Skip to content

Merge pull request #2033 from bcgov/feature/EAC-33 #880

Merge pull request #2033 from bcgov/feature/EAC-33

Merge pull request #2033 from bcgov/feature/EAC-33 #880

name: Build & Deploy to DEV and TEST
env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE_DEV: ${{ secrets.EDX_NAMESPACE_NO_ENV }}-dev
OPENSHIFT_NAMESPACE_TEST: ${{ secrets.EDX_NAMESPACE_NO_ENV }}-test
PEN_NAMESPACE_DEV: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-dev
PEN_NAMESPACE_TEST: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-test
GRAD_DATA_COLLECTION_NAMESPACE_DEV: ${{ secrets.GRAD_DATA_COLLECTION_NAMESPACE_NO_ENV }}-dev
GRAD_DATA_COLLECTION_NAMESPACE_TEST: ${{ secrets.GRAD_DATA_COLLECTION_NAMESPACE_NO_ENV }}-test
EAS_NAMESPACE_DEV: ${{ secrets.EAS_NAMESPACE_NO_ENV }}-dev
EAS_NAMESPACE_TEST: ${{ secrets.EAS_NAMESPACE_NO_ENV }}-test
SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}
CA_CERT: ${{ secrets.CA_CERT }}
CERTIFICATE: ${{ secrets.CERT }}
PRIVATE_KEY: ${{ secrets.PRIV_KEY }}
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
IMAGE_NAME: edx-backend-master
DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
APP_NAME: 'edx'
REPO_NAME: "educ-edx"
BRANCH: "master"
APP_NAME_BACKEND: "edx-backend-master"
APP_NAME_FRONTEND: "edx-frontend"
APP_NAME_FRONTEND_MASTER: "edx-frontend-master"
APP_NAME_FRONTEND_STATIC: "edx-frontend-static"
NAMESPACE: ${{ secrets.EDX_NAMESPACE_NO_ENV }}
NAMESPACE_TOOLS: ${{ secrets.EDX_NAMESPACE_NO_ENV }}-tools
COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
TAG: "latest"
MIN_REPLICAS_DEV: "1"
MAX_REPLICAS_DEV: "2"
MIN_CPU: "300m"
MAX_CPU: "600m"
MIN_MEM: "250Mi"
MAX_MEM: "500Mi"
MIN_REPLICAS_TEST: "2"
MAX_REPLICAS_TEST: "3"
# SITE_URL should have no scheme or port. It will be prepended with https://
HOST_ROUTE: ${{ secrets.SITE_URL }}
on:
push:
branches:
- master
jobs:
build-and-deploy-dev:
name: Build and deploy to DEV
# ubuntu-latest can also be used.
runs-on: ubuntu-22.04
environment: dev
outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
steps:
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v3
- name: Determine app name
if: env.APP_NAME_BACKEND == ''
run: |
echo "APP_NAME_BACKEND=$(basename $PWD)" | tee -a $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
# https://github.com/redhat-actions/buildah-build#readme
- name: Build backend from Dockerfile
id: build-image-backend
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME_BACKEND }}
tags: "latest"
# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
dockerfiles: |
./backend/Dockerfile
context: ./backend
# https://github.com/redhat-actions/push-to-registry#readme
- name: Push backend to registry
id: push-image-backend
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image-backend.outputs.image }}
tags: ${{ steps.build-image-backend.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USER }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
- name: Build frontend from Dockerfile
id: build-image-frontend
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME_FRONTEND }}
tags: "latest"
# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
dockerfiles: |
./frontend/Dockerfile
context: ./frontend
# https://github.com/redhat-actions/push-to-registry#readme
- name: Push frontend to registry
id: push-image-frontend
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image-frontend.outputs.image }}
tags: ${{ steps.build-image-frontend.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USER }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4
# https://github.com/redhat-actions/oc-login#readme
- uses: actions/checkout@v3
- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE_DEV }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.REPO_NAME }}-backend-${{ env.BRANCH }} 2> /dev/null || true && echo "Backend image stream in place"
oc create imagestream ${{ env.REPO_NAME }}-frontend-static 2> /dev/null || true && echo "Frontend image stream in place"
oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{ env.REPO_NAME }}-backend-${{ env.BRANCH }}:${{ env.TAG }}
oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{ env.REPO_NAME }}-frontend-static:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }}\
| oc apply -f -
# Process and apply deployment template
oc process -f tools/openshift/frontend-static.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} -p CA_CERT="${{ env.CA_CERT }}" -p CERTIFICATE="${{ env.CERTIFICATE }}" -p PRIVATE_KEY="${{ env.PRIVATE_KEY }}"\
| oc apply -f -
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin dev ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.PEN_NAMESPACE_DEV }} ${{ env.GRAD_DATA_COLLECTION_NAMESPACE_DEV}} ${{ env.EAS_NAMESPACE_DEV}} ${{ env.SPLUNK_TOKEN }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc rollout latest dc/${{ env.APP_NAME_FRONTEND_MASTER }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc logs -f dc/${{ env.IMAGE_NAME }}
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.IMAGE_NAME }}
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
target: 'https://${{ env.HOST_ROUTE }}'
deploy-to-test:
name: Deploy to TEST
needs: build-and-deploy-dev
runs-on: ubuntu-22.04
environment: test
outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
steps:
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v3
- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4
- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "No rollout in progress"
oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-frontend-static:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-frontend-static:${{ env.TAG }}
oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-backend-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-backend-${{ env.BRANCH }}:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }}\
| oc apply -f -
# Process and apply deployment template
oc process -f tools/openshift/frontend-static.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} -p CA_CERT="${{ env.CA_CERT }}" -p CERTIFICATE="${{ env.CERTIFICATE }}" -p PRIVATE_KEY="${{ env.PRIVATE_KEY }}"\
| oc apply -f -
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.PEN_NAMESPACE_TEST }} ${{ env.GRAD_DATA_COLLECTION_NAMESPACE_TEST}} ${{ env.EAS_NAMESPACE_TEST}} ${{ env.SPLUNK_TOKEN }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.IMAGE_NAME }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc rollout latest dc/${{ env.APP_NAME_FRONTEND_MASTER }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc logs -f dc/${{ env.IMAGE_NAME }}
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.IMAGE_NAME }}
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
target: 'https://${{ env.HOST_ROUTE }}'