Add TEST environment and complete the promotion chain #247
Merged
Brings the pipeline to the full DEV → TEST → SANDBOX → PRODUCTION model.
Each tier gets its own isolated stack. TEST is the new build target;
SANDBOX and PRODUCTION receive promoted images via crane copy.
Infrastructure:
- envs/test: clone of sandbox at VPC 10.42.0.0/16, EKS ctdl-xtra-test,
RDS db.t4g.small Single-AZ, EFS, t3.medium 1× app + 1× system nodes,
3 ECR repos ctdl-xtra-test/{api,worker,base}
- envs/sandbox: base ECR removed (builds no longer happen here); only
api+worker remain. Drops 2 resources (ECR repo + lifecycle policy)
- github-ci-oidc: TestReadWrite policy added (push to ctdl-xtra-test/*),
SandboxPromote tightened (no longer write-from-source), ctdl-xtra-test
cluster added to eks:DescribeCluster
Manifests:
- k8s-manifests/test: clone of sandbox with env labels, IRSA, image refs,
hostname (xtra-test.credentialengineregistry.org), secret keys
CI/CD:
- release.yml pushes to ctdl-xtra-test/{api,worker}
- deploy-test.yml (new): workflow_run on Release success auto-deploys
to ctdl-xtra-test — the "automatic when possible" tier per design doc
- promote-sandbox.yml now crane-copies test→sandbox before deploying
- promote-production.yml unchanged (still crane-copies sandbox→prod)
- build-base.yml pushes to ctdl-xtra-test/base
- Dockerfile + worker.Dockerfile FROM ctdl-xtra-test/base:latest
Docs (INFRASTRUCTURE-SUMMARY, CI-CD) updated for 3-env model.
Summary
Brings the pipeline to the full DEV → TEST → SANDBOX → PRODUCTION model from the xTRA Design Document. Each tier is isolated; TEST is now the build target, and SANDBOX and PROD receive promoted images via crane copy.
Infrastructure
- infra/terraform/envs/test/ (new): VPC 10.42.0.0/16, EKS ctdl-xtra-test, RDS db.t4g.small Single-AZ, EFS, 1× t3.medium system + 1× t3.medium app, ECR repos ctdl-xtra-test/{api,worker,base}
- infra/terraform/envs/sandbox/: drops the base ECR (builds happen in test now). 2 resources destroyed (repo + lifecycle policy). No impact on running sandbox pods — the images they're running embed the base layers.
- github-ci-oidc/: adds TestReadWrite policy for ctdl-xtra-test/*, tightens SandboxPromote (formerly SandboxReadWrite) since sandbox is promote-only now, adds the ctdl-xtra-test cluster to eks:DescribeCluster
Manifests
- k8s-manifests/test/: clone of sandbox set, host xtra-test.credentialengineregistry.org, IRSA + secret keys retargeted
CI/CD
- release.yml — pushes to ctdl-xtra-test/{api,worker} (was sandbox)
- deploy-test.yml (new) — triggered by workflow_run on Release success; auto-deploys the just-built image to ctdl-xtra-test. This is the "automatic when possible" deployment the design doc specifies for TEST.
- promote-sandbox.yml — now crane-copies test → sandbox before deploying
- promote-production.yml — unchanged (still crane-copies sandbox → prod)
- build-base.yml — pushes to ctdl-xtra-test/base
- Dockerfile + worker.Dockerfile — FROM ctdl-xtra-test/base:latest
Docs
- INFRASTRUCTURE-SUMMARY.md and CI-CD.md updated for the 3-env model.
Apply plan (post-merge)
- terraform apply github-ci-oidc/ (0 add + 2 changed)
- terraform apply envs/test/ (79 adds, ~15 min)
- terraform apply envs/sandbox/ (0 add + 2 destroy: drops the unused base repo)
- Build Base Image to populate ctdl-xtra-test/base:latest
- k8s-manifests/test/addons/install-foundation.sh
- Release → pushes images to test ECR → Deploy to TEST auto-fires → app reachable at xtra-test.credentialengineregistry.org
- xtra-test.* → new ALB
Production untouched. Sandbox keeps running its current images (the next promote-sandbox will pull from test).
Test plan
- terraform fmt && terraform validate clean for all three stacks
- terraform plan clean: test 79 add, sandbox 2 destroy, oidc 2 change
- https://xtra-test.credentialengineregistry.org
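
The tier isolation described in this PR holds only if each CI policy can push to its own tier's ECR repositories and nowhere else. As an added example (not code from this PR or its repository), here is a conservative check over an IAM policy document that reports any Allow statement whose ECR write access reaches beyond one repository prefix. The account ID, region, the `example-sandbox/` prefix and both sample policies are constructed placeholders.

```python
from fnmatch import fnmatchcase

# ECR actions that change repository contents (real IAM action names).
ECR_WRITE = ("ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
             "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage")

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def grants_write(action_pattern):
    """True if an IAM action pattern (wildcards allowed) covers an ECR write."""
    pattern = action_pattern.lower()  # IAM action names are case-insensitive
    return any(fnmatchcase(a.lower(), pattern) for a in ECR_WRITE)

def write_violations(policy, allowed_prefix):
    """Return (Sid, detail) for each Allow that can write outside allowed_prefix."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            found.append((sid, "NotAction/NotResource cannot be bounded"))
            continue
        if not any(grants_write(a) for a in _as_list(stmt.get("Action"))):
            continue
        # Conservative: a resource pattern is accepted only if its literal
        # start is the allowed ARN prefix, so it cannot match anything else.
        found += [(sid, r) for r in _as_list(stmt.get("Resource"))
                  if not r.startswith(allowed_prefix)]
    return found

# Constructed sample data: account ID, region and "example-sandbox" are placeholders.
ARN = "arn:aws:ecr:us-east-1:111122223333:repository/"
SRC, DEST = ARN + "ctdl-xtra-test/", ARN + "example-sandbox/"
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PullFromTest", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": SRC + "*"},
    {"Sid": "PushToSandbox", "Effect": "Allow", "Action": list(ECR_WRITE[:4]),
     "Resource": [DEST + "api", DEST + "worker"]}]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EcrAll", "Effect": "Allow", "Action": "ecr:*", "Resource": ARN + "*"}]}

if __name__ == "__main__":
    for name, doc in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, write_violations(doc, DEST) or "ok")
```

Run against the JSON of a rendered policy in CI, a non-empty result is a reason to fail the plan before `terraform apply`.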