-
Notifications
You must be signed in to change notification settings - Fork 10
222 lines (180 loc) · 8.17 KB
/
deploy-to.openshift-dev.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
name: Build & Deploy to DEV
env:
OPENSHIFT_SERVER: '${{ secrets.OPENSHIFT_SERVER }}'
OPENSHIFT_TOKEN: '${{ secrets.OPENSHIFT_TOKEN }}'
OPENSHIFT_NAMESPACE_DEV: '${{ secrets.ECAS_NAMESPACE_NO_ENV }}-dev'
CA_CERT: '${{ secrets.CA_CERT }}'
CERTIFICATE: '${{ secrets.CERT }}'
PRIVATE_KEY: '${{ secrets.PRIV_KEY }}'
IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
IMAGE_REGISTRY_USER: '${{ github.actor }}'
IMAGE_REGISTRY_PASSWORD: '${{ github.token }}'
IMAGE_NAME: ecas-frontend
DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
APP_NAME: ecas
REPO_NAME: educ-ecas
BRANCH: test_github_actions
APP_NAME_FRONTEND: ecas-frontend
NAMESPACE: '${{ secrets.ECAS_NAMESPACE_NO_ENV }}'
NAMESPACE_TOOLS: '${{ secrets.ECAS_NAMESPACE_NO_ENV }}-tools'
TAG: latest
MIN_REPLICAS_DEV: '1'
MAX_REPLICAS_DEV: '2'
MIN_CPU: 300m
MAX_CPU: 600m
MIN_MEM: 250Mi
MAX_MEM: 500Mi
MIN_REPLICAS_TEST: '2'
MAX_REPLICAS_TEST: '3'
HOST_ROUTE: '${{ secrets.SITE_URL }}'
'on':
push:
branches:
- test_github_actions
jobs:
build-and-deploy-dev:
name: Build and deploy to DEV
runs-on: ubuntu-22.04
environment: dev
outputs:
ROUTE: '${{ steps.deploy-and-expose.outputs.route }}'
SELECTOR: '${{ steps.deploy-and-expose.outputs.selector }}'
steps:
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: >
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value
]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v3
- name: Get Image Tag
id: get-image-hash
run: >
IMAGE_NAME ='${{ env.APP_NAME_FRONTEND }}'
TAG= '${{ env.TAG }}'
IMAGE_HASH = $(oc get istag "${IMAGE_NAME}:${TAG}" -o template --template = '{{.image.dockerImageREference}}' | awk -F'@' '{print $2}')
echo "IMAGE_HASH=${IMAGE_HASH}" >> $GITHUB_ENV
echo "Image hash retrieved: ${IMAGE_HASH}"
- name: TAG Image
id: tag_image
run: >
TEST ="test"
IMAGE_NAME ='${{ env.APP_NAME_FRONTEND }}'
TAG= '${{ env.TAG }}'
IMAGE_HASH='${{ env.IMAGE_HASH }}'
oc tag "${IMAGE_NAME}@${IMAGE_HASH}" "${IMAGE_NAME}:${TAG}" || echo "failed to tag the image"
TAGGED_IMAGE= "${IMAGE_NAME}:${TAG}"
echo "TAGGED_IMAGE=${TAGGED_IMAGE}" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
registry: '${{ env.DOCKER_ARTIFACTORY_REPO }}'
username: '${{ secrets.DOCKER_HUB_USERNAME }}'
password: '${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}'
- name: Setup and Build
id: build-image-frontend
uses: redhat-actions/s2i-build@v2
with:
path_context: ./web-app
builder_image: registry.redhat.io/rhscl/php-73-rhel7
image: '${{ env.TAGGED_IMAGE }}'
- name: Push frontend to registry
id: push-image-frontend
uses: redhat-actions/push-to-registry@v2
with:
image: '${{ steps.build-image-frontend.outputs.image }}'
tags: '${{ steps.build-image-frontend.outputs.tags }}'
registry: '${{ env.IMAGE_REGISTRY }}'
username: '${{ env.IMAGE_REGISTRY_USER }}'
password: '${{ env.IMAGE_REGISTRY_PASSWORD }}'
- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4
- uses: actions/checkout@v3
- name: Deploy
run: >
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{
env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE_DEV }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.REPO_NAME }}-backend-${{ env.BRANCH }}
2> /dev/null || true && echo "Backend image stream in place"
oc create imagestream ${{ env.REPO_NAME }}-frontend-static 2>
/dev/null || true && echo "Frontend image stream in place"
oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{
env.REPO_NAME }}-backend-${{ env.BRANCH }}:${{ env.TAG }}
oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{
env.REPO_NAME }}-frontend-static:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{
env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{
env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p
TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p
MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }}
-p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p
MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }}\
| oc apply -f -
# Process and apply deployment template
oc process -f tools/openshift/frontend-static.dc.yaml -p APP_NAME=${{
env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{
env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p
TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p
MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }}
-p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p
MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} -p
CA_CERT="${{ env.CA_CERT }}" -p CERTIFICATE="${{ env.CERTIFICATE }}"
-p PRIVATE_KEY="${{ env.PRIVATE_KEY }}"\
| oc apply -f -
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME
}}/master/tools/config/update-configmap.sh | bash /dev/stdin dev ${{
env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{
env.PEN_NAMESPACE_DEV }} ${{ env.SPLUNK_TOKEN }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc rollout latest dc/${{ env.APP_NAME_FRONTEND }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc logs -f dc/${{ env.IMAGE_NAME }}
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.IMAGE_NAME }}
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
target: 'https://${{ env.HOST_ROUTE }}'