chore: rewrite ecamp3 deployment to helmfile

That it is easier to use github action secrets and vars in the deployment.
Leave dev and stage-prod in separate files that the review is somehow easier.
They will be put into one workflow in the next commit.

The default false for the num_threads is currently a hack because
the if statement in the secret should be an if empty, not just if.
There we should move the default into the application code, and
then we can simplify the null handling.

Also add api.dataMigrationsDir as an explicit value.
This was implicit before.
There we should also move the default to the application code later.

I leave these improvements out that this PR remains reviewable.
It's also best to diff the deleted values.yaml and the values.yaml.gotmpl.
Sadly the similarity was not enough for git to mark this as rename.

Author: BacLuc

.github/workflows/deployment-devel.yml

@@ -5,6 +5,15 @@ on:
     branches:
       - devel
   workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   continuous-integration:
@@ -29,4 +38,5 @@ jobs:
     with:
       name: dev
       env: dev
-    secrets: inherit
+      action: ${{ github.event.inputs.action || 'deploy' }}
+    secrets: inherit

.github/workflows/deployment-pr.yml

@@ -3,6 +3,16 @@ name: CD for feature branches
 on:
   pull_request_target:
     types: [opened, reopened, labeled, synchronize]
+  workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 concurrency:
   group: ${{ github.workflow}}-${{ github.event.pull_request.number }}
@@ -30,4 +40,5 @@ jobs:
       env: feature-branch
       pr-number: ${{ github.event.pull_request.number }}
       dropDBOnUninstall: true
+      action: ${{ github.event.inputs.action || 'deploy' }}
     secrets: inherit

.github/workflows/deployment-stage-prod.yml

@@ -9,6 +9,15 @@ on:
       - staging
       - prod
   workflow_dispatch:
+    inputs:
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   build-and-push:
@@ -25,4 +34,8 @@ jobs:
     name: Upgrade or install deployment
     needs: build-and-push
     uses: ./.github/workflows/reusable-stage-prod-deployment.yml
+    with:
+      name: ${{ github.ref_name }}
+      env: ${{ github.ref_name }}
+      action: ${{ github.event.inputs.action || 'deploy' }}
     secrets: inherit

.github/workflows/restore-backup-dev-pr.yml

@@ -21,6 +21,14 @@ on:
         description: The environment, if name is dev then dev, else feature-branch
         required: true
         default: dev
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 
 jobs:
@@ -44,4 +52,5 @@ jobs:
       pr-number: ${{ inputs.pr-number }}
       dropDBOnUninstall: ${{ inputs.pr-number != null }}
       restoreSourceFile: ${{ inputs.restoreSourceFile }}
+      action: ${{ github.event.inputs.action }}
     secrets: inherit

.github/workflows/restore-backup-stage-prod.yml

@@ -18,6 +18,14 @@ on:
           and restore the database with the given backup file?
           Repeat the branch name to confirm. (e.g. staging or prod)
         required: true
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   check-parameters:
@@ -49,4 +57,6 @@ jobs:
     uses: ./.github/workflows/reusable-stage-prod-deployment.yml
     with:
       restoreSourceFile: ${{ inputs.restoreSourceFile }}
+      env: ${{ github.ref_name }}
+      action: ${{ github.event.inputs.action }}
     secrets: inherit

.github/workflows/reusable-dev-deployment.yml

@@ -1,16 +1,18 @@
-name: '[reusable only] Development deployment'
+name: '[reusable only] ecamp3 deployment'
 
 on:
   workflow_call:
     inputs:
       name:
-        required: true
+        description: Deployment short name for subdomain (e.g. dev, pr123).
+        required: false
         type: string
       sha:
         required: false
         type: string
         default: ${{ github.sha }}
       env:
+        description: Target environment (dev, feature-branch, staging, prod)
         required: true
         type: string
       pr-number:
@@ -23,15 +25,26 @@ on:
       restoreSourceFile:
         required: false
         type: string
+      action:
+        description: "Choose action of (diff|deploy)"
+        type: string
+        required: true
+        default: diff
+
+env:
+  NAME: ${{ inputs.name }}
+  IMAGE_TAG: ${{ inputs.sha }}
+  HELM_TIMEOUT: ${{ vars.HELM_TIMEOUT }}
 
 jobs:
-  dev-deployment:
+  deploy-ecamp3:
     name: Deploy to Kubernetes
     runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.env }}
     steps:
       - name: Get link to currently running job logs
+        if: ${{ inputs.env == 'feature-branch' }}
         uses: Tiryoh/[email protected]
         id: job-url
         with:
@@ -44,7 +57,7 @@ jobs:
         with:
           step: start
           token: ${{ secrets.REPO_ACCESS_TOKEN }}
-          env: ${{ inputs.name }}
+          env: ${{ inputs.env }}
 
       - name: Comment progress on PR
         uses: thollander/actions-comment-pull-request@v3
@@ -65,74 +78,51 @@ jobs:
         with:
           ref: ${{ inputs.sha }}
 
-      - name: Upgrade or install helm release
-        env:
-          never_uninstall: ${{ needs.find-prs-to-deploy.outputs.never-uninstall }}
+      - name: Dump secrets to /tmp/secrets.json
+        run: |
+          cat << 'EOF' | tee /tmp/secrets.json
+          ${{ toJSON(secrets) }}
+          EOF
+          jq '.' /tmp/secrets.json
+
+      - name: Dump variables to /tmp/vars.json
+        run: |
+          cat << 'EOF' | tee /tmp/vars.json
+          ${{ toJSON(vars) }}
+          EOF
+          jq '.' /tmp/vars.json
+
+      - name: Merge secrets, variables, and workflow inputs to env.yaml
+        run: |
+          jq -n \
+            '{
+              NAME: "${{ inputs.name }}",
+              IMAGE_TAG: "${{ inputs.sha }}",
+              RESTORE_SOURCE_FILE: "${{ inputs.restoreSourceFile || '' }}",
+              DROP_DB_ON_UNINSTALL: ${{ inputs.dropDBOnUninstall }}
+            }' > /tmp/additions.json
+          jq -s '.[0] + .[1] + .[2]' /tmp/secrets.json /tmp/vars.json /tmp/additions.json > .helm/ecamp3/env.yaml
+          jq '.' .helm/ecamp3/env.yaml
+
+      - name: Setup kubectl authentication
+        run: |
+          mkdir -p ~/.kube
+          echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config
+          chmod go-r ~/.kube/config
+
+      - uses: ./.github/actions/setup-helmfile
+
+      - name: Diff deployment
+        run: |
+          ./.helm/ecamp3/deploy.sh diff || true
+
+      - name: Show values.yaml
+        run: cat ./.helm/ecamp3/values.yaml
+
+      - name: Deploy
+        if: ${{ inputs.action == 'deploy' }}
         run: |
-          # Setup authentication
-          mkdir ~/.kube && echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config && chmod go-r ~/.kube/config
-          # Switch to the helm chart directory
-          cd .helm/ecamp3
-          # Install dependency charts
-          helm dependency update
-          # Set the appVersion, workaround from https://github.com/helm/helm/issues/8194 so that we can
-          # later find out which deployments need to be upgraded
-          sed -i 's/^appVersion:.*$/appVersion: "${{ inputs.sha }}"/' Chart.yaml
-          # Install or upgrade the release
-          helm upgrade --install ecamp3-${{ inputs.name }} . \
-            --set imageTag=${{ inputs.sha }} \
-            --set frontend.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-frontend' \
-            --set print.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-print' \
-            --set api.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-api' \
-            --set apiCache.image.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-varnish' \
-            --set postgresql.dbBackupRestoreImage.repository='docker.io/${{ vars.DOCKER_HUB_USERNAME }}/ecamp3-db-backup-restore' \
-            --set termsOfServiceLinkTemplate='https://ecamp3.ch/{lang}/tos' \
-            --set newsLink='https://ecamp3.ch/blog' \
-            --set helpLink='https://ecamp3.ch/faq' \
-            --set domain=${{ inputs.name }}.${{ vars.DOMAIN }} \
-            --set ingress.basicAuth.enabled=${{ vars.BASIC_AUTH_ENABLED || false  }} \
-            --set ingress.basicAuth.username=${{ secrets.BASIC_AUTH_USERNAME }} \
-            --set ingress.basicAuth.password='${{ secrets.BASIC_AUTH_PASSWORD }}' \
-            --set apiCache.enabled=${{ vars.API_CACHE_ENABLED || false }} \
-            --set apiCache.sendXKeyHeadersDownstream=${{ vars.SEND_XKEY_HEADERS_DOWNSTREAM != null && format('''{0}''', vars.SEND_XKEY_HEADERS_DOWNSTREAM) || null }} \
-            --set mail.dummyEnabled=true \
-            --set postgresql.url='${{ secrets.POSTGRES_URL }}/ecamp3${{ inputs.name }}?sslmode=require' \
-            --set postgresql.adminUrl='${{ secrets.POSTGRES_ADMIN_URL }}/ecamp3${{ inputs.name }}?sslmode=require' \
-            --set postgresql.dropDBOnUninstall=${{ inputs.dropDBOnUninstall }} \
-            --set postgresql.backup.schedule=${{ vars.BACKUP_SCHEDULE != null && format('''{0}''', vars.BACKUP_SCHEDULE) || null }} \
-            --set postgresql.backup.s3.endpoint='${{ vars.BACKUP_S3_ENDPOINT }}' \
-            --set postgresql.backup.s3.bucket='${{ vars.BACKUP_S3_BUCKET }}' \
-            --set postgresql.backup.s3.accessKeyId='${{ secrets.BACKUP_S3_ACCESS_KEY_ID }}' \
-            --set postgresql.backup.s3.accessKey='${{ secrets.BACKUP_S3_ACCESS_KEY }}' \
-            --set postgresql.backup.encryptionKey=${{ secrets.BACKUP_ENCRYPTION_KEY != null && format('''{0}''', secrets.BACKUP_ENCRYPTION_KEY) || null }} \
-            --set postgresql.restore.sourceFile=${{ inputs.restoreSourceFile != null && format('''{0}''', inputs.restoreSourceFile) || null }} \
-            --set postgresql.restore.sourceAppName=${{ vars.RESTORE_SOURCE_APP != null && format('''{0}''', vars.RESTORE_SOURCE_APP) || null }} \
-            --set postgresql.restore.s3.endpoint='${{ vars.RESTORE_S3_ENDPOINT }}' \
-            --set postgresql.restore.s3.bucket='${{ vars.RESTORE_S3_BUCKET }}' \
-            --set postgresql.restore.s3.accessKeyId='${{ secrets.RESTORE_S3_ACCESS_KEY_ID }}' \
-            --set postgresql.restore.s3.accessKey='${{ secrets.RESTORE_S3_ACCESS_KEY }}' \
-            --set postgresql.restore.encryptionKey=${{ secrets.RESTORE_ENCRYPTION_KEY != null && format('''{0}''', secrets.RESTORE_ENCRYPTION_KEY) || null }} \
-            --set api.dataMigrationsDir='${{ vars.DATA_MIGRATIONS_DIR }}' \
-            --set api.appSecret='${{ secrets.API_APP_SECRET }}' \
-            --set api.sentryDsn='${{ secrets.API_SENTRY_DSN }}' \
-            --set api.jwt.passphrase='${{ secrets.JWT_PASSPHRASE }}' \
-            --set api.jwt.publicKey='${{ secrets.JWT_PUBLIC_KEY }}' \
-            --set api.jwt.privateKey='${{ secrets.JWT_PRIVATE_KEY }}' \
-            --set frontend.sentryDsn='${{ secrets.FRONTEND_SENTRY_DSN }}' \
-            --set print.sentryDsn='${{ secrets.PRINT_SENTRY_DSN }}' \
-            --set print.browserWsEndpoint='${{ secrets.BROWSER_WS_ENDPOINT }}' \
-            --set print.ingress.readTimeoutSeconds='${{ vars.PRINT_INGRESS_READ_TIMEOUT_SECONDS }}' \
-            --set print.renderHTMLTimeoutMs='${{ vars.PRINT_RENDER_HTML_TIMEOUT_MS }}' \
-            --set print.renderPDFTimeoutMs='${{ vars.PRINT_RENDER_PDF_TIMEOUT_MS }}' \
-            --set browserless.connectionTimeout=${{ vars.BROWSERLESS_CONNECTION_TIMEOUT_MS || '30000' }} \
-            --set deploymentTime="$(date -u +%s)" \
-            --set deployedVersion="$(git rev-parse --short '${{ inputs.sha }}')" \
-            --set recaptcha.siteKey='${{ secrets.RECAPTCHA_SITE_KEY }}' \
-            --set recaptcha.secret='${{ secrets.RECAPTCHA_SECRET }}' \
-            --set frontend.loginInfoTextKey=${{ vars.LOGIN_INFO_TEXT_KEY }} \
-            --set featureToggle.developer=true \
-            --set featureToggle.checklist=${{ vars.FEATURE_CHECKLIST || 'false' }} \
-            --timeout ${{ vars.HELM_TIMEOUT || '5m0s' }}
+          ./.helm/ecamp3/deploy.sh deploy
 
       - name: Finish the GitHub deployment
         uses: bobheadxi/[email protected]
@@ -142,7 +132,7 @@ jobs:
           token: ${{ secrets.REPO_ACCESS_TOKEN }}
           status: ${{ job.status }}
           deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-          env_url: https://${{ inputs.name }}.${{ vars.DOMAIN }}
+          env_url: ${{ (inputs.env == 'staging' || inputs.env == 'prod') && format('https://{0}.{1}', vars.SUBDOMAIN, vars.DOMAIN) || format('https://{0}.{1}', inputs.name, vars.DOMAIN) }}
           env: ${{ steps.deployment.outputs.env }}
 
       - name: Get current time