diff --git a/.github/workflows/deploy-to.openshift-dev-and-test.yml b/.github/workflows/deploy-to.openshift-dev.yml similarity index 63% rename from .github/workflows/deploy-to.openshift-dev-and-test.yml rename to .github/workflows/deploy-to.openshift-dev.yml index 275136a8..15f4e949 100644 --- a/.github/workflows/deploy-to.openshift-dev-and-test.yml +++ b/.github/workflows/deploy-to.openshift-dev.yml @@ -1,4 +1,4 @@ -name: Build & Deploy to DEV and TEST +name: Build & Deploy to DEV env: # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. @@ -7,7 +7,6 @@ env: OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} OPENSHIFT_NAMESPACE_DEV: ${{ secrets.INSTITUTE_NAMESPACE_NO_ENV }}-dev - OPENSHIFT_NAMESPACE_TEST: ${{ secrets.INSTITUTE_NAMESPACE_NO_ENV }}-test DB_JDBC_CONNECT_STRING: ${{ secrets.DB_JDBC_CONNECT_STRING }} DB_PWD: ${{ secrets.DB_PWD }} @@ -42,13 +41,6 @@ env: MIN_MEM_DEV: "400Mi" MAX_MEM_DEV: "800Mi" - MIN_REPLICAS_TEST: "2" - MAX_REPLICAS_TEST: "2" - MIN_CPU_TEST: "5m" - MAX_CPU_TEST: "150m" - MIN_MEM_TEST: "400Mi" - MAX_MEM_TEST: "800Mi" - on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows push: @@ -185,89 +177,3 @@ jobs: with: target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}-dev.apps.silver.devops.gov.bc.ca/v3/api-docs' - deploy-test: - name: Deploy to OpenShift TEST - needs: build-and-deploy-dev - runs-on: ubuntu-20.04 - environment: test - - outputs: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - - steps: - - name: Check for required secrets - uses: actions/github-script@v6 - with: - script: | - const secrets = { - OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, - OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, - }; - - const GHCR = "ghcr.io"; - if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { - core.info(`Image registry is ${GHCR} - no registry password required`); - } - else { - core.info("A registry password is required"); - secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; - } - - const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { - if (value.length === 0) { - core.error(`Secret "${name}" is not set`); - return true; - } - core.info(`✔️ Secret "${name}" is set`); - return false; - }); - - if (missingSecrets.length > 0) { - core.setFailed(`❌ At least one required secret is not set in the repository. \n` + - "You can add it using:\n" + - "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + - "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + - "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); - } - else { - core.info(`✅ All the required secrets are set`); - } - - - name: Check out repository - uses: actions/checkout@v3 - - - name: Install oc - uses: redhat-actions/openshift-tools-installer@v1 - with: - oc: 4 - - - name: Deploy API - run: | - set -eu - # Login to OpenShift and select project - oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} - oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }} - # Cancel any rollouts in progress - oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ - || true && echo "No rollout in progress" - - oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} - - # Process and apply deployment template - oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU_TEST }} -p MAX_CPU=${{ env.MAX_CPU_TEST }} -p MIN_MEM=${{ env.MIN_MEM_TEST }} -p MAX_MEM=${{ env.MAX_MEM_TEST }} \ - | oc apply -f - - - curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} - - # Start rollout (if necessary) and follow it - oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ - || true && echo "Rollout in progress" - oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }} - # Get status, returns 0 if rollout is successful - oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} - - - name: ZAP Scan - uses: zaproxy/action-api-scan@v0.2.0 - with: - target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}-dev.apps.silver.devops.gov.bc.ca/v3/api-docs' diff --git a/.github/workflows/deploy-to.openshift-test.yml b/.github/workflows/deploy-to.openshift-test.yml new file mode 100644 index 00000000..8fa92714 --- /dev/null +++ b/.github/workflows/deploy-to.openshift-test.yml @@ -0,0 +1,137 @@ +name: Deploy to TEST + +env: + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + # Added this comment + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + OPENSHIFT_NAMESPACE: ${{ secrets.INSTITUTE_NAMESPACE_NO_ENV }}-test + + DB_JDBC_CONNECT_STRING: ${{ secrets.DB_JDBC_CONNECT_STRING }} + DB_PWD: ${{ secrets.DB_PWD }} + DB_USER: ${{ secrets.DB_USER }} + SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} + + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + SPRING_BOOT_IMAGE_NAME: institute-api-master + + APP_NAME: 'institute-api' + DB_NAME: 'institute_api' + REPO_NAME: "educ-institute-api" + BRANCH: "master" + NAMESPACE: ${{ secrets.INSTITUTE_NAMESPACE_NO_ENV }} + COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }} + TAG: "latest" + TARGET_ENV: "test" + MIN_REPLICAS: "2" + MAX_REPLICAS: "2" + MIN_CPU: "5m" + MAX_CPU: "150m" + MIN_MEM: "400Mi" + MAX_MEM: "800Mi" + +on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: + +jobs: + openshift-ci-cd: + name: Deploy to OpenShift TEST + # ubuntu-20.04 can also be used. + runs-on: ubuntu-20.04 + environment: test + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Check for required secrets + uses: actions/github-script@v6 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v3 + + - name: Get latest tag + uses: actions-ecosystem/action-get-latest-tag@v1 + id: get-latest-tag + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + - uses: actions/checkout@v3 + - name: Deploy + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + # Cancel any rollouts in progress + oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ + || true && echo "No rollout in progress" + + oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} + + echo "::add-mask::$(oc -n ${{ env.OPENSHIFT_NAMESPACE }} -o json get secret ${{ env.APP_NAME }}-patroni | sed -n 's/.*"username-appuser": "\(.*\)",/\1/p' | base64 --decode)" + echo "::add-mask::$(oc -n ${{ env.OPENSHIFT_NAMESPACE }} -o json get secret ${{ env.APP_NAME }}-patroni | sed -n 's/.*"password-appuser": "\(.*\)",/\1/p' | base64 --decode)" + + DB_USERNAME=$(oc -n ${{ env.OPENSHIFT_NAMESPACE }} -o json get secret ${{ env.APP_NAME }}-patroni | sed -n 's/.*"username-appuser": "\(.*\)",/\1/p' | base64 --decode) >> /dev/null 2>&1 + DB_PASS=$(oc -n ${{ env.OPENSHIFT_NAMESPACE }} -o json get secret ${{ env.APP_NAME }}-patroni | sed -n 's/.*"password-appuser": "\(.*\)",/\1/p' | base64 --decode) >> /dev/null 2>&1 + + # Process and apply deployment template + oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ steps.get-latest-tag.outputs.tag }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ + | oc apply -f - + + curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ steps.get-latest-tag.outputs.tag }}/tools/config/update-configmap.sh | bash /dev/stdin ${{ env.TARGET_ENV }} ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} + + # Start rollout (if necessary) and follow it + oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ + || true && echo "Rollout in progress" + oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }} + # Get status, returns 0 if rollout is successful + oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}