npm - @vaharoni/devops - Versions diffs - 1.2.13 → 1.2.14 - Mend

@vaharoni/devops 1.2.13 → 1.2.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/src/target-templates/lang-variants-common/typescript/.devops/manifests/ingress.yaml.hb ADDED Viewed

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{app_name}}
+  namespace: {{namespace}}
+  labels:
+    app: {{app_name}}
+    env: {{monorepo_env}}
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{subdomain}}.{{domain_name}}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{service_name}}
+                port:
+                  number: 80

package/dist/src/target-templates/lang-variants-common/typescript/.devops/manifests/service.yaml.hb ADDED Viewed

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{service_name}}
+  labels:
+    app: {{app_name}}
+    env: {{monorepo_env}}
+  namespace: {{namespace}}
+spec:
+  selector:
+    app: {{app_name}}
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: {{port}}

package/dist/src/target-templates/lang-variants-common/typescript/.envrc ADDED Viewed

@@ -0,0 +1,5 @@
+if [ -f "$PWD/config/kubeconfig" ]; then
+  export KUBECONFIG="$PWD/config/kubeconfig"
+else
+  export KUBECONFIG="${HOME}/.kube/config"
+fi

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/build-image@v1/action.yaml ADDED Viewed

@@ -0,0 +1,81 @@
+name: "Build image"
+description: "Build the specified image if it's affected"
+inputs:
+  image_name:
+    description: 'The image key in images.yaml'
+    required: true
+  cache_path:
+    description: "The path to cache inside the container"
+    required: true
+outputs:
+  affected:
+    description: "Whether the image is affected"
+    value: ${{ steps.check_affected.outputs.affected }}
+runs:
+  using: "composite"
+  steps:
+    - name: Setup basic vars
+      shell: bash
+      run: |
+        echo "IMAGE_NAME=${{ inputs.image_name }}" >> $GITHUB_ENV
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Check if affected
+      id: check_affected
+      shell: bash
+      run: |
+        AFFECTED=$(devops affected image $IMAGE_NAME --from-live-version)
+        echo "affected=$AFFECTED" >> $GITHUB_OUTPUT
+        if [[ "$AFFECTED" == "true" ]]; then
+          echo "${{ env.IMAGE_NAME }} is affected. Proceeding with build."
+        else
+          echo "${{ env.IMAGE_NAME }} is not affected. Skipping."
+        fi
+    - name: Prepare build
+      shell: bash
+      if: steps.check_affected.outputs.affected == 'true'
+      run: |
+        echo "CACHE_PREFIX=v1-${{ runner.os }}-${{ env.IMAGE_NAME }}-${{ github.ref_name }}" >> $GITHUB_ENV
+        echo "ECR_URL=$(devops registry repo-url ${{ env.IMAGE_NAME }} ${{ github.sha }})" >> $GITHUB_ENV
+        folder=$(devops prep-build ${{ env.IMAGE_NAME }})
+        mv $folder /home/runner/build
+        echo MONOREPO_ENV=${{ env.MONOREPO_ENV }}
+    - name: Setup cache
+      if: steps.check_affected.outputs.affected == 'true'
+      id: setup-cache
+      uses: actions/cache@v4
+      with:
+        path: cache-path
+        key: ${{ env.CACHE_PREFIX }}
+    - name: Inject cache into docker
+      if: steps.check_affected.outputs.affected == 'true'
+      uses: reproducible-containers/buildkit-cache-dance@v3.1.0
+      with:
+        cache-map: |
+          {
+            "cache-path": "${{ inputs.cache_path }}"
+          }
+        skip-extraction: ${{ steps.setup-cache.outputs.cache-hit }}
+    - name: Build and push Docker image
+      if: steps.check_affected.outputs.affected == 'true'
+      uses: docker/build-push-action@v6
+      with:
+        context: /home/runner/build
+        push: true
+        tags: ${{ env.ECR_URL }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        build-args: |
+          MONOREPO_ENV=${{ env.MONOREPO_ENV }}
+    - name: Prune registry
+      if: steps.check_affected.outputs.affected == 'true'
+      shell: bash
+      run: |
+        devops registry prune ${{ env.IMAGE_NAME }}

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/connect-to-digital-ocean@v1/action.yaml ADDED Viewed

@@ -0,0 +1,29 @@
+name: "Connect to Digital Ocean"
+description: "Sets up kubernetes connection to Digital Ocean and ensures connection"
+inputs:
+  access_token:
+    description: "DigitalOcean access token"
+    required: true
+  cluster_name:
+    description: "DigitalOcean cluster name"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install doctl
+      uses: digitalocean/action-doctl@v2
+      with:
+        token: ${{ inputs.access_token }}
+    - name: Log in to DigitalOcean Container Registry with short-lived credentials
+      run: doctl registry login --expiry-seconds 1200
+      shell: bash
+    - name: Save DigitalOcean kubeconfig with short-lived credentials
+      run: |
+        doctl kubernetes cluster kubeconfig save --expiry-seconds 1200 ${{ inputs.cluster_name }}
+      shell: bash
+    - name: verify namepsace exists
+      run: devops namespace check --env ${{ github.ref_name }}
+      shell: bash

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/connect-to-gke@v1/action.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+name: "Connect to Google Cloud GKE"
+description: "Sets up kubernetes connection to Google Cloud and ensures connection"
+inputs:
+  project_id:
+    description: "Google Cloud project ID"
+    required: true
+  zone:
+    description: "Google Cloud GKE zone (e.g., us-central1)"
+    required: true
+  cluster_name:
+    description: "Google Cloud GKE cluster name"
+    required: true
+  service_account_key:
+    description: "Google Cloud service account key in JSON format"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v2
+      with:
+        project_id: ${{ inputs.project_id }}
+        credentials_json: ${{ inputs.service_account_key }}
+    - name: Install gcloud
+      uses: google-github-actions/setup-gcloud@v2
+      with:
+        project_id: ${{ inputs.project_id }}
+    - name: Configure Docker auth
+      shell: bash
+      run: gcloud --quiet auth configure-docker
+    - name: Fetch GKE credentials
+      uses: google-github-actions/get-gke-credentials@v2
+      with:
+        cluster_name: ${{ inputs.cluster_name }}
+        location: ${{ inputs.zone }}
+        project_id: ${{ inputs.project_id }}
+    - name: verify namepsace exists
+      run: devops namespace check --env ${{ github.ref_name }}
+      shell: bash

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/connect-to-hetzner@v1/action.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+name: "Connect to Hetzner"
+description: "Sets up kubernetes connection to Hetzner and ensures connection"
+inputs:
+  kubeconfig:
+    description: "The Hetzner kubeconfig file"
+    required: true
+  harbor_user:
+    description: "The user name for the harbor registry"
+    required: true
+  harbor_password:
+    description: "The password for the harbor registry"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Create a kubeconfig file
+      run: |
+        mkdir -p ~/.kube
+        echo "${{ inputs.kubeconfig }}" > ~/.kube/config
+        chmod 600 ~/.kube/config
+      shell: bash
+    - name: Verify cluster connection and that namepsace exists
+      run: devops namespace check --env ${{ github.ref_name }}
+      shell: bash
+    - name: Connect to the registry
+      run: |
+        server_url=$(devops registry server-url)
+        docker login $server_url -u '${{ inputs.harbor_user }}' -p ${{ inputs.harbor_password }}
+      shell: bash

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/db-migrate@v1/action.yaml ADDED Viewed

@@ -0,0 +1,23 @@
+name: "DB Migrate"
+description: "Run DB migrate on an affected image, if applicable"
+runs:
+  using: "composite"
+  steps:
+    - name: run-db-migrate
+      shell: bash
+      run: |
+        set +e
+        IMAGE=$(devops affected find-migrator --from-live-version)
+        status=$?
+        set -e
+        if [[ $status -eq 13 ]]; then
+          echo "db project missing, skipping DB migration"
+        elif [[ $status -ne 0 ]]; then
+          exit $status
+        elif [[ "$IMAGE" != "" ]]; then
+          devops job db-migrate create $IMAGE ${{ github.sha }} --timeout 240
+        else
+          echo "No image requires a DB migration"
+        fi

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/deploy-image-cloudrun@v1/action.yaml ADDED Viewed

@@ -0,0 +1,71 @@
+name: "Deploy image"
+description: "Deploy the specified image if it's affected and set its version"
+inputs:
+  project_id:
+    description: 'The GCP project ID of the Cloud Run service'
+    required: true
+  image_name:
+    description: 'The image key in images.yaml'
+    required: true
+  region:
+    description: 'The region of the Cloud Run service'
+    required: true
+  sa_id:
+    description: 'The name of the service account used to run the Cloud Run service'
+    required: true
+  forward_env:
+    description: 'The environment variables to forward to the Cloud Run service (comma separated, e.g. ENV1,ENV2)'
+    required: false
+  allow_unauthenticated:
+    description: 'Whether to allow unauthenticated access to the Cloud Run service. Send "true" to allow unauthenticated access.'
+    required: false
+outputs:
+  affected:
+    description: 'Whether the specified image is affected (computed before deploy)'
+    value: ${{ steps.check_affected.outputs.affected }}
+runs:
+  using: "composite"
+  steps:
+    - name: Setup basic vars
+      shell: bash
+      run: |
+        echo "IMAGE_NAME=${{ inputs.image_name }}" >> $GITHUB_ENV
+    - name: Check if affected
+      id: check_affected
+      shell: bash
+      run: |
+        AFFECTED=$(devops affected image $IMAGE_NAME --from-live-version)
+        echo "affected=$AFFECTED" >> $GITHUB_OUTPUT
+        echo "affected=$AFFECTED"
+        if [[ "$AFFECTED" == "true" ]]; then
+          echo "${{ env.IMAGE_NAME }} is affected. Proceeding with deployment."
+        else
+          echo "${{ env.IMAGE_NAME }} is not affected. Skipping."
+        fi
+    - name: Deploy
+      shell: bash
+      if: steps.check_affected.outputs.affected == 'true'
+      run: |
+        RUNTIME_SA="${{ inputs.sa_id }}@${{ inputs.project_id }}.iam.gserviceaccount.com"
+        if [[ -z "${{ inputs.forward_env }}" ]]; then
+          FORWARD_ENV=""
+        else
+          FORWARD_ENV="--forward-env ${{ inputs.forward_env }}"
+        fi
+        if [[ "${{ inputs.allow_unauthenticated }}" == "true" ]]; then
+          ALLOW_UNAUTHENTICATED="--allow-unauthenticated"
+        else
+          ALLOW_UNAUTHENTICATED="--no-allow-unauthenticated"
+        fi
+        devops cloudrun deploy ${{ env.IMAGE_NAME }} ${{ github.sha }} \
+          --region ${{ inputs.region }} \
+          --service-account ${RUNTIME_SA} \
+          ${FORWARD_ENV} \
+          ${ALLOW_UNAUTHENTICATED}
+        devops image version set ${{ env.IMAGE_NAME }} ${{ github.sha }}

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/deploy-image-k8s@v1/action.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+name: "Deploy image"
+description: "Deploy the specified image if it's affected and set its version"
+inputs:
+  image_name:
+    description: 'The image key in images.yaml'
+    required: true
+outputs:
+  affected:
+    description: 'Whether the specified image is affected (computed before deploy)'
+    value: ${{ steps.check_affected.outputs.affected }}
+runs:
+  using: "composite"
+  steps:
+    - name: Setup basic vars
+      shell: bash
+      run: |
+        echo "IMAGE_NAME=${{ inputs.image_name }}" >> $GITHUB_ENV
+    - name: Check if affected
+      id: check_affected
+      shell: bash
+      run: |
+        AFFECTED=$(devops affected image $IMAGE_NAME --from-live-version)
+        echo "affected=$AFFECTED" >> $GITHUB_OUTPUT
+        echo "affected=$AFFECTED"
+        if [[ "$AFFECTED" == "true" ]]; then
+          echo "${{ env.IMAGE_NAME }} is affected. Proceeding with deployment."
+        else
+          echo "${{ env.IMAGE_NAME }} is not affected. Skipping."
+        fi
+    - name: Deploy
+      shell: bash
+      if: steps.check_affected.outputs.affected == 'true'
+      run: |
+        devops image deployment create ${{ env.IMAGE_NAME }} ${{ github.sha }}
+        devops image version set ${{ env.IMAGE_NAME }} ${{ github.sha }}

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/setup-prereq@v1/action.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+name: "Install prerequesites"
+description: "Sets up Node, Bun, and devops"
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: 23
+    - name: Setup bun
+      uses: oven-sh/setup-bun@v2
+    - name: set $MONOREPO_ENV
+      shell: bash
+      run: |
+        BRANCH_NAME=${{ github.ref_name }}
+        echo "MONOREPO_ENV=$BRANCH_NAME" >> $GITHUB_ENV
+    - name: Install the devops tool
+      shell: bash
+      run: |
+        bun install @vaharoni/devops
+        echo "$(pwd)/node_modules/.bin" >> $GITHUB_PATH

package/dist/src/target-templates/lang-variants-common/typescript/applications/example-node/index.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import express from "express";
+import { InternalToken } from '@vaharoni/devops';
+const app = express();
+const port = 3001;
+app.get("/", (req, res) => {
+  res.send("Hello from node");
+});
+// See applications/jobs/README.md for more information
+app.post("/ping-from-jobs", (req, res) => {
+  const authorizationHeader = req.headers['authorization'];
+  try {
+    new InternalToken('jobs').verifyFromHeaderOrThrow(authorizationHeader);
+  } catch {
+    res.status(401).json({ status: 'unauthorized' });
+    return;
+  }
+  console.log('Pong');
+  res.json({ status: 'ok' });
+});
+app.get("/healthz", (req, res) => {
+  res.send("OK");
+});
+app.listen(port, () => {
+  console.log(`Server is listening on ${port}`);
+});

package/dist/src/target-templates/lang-variants-common/typescript/applications/example-node/package.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "example-node",
+  "module": "index.ts",
+  "type": "module",
+  "private": true,
+  "deployment": {
+    "service_name": "example-node",
+    "port": 3001,
+    "template": "external-service"
+  },
+  "scripts": {
+    "start": "tsx index.ts",
+    "verify": "tsc -p ./tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "express": "^4.21.2",
+    "example-node-lib": "workspace:*"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/express": "^5.0.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  }
+}

package/dist/src/target-templates/lang-variants-common/typescript/applications/example-node/tsconfig.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}

package/dist/src/target-templates/lang-variants-common/typescript/applications/jobs/README.md ADDED Viewed

@@ -0,0 +1,68 @@
+This application allows running commands at a certain schedule via k8s cron jobs.
+Currently only curl is supported. A special auth token is injected to the Authorization Bearer which can
+be verified by the receiver.
+## Adding a cron job
+To add a cron job, add an entry in `package.json` under `deployments.cronJobs`:
+```json
+  "deployment": {
+    "template": "cron-job",
+    "cronJobs": [
+      {
+        "name": "call-check-something-in-example",
+        "cron": "*/15 * * * *",
+        "curl": ["jobs", "-X", "POST", "http://example/jobs/check-something"]
+      }
+    ]
+  }
+```
+- `name` - must be unique across jobs and a valid k8s name. No spaces are allowed.
+- `cron` - must be a valid Cron format per [here](https://en.wikipedia.org/wiki/Cron).
+- `curl` - must be an array of strings, where each arg is an element in the array.
+A few things to note about the `curl` argument:
+- We use an array here, since curl relies heavily on args with spaces, e.g. `Content-Type: application/json` is a single arg.
+- The first element must be the subject of the token sent to the endpoint. The endpoint should verify the request header contains a bearer token with the expected subject.
+- The endpoint can be a DNS internal to the cluster, i.e. simply use the service name if it is in the same namepsace.
+Downsides of this approach:
+- the domain name used is a duplication of the `deployment.service_name` of the target application. This can be addressed in the future, e.g. by adding another arg to the cronjob with the `appName` that performs service discovery.
+## Securing an API endpoint
+Next.js example:
+```typescript
+// app/someroute/route.ts
+import { NextResponse } from 'next/server';
+import { InternalToken } from '@vaharoni/devops';
+export async function POST(request: Request) {
+  const authorizationHeader = request.headers.get('Authorization');
+  try {
+    new InternalToken('jobs').verifyFromHeaderOrThrow(authorizationHeader);
+  } catch {
+    return NextResponse.json({ status: 'unauthorized' }, { status: 401 });
+  }
+  // Do something
+  return NextResponse.json({ status: 'ok' });
+}
+```
+## Testing a secure endpoint in local development
+Make sure your `config/.env.global` has something like the following. This represents hex of 32 bytes. When creating a namespace, devops properly set these for you in a k8s secret. Locally, something like this suffices.
+```text
+MONOREPO_BASE_SECRET=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
+```
+Then run:
+```bash
+devops internal-curl jobs -v -X POST localhost:3001/jobs/someroute
+```

package/dist/src/target-templates/lang-variants-common/typescript/applications/jobs/index.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ // no-op

package/dist/src/target-templates/lang-variants-common/typescript/applications/jobs/package.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "name": "jobs",
+  "type": "module",
+  "version": "0.0.1",
+  "main": "index.ts",
+  "nx": {
+    "projectType": "application"
+  },
+  "scripts": {
+    "print-token": "bunx tsx print-token.ts",
+    "verify": "tsc -p ./tsconfig.json --noEmit"
+  },
+  "author": "",
+  "license": "ISC",
+  "deployment": {
+    "template": "cron-jobs",
+    "cronJobs": [
+      {
+        "name": "test",
+        "cron": "*/15 * * * *",
+        "curl": [
+          "jobs",
+          "-X",
+          "POST",
+          "http://example-node/ping-from-jobs"
+        ]
+      }
+    ]
+  }
+}

package/dist/src/target-templates/lang-variants-common/typescript/applications/jobs/tsconfig.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}

package/dist/src/target-templates/lang-variants-common/typescript/config/.env.development ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Add here env variables that are for local development environment

package/dist/src/target-templates/lang-variants-common/typescript/config/.env.global ADDED Viewed

@@ -0,0 +1,4 @@
+# Add here env variables that are global to all environments
+# This should remain locally on your machine. There is no need to set this in the remote environment.
+MONOREPO_BASE_SECRET=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

package/dist/src/target-templates/lang-variants-common/typescript/config/.env.test ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Add here env variables that are for local test environment

package/dist/src/target-templates/lang-variants-common/typescript/devops ADDED Viewed

@@ -0,0 +1,3 @@
+#! /usr/bin/env bash
+bunx devops "$@"

package/dist/src/target-templates/lang-variants-common/typescript/libs/example-node-lib/index.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export function test() {
+  return "test";
+}

package/dist/src/target-templates/lang-variants-common/typescript/libs/example-node-lib/package.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "name": "example-node-lib",
+  "module": "index.ts",
+  "type": "module",
+  "private": true,
+  "devDependencies": {
+    "@types/bun": "latest"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  }
+}

package/dist/src/target-templates/lang-variants-common/typescript/libs/example-node-lib/tsconfig.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}

package/dist/src/target-templates/lang-variants-common/typescript/tmp/.gitkeep ADDED Viewed

File without changes

package/dist/src/target-templates/lang-variants-common/typescript/tsconfig.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "compilerOptions": {
+    // Enable latest features
+    "lib": ["ESNext", "DOM"],
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleDetection": "force",
+    "jsx": "react-jsx",
+    "allowJs": true,
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+    // Some stricter flags (disabled by default)
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noPropertyAccessFromIndexSignature": false
+  }
+}

package/dist/src/target-templates/lang-variants-prisma/README.md ADDED Viewed

@@ -0,0 +1,3 @@
+During `./devops init`, the user is asked whether prisma should be used.
+If it is, the files under `typescript` are copied under the root project folder.
+The files under `python` are copied if the user requested python support.