Auto Deploy for Care Backend #24

Open
jesbinjoseph wants to merge 7 commits into 10bedicu:develop from jesbinjoseph:develop
@jesbinjoseph

Proposed Changes

  • Enable auto-deploy to the care backend whenever code is pushed to the develop branch.

Associated Issue

  • Currently, deployments require manual intervention. This auto-deploy setup eliminates manual steps by automatically rolling out new images to the cluster after a successful build on the develop branch.

Prerequisites

  • Install the following packages on the jumphost. You can skip this if they already exist on the machine.

    # Install hcledit
    curl -sSL https://github.com/minamijoyo/hcledit/releases/download/v0.2.17/hcledit_0.2.17_linux_amd64.tar.gz | tar xz
    mv hcledit /usr/local/bin/
    
    # Install OpenTofu v1.11.5
    curl -sSL https://github.com/opentofu/opentofu/releases/download/v1.11.5/tofu_1.11.5_linux_amd64.tar.gz | tar xz -C /tmp
    mv /tmp/tofu /usr/local/bin/
  • This deploy stage needs SSH access to the jumphost. Please add the following secrets in your GitHub repo under Settings > Secrets and variables > Actions:

    | Secret | Description |
    | --- | --- |
    | DEPLOY_SSH_KEY | Private SSH key for connecting to the jumphost |
    | DEPLOY_HOST | Public IP or hostname of the jumphost |
    | DEPLOY_USER | SSH username on the jumphost (e.g. ubuntu) |
    | DEPLOY_PATH | Absolute path to deploy-backend on the jumphost (e.g. /home/ubuntu/iac_tofu_template/deploy-backend) |

Additional Docs

Merge Checklist

  • Tests added/fixed
  • Update docs in /docs
  • Linting Complete
  • Any other necessary step

Only PRs with test cases included and passing lint and test pipelines will be reviewed

@ohcnetwork/care-backend-maintainers @ohcnetwork/care-backend-admins

@gigincg

gigincg commented Feb 26, 2026

@jesbinjoseph On reading a bit, I've come across the thought that the idea of updating the image using tofu/terraform is fundamentally flawed, and ideally the CI/CD Pipeline should be separate, and the tofu scripts need not ever update the image.

If we switch to proper helm charts, the tofu script can have:

resource "helm_release" "care" {
  name  = "care"
  chart = "./chart"

  values = [
    yamlencode({
      image = {
        repository = "repo/care"
        tag        = "latest"
      }
    })
  ]

  lifecycle {
    ignore_changes = [values]
  }
}

And the CI/CD Pipeline would simply do

helm upgrade care ./chart \
  --set image.tag="${GITHUB_SHA}"

Removed multiple Plug configurations for care_state_hmis, abdm, and care_scribe.
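
The CI-side step from the split proposed in the comment above, as an added example that is not part of the PR or the project's code: it accepts only a full commit SHA as the image tag before building the `helm upgrade` command. The release name and chart path come from the comment; `DRY_RUN`, the function names, and the `--reuse-values` and `--atomic` flags (Helm 3) are assumptions added here.

```shell
#!/bin/sh
# Added example, not the project's pipeline. Tofu owns the helm release
# (with ignore_changes on values); CI only moves image.tag.

# Accept only a full 40-character lowercase hex commit SHA.
# This rejects mutable tags such as "latest" and any value containing
# characters that --set would parse (',' '=' '.') or the shell would split on.
valid_image_tag() {
    case "$1" in
        ''|*[!0123456789abcdef]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print the helm command for a tag; fail closed on anything else.
helm_upgrade_cmd() {
    tag="$1"
    if ! valid_image_tag "$tag"; then
        echo "refusing to deploy: '$tag' is not a full commit SHA" >&2
        return 1
    fi
    # --reuse-values keeps the values tofu applied to the release;
    # --atomic waits for the rollout and rolls back if it fails.
    printf 'helm upgrade care ./chart --reuse-values --atomic --set image.tag=%s\n' "$tag"
}

# DRY_RUN (hypothetical switch, default 1) prints the command instead of
# running it, so the step can be exercised without cluster credentials.
deploy() {
    cmd=$(helm_upgrade_cmd "$1") || return 1
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$cmd"
    else
        # Word splitting is safe here: the only variable part is validated hex.
        $cmd
    fi
}

# In a GitHub Actions job GITHUB_SHA is set by the runner.
if [ -n "${GITHUB_SHA:-}" ]; then
    deploy "$GITHUB_SHA"
fi
```
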