From 13e23ad28b584d7f0443c4323fd4c3a70fcb83c2 Mon Sep 17 00:00:00 2001 From: Sanjay Vasandani Date: Fri, 5 May 2023 15:38:43 -0700 Subject: [PATCH] Deploy Reporting system to dev environment on release. --- .github/workflows/configure-reporting.yml | 149 ++++++++++++++++++ .github/workflows/deploy-dev.yml | 2 - .github/workflows/update-cmms.yml | 10 ++ build/k8s/defs.bzl | 10 +- .../reporting_secrets_kustomization.yaml | 26 +++ 5 files changed, 193 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/configure-reporting.yml create mode 100644 src/main/k8s/testing/secretfiles/reporting_secrets_kustomization.yaml diff --git a/.github/workflows/configure-reporting.yml b/.github/workflows/configure-reporting.yml new file mode 100644 index 00000000000..a206661c5ec --- /dev/null +++ b/.github/workflows/configure-reporting.yml 
@@ -0,0 +1,149 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Configure Reporting"
+
+on:
+ workflow_call:
+ inputs:
+ environment:
+ type: string
+ required: true
+ image-tag:
+ description: "Tag of container images"
+ type: string
+ required: true
+ apply:
+ description: "Apply the new configuration"
+ type: boolean
+ required: true
+ workflow_dispatch:
+ inputs:
+ environment:
+ required: true
+ type: choice
+ options:
+ - dev
+ image-tag:
+ description: "Tag of container images"
+ type: string
+ required: true
+ apply:
+ description: "Apply the new configuration"
+ type: boolean
+ default: false
+
+permissions:
+ id-token: write
+
+env:
+ KUSTOMIZATION_PATH: "k8s/reporting"
+
+jobs:
+ update-reporting:
+ runs-on: ubuntu-20.04
+ environment: ${{ inputs.environment }}
+ steps:
+ - uses: actions/checkout@v3
+
+ # Authenticate to Google Cloud. This will export some environment
+ # variables, including GCLOUD_PROJECT.
+ - name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v1
+ with:
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
+
+ - name: Generate archives
+ env:
+ IMAGE_TAG: ${{ inputs.image-tag }}
+ POSTGRES_INSTANCE: ${{ vars.POSTGRES_INSTANCE }}
+ POSTGRES_REGION: ${{ vars.POSTGRES_REGION }}
+ KINGDOM_PUBLIC_API_TARGET: ${{ vars.KINGDOM_PUBLIC_API_TARGET }}
+ run: >
+ bazelisk build
+ "//src/main/k8s/dev:reporting.tar"
+ //src/main/k8s/testing/secretfiles:archive
+ --config ghcr
+ --define "image_tag=$IMAGE_TAG"
+ --define "google_cloud_project=$GCLOUD_PROJECT"
+ --define "postgres_instance=$POSTGRES_INSTANCE"
+ --define "postgres_region=$POSTGRES_REGION"
+ --define "kingdom_public_api_target=$KINGDOM_PUBLIC_API_TARGET"
+
+ - name: Make Kustomization dir
+ run: mkdir -p "$KUSTOMIZATION_PATH"
+
+ - name: Export BAZEL_BIN
+ run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV
+
+ - name: Extract Kustomization archive
+ run: >
+ tar -xf "$BAZEL_BIN/src/main/k8s/dev/reporting.tar"
+ -C "$KUSTOMIZATION_PATH"
+
+ - name: Extract secret files archive
+ run: >
+ tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar"
+ -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting_secrets"
+
+ # Write files from configuration variables. Since it appears that GitHub
+ # configuration variables use DOS (CRLF) line endings, we convert these to
+ # Unix (LF) line endings.
+
+ - name: Write AKID to principal map
+ env:
+ AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }}
+ run: >
+ echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' >
+ "$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting_config_files/authority_key_identifier_to_principal_map.textproto"
+
+ - name: Write encryption key-pair config
+ env:
+ ENCRYPTION_KEY_PAIR_CONFIG: ${{ vars.ENCRYPTION_KEY_PAIR_CONFIG }}
+ run: >
+ echo "$ENCRYPTION_KEY_PAIR_CONFIG" | sed $'s/\r$//' >
+ "$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting_config_files/encryption_key_pair_config.textproto"
+
+ - name: Write measurement consumer config
+ env:
+ MEASUREMENT_CONSUMER_CONFIG: ${{ vars.MEASUREMENT_CONSUMER_CONFIG }}
+ run: >
+ echo "$MEASUREMENT_CONSUMER_CONFIG" | sed $'s/\r$//' >
+ "$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting_secrets/measurement_consumer_config.textproto"
+
+ - name: Copy secret generator
+ run: >
+ cp src/main/k8s/testing/secretfiles/reporting_secrets_kustomization.yaml
+ "$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting_secrets/kustomization.yaml"
+
+ - name: Get GKE cluster credentials
+ uses: google-github-actions/get-gke-credentials@v1
+ with:
+ cluster_name: reporting
+ location: ${{ vars.REPORTING_CLUSTER_LOCATION }}
+
+ - name: Export KUSTOMIZE_PATH
+ run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/reporting" >> $GITHUB_ENV
+
+ # Run kubectl diff, treating the command as succeeded even if the exit
+ # code is 1 as kubectl uses this code to indicate there's a diff.
+ - name: kubectl diff
+ id: kubectl-diff
+ run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 ))
+
+ - name: kubectl apply
+ if: ${{ inputs.apply }}
+ run: kubectl apply -k "$KUSTOMIZE_PATH"
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index 3f2e53a0a0d..f604a4590ea 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -24,5 +24,3 @@ jobs: with: environment: dev apply: true - - # TODO(@SanjayVas): Update Reporting system.
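Review bot: `MEASUREMENT_CONSUMER_CONFIG` is read from a configuration variable (`vars.`) yet is written into `reporting_secrets/` and becomes the `mc-config` Secret through the copied generator, so if that textproto carries any credential it should come from `secrets.MEASUREMENT_CONSUMER_CONFIG` instead — GitHub masks secret values in step logs but does not mask variables. The `kubectl diff` step prints the objects it compares, and depending on the kubectl version that output can include Secret `data`, so the job log should be treated as sensitive; a comment such as `# NOTE: diff output may include generated Secret contents` above that step would make this explicit to maintainers. The third-party actions (`actions/checkout@v3`, `google-github-actions/auth@v1`, `google-github-actions/get-gke-credentials@v1`) are pinned to mutable major tags; pinning a job that obtains GKE credentials to full commit SHAs would make its supply chain reproducible.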
diff --git a/.github/workflows/update-cmms.yml b/.github/workflows/update-cmms.yml index f13a0399663..aefe3c37eee 100644 --- a/.github/workflows/update-cmms.yml +++ b/.github/workflows/update-cmms.yml @@ -77,4 +77,14 @@ jobs: environment: ${{ inputs.environment }} apply: ${{ inputs.apply }} + # Update the Reporting system. + # + # This isn't technically part of the CMMS, but we do it here for simplicity. + update-reporting: + uses: ./.github/workflows/configure-reporting.yml + with: + image-tag: ${{ needs.publish-images.outputs.image-tag }} + environment: ${{ inputs.environment }} + apply: ${{ inputs.apply }} + # TODO(@SanjayVas): Run correctness test. diff --git a/build/k8s/defs.bzl b/build/k8s/defs.bzl index 623419ed91f..937b8c6b467 100644 --- a/build/k8s/defs.bzl +++ b/build/k8s/defs.bzl @@ -15,7 +15,7 @@ """Build defs for Kubernetes (K8s).""" load("@bazel_skylib//lib:shell.bzl", "shell") -load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup", "pkg_files") +load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup", "pkg_files", "pkg_mkdirs") load("@rules_pkg//pkg:pkg.bzl", "pkg_tar") load( "@rules_pkg//pkg:providers.bzl", @@ -186,7 +186,13 @@ def kustomization_dir( visibility = ["//visibility:private"], **kwargs ) - pkg_srcs.append(files_name) + else: + # Empty Kustomization dir. + pkg_mkdirs( + name = files_name, + dirs = [path], + ) + pkg_srcs.append(files_name) pkg_filegroup( name = group_name, diff --git a/src/main/k8s/testing/secretfiles/reporting_secrets_kustomization.yaml b/src/main/k8s/testing/secretfiles/reporting_secrets_kustomization.yaml new file mode 100644 index 00000000000..f1caa14babe --- /dev/null +++ b/src/main/k8s/testing/secretfiles/reporting_secrets_kustomization.yaml 
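Review bot: The new `update-reporting` job references `needs.publish-images.outputs.image-tag` but declares no `needs:`, so the job is not ordered after `publish-images` and, as far as I can tell, the `needs` context will not carry that job's outputs, leaving `image-tag` empty when the reusable workflow runs; add `needs: publish-images` under `update-reporting:`, and list the Kingdom update job as well if the reporting rollout must follow it. The `jobs:` mapping this hunk extends begins outside the hunk, so the sibling jobs' `needs` declarations are not visible here to confirm the convention.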
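Review bot: The comment `# Empty Kustomization dir.` on the new `else:` branch says what is emitted but not why an empty directory belongs in the archive; the workflow added in this same commit extracts the secret-files archive with `tar -C` into `reporting_secrets` after unpacking `reporting.tar`, so the directory presumably has to exist in the tar for that later extraction to have a target. Suggest `# Emit the directory even when it has no files so archives extracted into it later (e.g. generated secret files) have an existing target.` The enclosing `kustomization_dir` function, including the `if` this `else:` pairs with, starts outside the hunk.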
@@ -0,0 +1,26 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+secretGenerator:
+- name: signing
+ files:
+ - all_root_certs.pem
+ - reporting_tls.key
+ - reporting_tls.pem
+ - mc_enc_public.tink
+ - mc_enc_private.tink
+ - mc_cs_private.der
+- name: mc-config
+ files:
+ - measurement_consumer_config.textproto
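Review bot: The `signing` Secret bundles the public trust bundle `all_root_certs.pem` and the public `reporting_tls.pem`/`mc_enc_public.tink` together with the private keys `reporting_tls.key`, `mc_enc_private.tink` and `mc_cs_private.der`, so any workload or RBAC subject that needs only the certificates is also granted the private keys. If some consumer mounts this Secret just for the trust bundle, splitting it into a certs-only object (a `configMapGenerator` entry would do) and a keys-only Secret would keep the private keys' reach narrower. Whether such consumers exist is not visible from this file.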