build: wpb-22439 add cd_staging script

.github/pull_request_template.md

@@ -25,6 +25,7 @@ Fixes ${ISSUE_URL}
 Add one or more labels to trigger offline builds:
 - `build-default` - Full production build (ansible, terraform, all packages)
 - `build-demo` - Demo/WIAB build
+- `build-wiab-staging` - WIAB-staging build
 - `build-min` - Minimal build (fastest, essential charts only)
 - `build-all` - Run all three builds
 

.github/workflows/offline.yml

@@ -9,21 +9,22 @@
 #   - No label: No builds run (must add label to trigger builds)
 #   - 'build-default': Builds only default profile
 #   - 'build-demo': Builds only demo profile
+#   - 'build-wiab-staging' - Builds only wiab-staging profile
 #   - 'build-min': Builds only min profile
 #   - 'build-all': Explicitly builds all profiles (useful for workflow changes)
 #
 # Push to master/develop: Always builds all profiles regardless of labels
 #
 on:
   push:
-    branches: [master, develop]
+    branches: ["**"]
     tags: [v*]
     paths-ignore:
       - "*.md"
       - "**/*.md"
   pull_request:
     types: [synchronize, reopened, labeled]
-    branches: [master, develop]
+    branches: ["**"]
     paths-ignore:
       - "*.md"
       - "**/*.md"
@@ -32,9 +33,9 @@ jobs:
   build-default:
     name: Build default profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
-      contains(github.event.pull_request.labels.*.name, 'build-default')
+      contains(github.event.pull_request.labels.*.name, 'build-default') ||
+      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
     runs-on:
       group: wire-server-deploy
     outputs:
@@ -72,6 +73,27 @@ jobs:
           AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
           AWS_REGION: "eu-west-1"
 
+  verify-default:
+    name: Verify default profile
+    needs: build-default
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'build-all') ||
+      contains(github.event.pull_request.labels.*.name, 'build-default')
+    runs-on:
+      group: wire-server-deploy
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: wire-server
+          signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+      - name: Install nix environment
+        run: nix-env -f default.nix -iA env
+
       - name: Install terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -89,6 +111,45 @@ jobs:
         env:
           HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
 
+  # verify wiab-staging profile
+  verify-wiab-staging:
+    name: Verify wiab staging profile
+    needs: build-default
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'build-all') ||
+      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
+    runs-on:
+      group: wire-server-deploy
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: wire-server
+          signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+      - name: Install nix environment
+        run: nix-env -f default.nix -iA env
+
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.3.7"
+          terraform_wrapper: false
+
+      - name: Deploy offline wiab-staging environment to hetzner
+        run: ./offline/cd_staging.sh
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
+      - name: Clean up hetzner wiab-staging environment; just in case
+        if: always()
+        run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
   # Build container in parallel
   build-container:
     name: Build container
@@ -118,7 +179,6 @@ jobs:
   build-demo:
     name: Build demo profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
       contains(github.event.pull_request.labels.*.name, 'build-demo')
     runs-on:
@@ -179,7 +239,6 @@ jobs:
   build-min:
     name: Build min profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
       contains(github.event.pull_request.labels.*.name, 'build-min')
     runs-on:

ansible/inventory/offline/99-static

@@ -83,7 +83,19 @@
 
 [postgresql:vars]
 postgresql_network_interface = enp1s0
-
+repmgr_node_config:
+  postgresql1:  # Maps to postgresql_rw group
+    node_id: 1
+    priority: 150
+    role: primary
+  postgresql2:  # Maps to first postgresql_ro
+    node_id: 2
+    priority: 100
+    role: standby
+  postgresql3:  # Maps to second postgresql_ro
+    node_id: 3
+    priority: 50
+    role: standby
 
 [elasticsearch:vars]
 # elasticsearch_network_interface = enp1s0

ansible/inventory/offline/group_vars/postgresql/postgresql.yml

@@ -24,19 +24,8 @@ repmgr_namespace: "{{ wire_namespace | default('default') }}"
 wire_pg_secret_name: "wire-postgresql-external-secret"
 
 # Node configuration for repmgr
-repmgr_node_config:
-  postgresql1:  # Maps to postgresql_rw group
-    node_id: 1
-    priority: 150
-    role: primary
-  postgresql2:  # Maps to first postgresql_ro
-    node_id: 2
-    priority: 100
-    role: standby
-  postgresql3:  # Maps to second postgresql_ro
-    node_id: 3
-    priority: 50
-    role: standby
+# NOTE: repmgr_node_config is defined in the inventory file ansible/inventory/offline/99-static, ansible/inventory/offline/staging.yml and terraform/examples/wire-server-deploy-offline-hetzner/outputs.tf
+# to allow environment-specific node mappings. Do not define here.
 
 # repmgr settings
 # repmgrd monitoring and reconnection configuration

ansible/inventory/offline/staging.yml

@@ -38,8 +38,6 @@ k8s-cluster:
     kube-master: {}
 
 datanodes:
-  # host names here must match each node's actual hostname
-  # its a requirement for rabbitmq
   hosts:
     datanode1:
       ansible_host: "datanode1_ip"
@@ -76,6 +74,8 @@ minio:
 
 rmq-cluster:
   children:
+    # host names here must match each node's actual hostname
+    # its a requirement for rabbitmq
     datanodes: {}
   vars:
     rabbitmq_network_interface: enp1s0
@@ -88,6 +88,19 @@ postgresql:
   vars:
     wire_dbname: wire-server
     postgresql_network_interface: enp1s0
+    repmgr_node_config:
+      datanode1:  # Maps to postgresql_rw group
+        node_id: 1
+        priority: 150
+        role: primary
+      datanode2:  # Maps to first postgresql_ro
+        node_id: 2
+        priority: 100
+        role: standby
+      datanode3:  # Maps to second postgresql_ro
+        node_id: 3
+        priority: 50
+        role: standby
 
 postgresql_rw:
   hosts:

ansible/wiab-staging-provision.yml

@@ -258,6 +258,10 @@
         yq -i ".rmq-cluster.vars.rabbitmq_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}"
         yq -i ".rmq-cluster.vars.rabbitmq_cluster_master |= \"datanode1\"" "{{ inventory_file }}"
         yq -i ".postgresql.vars.postgresql_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}"
+
+        # setting up ansible_ssh_private_key_file to access VMs for secondary ansible operations
+        yq -i ".all.vars.ansible_ssh_private_key_file |= \"ssh/id_ed25519\"" "{{ inventory_file }}"
+
       args:
         executable: /bin/bash