fix: iac implementation
Store secrets in files to avoid mutating JSON secrets and having them echoed out
trev-dev committed May 21, 2024
1 parent 758e46f commit 59e08b2
Showing 4 changed files with 148 additions and 28 deletions.
55 changes: 48 additions & 7 deletions .github/workflows/deploy-to-openshift-dev.yml
Expand Up @@ -148,23 +148,64 @@ jobs:
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "No rollout in progress"
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.IMAGE_NAME }} 2> /dev/null || true && echo "D365 API image stream in place"
oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{ env.IMAGE_NAME }}:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/d365api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} -p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
oc process \
-f tools/openshift/d365api.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ env.TAG }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
-p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
# Process update-configmap
cat << JSON > /tmp/key_scheme
${{ secrets.D365_API_KEY_SCHEME }}
JSON
cat << JSON > /tmp/api_auth_settings
${{ secrets.D365_API_AUTH_SETTINGS }}
JSON
cat << JSON > /tmp/recipients
${{ secrets.D365_RECIPIENTS }}
JSON
cat << JSON > /tmp/bc_registry_api
${{ secrets.D365_BC_REGISTRY_API }}
JSON
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
| bash /dev/stdin \
dev \
${{ env.APP_NAME }} \
${{ env.OPENSHIFT_NAMESPACE }} \
/tmp/key_scheme \
/tmp/api_auth_settings \
${{ secrets.D365_DEFAULT_SENDER_ID }} \
${{ secrets.D365_DEFAULT_CONTACT_ID }} \
/tmp/recipients \
/tmp/bc_registry_api \
${{ secrets.D365_BCCAS_API_URL }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }}
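Review bot: The four heredocs starting at `cat << JSON > /tmp/key_scheme` use an unquoted delimiter, so after Actions has interpolated `${{ secrets.* }}` bash still applies parameter expansion, command substitution and backslash processing to the body — any `$`, backtick or `\` inside the JSON secrets is mutated, which is precisely what the commit message says it wants to avoid. Quote the delimiter on all four, `cat << 'JSON' > /tmp/key_scheme` (and likewise for /tmp/api_auth_settings, /tmp/recipients and /tmp/bc_registry_api); the template placeholders are substituted before bash parses the script, so a quoted delimiter loses nothing. The files are written to fixed, predictable paths under /tmp with whatever umask the runner has and are never deleted; a directory from `mktemp -d` created under `umask 077` and removed once update-configmap.sh has run would keep the secret material out of a shared tmp and away from later steps. The same lines appear in deploy-to-openshift-test.yml and deploy-to-openshift-uat.yml. The run script continues outside the hunk.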
54 changes: 46 additions & 8 deletions .github/workflows/deploy-to-openshift-test.yml
Expand Up @@ -112,24 +112,62 @@ jobs:
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }} 2> /dev/null \
|| true && echo "No rollout in progress"
|| true && echo "No rollout in progress"
# Create tag for TEST env from DEV env image
# oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }}
# Process and apply deployment template
oc process -f tools/openshift/d365api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ steps.get-latest-tag.outputs.tag }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} -p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
oc process \
-f tools/openshift/d365api.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ steps.get-latest-tag.outputs.tag }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
-p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
# Process update-configmap
# curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.SPLUNK_TOKEN }}
cat << JSON > /tmp/key_scheme
${{ secrets.D365_API_KEY_SCHEME }}
JSON
cat << JSON > /tmp/api_auth_settings
${{ secrets.D365_API_AUTH_SETTINGS }}
JSON
cat << JSON > /tmp/recipients
${{ secrets.D365_RECIPIENTS }}
JSON
cat << JSON > /tmp/bc_registry_api
${{ secrets.D365_BC_REGISTRY_API }}
JSON
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
| bash /dev/stdin \
test \
${{ env.APP_NAME }} \
${{ env.OPENSHIFT_NAMESPACE }} \
/tmp/key_scheme \
/tmp/api_auth_settings \
${{ secrets.D365_DEFAULT_SENDER_ID }} \
${{ secrets.D365_DEFAULT_CONTACT_ID }} \
/tmp/recipients \
/tmp/bc_registry_api \
${{ secrets.D365_BCCAS_API_URL }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }}
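Review bot: The values spliced into the `bash /dev/stdin` argument list, e.g. `${{ secrets.D365_DEFAULT_SENDER_ID }} \` and `${{ secrets.D365_BCCAS_API_URL }}`, are template-expanded straight into the shell source as unquoted words, so a value containing whitespace or shell metacharacters alters the argument vector (or the script itself) instead of being passed through intact. GitHub's guidance for `run:` steps is to map such values through the step's `env:` block and reference them quoted: `D365_DEFAULT_SENDER_ID: ${{ secrets.D365_DEFAULT_SENDER_ID }}` under `env:` on the step, then `"$D365_DEFAULT_SENDER_ID" \` in the script (the step header is outside the hunk). The same applies to the dev and uat workflows. The commented-out curl line kept above the heredocs still documents the old update-configmap.sh interface with `${{ env.NAMESPACE }}` and `${{ env.SPLUNK_TOKEN }}`; now that the replacement call is in place it is dead text and is better removed than left as a misleading reference.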
52 changes: 45 additions & 7 deletions .github/workflows/deploy-to-openshift-uat.yml
Expand Up @@ -122,18 +122,56 @@ jobs:
oc tag ${{ env.NAMESPACE }}-dev/${{ env.IMAGE_NAME }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-test/${{ env.IMAGE_NAME }}:${{ steps.get-latest-tag.outputs.tag }}
# Process and apply deployment template
oc process -f tools/openshift/d365api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ steps.get-latest-tag.outputs.tag }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} -p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
oc process \
-f tools/openshift/d365api.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ steps.get-latest-tag.outputs.tag }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
-p HAPROXY_IP_WHITELIST=${{ env.HAPROXY_IP_WHITELIST }} \
| oc apply -f -
# Process update-configmap
# curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.SPLUNK_TOKEN }}
cat << JSON > /tmp/key_scheme
${{ secrets.D365_API_KEY_SCHEME }}
JSON
cat << JSON > /tmp/api_auth_settings
${{ secrets.D365_API_AUTH_SETTINGS }}
JSON
cat << JSON > /tmp/recipients
${{ secrets.D365_RECIPIENTS }}
JSON
cat << JSON > /tmp/bc_registry_api
${{ secrets.D365_BC_REGISTRY_API }}
JSON
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
| bash /dev/stdin \
uat \
${{ env.APP_NAME }} \
${{ env.OPENSHIFT_NAMESPACE }} \
/tmp/key_scheme \
/tmp/api_auth_settings \
${{ secrets.D365_DEFAULT_SENDER_ID }} \
${{ secrets.D365_DEFAULT_CONTACT_ID }} \
/tmp/recipients \
/tmp/bc_registry_api \
${{ secrets.D365_BCCAS_API_URL }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }}
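Review bot: `curl -s https://raw.githubusercontent.com/.../update-configmap.sh | bash /dev/stdin` executes whatever the fetch returns: without `--fail` a non-200 response (missing branch, rate limiting, outage) yields an error body that bash then tries to run, and because the pipeline's status is bash's the step either fails with a confusing message or, for an empty body, may succeed having done nothing. The deployment template a few lines up is read from the working tree (`-f tools/openshift/d365api.dc.yaml`), which suggests the checkout already contains `tools/config/update-configmap.sh`; if so, `bash tools/config/update-configmap.sh uat ...` runs exactly the revision being deployed with no network fetch on the deploy path, and otherwise at least `curl -fsS` so a bad response stops the step. The same call shape is used in the dev and test workflows. The run script continues outside the hunk.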
15 changes: 9 additions & 6 deletions tools/config/update-configmap.sh
Expand Up @@ -50,7 +50,7 @@ if [ "$ENV_VAL" != "prod" ]; then
fi
readonly D365_EMAIL_SAFE_LIST_ENABLE

D365_CONFIGURATION=$(cat << JSON
D365_CONFIGURATION=$(jq << JSON
{
"Logging": $D365_LOG_LEVEL,
"AllowedHosts": "*",
Expand All @@ -64,10 +64,10 @@ D365_CONFIGURATION=$(cat << JSON
},
"AuthenticationSettings": {
"Schemes": {
"ApiKeyScheme": $D365_API_KEY_SCHEME
"ApiKeyScheme": $(cat "$D365_API_KEY_SCHEME")
}
},
"D365AuthSettings": $D365_API_AUTH_SETTINGS,
"D365AuthSettings": $(cat "$D365_API_AUTH_SETTINGS"),
"DocumentSettings": {
"MaxFileSize": 3999999,
"AcceptedFommat": [
Expand Down Expand Up @@ -133,7 +133,7 @@ D365_CONFIGURATION=$(cat << JSON
"EmailSafeList": {
"Enable": $D365_EMAIL_SAFE_LIST_ENABLE,
"DefaultContactId": "$D365_DEFAULT_CONTACT_ID",
"Recipients": $D365_RECIPIENTS
"Recipients": $(cat "$D365_RECIPIENTS")
},
"fundingUrl": "$SERVER_FRONTEND/funding",
"fundingTabUrl": "$SERVER_FRONTEND/funding/overview"
Expand Down Expand Up @@ -161,7 +161,7 @@ D365_CONFIGURATION=$(cat << JSON
}
},
"ExternalServices": {
"BCRegistryApi": $D365_BC_REGISTRY_API,
"BCRegistryApi": $(cat "$D365_BC_REGISTRY_API"),
"BCCASApi": {
"Enable": true,
"Url": "$D365_BCCAS_API_URL",
Expand Down Expand Up @@ -200,11 +200,14 @@ D365_CONFIGURATION=$(cat << JSON
JSON
)
readonly D365_CONFIGURATION
echo "$D365_CONFIGURATION" > /tmp/appsettings.json

echo
echo Creating D365 config map "$APP_NAME-d365api-$ENV_VAL-config-map"
oc create -n "$OPENSHIFT_NAMESPACE" configmap \
--from-literal="appsettings.json=$D365_CONFIGURATION"
"$APP_NAME-d365api-$ENV_VAL-config-map" \
--from-file="appsettings.json=/tmp/appsettings.json" \
--dry-run -o yaml | oc apply -f -

echo
echo Setting environment variables for "$APP_NAME-d365api-$ENV_VAL" application
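Review bot: The exit status of `jq` at `D365_CONFIGURATION=$(jq << JSON` is never checked, so if one of the `$(cat "...")` files is missing or a secret is not valid JSON, jq prints a parse error and the variable is left empty, after which `echo "$D365_CONFIGURATION" > /tmp/appsettings.json` writes an empty file and the configmap is applied with an empty appsettings.json (whether `set -e` is enabled at the top of the script is outside the hunk). Make the filter explicit and fail closed: `D365_CONFIGURATION=$(jq . << JSON` and, on the closing line, `) || { printf 'update-configmap: appsettings.json is not valid JSON\n' >&2; exit 1; }`. /tmp/appsettings.json now holds the fully assembled secrets at a fixed, predictable path and is not removed after `oc apply`; creating it under `umask 077` (or via `mktemp`) and deleting it once the configmap is applied keeps that material out of a shared tmp. Note also that jq re-serializes the document, and jq releases before 1.7 store every number as a double, so an integer above 2^53 anywhere in the secret JSON would be silently altered — worth confirming none of the secrets carries such values. Since `D365_API_KEY_SCHEME`, `D365_API_AUTH_SETTINGS`, `D365_RECIPIENTS` and `D365_BC_REGISTRY_API` now hold file paths rather than JSON but keep their old names, a comment at the argument-parsing site (outside this hunk) stating that they are paths would spare the next reader a surprise.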
