)
raise Exception("Failed to connect to database.")
def init_db(): def init_db():
"""Create default admin account if database is empty""" """Create default admin account if database is empty"""
with db.session.begin(): with db.session.begin():

8
api/views.py
View File

@ -2,7 +2,6 @@ from flask import Blueprint, jsonify, request, abort
from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, \ from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, \
verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies, get_jwt verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies, get_jwt
from models import db, RevokedToken, User from models import db, RevokedToken, User
import os
from utils import admin_required, validate_access, get_user_or_404 from utils import admin_required, validate_access, get_user_or_404
from werkzeug.security import check_password_hash, generate_password_hash from werkzeug.security import check_password_hash, generate_password_hash
@ -111,10 +110,3 @@ def user_logout():
response = jsonify({"msg": "User logged out successfully."}) response = jsonify({"msg": "User logged out successfully."})
unset_jwt_cookies(response) unset_jwt_cookies(response)
return response return response
@user_bp.route('/version', methods=['GET'])
def version():
return jsonify({
"version": os.getenv("APP_VERSION", "unknown"),
"build_time": os.getenv("BUILD_DATE", "unknown")
})

5
argo-workflows/acr-pusher.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: edu-agentpool
namespace: argo

12
argo-workflows/argo-workflow-manager-role.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: argo
name: argo-workflow-manager
rules:
- apiGroups: ["argoproj.io"]
resources: ["workflowtaskresults"]
verbs: ["create", "get", "list", "update", "patch", "delete"]
- apiGroups: ["argoproj.io"]
resources: ["workflows"]
verbs: ["create", "get", "list", "update", "patch", "delete"]

142
argo-workflows/build.yaml Normal file
View File

@ -0,0 +1,142 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: build-workflow-
spec:
entrypoint: main
arguments:
parameters:
- name: repo
value: https://gitea.marcin00.pl/pikram/user-microservice.git
- name: branch
value: main
- name: image
value: marcin00.azurecr.io/user-microservice
- name: registry_server
value: marcin00.azurecr.io
serviceAccountName: edu-agentpool
volumeClaimTemplates:
- metadata:
name: workspace
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 128Mi
volumes:
- name: secrets-store
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: azure-keyvault
templates:
# 🔁 Main steps sequence
- name: main
steps:
- - name: checkout
template: checkout
arguments:
parameters:
- name: repo
value: "{{workflow.parameters.repo}}"
- name: branch
value: "{{workflow.parameters.branch}}"
- - name: tests
template: tests
- - name: build-test-and-push-image
template: build-test-and-push-image
arguments:
parameters:
- name: git-sha
value: "{{steps.checkout.outputs.parameters.git-sha}}"
# 📦 GIT CHECKOUT
- name: checkout
inputs:
parameters:
- name: repo
- name: branch
container:
image: alpine/git
command: [sh,-c]
workingDir: /workspace
args:
- |
git clone --depth 1 --branch "{{inputs.parameters.branch}}" --single-branch "{{inputs.parameters.repo}}" repo
cd repo
git rev-parse HEAD > /tmp/gitsha.txt
volumeMounts:
- name: workspace
mountPath: /workspace
outputs:
parameters:
- name: git-sha
valueFrom:
path: /tmp/gitsha.txt
# 🧪 PYTHON TESTS
- name: tests
script:
image: python:3.11.7-alpine
command: [sh]
workingDir: /workspace/repo/api
source: |
python3 -m venv env
. env/bin/activate
pip install -r requirements.txt pytest
python3 -m pytest --junit-xml=pytest_junit.xml
volumeMounts:
- name: workspace
mountPath: /workspace
# 🐳 BUILDS AND GOSS TESTS
- name: build-test-and-push-image
inputs:
parameters:
- name: git-sha
container:
image: docker:dind
command: [sh, -c]
workingDir: /workspace/repo
args:
- |
dockerd-entrypoint.sh &
sleep 3
DOCKER_IMAGE={{workflow.parameters.image}}:{{inputs.parameters.git-sha}}
docker build -t $DOCKER_IMAGE .
apk add --no-cache bash
wget https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -O goss
wget https://github.com/aelsabbahy/goss/releases/latest/download/dgoss -O dgoss
chmod +rx *goss
export GOSS_OPTS="-f junit"
export GOSS_PATH=./goss
export GOSS_SLEEP=3
./dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: $DOCKER_IMAGE > /workspace/goss_junit.xml
echo "===> Logging into ACR"
ACR_PASSWORD=$(cat /mnt/secrets/acr-password)
echo "$ACR_PASSWORD" | docker login {{workflow.parameters.registry_server}} -u $ACR_USERNAME --password-stdin
echo "===> Pushing image to ACR"
docker push $DOCKER_IMAGE
env:
- name: ACR_USERNAME
value: marcin00
securityContext:
privileged: true
volumeMounts:
- name: workspace
mountPath: /workspace
- name: docker-library
mountPath: /var/lib/docker
- name: secrets-store
mountPath: "/mnt/secrets"
readOnly: true
volumes:
- name: docker-library
emptyDir: {}

13
argo-workflows/role-binding.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argo-edu-agentpool-binding
namespace: argo
subjects:
- kind: ServiceAccount
name: edu-agentpool
namespace: argo
roleRef:
kind: Role
name: argo-workflow-manager
apiGroup: rbac.authorization.k8s.io

25
argo-workflows/secret-store.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: azure-keyvault
namespace: argo
spec:
provider: azure
secretObjects:
- secretName: acr-creds
type: Opaque
data:
- objectName: acr-password
- key: password
parameters:
usePodIdentity: "false"
useVMManagedIdentity: "true"
userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
keyvaultName: "dev-aks"
objects: |
array:
- |
objectName: acr-password
objectType: secret
tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"

65
deployment_timer.sh
View File

@ -1,65 +0,0 @@
#!/bin/bash
# === KONFIGURACJA ===
APP_URL="https://user-microservice.marcin00.pl/version"
MARKER_FILE="version_marker.txt"
OUTPUT_FILE="deployment_times.csv"
CHECK_INTERVAL=1 # sekundy
# === POBRANIE AKTUALNEJ WERSJI APLIKACJI ===
echo "[INFO] Pobieranie aktualnej wersji z /version..."
OLD_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
if [[ -z "$OLD_VERSION" ]]; then
echo "[ERROR] Nie udało się pobrać aktualnej wersji aplikacji."
exit 1
fi
echo "[INFO] Aktualna wersja: $OLD_VERSION"
# === Modyfikacja pliku, commit i push ===
TIMESTAMP=$(date +%s)
echo "$TIMESTAMP" > "$MARKER_FILE"
git add "$MARKER_FILE"
git commit -m "Automatyczna zmiana: $TIMESTAMP"
START_TIME=$(date +%s)
echo "[INFO] Wykonuję git push..."
git push
if [[ $? -ne 0 ]]; then
echo "[ERROR] Push nie powiódł się."
exit 1
fi
echo "[INFO] Oczekiwanie na wdrożenie nowej wersji..."
# === Odpytywanie endpointa /version ===
WAITED=0
echo "[WAIT] Oczekiwanie na nową wersję..."
while true; do
sleep $CHECK_INTERVAL
WAITED=$((WAITED + CHECK_INTERVAL))
NEW_VERSION=$(curl -s "$APP_URL" | jq -r '.version')
if [[ "$NEW_VERSION" != "$OLD_VERSION" ]]; then
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
# Nadpisujemy linię z licznikiem
printf "\r[INFO] Nowa wersja wdrożona po %ds: %s\n" "$WAITED" "$NEW_VERSION"
echo "[INFO] Czas wdrożenia: $DURATION sekund"
echo "$START_TIME,$END_TIME,$DURATION,$OLD_VERSION,$NEW_VERSION" >> "$OUTPUT_FILE"
break
else
# Nadpisujemy TYLKO linię z licznikiem
printf "\r[WAIT] Czekam... %ds" "$WAITED"
fi
done
# Żeby kursor przeszedł do nowej linii po zakończeniu
echo ""

15
docker-compose.yml
View File

@ -7,24 +7,9 @@ services:
build: . build: .
env_file: env_file:
- api/.env - api/.env
ports:
- 80:80
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost/health"]
interval: 10s
timeout: 5s
retries: 5
start_period: 15s
db: db:
container_name: db container_name: db
hostname: db hostname: db
image: mysql:latest image: mysql:latest
env_file: env_file:
- db/.env - db/.env
ports:
- 3306:3306
healthcheck:
test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
interval: 10s
timeout: 5s
retries: 5

8
goss.yaml Normal file
View File

@ -0,0 +1,8 @@
port:
tcp:80:
listening: true
ip:
- 0.0.0.0
process:
python3:
running: true

1
version_marker.txt
View File

@ -1 +0,0 @@
1752257920