diff --git a/.github/workflows/create-git-and-image-tag.yml b/.github/workflows/create-git-and-image-tag.yml index 69c8a6fa..9f352607 100644 --- a/.github/workflows/create-git-and-image-tag.yml +++ b/.github/workflows/create-git-and-image-tag.yml @@ -1,32 +1,56 @@ -# This is a basic workflow that is manually triggered - name: Create Tag -# Controls when the action will run. Workflow runs when manually triggered using the UI -# or API. +env: + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-dev + + REPO_NAME: 'ecc-ofm' + BRANCH: ${{ github.ref_name }} + APP_NAME_BACKEND: 'd365api' + on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows workflow_dispatch: - # Inputs the workflow accepts. inputs: - name: - # Friendly description to be shown in the UI instead of 'name' - description: 'Person to greet' - # Default value if no value is explicitly provided - default: 'World' - # Input has to be provided for the workflow to run + version: + description: 'Version Number' required: true - # The data type of the input - type: string -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "greet" - greet: - # The type of runner that the job will run on - runs-on: ubuntu-latest + openshift-ci-cd: + name: Tag Image + # ubuntu-20.04 can also be used. + runs-on: ubuntu-20.04 + environment: dev - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Runs a single command using the runners shell - - name: Send greeting - run: echo "Hello ${{ inputs.name }}" + - name: Check out repository + uses: actions/checkout@v2 + + - name: Create tag + uses: actions/github-script@v5 + with: + script: | + github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'refs/tags/${{ github.event.inputs.version }}', + sha: context.sha + }) + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + - uses: actions/checkout@v2 + - name: Tag in OpenShift + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + + oc tag ${{ env.OPENSHIFT_NAMESPACE }}/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}:latest ${{ env.OPENSHIFT_NAMESPACE }}/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}:${{ github.event.inputs.version }} diff --git a/.github/workflows/deploy-to-openshift-dev.yml b/.github/workflows/deploy-to-openshift-dev.yml index a6a4ddfd..e3e1d970 100644 --- a/.github/workflows/deploy-to-openshift-dev.yml +++ b/.github/workflows/deploy-to-openshift-dev.yml @@ -153,7 +153,10 @@ jobs: oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ env.TAG }} # Process and apply deployment template - oc process -f tools/openshift/d365api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }}\ + oc process -f tools/openshift/d365api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \ + -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \ + -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ + -p ENVIRONMENT=dev \ | oc apply -f - # Start rollout (if necessary) and follow it @@ -161,4 +164,4 @@ jobs: || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful - oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }} + oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-dev diff --git a/.github/workflows/deploy-to-openshift-test.yml b/.github/workflows/deploy-to-openshift-test.yml index c6926aa6..4cbad5ee 100644 --- a/.github/workflows/deploy-to-openshift-test.yml +++ b/.github/workflows/deploy-to-openshift-test.yml @@ -1,32 +1,140 @@ -# This is a basic workflow that is manually triggered +# OFM Backend TEST workflow +name: 2 TEST - Deploy Backend -name: 2 TEST - Deploy Dynamics API +env: + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-dev + + # SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} + + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + APP_NAME: 'ofm' + REPO_NAME: 'ecc-ofm' + #grabs the branch name from github dynamically + BRANCH: ${{ github.ref_name }} + APP_NAME_BACKEND: 'd365api' + + NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }} + + MIN_REPLICAS: '3' + MAX_REPLICAS: '5' + MIN_CPU: '50m' + MAX_CPU: '250m' + MIN_MEM: '200Mi' + MAX_MEM: '700Mi' + # SITE_URL should have no scheme or port. It will be prepended with https:// + HOST_ROUTE: ${{ secrets.SITE_URL }} + CA_CERT: ${{ secrets.CA_CERT }} + CERTIFICATE: ${{ secrets.CERTIFICATE }} + PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} -# Controls when the action will run. Workflow runs when manually triggered using the UI -# or API. on: workflow_dispatch: - # Inputs the workflow accepts. - inputs: - name: - # Friendly description to be shown in the UI instead of 'name' - description: 'Person to greet' - # Default value if no value is explicitly provided - default: 'World' - # Input has to be provided for the workflow to run - required: true - # The data type of the input - type: string - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel + jobs: - # This workflow contains a single job called "greet" - greet: - # The type of runner that the job will run on + openshift-ci-cd: + name: Deploy Backend to TEST runs-on: ubuntu-latest + environment: test + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Runs a single command using the runners shell - - name: Send greeting - run: echo "Hello ${{ inputs.name }}" + - name: Check for required secrets + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository with branch [${{ env.BRANCH }}] + uses: actions/checkout@v2 + with: + ref: ${{ env.BRANCH }} + + - name: Get latest tag + uses: actions-ecosystem/action-get-latest-tag@v1 + id: get-latest-tag + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + - name: Deploy + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + # Cancel any rollouts in progress + oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }} 2> /dev/null \ + || true && echo "No rollout in progress" + + # Create tag for TEST env from DEV env image + # oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} + + # Process and apply deployment template + oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \ + -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ steps.get-latest-tag.outputs.tag }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \ + -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ + -p HOST_ROUTE=${{ env.HOST_ROUTE }} -p ENVIRONMENT=test \ + | oc apply -f - + + # Process update-configmap + # curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.SPLUNK_TOKEN }} + + # Start rollout (if necessary) and follow it + oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}} 2> /dev/null \ + || true && echo "Rollout in progress" + + # Get status, returns 0 if rollout is successful + oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-test + + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.3.0 + with: + target: 'https://${{ env.HOST_ROUTE }}/api' diff --git a/tools/openshift/d365api.dc.yaml b/tools/openshift/d365api.dc.yaml index d5350598..093f7530 100644 --- a/tools/openshift/d365api.dc.yaml +++ b/tools/openshift/d365api.dc.yaml @@ -15,12 +15,12 @@ objects: labels: app: '${APP_NAME}-${BRANCH}' branch: '${BRANCH}' - name: '${APP_NAME}-d365api' + name: '${APP_NAME}-d365api-${ENVIRONMENT}' spec: replicas: ${{MIN_REPLICAS}} selector: app: '${APP_NAME}-${BRANCH}' - deploymentconfig: '${APP_NAME}-d365api' + deploymentconfig: '${APP_NAME}-d365api-${ENVIRONMENT}' strategy: resources: {} type: Rolling @@ -31,7 +31,7 @@ objects: creationTimestamp: labels: app: '${APP_NAME}-${BRANCH}' - deploymentconfig: '${APP_NAME}-d365api' + deploymentconfig: '${APP_NAME}-d365api-${ENVIRONMENT}' spec: containers: - image: image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${REPO_NAME}-d365api-${BRANCH}:${TAG} @@ -55,7 +55,7 @@ objects: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 - name: '${APP_NAME}-d365api' + name: '${APP_NAME}-d365api-${ENVIRONMENT}' ports: - containerPort: 5091 protocol: TCP @@ -83,7 +83,7 @@ objects: emptyDir: {} - name: config-env configMap: - name: ofm-d365api-config-map + name: ofm-d365api-${ENVIRONMENT}-config-map # - name: tls-certs # secret: # secretName: ofm-backend-cert @@ -99,7 +99,7 @@ objects: creationTimestamp: labels: app: '${APP_NAME}-${BRANCH}' - name: '${APP_NAME}-d365api' + name: '${APP_NAME}-d365api-${ENVIRONMENT}' spec: ports: - name: 5091-tcp @@ -112,11 +112,11 @@ objects: targetPort: 443 selector: app: '${APP_NAME}-${BRANCH}' - deploymentconfig: '${APP_NAME}-d365api' + deploymentconfig: '${APP_NAME}-d365api-${ENVIRONMENT}' - apiVersion: v1 kind: Route metadata: - name: '${APP_NAME}-d365api' + name: '${APP_NAME}-d365api--${ENVIRONMENT}' labels: app: '${APP_NAME}-${BRANCH}' annotations: @@ -128,7 +128,7 @@ objects: spec: to: kind: Service - name: '${APP_NAME}-d365api' + name: '${APP_NAME}-d365api-${ENVIRONMENT}' weight: 100 port: targetPort: 5091-tcp @@ -139,7 +139,7 @@ objects: - apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: '${APP_NAME}-d365api-cpu-autoscaler' + name: '${APP_NAME}-d365api-cpu-autoscaler-${ENVIRONMENT}' spec: scaleTargetRef: apiVersion: apps.openshift.io/v1 @@ -165,6 +165,9 @@ parameters: - name: NAMESPACE description: Target namespace reference (i.e. 'k8vopl-dev') required: true + - name: ENVIRONMENT + description: The environment being created ('dev', 'test', 'uat', 'prod') + required: true - name: APP_NAME description: Application name required: true