Deploy RC 73 to Prod

.gitlab-ci.yml

@@ -5,7 +5,8 @@
 
 variables:
   ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'
-  IDP_WORKER_IMAGE_TAG: 'main'
+  IDP_IMAGE_TAG: 'main'
+  DASHBOARD_IMAGE_TAG: 'main'
   PIVCAC_CI_SHA: 'sha256:247e38ad3e4abdaed3609ec752985cf308ae56d86eaf70159461bbbeddcadd81'
   CI: 'true'
 
@@ -186,104 +187,141 @@ review-app:
     name: dtzar/helm-kubectl:latest
   script:
     - kubectl config get-contexts
-    - export CONTEXT=$(kubectl config get-contexts | grep -v CURRENT | awk '{print $1}' | head -1)
+    - export CONTEXT=$(kubectl config get-contexts | grep review-apps | awk '{print $1}' | head -1)
     - kubectl config use-context "$CONTEXT"
     - |-
-      export PIVCAC_ENV=$(cat <<EOF
-      [
-        {"name": "CLIENT_CERT_S3_BUCKET", "value": "login-gov-pivcac-public-cert-reviewapp.894947205914-us-west-2"},
-        {"name": "POSTGRES_SSLMODE", "value": "prefer"},
-        {"name": "POSTGRES_NAME", "value": "identity_pki_production"},
-        {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-login-chart-pivcac-pg.review-apps"},
-        {"name": "POSTGRES_USERNAME", "value": "postgres"},
-        {"name": "POSTGRES_PASSWORD", "value": "pivcac"},
-        {"name": "IDP_HOST", "value": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov"},
-        {"name": "DOMAIN_NAME", "value": "$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov"}
-      ]
+      export IDP_CONFIG=$(cat <<EOF
+      {
+        "kubernetesReviewApp": "true",
+        "postgres": {
+          "sslmode": "prefer",
+          "name": "idp",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"
+        },
+        "postgresWorker": {
+          "sslmode": "prefer",
+          "name": "idp",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"
+        },
+        "railsOffline": "true",
+        "redis": {
+          "irsAttemptsApiUrl": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/2",
+          "throttleUrl": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/1",
+          "url": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379"
+        },
+        "assetHost": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "domainName": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "loginDatacenter": "true",
+        "loginDomain": "identitysandbox.gov",
+        "loginEnv": "$CI_ENVIRONMENT_SLUG",
+        "loginHostRole": "idp",
+        "loginSkipRemoteConfig": "true",
+        "pivcacServiceUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov/",
+        "pivcacVerifyTokenUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov/",
+        "dashboardUrl": "https://$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov"
+      }
+      EOF
+      )
+    - |-
+      export WORKER_CONFIG=$(cat <<EOF
+      {
+        "kubernetesReviewApp": "true",
+        "postgres": {
+          "sslmode": "prefer",
+          "name": "idp",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"
+        },
+        "postgresWorker": {
+          "sslmode": "prefer",
+          "name": "idp",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"
+        },
+        "railsOffline": "true",
+        "redis": {
+          "irsAttemptsApiUrl": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/2",
+          "throttleUrl": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/1",
+          "url": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379"
+        },
+        "assetHost": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "domainName": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "loginDatacenter": "true",
+        "loginDomain": "identitysandbox.gov",
+        "loginEnv": "$CI_ENVIRONMENT_SLUG",
+        "loginHostRole": "worker",
+        "loginSkipRemoteConfig": "true",
+        "pivcacServiceUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov/",
+        "pivcacVerifyTokenUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov/"
+      }
       EOF
       )
     - |-
-      export IDP_ENV=$(cat <<EOF
-      [
-        {"name": "POSTGRES_SSLMODE", "value": "prefer"},
-        {"name": "POSTGRES_NAME", "value": "idp"},
-        {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
-        {"name": "POSTGRES_USERNAME", "value": "postgres"},
-        {"name": "POSTGRES_PASSWORD", "value": "postgres"},
-        {"name": "POSTGRES_WORKER_SSLMODE", "value": "prefer"},
-        {"name": "POSTGRES_WORKER_NAME", "value": "idp-worker-jobs"},
-        {"name": "POSTGRES_WORKER_HOST", "value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
-        {"name": "POSTGRES_WORKER_USERNAME", "value": "postgres"},
-        {"name": "POSTGRES_WORKER_PASSWORD", "value": "postgres"},
-        {"name": "RAILS_OFFLINE", "value": "true"},
-        {"name": "REDIS_IRS_ATTEMPTS_API_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/2"},
-        {"name": "REDIS_THROTTLE_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/1"},
-        {"name": "REDIS_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379"},
-        {"name": "ASSET_HOST", "value": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov"},
-        {"name": "DOMAIN_NAME", "value": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov"},
-        {"name": "LOGIN_DATACENTER", "value": "true" },
-        {"name": "LOGIN_DOMAIN", "value": "identitysandbox.gov"},
-        {"name": "LOGIN_ENV", "value": "$CI_ENVIRONMENT_SLUG" },
-        {"name": "LOGIN_HOST_ROLE", "value": "idp" },
-        {"name": "LOGIN_SKIP_REMOTE_CONFIG", "value": "true" },
-        {"name": "PIV_CAC_SERVICE_URL", "value": "https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov/"},
-        {"name": "PIV_CAC_VERIFY_TOKEN_URL", "value": "https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov/"}
-      ]
+      export PIVCAC_CONFIG=$(cat <<EOF
+      {
+        "kubernetesReviewApp": "true",
+        "clientCertS3Bucket": "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2",
+        "postgres": {
+          "sslmode": "prefer",
+          "name": "idp",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-pivcac-pg.review-apps"
+        },
+        "idpHost": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "domainName": "$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov"
+      }
       EOF
       )
     - |-
-      export WORKER_ENV=$(cat <<EOF
-      [
-        {"name": "POSTGRES_SSLMODE", "value": "prefer"},
-        {"name": "POSTGRES_NAME", "value": "idp"},
-        {"name": "POSTGRES_HOST", "value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
-        {"name": "POSTGRES_USERNAME", "value": "postgres"},
-        {"name": "POSTGRES_PASSWORD", "value": "postgres"},
-        {"name": "POSTGRES_WORKER_SSLMODE", "value": "prefer"},
-        {"name": "POSTGRES_WORKER_NAME", "value": "idp-worker-jobs"},
-        {"name": "POSTGRES_WORKER_HOST", "value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
-        {"name": "POSTGRES_WORKER_USERNAME", "value": "postgres"},
-        {"name": "POSTGRES_WORKER_PASSWORD", "value": "postgres"},
-        {"name": "RAILS_OFFLINE", "value": "true"},
-        {"name": "REDIS_IRS_ATTEMPTS_API_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/2"},
-        {"name": "REDIS_THROTTLE_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379/1"},
-        {"name": "REDIS_URL", "value": "redis://$CI_ENVIRONMENT_SLUG-login-chart-redis.review-apps:6379"},
-        {"name": "ASSET_HOST", "value": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov"},
-        {"name": "DOMAIN_NAME", "value": "$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov"},
-        {"name": "LOGIN_DATACENTER", "value": "true" },
-        {"name": "LOGIN_DOMAIN", "value": "identitysandbox.gov"},
-        {"name": "LOGIN_ENV", "value": "$CI_ENVIRONMENT_SLUG" },
-        {"name": "LOGIN_HOST_ROLE", "value": "worker" },
-        {"name": "LOGIN_SKIP_REMOTE_CONFIG", "value": "true" },
-        {"name": "PIV_CAC_SERVICE_URL", "value": "https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov/"},
-        {"name": "PIV_CAC_VERIFY_TOKEN_URL", "value": "https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov/"}
-      ]
+      export DASHBOARD_CONFIG=$(cat <<EOF
+      {
+        "kubernetesReviewApp": "true",
+        "postgres": {
+          "sslmode": "prefer",
+          "name": "dashboard",
+          "host": "$CI_ENVIRONMENT_SLUG-login-chart-dashboard-pg.review-apps"
+        },
+        "newrelic": {
+          "enabled": "false"
+        },
+        "samlSpIssuer": "https://$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov",
+        "idpUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "idpSpUrl": "https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov",
+        "postLogoutUrl": "https://$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov",
+        "domainName": "$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov"
+      }
       EOF
       )
-# Update helm command with idp and worker image repo/tag for blessed images once those repos are implemented    
     - git clone -b main --single-branch https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.login.gov/lg-public/identity-idp-helm-chart.git
     - >-
       helm upgrade --install --namespace review-apps
       --debug
-      --set pivcac.image.repository="${ECR_REGISTRY}/identity-pivcac/review"
-      --set pivcac.image.tag="${CI_COMMIT_SHA}"
+      --set env="reviewapps-$CI_ENVIRONMENT_SLUG"
       --set idp.image.repository="${ECR_REGISTRY}/identity-idp/review"
-      --set idp.image.tag="${IDP_WORKER_IMAGE_TAG}"
+      --set idp.image.tag="${IDP_IMAGE_TAG}"
       --set worker.image.repository="${ECR_REGISTRY}/identity-idp/review"
-      --set worker.image.tag="${IDP_WORKER_IMAGE_TAG}"
-      --set-json pivcac.env="$PIVCAC_ENV"
-      --set-json idp.env="$IDP_ENV"
-      --set-json worker.env="$WORKER_ENV"
-      --set-json pivcac.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]"
+      --set worker.image.tag="${IDP_IMAGE_TAG}"
+      --set pivcac.image.repository="${ECR_REGISTRY}/identity-pivcac/review"
+      --set pivcac.image.tag="${CI_COMMIT_SHA}"
+      --set pivcac.image.pullPolicy="Always"
+      --set dashboard.image.repository="${ECR_REGISTRY}/identity-dashboard/review"
+      --set dashboard.image.tag="${DASHBOARD_IMAGE_TAG}"
+      --set dashboard.image.pullPolicy="Always"
+      --set-json dashboard.config="$DASHBOARD_CONFIG"
+      --set-json dashboard.enabled=true
+      --set-json idp.config="$IDP_CONFIG"
+      --set-json worker.config="$WORKER_CONFIG"
+      --set-json pivcac.config="$PIVCAC_CONFIG"
       --set-json idp.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]"
+      --set-json pivcac.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]"
+      --set-json dashboard.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]"
       $CI_ENVIRONMENT_SLUG ./identity-idp-helm-chart
     - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away"
-    - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name review_app'"
-    - echo "Then run 'aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-pivcac -n review-apps -- /app/bin/rails console'"
+    - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapps'"
+    - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console"
     - echo "Address of IDP review app:"
     - echo https://$CI_ENVIRONMENT_SLUG.review-app.identitysandbox.gov
     - echo "Address of PIVCAC review app:"
-    - echo https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov
+    - echo https://$CI_ENVIRONMENT_SLUG.review-app.pivcac.identitysandbox.gov
+    - echo "Address of Dashboard review app:"
+    - echo https://$CI_ENVIRONMENT_SLUG-review-app-dashboard.review-app.identitysandbox.gov
   environment:
     name: review/$CI_COMMIT_REF_NAME
     url: https://$CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov
@@ -297,7 +335,7 @@ review-app:
 stop-review-app:
   resource_group: $CI_ENVIRONMENT_SLUG-review-app.pivcac.identitysandbox.gov
   script:
-    - export CONTEXT=$(kubectl config get-contexts | grep -v CURRENT | awk '{print $1}' | head -1)
+    - export CONTEXT=$(kubectl config get-contexts | grep review-apps | awk '{print $1}' | head -1)
     - kubectl config use-context "$CONTEXT"
     - helm uninstall --namespace review-apps $CI_ENVIRONMENT_SLUG
   stage: review

Gemfile

@@ -3,7 +3,7 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
 ruby '~> 3.2'
 
-gem 'rails', '~> 7.0.8'
+gem 'rails', '~> 7.0.8.3'
 
 gem 'activerecord-import', '>= 1.0.2'
 gem 'aws-sdk-s3'