Lab16

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,150 @@
+name: Ansible Deployment
+
+on:
+  push:
+    branches: [lab06]
+    paths:
+      - "ansible/**"
+      - ".github/workflows/ansible-deploy.yml"
+
+  pull_request:
+    branches: [lab06]
+    paths:
+      - "ansible/**"
+      - ".github/workflows/ansible-deploy.yml"
+
+jobs:
+
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible ansible-lint
+          ansible-galaxy collection install community.docker
+
+      - name: Write vault password from GitHub Secret (required to decrypt group_vars/all.yml)
+        working-directory: ansible
+        shell: bash
+        run: |
+          if [ -z "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" ]; then
+            echo "ERROR: GitHub Secret ANSIBLE_VAULT_PASSWORD is not set, but group_vars/all.yml is encrypted with Ansible Vault."
+            exit 1
+          fi
+          printf '%s' "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > .vault_pass
+          chmod 600 .vault_pass
+
+      - name: Run ansible-lint
+        working-directory: ansible
+        run: |
+          ansible-lint playbooks/*.yml
+
+
+  deploy:
+    name: Deploy Application
+    needs: lint
+    runs-on: ubuntu-latest
+    if: >
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+
+    env:
+      ANSIBLE_HOST_KEY_CHECKING: "False"
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible
+          ansible-galaxy collection install community.docker
+
+      - name: Validate required deployment secrets
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          VM_HOST: ${{ secrets.VM_HOST }}
+          VM_USER: ${{ secrets.VM_USER }}
+          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+        run: |
+          missing=()
+          for var in SSH_PRIVATE_KEY VM_HOST VM_USER ANSIBLE_VAULT_PASSWORD; do
+            if [ -z "${!var}" ]; then
+              missing+=("$var")
+            fi
+          done
+          if [ ${#missing[@]} -ne 0 ]; then
+            echo "Missing required secrets: ${missing[*]}"
+            exit 1
+          fi
+
+      - name: Write vault password from GitHub Secret
+        working-directory: ansible
+        shell: bash
+        run: |
+          if [ -z "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" ]; then
+            echo "ERROR: GitHub Secret ANSIBLE_VAULT_PASSWORD is not set."
+            exit 1
+          fi
+          printf '%s\n' "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > .vault_pass
+          chmod 600 .vault_pass
+
+      - name: Configure SSH
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_DIR: $HOME/.ssh
+        run: |
+          install -m 700 -d "$SSH_DIR"
+          SSH_KEY_PATH="$SSH_DIR/ansible_deploy"
+          printf '%s\n' "$SSH_PRIVATE_KEY" > "$SSH_KEY_PATH"
+          chmod 600 "$SSH_KEY_PATH"
+          echo "SSH_KEY_PATH=$SSH_KEY_PATH" >> "$GITHUB_ENV"
+
+      - name: Generate CI inventory
+        working-directory: ansible/inventory
+        run: |
+          cat <<EOF > ci_hosts.ini
+          [webservers]
+          ci ansible_host=${{ secrets.VM_HOST }} ansible_user=${{ secrets.VM_USER }} ansible_ssh_private_key_file=$SSH_KEY_PATH
+          EOF
+
+
+      - name: SSH diagnostics
+        env:
+          VM_HOST: ${{ secrets.VM_HOST }}
+          VM_USER: ${{ secrets.VM_USER }}
+          SSH_KEY_PATH: ${{ env.SSH_KEY_PATH }}
+        run: |
+          set -x
+          ls -l "$SSH_KEY_PATH"
+          ssh -i "$SSH_KEY_PATH" -o BatchMode=yes -o StrictHostKeyChecking=no -v "$VM_USER@$VM_HOST" "echo 'SSH ok'" || true
+
+      - name: Deploy with Ansible
+        working-directory: ansible
+        run: |
+          ansible-playbook playbooks/deploy.yml \
+            -i inventory/ci_hosts.ini \
+            --tags app_deploy
+
+      - name: Verify deployment
+        run: |
+          sleep 10
+          curl -f http://${{ secrets.VM_HOST }}:5000
+          curl -f http://${{ secrets.VM_HOST }}:5000/health

.github/workflows/python-ci.yml

@@ -0,0 +1,91 @@
+name: python-ci
+
+on:
+  push:
+    branches: [lab08, master]
+    paths:
+      - "app_python/**"
+      - ".github/workflows/python-ci.yml"
+    tags:
+      - "v*"
+  pull_request:
+    paths:
+      - "app_python/**"
+      - ".github/workflows/python-ci.yml"
+  workflow_dispatch:
+
+concurrency:
+  group: python-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: egrapa/devops-core-course-lab2
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app_python
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: "pip"
+          cache-dependency-path: |
+            app_python/requirements.txt
+            app_python/requirements-dev.txt
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
+
+      - name: Lint
+        run: flake8 .
+
+      - name: Tests
+        run: pytest -q
+
+  docker-release:
+    runs-on: ubuntu-latest
+    needs: [ test ]
+    if: startsWith(github.ref, 'refs/tags/v')
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version
+        id: version
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          MAJOR_MINOR="$(echo "$VERSION" | awk -F. '{print $1"."$2}')"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "major_minor=$MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./app_python
+          file: ./app_python/Dockerfile
+          push: true
+          tags: |
+            ${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}
+            ${{ env.IMAGE_NAME }}:${{ steps.version.outputs.major_minor }}
+            ${{ env.IMAGE_NAME }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -1 +1,7 @@
-test
+test
+*.retry
+.vault_pass
+.env
+.venv
+monitoring/data/*
+!monitoring/data/.gitkeep

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+retry_files_enabled = False
+vault_password_file = .vault_pass
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root