telemetryflow
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 178 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-eks-production.yml‎
Lines changed: 131 additions & 0 deletions b/‎.github/workflows/deploy-eks-production.yml‎
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,178 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  detect-changes:
+    name: Detect Changes
+    runs-on: ubuntu-latest
+    outputs:
+      operator: ${{ steps.filter.outputs.operator }}
+      helm: ${{ steps.filter.outputs.helm }}
+      ansible: ${{ steps.filter.outputs.ansible }}
+      compose: ${{ steps.filter.outputs.compose }}
+      docs: ${{ steps.filter.outputs.docs }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Detect changed paths
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            operator:
+              - 'operator/**'
+            helm:
+              - 'helm/**'
+            ansible:
+              - 'ansible/**'
+              - 'ansible-k8s/**'
+            compose:
+              - 'docker-compose.yml'
+            docs:
+              - '**/*.md'
+
+  lint-helm:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.helm == 'true' || github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Helm Lint
+        run: helm lint helm/telemetryflow --strict
+
+      - name: Helm Template (Debug)
+        run: |
+          helm template telemetryflow helm/telemetryflow \
+            --namespace telemetryflow \
+            -f helm/telemetryflow/values.yaml \
+            -f helm/telemetryflow/manifest/tfo-staging.yaml \
+            --debug > /dev/null
+
+  lint-ansible:
+    name: Lint Ansible Playbooks
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.ansible == 'true' || github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Lint ansible/
+        uses: ansible/ansible-lint-action@v6
+        with:
+          working-directory: ansible
+
+      - name: Lint ansible-k8s/
+        uses: ansible/ansible-lint-action@v6
+        with:
+          working-directory: ansible-k8s
+
+  lint-operator:
+    name: Lint Operator (Go)
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.operator == 'true'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26"
+          cache-dependency-path: operator/go.sum
+
+      - name: Go Vet
+        working-directory: operator
+        run: go vet ./...
+
+      - name: Go Fmt Check
+        working-directory: operator
+        run: |
+          fmt_output="$(gofmt -l .)"
+          if [ -n "$fmt_output" ]; then
+            echo "::error::Files not formatted: $fmt_output"
+            exit 1
+          fi
+
+  test-operator:
+    name: Test Operator (envtest)
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.operator == 'true'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26"
+          cache-dependency-path: operator/go.sum
+
+      - name: Run Tests
+        working-directory: operator
+        run: make test
+
+  validate-compose:
+    name: Validate Docker Compose
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.compose == 'true' || github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate docker-compose.yml
+        run: docker compose -f docker-compose.yml config --quiet
+
+  security-scan:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks Scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  validate-docs:
+    name: Validate Documentation
+    runs-on: ubuntu-latest
+    needs: [detect-changes]
+    if: needs.detect-changes.outputs.docs == 'true' || github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check Markdown Files Exist
+        run: |
+          REQUIRED_FILES=("README.md" "CHANGELOG.md" "CONTRIBUTING.md" "SECURITY.md")
+          for f in "${REQUIRED_FILES[@]}"; do
+            if [ ! -f "$f" ]; then
+              echo "::error::Required file missing: $f"
+              exit 1
+            fi
+          done
+
+      - name: Check Markdown Links
+        uses: tcort/github-action-markdown-link-check@v1
+        with:
+          use-quiet-mode: yes
@@ -0,0 +1,131 @@
+# Deploy EKS Production
+#
+# Triggered after CI passes on the main branch.
+# Uses GitHub Environment "eks-production" with strict protection rules:
+#   - Required reviewers: enabled (must approve before deployment proceeds)
+#   - Wait timer: 5 minutes
+#   - Separate environment secrets
+#
+# APPROVAL EMAIL NOTIFICATION:
+#   GitHub automatically sends email notifications to all designated environment
+#   reviewers when a deployment is pending approval. Configure reviewers in:
+#   Settings > Environments > eks-production > Required reviewers
+#
+# ROLLBACK:
+#   To rollback, run manually:
+#     helm rollback telemetryflow [REVISION] -n telemetryflow
+#   Or re-run this workflow from a previous commit on main.
+
+name: Deploy EKS Production
+
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+    branches: [main]
+
+concurrency:
+  group: deploy_eks_production
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  HELM_CHART: helm/telemetryflow
+  RELEASE_NAME: telemetryflow
+  NAMESPACE: telemetryflow
+
+jobs:
+  deploy:
+    name: Deploy to EKS Production
+    runs-on: ubuntu-latest
+    environment:
+      name: eks-production
+      # Protection rules configured in GitHub Settings > Environments:
+      #   - Required reviewers: enabled
+      #   - Wait timer: 5 minutes
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Update kubeconfig for EKS
+        run: |
+          aws eks update-kubeconfig --name ${{ secrets.EKS_CLUSTER_NAME }} --region ${{ secrets.AWS_REGION }}
+
+      - name: Verify Required Secrets in Namespace
+        run: |
+          REQUIRED_SECRETS=(
+            "JWT_SECRET"
+            "SESSION_SECRET"
+            "ENCRYPTION_KEY"
+            "POSTGRES_PASSWORD"
+            "CLICKHOUSE_PASSWORD"
+            "REDIS_PASSWORD"
+          )
+          MISSING=0
+          for secret in "${REQUIRED_SECRETS[@]}"; do
+            if ! kubectl get secret telemetryflow-secrets -n "$NAMESPACE" -o jsonpath="{.data.$secret}" &>/dev/null; then
+              echo "::warning::Secret '$secret' not found in telemetryflow-secrets"
+              MISSING=1
+            fi
+          done
+          if [ "$MISSING" -eq 1 ]; then
+            echo "::error::Required secrets are missing. Run scripts/generate-secrets.sh first."
+            exit 1
+          fi
+
+      - name: Install CRDs
+        run: bash scripts/install-crds.sh
+
+      - name: Deploy via Helm
+        run: |
+          helm upgrade "$RELEASE_NAME" "$HELM_CHART" \
+            --install \
+            --namespace "$NAMESPACE" \
+            --create-namespace \
+            -f helm/telemetryflow/values.yaml \
+            -f helm/telemetryflow/manifest/tfo-eks-production.yaml \
+            --timeout 10m \
+            --wait \
+            --history-max 5
+
+      - name: Smoke Test
+        run: |
+          BACKEND_URL="$(kubectl get svc "$RELEASE_NAME"-tfo-backend -n "$NAMESPACE" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "")"
+          if [ -z "$BACKEND_URL" ]; then
+            echo "No external hostname found, skipping smoke test"
+            exit 0
+          fi
+          HTTP_CODE="$(curl -s -o /dev/null -w "%{http_code}" "http://${BACKEND_URL}:8080/health/live" --max-time 10 || echo "000")"
+          if [ "$HTTP_CODE" -ne 200 ]; then
+            echo "::warning::Smoke test returned HTTP $HTTP_CODE"
+          else
+            echo "Smoke test passed (HTTP 200)"
+          fi
+
+      - name: Print Pod Status
+        if: always()
+        run: kubectl get pods -n "$NAMESPACE" -l app.kubernetes.io/instance="$RELEASE_NAME"
+
+      - name: Print HPA Status
+        if: always()
+        run: kubectl get hpa -n "$NAMESPACE" || echo "No HPA resources found"