packaging: Initial workflow files

h2oai · Oct 29, 2023 · f94114d · f94114d
1 parent af8b8b3
commit f94114d
Show file tree

Hide file tree

Showing 12 changed files with 439 additions and 0 deletions.
diff --git a/.github/workflows/helm-release-university.yaml b/.github/workflows/helm-release-university.yaml
@@ -0,0 +1,29 @@
+name: Release Generated Helm Chart
+
+on:
+  workflow_call:
+
+jobs:
+  retrieve-metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      build-version: ${{ steps.get-build-version.outputs.VERSION }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get App Version
+        id: get-build-version
+        run: |
+          echo "VERSION=${{ env.VERSION }}" >> "$GITHUB_OUTPUT"
+
+  release-helm-chart:
+    needs: retrieve-metadata
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+
+    uses: h2oai/workflows-library/.github/workflows/wave-bundle-helm-release.yaml@main
+    with:
+      build-version: ${{ needs.retrieve-metadata.outputs.build-version }}
+      helm-chart-artifact: wave-bundle-helm
diff --git a/.github/workflows/wave-bundle-university.yaml b/.github/workflows/wave-bundle-university.yaml
@@ -0,0 +1,48 @@
+name: Wave Bundle
+
+on:
+  workflow_call:
+
+jobs:
+  airgapped:
+    name: Create Wave Bundle
+    runs-on: ubuntu-latest
+    outputs:
+      build-version: ${{ steps.get-build-version.outputs.VERSION }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Download H2O CLI
+        run: mkdir -p .bin && curl -o .bin/h2o https://h2oai-cloud-release.s3.amazonaws.com/releases/ai/h2o/h2o-cloud/v0.28.2/cli/linux-amd64/h2o
+
+      - name: Change permissions
+        run: chmod +x .bin/h2o
+
+      - name: Get App Version
+        id: get-build-version
+        run: |
+          echo "VERSION=${{ env.VERSION }}" >> "$GITHUB_OUTPUT"
+
+      - name: Make air-gapped bundle
+        run: |
+          .bin/h2o bundle \
+            --docker-base-image 524466471676.dkr.ecr.us-east-1.amazonaws.com/q8s/launcher:v0.23.0-38 \
+            --docker-include static \
+            --docker-use-buildkit \
+            --generate-helm-charts \
+            --helm-chart-version ${{ steps.get-build-version.outputs.VERSION }} \
+            --helm-chart-name ${{ github.event.repository.name }} \
+            --generate-dockerfile
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: wave-bundle
+          path: |
+            ./*.Dockerfile
+            ./*.wave
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: wave-bundle-helm
+          path: helm/
diff --git a/.github/workflows/wave-publish-university.yaml b/.github/workflows/wave-publish-university.yaml
@@ -0,0 +1,29 @@
+name: Publish Wave Bundle
+
+on:
+  workflow_call:
+
+jobs:
+  retrieve-metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      build-version: ${{ steps.get-build-version.outputs.VERSION }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get App Version
+        id: get-build-version
+        run: |
+          echo "VERSION=$(make version)" >> "$GITHUB_OUTPUT"
+
+  build-and-publish:
+    needs: retrieve-metadata
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+
+    uses: h2oai/workflows-library/.github/workflows/wave-bundle-docker-build-publish.yaml@main
+    with:
+      build-version: ${{ needs.retrieve-metadata.outputs.build-version }}
+      bundle-artifact: wave-bundle
diff --git a/.github/workflows/wave-university.yaml b/.github/workflows/wave-university.yaml
@@ -0,0 +1,31 @@
+name: Wave Bundle
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release Version'
+        required: true
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  VERSION: "${{ github.event.inputs.version }}"
+  TAG: "v${{ github.event.inputs.version }}"
+
+jobs:
+  bundle:
+    name: Create Wave Bundle
+    working-directory: ./university
+    uses: ./.github/workflows/wave-bundle-university.yaml
+
+  publish:
+    needs: bundle
+    name: Build and Publish
+    working-directory: ./university
+    uses: ./.github/workflows/wave-publish-university.yaml
+
+  helm-publish:
+    needs: bundle
+    name: Build and Publish Helm Chart
+    working-directory: ./university
+    uses: ./.github/workflows/helm-release-university.yaml
diff --git a/university/bundle_generated_files/ai.h2o.wave.university.1.0.0.bundle.Dockerfile b/university/bundle_generated_files/ai.h2o.wave.university.1.0.0.bundle.Dockerfile
@@ -0,0 +1,4 @@
+FROM alpine:3.18
+
+COPY ../ai.h2o.wave.university.1.0.0.wave /app/ai.h2o.wave.university.1.0.0.wave
+ENV WAVE_BUNDLE_FILE /app/ai.h2o.wave.university.1.0.0.wave
diff --git a/university/bundle_generated_files/ai.h2o.wave.university.1.0.0.runtime.Dockerfile b/university/bundle_generated_files/ai.h2o.wave.university.1.0.0.runtime.Dockerfile
@@ -0,0 +1,33 @@
+FROM 524466471676.dkr.ecr.us-east-1.amazonaws.com/q8s/launcher:v0.23.0-gpu38
+
+WORKDIR /app/
+
+# Create a virtual environment
+RUN python3 -m venv /app/venv
+
+LABEL \
+	# Version of the bundle cmd used to generate this Dockerfile
+	ai.h2o.appstore.bundle.version = 0.0.1 \
+	# App name as defined in the app.toml
+	ai.h2o.appstore.app.name = "ai.h2o.wave.university" \
+	# App version as defined in the app.toml
+	ai.h2o.appstore.app.version = "1.0.0"
+
+# Unpack .wave bundle
+RUN --mount=type=bind,src=ai.h2o.wave.university.1.0.0.wave,target=/app/ai.h2o.wave.university.1.0.0.wave \
+	unzip ai.h2o.wave.university.1.0.0.wave || UNZIP_EXIT_CODE=$? && \
+	# Ignore exit code 2, seems to be a false positive
+	if [ $UNZIP_EXIT_CODE != 0 ] && [ $UNZIP_EXIT_CODE != 2 ]; then echo "unzip failed with exit code $UNZIP_EXIT_CODE"; exit $UNZIP_EXIT_CODE; fi
+
+# Install Python dependencies
+RUN --mount=type=cache,target=/home/.cache \
+	--mount=type=cache,target=/root/.cache \
+	--mount=type=cache,target=/.cache \
+	/app/venv/bin/pip3 install -r requirements.txt
+
+# Path to the venv directory
+ENV H2O_CLOUD_VENV_PATH /app/venv
+# Path to the app directory
+ENV H2O_CLOUD_APP_ROOT /app
+# App main module
+ENV H2O_CLOUD_PY_MODULE=h2o_wave_university.university
diff --git a/university/bundle_generated_files/helm/charts/university/Chart.yaml b/university/bundle_generated_files/helm/charts/university/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+appVersion: 1.0.0
+name: university
+version: 0.1.0
+description: |
+  Interactive Wave learning experience.
+type: application
diff --git a/university/bundle_generated_files/helm/charts/university/templates/_helpers.tpl b/university/bundle_generated_files/helm/charts/university/templates/_helpers.tpl
@@ -0,0 +1,42 @@
+{{- define "university.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "university.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "university.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "university.labels" -}}
+helm.sh/chart: {{ include "university.chart" . }}
+{{ include "university.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "university.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "university.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "university.import.auth.oidc.usernamePassword.secretName" -}}
+{{- if .Values.import.auth.oidc.usernamePassword.existingSecret }}
+{{- .Values.import.auth.oidc.usernamePassword.existingSecret }}
+{{- else }}
+{{- printf "%s-import-creds" (include "university.fullname" .) }}
+{{- end }}
+{{- end }}
diff --git a/university/bundle_generated_files/helm/charts/university/templates/configmap.yaml b/university/bundle_generated_files/helm/charts/university/templates/configmap.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.caCertificates }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "university.fullname" . }}-ca-certificates
+data:
+  root-ca-bundle.crt:  |
+    {{ .Values.caCertificates | nindent 4 | trim }}
+{{- end }}
diff --git a/university/bundle_generated_files/helm/charts/university/templates/job.yaml b/university/bundle_generated_files/helm/charts/university/templates/job.yaml
@@ -0,0 +1,86 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "university.fullname" . }}-import
+  labels:
+    {{- include "university.labels" . | nindent 4 }}
+  annotations:
+    # marks this as a hook - https://helm.sh/docs/topics/charts_hooks/
+    # this resource will be automatically removed after the install/upgrade is complete, given
+    # the job completes successfully
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 10
+  template:
+    metadata:
+      name: {{ include "university.fullname" . }}-import
+      labels:
+        {{- include "university.labels" . | nindent 8 }}
+    spec:
+      restartPolicy: Never
+      {{- with coalesce .Values.import.image.pullSecrets .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      initContainers:
+        - name: cp-bundle
+          imagePullPolicy: {{ .Values.import.image.pullPolicy | default .Values.image.pullPolicy | quote }}
+          image: "{{ required "'university.bundleImage.repository' is required!" .Values.university.bundleImage.repository }}:{{ required "'university.bundleImage.tag' is required!" .Values.university.bundleImage.tag }}"
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command: ["/bin/sh"]
+          args: ["-c", "cp ${WAVE_BUNDLE_FILE} /workspace/app-bundle.wave"]
+          volumeMounts:
+          - mountPath: /workspace
+            name: "wave-bundle-volume"
+      containers:
+        - name: import-app
+          imagePullPolicy: {{ .Values.import.image.pullPolicy | default .Values.image.pullPolicy | quote }}
+          image: "{{ required "'import.image.repository' is required!" .Values.import.image.repository }}:{{ required "'import.image.tag' is required!" .Values.import.image.tag }}"
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.import.auth.oidc.usernamePassword.enabled }}
+          env:
+          - name: H2O_IMPORT_APP_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: "{{ include "university.import.auth.oidc.usernamePassword.secretName" . }}"
+                key: "{{ .Values.import.auth.oidc.usernamePassword.usernameKey }}"
+          - name: H2O_IMPORT_APP_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ include "university.import.auth.oidc.usernamePassword.secretName" . }}"
+                key: "{{ .Values.import.auth.oidc.usernamePassword.passwordKey }}"
+          {{- end }}
+          command: ["/app/bin/hac-import-app"]
+          args: [
+            "import",
+            "--app-store-endpoint", "{{ .Values.import.appStore.endpoint }}",
+            "--oidc-provider", "{{ .Values.import.auth.oidc.provider }}",
+            "--oidc-client-id", "{{ .Values.import.auth.oidc.clientID }}",
+            "--image", "{{ required "'university.runtimeImage.repository' is required!" .Values.university.runtimeImage.repository }}:{{ required "'university.runtimeImage.tag' is required!" .Values.university.runtimeImage.tag }}",
+            "--bundle-path", "/workspace/app-bundle.wave",
+          ]
+          volumeMounts:
+          - mountPath: /workspace
+            name: "wave-bundle-volume"
+            readOnly: true
+          {{- if .Values.caCertificates }}
+          - name: ca-certificates
+            mountPath: /etc/ssl/certs/root-ca-bundle.crt
+            subPath: root-ca-bundle.crt
+          {{- end }}
+      volumes:
+      - name: "wave-bundle-volume"
+        emptyDir: {}
+      {{- if .Values.caCertificates }}
+      - name: ca-certificates
+        configMap:
+          name: {{ include "university.fullname" . }}-ca-certificates
+      {{- end }}
diff --git a/university/bundle_generated_files/helm/charts/university/templates/secret.yaml b/university/bundle_generated_files/helm/charts/university/templates/secret.yaml
@@ -0,0 +1,23 @@
+{{ if and .Values.import.auth.oidc.usernamePassword.enabled (not .Values.import.auth.oidc.usernamePassword.existingSecret) -}}
+
+{{- $secretName := include "university.import.auth.oidc.usernamePassword.secretName" .  }}
+{{- $sec := lookup "v1" "Secret" .Release.Namespace $secretName }}
+
+{{- $username := get (coalesce $sec.data dict) .Values.import.auth.oidc.usernamePassword.usernameKey | b64dec }}
+{{- $username = .Values.import.auth.oidc.usernamePassword.username | default $username }}
+
+{{- $password := get (coalesce $sec.data dict) .Values.import.auth.oidc.usernamePassword.passwordKey | b64dec }}
+{{- $password = .Values.import.auth.oidc.usernamePassword.password | default $password }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName | quote }}
+  labels:
+    {{- include "university.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{ .Values.import.auth.oidc.usernamePassword.usernameKey }}: {{ $username | b64enc | quote }}
+  {{ .Values.import.auth.oidc.usernamePassword.passwordKey }}: {{ $password | b64enc | quote }}
+
+{{- end -}}