add new domain for test

Signed-off-by: Polina Sizintseva <[email protected]>

Author: odiora

.github/workflows/deploy-production-ru.yml

@@ -19,6 +19,11 @@ on:
         options:
           - preflight
           - deploy
+      ru_test_host:
+        description: "Temporary RU host for local testing without public DNS"
+        required: true
+        default: ru-test.werf.io
+        type: string
 
 env:
   RUN_MODE: ${{ github.event_name == 'push' && 'deploy' || github.event_name == 'workflow_dispatch' && github.event.inputs.mode || 'preflight' }}
@@ -27,6 +32,7 @@ env:
   WERF_STAGES_STORAGE: "ghcr.io/werf/werfio-guides-stages"
   WERF_SET_ACTIVE_RELEASE: "global.active_release=2"
   WERFIO_GITHUB_TOKEN: "${{ secrets.API_TOKEN }}"
+  RU_TEST_HOST: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ru_test_host || 'ru-test.werf.io' }}
 
 jobs:
   converge-ru:
@@ -90,71 +96,17 @@ jobs:
           echo "field=kube.config" >> "$GITHUB_OUTPUT"
           echo "kubeconfig_base64=$kubeconfig_base64" >> "$GITHUB_OUTPUT"
 
-      - name: Check RU cluster access
-        env:
-          WERF_KUBE_CONFIG_BASE64: ${{ steps.ru_kubeconfig.outputs.kubeconfig_base64 }}
-        run: |
-          set -euo pipefail
-          . $(werf ci-env github --as-file)
-
-          can_create_namespaces=no
-
-          echo "== cluster-info =="
-          werf kubectl cluster-info
-
-          echo "== namespace =="
-          if werf kubectl get ns werfio-production >/dev/null 2>&1; then
-            echo "Namespace werfio-production exists"
-          else
-            echo "Namespace werfio-production is missing"
-            echo "Can create namespaces?"
-            can_create_namespaces="$(werf kubectl auth can-i create namespaces || true)"
-            echo "$can_create_namespaces"
-            if [[ "$can_create_namespaces" != "yes" ]]; then
-              echo "No permission to create namespaces, RU rollout would fail later" >&2
-              exit 1
-            fi
-          fi
-
-          echo "== priorityclass =="
-          if werf kubectl get priorityclass production-medium >/dev/null 2>&1; then
-            echo "PriorityClass production-medium exists"
-          else
-            echo "PriorityClass production-medium is missing"
-            exit 1
-          fi
-
-          echo "== can-i =="
-          werf kubectl auth can-i get pods -n werfio-production
-          werf kubectl auth can-i get ingress -n werfio-production
-          werf kubectl auth can-i create deployment.apps -n werfio-production
-
-          echo "== image pull secret =="
-          if werf kubectl get ns werfio-production >/dev/null 2>&1; then
-            if werf kubectl -n werfio-production get secret github-werfio >/dev/null 2>&1; then
-              echo "Secret github-werfio exists in werfio-production"
-            else
-              echo "Secret github-werfio is missing in werfio-production"
-              if [[ "$RUN_MODE" == "deploy" ]]; then
-                echo "Deploy mode requires github-werfio to exist in werfio-production" >&2
-                exit 1
-              fi
-              echo "This is acceptable for preflight, but deploy will fail until the secret is created."
-            fi
-
-            echo "== existing resources =="
-            werf kubectl -n werfio-production get deploy,svc,ingress,pdb || true
-          else
-            echo "Skipping namespace-scoped resource checks because namespace is missing"
-          fi
-
       - name: Render RU manifests
         env:
           WERF_KUBE_CONFIG_BASE64: ${{ steps.ru_kubeconfig.outputs.kubeconfig_base64 }}
         run: |
           set -euo pipefail
           . $(werf ci-env github --as-file)
-          werf render --dev --env production --without-images --stub-tags --ignore-secret-key --set global.targetCluster=ru >/tmp/werf-render-ru.yaml
+          werf render --dev --env production --without-images --stub-tags --ignore-secret-key \
+            --set global.targetCluster=ru \
+            --set productionDeploy.ru.hostOverride="$RU_TEST_HOST" \
+            --set productionDeploy.ru.tlsEnabled=false \
+            --set productionDeploy.ru.certificateEnabled=false >/tmp/werf-render-ru.yaml
 
           echo "Rendered RU objects summary:"
           grep '^kind:' /tmp/werf-render-ru.yaml | sort | uniq -c | cat
@@ -163,7 +115,11 @@ jobs:
         if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.mode == 'deploy') }}
         run: |
           . $(werf ci-env github --as-file)
-          werf converge --set global.targetCluster=ru
+          werf converge \
+            --set global.targetCluster=ru \
+            --set productionDeploy.ru.hostOverride="$RU_TEST_HOST" \
+            --set productionDeploy.ru.tlsEnabled=false \
+            --set productionDeploy.ru.certificateEnabled=false
         env:
           WERF_NAMESPACE: "werfio-production"
           WERF_RELEASE: "werfio-site-production"
@@ -184,10 +140,12 @@ jobs:
           - Secret path: projects/data/b454e6aa-39f0-45f4-aa7c-a9465ab154cb/KUBE_CONFIG_RU
           - Secret field used: ${{ steps.ru_kubeconfig.outputs.field }}
           - Helm switch: global.targetCluster=ru
+          - Temporary RU host: $RU_TEST_HOST
+          - TLS for RU test host: disabled
+          - Certificate for RU test host: disabled
 
           On push to branch `chore/prod-split-ru-eu`, this workflow performs a real RU deploy.
-          Missing namespace is allowed if the token can create namespaces.
-          Missing imagePullSecret is allowed only for preflight and blocks deploy.
+          RU deploy uses a temporary host and does not request a public certificate until DNS cutover.
           Current old production cluster was not modified by this workflow.
           EOF
 
@@ -199,4 +157,15 @@ jobs:
 
 
 
+
+
+
+
+
+
+
+
+
+
+
 

.helm/templates/12-backend.yaml

@@ -20,8 +20,7 @@ spec:
       labels:
         service: backend
     spec:
-      imagePullSecrets:
-        - name: github-werfio
+{{- include "imagePullSecrets" . | indent 6 }}
       priorityClassName: {{ pluck .Values.werf.env .Values.priorityClassName | first | default .Values.priorityClassName._default }}
 {{- include "clusterPlacement" . | indent 6 }}
       containers:

.helm/templates/14-tuf-router.yaml

@@ -17,8 +17,7 @@ spec:
       labels:
         service: tuf-router
     spec:
-      imagePullSecrets:
-        - name: github-werfio
+{{- include "imagePullSecrets" . | indent 6 }}
       priorityClassName: {{ pluck .Values.werf.env .Values.priorityClassName | first | default .Values.priorityClassName._default }}
 {{- include "clusterPlacement" . | indent 6 }}
       containers:

.helm/templates/20-ingress-tuf-router.yaml

@@ -3,7 +3,11 @@
 {{- $host = ( printf "%s.%s" .Values.werf.env (pluck "dev" .Values.host | first | default .Values.host._default ) | lower ) }}
 {{- end }}
 {{- $targetCluster := include "targetCluster" . }}
+{{- $ruConfig := .Values.productionDeploy.ru }}
 {{- $ruHost := printf "ru.%s" $host }}
+{{- if and (eq .Values.werf.env "production") (eq $targetCluster "ru") }}
+{{- $ruHost = $ruConfig.hostOverride | default $ruHost }}
+{{- end }}
 
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -12,6 +16,7 @@ metadata:
   annotations: {}
 spec:
   ingressClassName: {{ pluck .Values.werf.env .Values.ingressClassName | first | default .Values.ingressClassName._default }}
+{{- if or (ne .Values.werf.env "production") (ne $targetCluster "ru") $ruConfig.tlsEnabled }}
   tls:
   - hosts:
 {{- if eq .Values.werf.env "production" }}
@@ -25,6 +30,7 @@ spec:
       - {{ $host }}
       - ru-{{ $host }}
     secretName: {{ pluck .Values.werf.env .Values.ingressSecretName | first | default .Values.ingressSecretName._default }}
+{{- end }}
 {{- end }}
   rules:
 {{- if or (ne .Values.werf.env "production") (eq $targetCluster "eu") }}

.helm/templates/20-ingress.yaml

@@ -3,7 +3,11 @@
 {{- $host = ( printf "%s.%s" .Values.werf.env (pluck "dev" .Values.host | first | default .Values.host._default ) | lower ) }}
 {{- end }}
 {{- $targetCluster := include "targetCluster" . }}
+{{- $ruConfig := .Values.productionDeploy.ru }}
 {{- $ruHost := printf "ru.%s" $host }}
+{{- if and (eq .Values.werf.env "production") (eq $targetCluster "ru") }}
+{{- $ruHost = $ruConfig.hostOverride | default $ruHost }}
+{{- end }}
 {{- $wwwHost := printf "www.%s" $host }}
 {{- if eq .Values.werf.env "production" }}
 ---
@@ -20,6 +24,7 @@ metadata:
     nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
 spec:
   ingressClassName: {{ pluck .Values.werf.env .Values.ingressClassName | first | default .Values.ingressClassName._default }}
+{{- if or (eq $targetCluster "eu") $ruConfig.tlsEnabled }}
   tls:
   - hosts:
 {{- if eq $targetCluster "ru" }}
@@ -29,6 +34,7 @@ spec:
       - {{ $wwwHost }}
 {{- end }}
     secretName: tls-{{ $host }}
+{{- end }}
   rules:
 {{- if eq $targetCluster "eu" }}
   - host: {{ $host }}
@@ -118,7 +124,7 @@ spec:
               name: http
 {{- end }}
 
-{{- if and (eq .Values.werf.env "production") (eq $targetCluster "ru") }}
+{{- if and (eq .Values.werf.env "production") (eq $targetCluster "ru") $ruConfig.certificateEnabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

.helm/templates/_helpers.tpl

@@ -6,6 +6,15 @@ resources:
     memory: {{ pluck .Values.werf.env .Values.resources.requests.memory | first | default .Values.resources.requests.memory._default }}
 {{- end }}
 
+{{- define "imagePullSecrets" }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+  - name: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "targetCluster" }}
 {{- if eq .Values.werf.env "production" }}
 {{- $targetCluster := .Values.global.targetCluster | default "" -}}

.helm/values.yaml

@@ -1,6 +1,15 @@
 global:
   targetCluster: ""
 
+imagePullSecrets:
+  - github-werfio
+
+productionDeploy:
+  ru:
+    hostOverride: ""
+    tlsEnabled: true
+    certificateEnabled: true
+
 clusters:
   eu:
     placement: