[Future-Playground] Adding future playground to deployment pipeline (#214)

* add future playground

Signed-off-by: Tao Liu <liutaoaz@amazon.com>

* add future yml file

Signed-off-by: Tao Liu <liutaoaz@amazon.com>

---------

Signed-off-by: Tao Liu <liutaoaz@amazon.com>

Author: Flyingliuhub

.github/workflows/README.md

@@ -46,6 +46,15 @@ The current workflows folder contains one deployment workflow(os-osd-deployment.
 >> - `additional_args`: JSON string of additional options for the build. Default value is `'{}'`.
 >> - `build_number`: The build number. This parameter is optional.
 
+> trigger-future-deployment.yaml
+>> This GitHub Actions workflow is responsible for deploying OpenSearch and OpenSearch Dashboards in the future playground environment. It provides options for both fresh deployment and upgrade deployment. The input parameters as following:
+>> - `deploy_fresh`: Specifies whether to perform a fresh deployment of OpenSearch and OpenSearch Dashboards. Default is `false`.
+>> - `deploy_upgrade`: Specifies whether to perform an upgrade deployment of OpenSearch and OpenSearch Dashboards. Default is `true`.
+>> - `osd_image_tag`: The image tag for OpenSearch Dashboards.
+>> - `osd_image_repo`: The image repository for OpenSearch Dashboards.
+>> - `os_image_tag`: The image tag for OpenSearch.
+>> - `os_image_repo`: The image repository for OpenSearch.
+
 ## Appendix
 
 - GitHub workflow: https://docs.github.com/en/actions/using-workflows/about-workflows

.github/workflows/trigger-future-deployment.yml

@@ -0,0 +1,108 @@
+name: Future Playground Deployment
+
+on:
+  workflow_dispatch:
+    inputs:
+      deploy_fresh:
+        required: false
+        type: boolean
+        description: 'Fresh Deploy OpenSearch and OpenSearch Dashboards'
+        default: false
+      deploy_upgrade:
+        required: false
+        type: boolean
+        description: 'Upgrade OpenSearch and OpenSearch Dashboards'
+        default: true
+      osd_image_tag:
+        required: true
+        type: string
+        description: 'Image tag for OpenSearch Dashboards'
+        default: '3.0.0-8219474312'
+      osd_image_repo:
+        required: true
+        type: string
+        description: 'Image repo for OpenSearch Dashboards'
+        default: 'public.ecr.aws/y0r0d3v8/actionrunner'
+      os_image_tag:
+        required: false
+        type: string
+        description: 'Image tag for OpenSearch'
+        default: '3.0.0'
+      os_image_repo:
+        required: false
+        type: string
+        description: 'Image repo for OpenSearch'
+        default: 'opensearchstaging/opensearch'
+
+jobs:
+
+  Future-OS-OSD-Deployment:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Replace Tokens for opensearch-dashboards.yml
+        uses: cschleiden/replace-tokens@v1
+        with:
+          files: '["${{ github.workspace }}/config/playground/helm/future/helm-opensearch-dashboards.yaml"]'
+          tokenPrefix: '${'
+          tokenSuffix: '}'
+        env:
+          OPENID_CLIENT_ID: ${{ secrets.OPENID_CLIENT_ID_FUTURE }}
+          OPENID_CLIENT_SECRET: ${{ secrets.OPENID_CLIENT_SECRET_FUTURE }}
+          OPENID_BASE_REDIRECT_URL: ${{ secrets.OPENID_BASE_REDIRECT_URL_FUTURE }}
+          OPENID_LOGOUT_URL: ${{ secrets.OPENID_LOGOUT_URL_FUTURE }}
+          GA_TRACKING_ID: ${{ secrets.GA_TRACKING_ID_FUTURE }}
+          CERTIFICATE_ARN: ${{ secrets.CERTIFICATE_ARN_FUTURE }}
+          KIBANASERVER: ${{ secrets.KIBANASERVER }}
+          OSD_IMAGE_TAG: ${{ inputs.osd_image_tag }}
+          OSD_IMAGE_REPO: ${{ inputs.osd_image_repo }}
+      - name: Replace Token in opensearch.yml
+        uses: cschleiden/replace-tokens@v1
+        with:
+          files: '["${{ github.workspace }}/config/playground/helm/future/helm-opensearch.yaml"]'
+          tokenPrefix: '${'
+          tokenSuffix: '}'
+        env:
+          ESNODE_CERT: ${{ secrets.esnode_cert }}
+          ESNODE_KEY_CERT: ${{ secrets.esnode_key_cert }}
+          ROOT_CA_CERT: ${{ secrets.root_ca_cert }}
+          OS_IMAGE_TAG: ${{ inputs.os_image_tag }}
+          OS_IMAGE_REPO: ${{ inputs.os_image_repo }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_PINK }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PINK }}
+          aws-region: ${{ secrets.AWS_REGION_PINK }}
+      - name: Fresh Deploy OpenSearch and OpenSearch Dashboards By Helm Chart
+        if: ${{ inputs.deploy_fresh }}
+        uses: elastic-analytics/dashboards-action@main
+        env:
+          KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA_PINK }}
+        with:
+          plugins: "" # optional, list of Helm plugins. eg. helm-secrets or helm-diff.
+          # Teardown the current OS and OSD and then install the lastest version
+          # of OS and OSD as it only takes 23 seconds for the process, will add
+          # blue/green deployment later.
+          command: |
+            helm uninstall opensearch --namespace default
+            helm uninstall dashboards --namespace default
+            kubectl get pvc | grep opensearch-cluster-leader-opensearch-cluster-leader- | awk '{print $1}'| xargs kubectl delete pvc
+            helm install opensearch opensearch/opensearch -f config/playground/helm/future/helm-opensearch.yaml
+            helm install dashboards opensearch/opensearch-dashboards -f config/playground/helm/future/helm-opensearch-dashboards.yaml
+
+      - name: Upgrade Deploy OpenSearch/OpenSearch Dashboards By Helm Chart
+        if: ${{ inputs.deploy_upgrade }}
+        uses: elastic-analytics/dashboards-action@main
+        env:
+          KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA_PINK }}
+        with:
+          plugins: "" # optional, list of Helm plugins. eg. helm-secrets or helm-diff.
+          # Teardown the current OS and OSD and then install the lastest version
+          # of OS and OSD as it only takes 23 seconds for the process, will add
+          # blue/green deployment later.
+          command: |
+            helm upgrade opensearch opensearch/opensearch -f config/playground/helm/future/helm-opensearch.yaml
+            helm upgrade dashboards opensearch/opensearch-dashboards -f config/playground/helm/future/helm-opensearch-dashboards.yaml
+

config/playground/helm/future/helm-opensearch-dashboards.yaml

@@ -0,0 +1,246 @@
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Default values for opensearch-dashboards.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+opensearchHosts: "https://opensearch-cluster-leader:9200"
+replicaCount: 2
+
+image:
+  repository: ${OSD_IMAGE_REPO}
+  # override image tag, which is .Chart.AppVersion by default
+  tag: ${OSD_IMAGE_TAG}
+  pullPolicy: "Always"
+
+startupProbe:
+  tcpSocket:
+    port: 5601
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 20
+  successThreshold: 1
+  initialDelaySeconds: 10
+
+livenessProbe:
+  tcpSocket:
+    port: 5601
+  periodSeconds: 20
+  timeoutSeconds: 5
+  failureThreshold: 10
+  successThreshold: 1
+  initialDelaySeconds: 10
+
+readinessProbe:
+  tcpSocket:
+    port: 5601
+  periodSeconds: 20
+  timeoutSeconds: 5
+  failureThreshold: 10
+  successThreshold: 1
+  initialDelaySeconds: 10
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+rbac:
+  create: true
+
+# A list of secrets and their paths to mount inside the pod
+# This is useful for mounting certificates for security and for mounting
+# the X-Pack license
+secretMounts: []
+
+podAnnotations: {}
+
+extraEnvs: []
+
+envFrom: []
+
+extraVolumes: []
+
+extraVolumeMounts: []
+
+extraInitContainers: ""
+
+extraContainers: ""
+
+podSecurityContext: {}
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  # readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+config:
+  # Default OpenSearch Dashboards configuration from docker image of Dashboards
+  opensearch_dashboards.yml:
+    opensearch.hosts: [https://localhost:9200]
+    opensearch.ssl.verificationMode: none
+    opensearch.username: kibanaserver
+    opensearch.password: ${KIBANASERVER}
+    opensearch.requestHeadersWhitelist: [authorization, securitytenant]
+    opensearch_security.auth.anonymous_auth_enabled: true
+    opensearch_security.multitenancy.enabled: true
+    opensearch_security.multitenancy.tenants.enable_global: true
+    opensearch_security.multitenancy.tenants.enable_private: true
+    opensearch_security.multitenancy.tenants.preferred: [Global, Private]
+    opensearch_security.readonly_mode.roles: [kibana_read_only]
+    # Use this setting if you are running opensearch-dashboards without https
+    opensearch_security.cookie.secure: false
+    server.host: '0.0.0.0'
+    # Use the consolidated menu and global header bar
+    opensearchDashboards.branding.useExpandedHeader: false
+    # Enable multiple datasource
+    data_source.enabled: true
+    data_source.endpointDeniedIPs: [
+      '127.0.0.0/8',
+      '::1/128',
+      '169.254.0.0/16',
+      'fe80::/10',
+      '10.0.0.0/8',
+      '172.16.0.0/12',
+      '192.168.0.0/16',
+      'fc00::/7',
+      '0.0.0.0/8',
+      '100.64.0.0/10',
+      '192.0.0.0/24',
+      '192.0.2.0/24',
+      '198.18.0.0/15',
+      '192.88.99.0/24',
+      '198.51.100.0/24',
+      '203.0.113.0/24',
+      '224.0.0.0/4',
+      '240.0.0.0/4',
+      '255.255.255.255/32',
+      '::/128',
+      '2001:db8::/32',
+      'ff00::/8',
+    ]
+    # Enable ml_commons_dashboards
+    # ml_commons_dashboards.enabled: true
+    # Content security policy(csp) settings
+    csp.rules: [ "connect-src 'self' www.google-analytics.com vectors.maps.opensearch.org tiles.maps.opensearch.org maps.opensearch.org;" ]
+    csp.warnLegacyBrowsers: false
+    google_analytics_plugin.trackingID: ${GA_TRACKING_ID}
+
+    # security plugin for openid
+    opensearch_security.auth.type: ['Basicauth','openid']
+    opensearch_security.auth.multiple_auth_enabled: true
+    opensearch_security.ui.openid.login.buttonname: "Log in with Google account"
+    opensearch_security.ui.openid.login.brandimage: "https://opensearch.org/assets/brand/PNG/Mark/opensearch_mark_default.png"
+    opensearch_security.ui.openid.login.showbrandimage: true
+    opensearch_security.openid.base_redirect_url: ${OPENID_REDIRECT_URL}
+    opensearch_security.openid.scope: 'openid profile email'
+    opensearch_security.openid.verify_hostnames: false
+    opensearch_security.openid.refresh_tokens: false
+
+    opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration"
+    opensearch_security.openid.client_id: ${OPENID_CLIENT_ID}
+    opensearch_security.openid.client_secret: ${OPENID_CLIENT_SECRET}
+    opensearch_security.openid.logout_url: ${OPENID_LOGOUT_URL}
+
+    uiSettings:
+      overrides:
+        "theme:next": true
+        "theme:darkMode": false
+
+priorityClassName: ""
+
+opensearchAccount:
+  secret: ""
+  keyPassphrase:
+    enabled: false
+
+labels: {}
+
+hostAliases: []
+
+serverHost: "0.0.0.0"
+
+service:
+  type: NodePort
+  # The IP family and IP families options are to set the behaviour in a dual-stack environment
+  # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
+  # should be
+  #
+  # ipFamilyPolicy: SingleStack
+  # ipFamilies:
+  # - IPv4
+  port: 5601
+  #targetPort: 5601
+  loadBalancerIP: ""
+  nodePort: ""
+  labels: {}
+  annotations: {}
+  loadBalancerSourceRanges: []
+  # 0.0.0.0/0
+  httpPortName: http
+
+ingress:
+  enabled: true
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/certificate-arn: ${CERTIFICATE_ARN}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+  labels: {}
+  hosts:
+    - host: future.playground.opensearch.org
+      paths:
+        - path: /
+          backend: 
+              service:
+                name: "dashboards-opensearch-dashboards"
+                port:
+                  number: 5601
+  tls: []
+
+resources:
+  requests:
+    cpu: "1"
+    memory: "8G"
+  limits:
+    cpu: "3"
+    memory: "24G"
+
+autoscaling:
+  # This requires metrics server to be installed, to install use kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+  # See https://github.com/kubernetes-sigs/metrics-server
+  enabled: false
+  minReplicas: 2
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+
+updateStrategy:
+  type: "Recreate"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Array of extra K8s manifests to deploy
+extraObjects: []
+
+# specify the external plugins to install
+plugins:
+  enabled: true
+  installList: ["https://github.com/BionIT/google-analytics-plugin/releases/download/3.0.0/googleAnalytics-3.0.0.zip"]