From 28d195717aa2a338b3c9c905a07de89240419869 Mon Sep 17 00:00:00 2001 From: Duje Begonja Date: Tue, 21 Oct 2025 10:19:16 -0400 Subject: [PATCH 1/4] update prod resource requests --- .../prod/turn-server-values.yaml.gotmpl | 6 +++--- deploy/helm/environments/prod/values.yaml.gotmpl | 15 ++++++++------- deploy/helm/helmfile.yaml | 15 ++++++++------- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/deploy/helm/environments/prod/turn-server-values.yaml.gotmpl b/deploy/helm/environments/prod/turn-server-values.yaml.gotmpl index 6b9c205..fb0c8a3 100644 --- a/deploy/helm/environments/prod/turn-server-values.yaml.gotmpl +++ b/deploy/helm/environments/prod/turn-server-values.yaml.gotmpl @@ -13,7 +13,7 @@ metrics: resources: limits: - memory: 1Gi + memory: 512Mi requests: - cpu: 1 - memory: 1Gi + cpu: 100m + memory: 128Mi diff --git a/deploy/helm/environments/prod/values.yaml.gotmpl b/deploy/helm/environments/prod/values.yaml.gotmpl index 31cc1af..5be9dc9 100644 --- a/deploy/helm/environments/prod/values.yaml.gotmpl +++ b/deploy/helm/environments/prod/values.yaml.gotmpl @@ -13,14 +13,15 @@ ingress: autoscaling: enabled: true - minReplicas: 4 - maxReplicas: 15 + minReplicas: 1 + maxReplicas: 5 targetCPUUtilizationPercentage: 70 targetMemoryUtilizationPercentage: 70 metrics: - env: prod - cluster: rtlj-prod + alert_labels: + env: prod + cluster: rtlj-prod redis: pub: @@ -44,7 +45,7 @@ nodeSelector: resources: limits: - memory: 4Gi + memory: 512Mi requests: - cpu: 1000m - memory: 4Gi + cpu: 100m + memory: 192Mi diff --git a/deploy/helm/helmfile.yaml b/deploy/helm/helmfile.yaml index 233d558..1c35377 100644 --- a/deploy/helm/helmfile.yaml +++ b/deploy/helm/helmfile.yaml @@ -1,7 +1,13 @@ +environments: + default: {} + dev: {} + pr: {} + prod: {} +--- helmDefaults: verify: false - wait: false - timeout: 600 + wait: true + timeout: 120 recreatePods: false force: false createNamespace: false 
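Review bot: The new turn-server prod requests (`cpu: 100m`, `memory: 128Mi`) sit far below the `512Mi` memory limit and there is still no `limits.cpu`, which leaves the pod in the Burstable QoS class and makes it an early eviction candidate under node memory pressure; the signaling-server block in prod/values.yaml.gotmpl later in this patch has the same shape (`192Mi` requested against `512Mi`). If these are measured steady-state numbers, consider setting requests equal to limits for both cpu and memory on the prod pods so they land in the Guaranteed class, or at least add a `limits.cpu` so a burst cannot starve co-scheduled pods. Note too that the HPA memory target in prod/values.yaml.gotmpl is evaluated against requests, so with `192Mi` requested a pod triggers scale-out at roughly 134Mi while it may grow to 512Mi before being OOMKilled — confirm that gap is intended. The enclosing `resources:` map may continue outside the hunk.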
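Review bot: `minReplicas: 1` in the prod autoscaling block means the signaling server runs as a single pod until the HPA reacts, so a node drain, an OOMKill or a rolling update leaves no serving replica in production; together with `replicaCount: 1` in signaling-server/values.yaml in patch 4 there is no baseline redundancy. A prod floor of `minReplicas: 2` keeps one replica up through disruptions at little cost. Separately, moving `env`/`cluster` under `metrics.alert_labels` is a values-schema change that the commit message ("update prod resource requests") does not mention, and nothing in this patch updates a template to read `alert_labels`; confirm the consumer (presumably the rdx-works/alertmanager-configs release, which also takes this values file) expects that key, otherwise the labels silently stop rendering.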
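Review bot: `wait: true` with `timeout: 120` now makes every release in this helmfile fail the sync if its workloads are not Ready within two minutes, where before the sync returned without waiting; a slow rollout (for example the Redis release further down, which has persistence enabled and four replicas in the pr environment) can now fail an otherwise healthy deployment and leave the Helm release in a failed state. Consider a per-release `timeout` for the slow releases or a larger default, and record the intent next to the value, e.g. `timeout: 120  # fail fast on a stuck rollout; override per release where a longer start-up is expected`. The `helmDefaults:` map may continue past the end of the hunk.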
@@ -12,11 +18,6 @@ repositories: url: https://raw.githubusercontent.com/radixdlt/helm-charts/master/ username: {{ requiredEnv "HELM_GH_USER" }} password: {{ requiredEnv "HELM_GH_PASS" }} -environments: - default: {} - dev: {} - pr: {} - prod: {} releases: {{ $SIG_SRV_NS := .Namespace }} {{ $SIG_SRV_IMAGE_TAG := .StateValues.ci.tag }} From 00f2b8ceda0548d57ac97f51bea6739e1fc41954 Mon Sep 17 00:00:00 2001 From: Duje Begonja RDX <108268552+duje-begonja-rdx@users.noreply.github.com> Date: Thu, 4 Dec 2025 08:30:01 -0500 Subject: [PATCH 2/4] use ServiceMonitor fallback property as prometheus SDK is too old (#130) --- deploy/helm/signaling-server/templates/service-monitor.yaml | 1 + deploy/helm/turn-server/templates/service-monitor.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/deploy/helm/signaling-server/templates/service-monitor.yaml b/deploy/helm/signaling-server/templates/service-monitor.yaml index 69b6eee..a4808d0 100644 --- a/deploy/helm/signaling-server/templates/service-monitor.yaml +++ b/deploy/helm/signaling-server/templates/service-monitor.yaml @@ -6,6 +6,7 @@ metadata: labels: release: prometheus-operator spec: + fallbackScrapeProtocol: PrometheusText0.0.4 endpoints: - port: metrics path: {{ .Values.metrics.serviceMonitor.path }} diff --git a/deploy/helm/turn-server/templates/service-monitor.yaml b/deploy/helm/turn-server/templates/service-monitor.yaml index 3800592..4b477e5 100644 --- a/deploy/helm/turn-server/templates/service-monitor.yaml +++ b/deploy/helm/turn-server/templates/service-monitor.yaml @@ -6,6 +6,7 @@ metadata: labels: release: prometheus-operator spec: + fallbackScrapeProtocol: PrometheusText0.0.4 endpoints: - port: metrics interval: {{ .Values.metrics.interval }} From 9368d7da8e974d91b7d5aab15956c462797e0736 Mon Sep 17 00:00:00 2001 
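Review bot: `fallbackScrapeProtocol: PrometheusText0.0.4` is hard-coded in both ServiceMonitor templates (this one and turn-server/templates/service-monitor.yaml), so every install of these charts now emits a field that only Prometheus Operator CRDs recent enough to define it will accept; on an older CRD the apply is rejected or the field is pruned, depending on the API server's validation. Drive it from values so it can be omitted where unsupported: `{{- with .Values.metrics.serviceMonitor.fallbackScrapeProtocol }}`, `  fallbackScrapeProtocol: {{ . }}`, `{{- end }}` (using the corresponding `metrics` key in the turn-server chart). Add a comment above the default in values.yaml stating that it exists because the application's Prometheus client library predates scrape-protocol negotiation, as the commit message explains, so the next maintainer knows when it can be dropped.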
From: Duje Begonja RDX <108268552+duje-begonja-rdx@users.noreply.github.com> Date: Fri, 5 Dec 2025 08:20:36 -0500 Subject: [PATCH 3/4] merge main to develop (#131) --- .github/workflows/ci.yml | 134 +------------------------------------- deploy/helm/helmfile.yaml | 4 ++ 2 files changed, 5 insertions(+), 133 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 08140c6..ee2d9c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -16,139 +16,8 @@ on: workflow_dispatch: jobs: - snyk-scan-deps-licences: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-scan-deps-licenses' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Run Snyk to check for deps vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical - - snyk-scan-code: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-scan-code' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Run Snyk to check for code vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high - command: code test - - snyk-sbom: - runs-on: ubuntu-latest - permissions: write-all - needs: - - snyk-scan-deps-licences - - snyk-scan-code - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-sbom' - 
secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Generate SBOM # check SBOM can be generated but nothing is done with it - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - command: sbom - - name: Upload SBOM - if: github.event_name == 'release' - uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a - with: - files: sbom.json - repo-token: ${{ secrets.GITHUB_TOKEN }} - - snyk-monitor: - runs-on: ubuntu-latest - if: > - ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) || - ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} ) - needs: - - build - - push - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-monitor' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Enable Snyk online monitoring to check for vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }} - command: monitor - - snyk-container-monitor: - runs-on: ubuntu-latest - if: > - ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) || - ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} ) - needs: - - build - - push - permissions: - 
id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-container-monitor' - dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/dockerhub-credentials' - snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - snyk_org_id: ${{ secrets.SNYK_ORG_ID }} - image: docker.io/radixdlt/signaling-server:${{ needs.build.outputs.tag }} - target_ref: ${{ github.ref_name }} - build: runs-on: ubuntu-latest - needs: - - snyk-scan-deps-licences - - snyk-scan-code outputs: tag: ${{ steps.setup_tags.outputs.tag}} steps: @@ -223,9 +92,8 @@ jobs: dockerfile: "./Dockerfile" context: ./ platforms: "linux/amd64" - scan_image: true + scan_image: false continue_on_scan_image_finding: true - snyk_target_ref: ${{ github.ref_name }} secrets: workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }} service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} diff --git a/deploy/helm/helmfile.yaml b/deploy/helm/helmfile.yaml index 1c35377..78e2338 100644 --- a/deploy/helm/helmfile.yaml +++ b/deploy/helm/helmfile.yaml @@ -40,6 +40,10 @@ releases: auth: enabled: true password: redis + image: + registry: public.ecr.aws + repository: u2o0d2a1/bitnami-redis + tag: 7.2.4-debian-12-r16 master: resources: limits: From 86f1b2f1a4cccdca5a49526350b5e03e23930543 Mon Sep 17 00:00:00 2001 
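Review bot: This removes every Snyk job (dependency/licence scan, code scan, SBOM generation and release upload, monitor, container monitor) together with the `needs:` that gated `build` on the scans, and the later hunk in this file sets `scan_image: false` and drops `snyk_target_ref`, so after this commit the workflow builds and pushes an image with no dependency, code, container or SBOM check anywhere in the pipeline. If scanning has moved to a central workflow or to the Jenkins side, say so in a comment on the `build:` job (e.g. `# vulnerability scanning and SBOM generation run in <placeholder: replacement workflow>`), otherwise the removal should be called out in the commit message and at least the image scan re-enabled. The `jobs:` map this hunk edits continues outside the hunk.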
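Review bot: The Redis image pin `tag: 7.2.4-debian-12-r16` on the mirrored registry `public.ecr.aws/u2o0d2a1/bitnami-redis` is a mutable tag, so what gets deployed can change without a diff in this file; if the chart version in use exposes `image.digest`, pin the digest alongside the tag (`digest: sha256:<placeholder-digest>`), and note in a comment where the mirror is synced from so the pin can be refreshed. 7.2.4 is also not the newest 7.2.x patch release, so confirm it has been assessed against later fixes before it is frozen here. The `values:` list this hunk edits continues outside the hunk.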
From: Duje Begonja RDX <108268552+duje-begonja-rdx@users.noreply.github.com> Date: Fri, 5 Dec 2025 12:27:44 -0500 Subject: [PATCH 4/4] [DO-86c6y4zx8] migrate to Jenkins deployments (#132) --- .github/workflows/ci.yml | 85 +++++++++++++----------- deploy/helm/helmfile.yaml | 82 +++++++++++------------ deploy/helm/signaling-server/values.yaml | 2 +- 3 files changed, 84 insertions(+), 85 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee2d9c4..691e9bf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: server +name: "CI/CD" on: push: 
@@ -100,60 +100,65 @@ jobs: deploy_dev: if: github.ref == 'refs/heads/develop' - uses: radixdlt/iac-resuable-artifacts/.github/workflows/deploy.yml@main + name: "Deploy DEV" + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main needs: - push - build with: - app_name: signaling-server - step_name: deploy-dev - env_name: dev - namespace: signaling-server-dev - create_subns: false - aws_region: eu-west-2 - role_to_assume: arn:aws:iam::308190735829:role/gh-signaling-server-dev-deployer - eks_cluster: rdx-works-main-dev - helmfile_extra_vars: >- - ci.tag=${{ needs.build.outputs.tag }}, - ci.environment=dev + jenkins_job_name: 'kubernetes-deployments/job/signaling-server' + github_branch: '${{ github.ref }}' + application_name: 'sig-srv' + hierarchical_namespace: 'signaling-server-dev' + create_subnamespace: 'false' + kubernetes_namespace: 'signaling-server-dev' + aws_eks_cluster: 'rdx-works-main-dev' + aws_iam_role_name: 'jenkins-signaling-server-dev-deployer' + helmfile_environment: 'dev' + helmfile_extra_vars: 'ci.tag=${{ needs.build.outputs.tag }},ci.environment=dev' + secrets: + aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} + secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} deploy_pull_request: if: ${{ github.event_name == 'pull_request' }} - uses: radixdlt/iac-resuable-artifacts/.github/workflows/deploy.yml@main + name: "Deploy PR" + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main needs: - push - build with: - app_name: signaling-server - step_name: deploy-pr - env_name: pr - hierarchical_namespace: signaling-server-ci-pr - namespace: signaling-server-pr-${{ github.event.number }} - create_subns: true - aws_region: eu-west-2 - role_to_assume: arn:aws:iam::308190735829:role/gh-signaling-server-pr-deployer - eks_cluster: rdx-works-main-dev - helmfile_extra_vars: >- - ci.tag=${{ needs.build.outputs.tag }}, - ci.prNumber=${{ github.event.number }}, - ci.environment=pr 
+ jenkins_job_name: 'kubernetes-deployments/job/signaling-server' + github_branch: '${{ github.head_ref }}' + application_name: 'sig-srv' + hierarchical_namespace: 'signaling-server-ci-pr' + create_subnamespace: 'true' + kubernetes_namespace: 'signaling-server-pr-${{ github.event.number }}' + aws_eks_cluster: 'rdx-works-main-dev' + aws_iam_role_name: 'jenkins-signaling-server-pr-deployer' + helmfile_environment: 'pr' + helmfile_extra_vars: 'ci.tag=${{ needs.build.outputs.tag }},ci.prNumber=${{ github.event.number }},ci.environment=pr' + secrets: + aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} + secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} deploy_prod: if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }} + name: "Deploy PROD" needs: - build - push - uses: radixdlt/iac-resuable-artifacts/.github/workflows/deploy.yml@main + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main with: - github_environment: prod - app_name: signaling-server - step_name: deploy-prod - env_name: prod - namespace: signaling-server-prod - create_subns: false - aws_region: eu-west-2 - role_to_assume: arn:aws:iam::821496737932:role/gh-signaling-server-prod-deployer - eks_cluster: rtlj-prod - helmfile_extra_vars: >- - ci.tag=${{ github.event.release.tag_name }}, - ci.environment=prod + github_environment: 'prod' + github_branch: '${{ github.ref }}' + jenkins_job_name: 'kubernetes-deployments/job/incentives' + application_name: 'sig-srv' + kubernetes_namespace: 'signaling-server-prod' + aws_eks_cluster: 'rtlj-prod' + aws_iam_role_name: 'jenkins-signaling-server-prod-deployer' + helmfile_environment: 'prod' + helmfile_extra_vars: 'ci.tag=${{ github.event.release.tag_name }},ci.environment=prod' + secrets: + aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} + secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} \ No newline at end of file 
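Review bot: `jenkins_job_name: 'kubernetes-deployments/job/incentives'` in `deploy_prod` does not match the `'kubernetes-deployments/job/signaling-server'` used by `deploy_dev` and `deploy_pull_request`, so a production release of this repository would trigger the Jenkins job for a different application (or fail if that job rejects these parameters); it should read `jenkins_job_name: 'kubernetes-deployments/job/signaling-server'`. The file also now ends without a trailing newline (`\ No newline at end of file`). Presumably `github_branch: '${{ github.ref }}'` resolves to the tag ref on the release event and that is what the Jenkins job checks out; worth confirming, since the previous workflow passed the tag only through `ci.tag`. The `jobs:` map this hunk edits starts outside the hunk.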
diff --git a/deploy/helm/helmfile.yaml b/deploy/helm/helmfile.yaml index 78e2338..30c1bb6 100644 --- a/deploy/helm/helmfile.yaml +++ b/deploy/helm/helmfile.yaml 
@@ -19,75 +19,69 @@ repositories: username: {{ requiredEnv "HELM_GH_USER" }} password: {{ requiredEnv "HELM_GH_PASS" }} releases: -{{ $SIG_SRV_NS := .Namespace }} -{{ $SIG_SRV_IMAGE_TAG := .StateValues.ci.tag }} -{{ $ENVIRONMENT_NAME := .Environment.Name }} -{{ $INSTALL_LOCAL_REDIS := eq $ENVIRONMENT_NAME "pr" }} -{{ $INSTALL_TURN_SERVER := ne $ENVIRONMENT_NAME "pr" }} - name: redis - namespace: {{ $SIG_SRV_NS }} chart: bitnami/redis version: 16.10.1 - installed: {{ $INSTALL_LOCAL_REDIS }} + installed: {{ eq .Environment.Name "pr" }} values: - - architecture: standalone - commonConfiguration: | - loglevel verbose - client-output-buffer-limit normal 0 0 0 - client-output-buffer-limit slave 1024mb 128mb 60 - client-output-buffer-limit pubsub 1024mb 128mb 60 - auth: - enabled: true - password: redis - image: - registry: public.ecr.aws - repository: u2o0d2a1/bitnami-redis - tag: 7.2.4-debian-12-r16 - master: - resources: - limits: - memory: 512Mi - requests: - cpu: 1000m - memory: 512Mi - persistence: - enabled: true - replica: - replicaCount: 4 - metrics: - enabled: true - serviceMonitor: - enabled: true - additionalLabels: - release: prometheus-operator + - architecture: standalone + commonConfiguration: | + loglevel verbose + client-output-buffer-limit normal 0 0 0 + client-output-buffer-limit slave 1024mb 128mb 60 + client-output-buffer-limit pubsub 1024mb 128mb 60 + auth: + enabled: true + password: redis + image: + registry: public.ecr.aws + repository: u2o0d2a1/bitnami-redis + tag: 7.2.4-debian-12-r16 + master: + resources: + limits: + memory: 512Mi + requests: + cpu: 1000m + memory: 512Mi + persistence: + enabled: true + replica: + replicaCount: 4 + metrics: + image: + registry: public.ecr.aws + repository: u2o0d2a1/bitnami-redis-exporter + tag: 1.58.0-debian-12-r7 + enabled: true + serviceMonitor: + enabled: true + additionalLabels: + release: prometheus-operator - name: turn-server - installed: {{ $INSTALL_TURN_SERVER }} - namespace: {{ $SIG_SRV_NS }} + 
installed: {{ ne .Environment.Name "pr" }} chart: ./turn-server values: - environments/{{ .Environment.Name }}/turn-server-values.yaml.gotmpl - name: signaling-server - namespace: {{ $SIG_SRV_NS }} chart: ./signaling-server values: - environments/{{ .Environment.Name }}/values.yaml.gotmpl - image: - tag: {{ $SIG_SRV_IMAGE_TAG }} + tag: {{ .StateValues.ci.tag }} - name: developer-access - namespace: {{ $SIG_SRV_NS}} chart: rdx-works/developer-access version: 1.0.0 values: - project: signaling-server - name: alertmanager - namespace: {{ $SIG_SRV_NS }} chart: rdx-works/alertmanager-configs - installed: {{ ne $ENVIRONMENT_NAME "pr" }} + installed: {{ ne .Environment.Name "pr" }} version: 1.1.0 values: - environments/{{ .Environment.Name }}/values.yaml.gotmpl diff --git a/deploy/helm/signaling-server/values.yaml b/deploy/helm/signaling-server/values.yaml index ba53f84..c456599 100644 --- a/deploy/helm/signaling-server/values.yaml +++ b/deploy/helm/signaling-server/values.yaml @@ -16,7 +16,7 @@ docker: region: eu-west-1 name: docker.io/radixdlt -replicaCount: 2 +replicaCount: 1 image: repository: docker.io/radixdlt/signaling-server
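Review bot: Every release loses its explicit `namespace:` (previously `{{ $SIG_SRV_NS }}` from `.Namespace`), so the target namespace is now whatever the caller supplies with `helmfile -n` or the kubeconfig's current context; this is presumably fine through the Jenkins job, which receives `kubernetes_namespace`, but the file no longer shows that a namespace is expected, and a hand-run `helmfile apply` without `-n` installs into the current-context namespace. Either keep `namespace: {{ .Namespace }}` on each release or add a comment at the top of `releases:` stating that the namespace must be passed with `-n`. The re-indentation of the Redis `values:` block makes the whole block show as changed; the only substantive addition inside it is the `metrics.image` pin on `public.ecr.aws/u2o0d2a1/bitnami-redis-exporter:1.58.0-debian-12-r7`, which, like the main image, is a mutable tag rather than a digest. `auth.password: redis` remains a hard-coded credential in a committed file; it is only installed for the `pr` environment, but it should still come from a secret source rather than the helmfile. The `releases:` list may continue past the end of the hunk.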