diff --git a/.github/workflows/ci-cd-pims-dev.yml b/.github/workflows/ci-cd-pims-dev.yml index d6f594abbd..8fef514267 100644 --- a/.github/workflows/ci-cd-pims-dev.yml +++ b/.github/workflows/ci-cd-pims-dev.yml @@ -24,6 +24,8 @@ env: TAG_DEV: "dev" TAG_TEST: "test" TAG_PROD: "prod" + DEPLOYMENT_NAMESPACE: "3cd915-dev" + on: pull_request_target: branches: [dev] @@ -83,7 +85,7 @@ jobs: ./openshift/4.0/player.sh build proxy -apply deploy: - name: Deploy frontend and api to OpenShift + name: Deploy to OpenShift needs: [build-frontend, build-api] runs-on: ubuntu-latest steps: @@ -96,11 +98,27 @@ jobs: openshift_token: ${{ env.OPENSHIFT_TOKEN }} insecure_skip_tls_verify: true namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} - - name: call scripts to deploy api and frontend + - name: Deploy PIMS frontend + shell: bash + run: | + oc tag pims-app:latest-$DESTINATION pims-app:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION + - name: Deploy PIMS api + shell: bash + run: | + oc tag pims-api:latest-$DESTINATION pims-api:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION + - name: Deploy geoserver proxy microservice + shell: bash run: | - ./openshift/4.0/player.sh deploy api $DESTINATION -apply - ./openshift/4.0/player.sh deploy app $DESTINATION -apply oc tag pims-proxy:latest-$DESTINATION pims-proxy:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION + - name: Deploy mayan + shell: bash + run: | oc tag mayan-bcgov:latest-$DESTINATION mayan-bcgov:$DESTINATION # the command: 
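Review bot: The new `Deploy mayan` step only moves the image tag; unlike the frontend, api and proxy steps above it, it runs no `rollout restart` or `rollout status`, so the job can finish green without confirming that mayan is running the new image. If mayan is still rolled out by an image trigger, a comment on the step such as `# mayan redeploys from its image trigger, no explicit rollout needed` would record that; otherwise it needs the same restart/status pair as the other three. The same step shape appears in the retag-dev-to-test.yml hunk and in the new retag-test-to-uat-argo.yml. Everything after `# the command:` is outside this hunk, so a later rollout step for mayan cannot be ruled out from here.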
diff --git a/.github/workflows/deploy-prod-start-argo.yml b/.github/workflows/deploy-prod-start-argo.yml
new file mode 100644
index 0000000000..88f2c71b8b
--- /dev/null
+++ b/.github/workflows/deploy-prod-start-argo.yml
@@ -0,0 +1,157 @@
+name: PIMS PROD Deployment (ArgoCD)
+env:
+ OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+ # service account: gitaction
+ OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+ OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools"
+ MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }}
+ AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_PROD }}
+ AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }}
+ ASPNETCORE_ENVIRONMENT: "prod"
+
+ APP_PORT: 8080
+ DESTINATION: "prod"
+ OC_JOB_NAME: "master"
+ GIT_URL: "${{github.server_url}}/${{github.repository}}"
+ GIT_BRANCH: "master"
+ APP_NAME: "pims"
+ PROJ_PREFIX: "3cd915"
+ PROJ_TOOLS: "3cd915-tools"
+ PROJ_DEV: "dev"
+ PROJ_TEST: "test"
+ PROJ_PROD: "prod"
+ TAG_DEV: "dev"
+ TAG_TEST: "test"
+ TAG_PROD: "prod"
+ DEPLOYMENT_NAMESPACE: "3cd915-prod"
+
+on:
+ workflow_dispatch:
+ inputs:
+ OVERRIDE_VERSION:
+ description: "Enter the version tag for this release in format v..-. or enter nothing to use the most recently tagged version"
+ required: false
+
+jobs:
+ ci-cd-start-notification:
+ name: CI-CD Start Notification to Teams Channel
+ runs-on: ubuntu-latest
+ steps:
+ - name: Start notification to Teams Channel
+ uses: dragos-cojocari/ms-teams-notification@v1.0.2
+ with:
+ github-token: ${{ github.token }}
+ ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
+ notification-summary: PIMS Deployment to PRODUCTION started.
+ notification-color: 17a2b8
+ timezone: America/Los_Angeles
+
+ deploy:
+ name: Deploy frontend and api to OpenShift
+ runs-on: ubuntu-latest
+ needs: ci-cd-start-notification
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ with:
+ ref: master
+ fetch-depth: 0
+ - name: "Get Previous tag"
+ id: previoustag
+ uses: "WyriHaximus/github-action-get-previous-tag@v1"
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
+ - name: Display the maintenance page instead of the app
+ run: |
+ ./tools/cicd/maintenance/maintenance.sh prod on
+ - name: call scripts to deploy api and frontend
+ run: |
+ [[ -z ${{github.event.inputs.OVERRIDE_VERSION}} ]] && RELEASE_VERSION=${{steps.previoustag.outputs.tag}}-master || RELEASE_VERSION=${{github.event.inputs.OVERRIDE_VERSION}}-master
+
+ oc tag pims-app:$RELEASE_VERSION pims-app:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION
+
+ oc tag pims-api:$RELEASE_VERSION pims-api:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION
+
+ oc tag pims-proxy:$RELEASE_VERSION pims-proxy:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION
+
+ oc tag mayan-bcgov:$RELEASE_VERSION mayan-bcgov:master
+
+ # the command:
+ # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template.
+ # 2) greps the generated name from the previous step.
+ # 3) waits for the job to complete using the generated name.
+ database-upgrade:
+ name: Upgrade database
+ needs: [deploy]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-prod
+ - name: call scripts to upgrade database
+ shell: bash
+ run: |
+ JOB_NAME=$(oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database -p GIT_BRANCH=master -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_PRD -p NAMESPACE=3cd915-prod | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*")
+ oc wait --for=condition=complete job/$JOB_NAME --timeout=120s
+ oc get pods -o custom-columns=POD:.metadata.name --no-headers | grep -Eo $JOB_NAME-[^\s].* | (read POD_NAME; oc logs $POD_NAME)
+
+ ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting.
+ ## Note: this depends on the mayan-sync configmap for the target namespace being up to date.
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-prod + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-3cd915-prod.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-3cd915-prod.apps.silver.devops.gov.bc.ca/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-3cd915-prod.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + +## Call the tekton pipeline 
that executes the keycloak sync. Dependent on the pims-api being accessible. Can run in parallel with the mayan sync. + keycloak-sync: + name: sync keycloak + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-prod + - name: call scripts to sync keycloak + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/keycloak-sync-pipeline-run.yaml -p ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT -p NAMESPACE=3cd915-prod -p BRANCH=$DESTINATION -p API_URL=http://pims-api:8080/api | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read PIPELINE_NAME; oc wait --for=condition=succeeded pipelineruns/$PIPELINE_NAME --timeout=500s) + diff --git a/.github/workflows/retag-dev-to-test.yml b/.github/workflows/retag-dev-to-test.yml index 727a156c70..89d979e77e 100644 --- a/.github/workflows/retag-dev-to-test.yml +++ b/.github/workflows/retag-dev-to-test.yml @@ -13,7 +13,6 @@ env: ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh APP_PORT: 8080 DESTINATION: "test" - OC_JOB_NAME: "test" GIT_URL: "${{github.server_url}}/${{github.repository}}" GIT_BRANCH: "${{github.ref}}" APP_NAME: "pims" @@ -28,6 +27,7 @@ env: INSTANCE: "-test" NAMESPACE_OVERRIDE: "3cd915-dev" RELEASE_TAG: "dev" + DEPLOYMENT_NAMESPACE: "3cd915-dev" on: workflow_dispatch @@ -46,7 +46,7 @@ jobs: timezone: America/Los_Angeles deploy: - name: Retag/Deploy frontend and api to OpenShift + name: Retag/Deploy to OpenShift needs: ci-cd-start-notification runs-on: ubuntu-latest steps: 
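Review bot: In the `call scripts to deploy api and frontend` step of deploy-prod-start-argo.yml, `${{github.event.inputs.OVERRIDE_VERSION}}` and `${{steps.previoustag.outputs.tag}}` are expanded into the script text before bash parses it, so shell metacharacters in the dispatch input or in a tag name would run as commands in a job that is logged in to production with `OPENSHIFT_TOKEN`. Passing both values through `env:` and expanding them as quoted shell variables keeps them as data; rejecting a value that does not match the project's release-tag format before the first `oc tag` would be a further check. The step also lacks the `shell: bash` that the other new steps declare. The `create-builds` and `build-frontend` steps of uat_pre_release_hotfix_argo.yml interpolate `HOTFIX_BRANCH` the same way and need the same treatment.

```yaml
      - name: call scripts to deploy api and frontend
        shell: bash
        env:
          OVERRIDE_VERSION: ${{ github.event.inputs.OVERRIDE_VERSION }}
          PREVIOUS_TAG: ${{ steps.previoustag.outputs.tag }}
        run: |
          RELEASE_VERSION="${OVERRIDE_VERSION:-$PREVIOUS_TAG}-master"
          oc tag "pims-app:$RELEASE_VERSION" "pims-app:$DESTINATION"
          # … unchanged: rollout restart/status, and the api, proxy and mayan tags …
```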
@@ -59,12 +59,28 @@ jobs: openshift_token: ${{ env.OPENSHIFT_TOKEN }} insecure_skip_tls_verify: true namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} - - name: call scripts to deploy api and frontend + - name: Deploy PIMS frontend + shell: bash + run: | + oc tag pims-app:$RELEASE_TAG pims-app:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION + - name: Deploy PIMS api + shell: bash + run: | + oc tag pims-api:$RELEASE_TAG pims-api:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION + - name: Deploy geoserver proxy microservice + shell: bash + run: | + oc tag pims-proxy:$RELEASE_TAG pims-proxy:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION + - name: Deploy mayan + shell: bash run: | - ./openshift/4.0/player.sh deploy api $DESTINATION -apply - ./openshift/4.0/player.sh deploy app $DESTINATION -apply - oc tag pims-proxy:dev pims-proxy:$DESTINATION - oc tag mayan-bcgov:dev mayan-bcgov:$DESTINATION + oc tag mayan-bcgov:$RELEASE_TAG mayan-bcgov:$DESTINATION # the command: # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. diff --git a/.github/workflows/retag-test-to-uat-argo.yml b/.github/workflows/retag-test-to-uat-argo.yml new file mode 100644 index 0000000000..963b21dbf3 --- /dev/null +++ b/.github/workflows/retag-test-to-uat-argo.yml 
@@ -0,0 +1,193 @@
+name: CI-CD Release Test to UAT (ArgoCD)
+env:
+ OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+ # service account: gitaction
+ OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+ OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools"
+ MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }}
+ AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_UAT }}
+ AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }}
+ sync-directory: ./tools/keycloak/sync
+ ASPNETCORE_ENVIRONMENT: "uat"
+
+ ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh
+ APP_PORT: 8080
+ DESTINATION: "uat"
+ OC_JOB_NAME: "uat"
+ GIT_URL: "${{github.server_url}}/${{github.repository}}"
+ GIT_BRANCH: "${{github.ref}}"
+ APP_NAME: "pims"
+ PROJ_PREFIX: "3cd915"
+ PROJ_TOOLS: "3cd915-tools"
+ PROJ_DEV: "dev"
+ PROJ_TEST: "test"
+ PROJ_PROD: "prod"
+ TAG_DEV: "dev"
+ TAG_TEST: "test"
+ TAG_PROD: "prod"
+ INSTANCE: "-uat"
+ NAMESPACE_OVERRIDE: "3cd915-test"
+ RELEASE_TAG: "test"
+ DEPLOYMENT_NAMESPACE: "3cd915-test"
+
+on: workflow_dispatch
+
+jobs:
+ ci-cd-start-notification:
+ name: CI-CD Start Notification to Teams Channel
+ runs-on: ubuntu-latest
+ steps:
+ - name: Start notification to Teams Channel
+ uses: dragos-cojocari/ms-teams-notification@v1.0.2
+ with:
+ github-token: ${{ github.token }}
+ ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
+ notification-summary: PIMS Release DEV to TST Started
+ notification-color: 17a2b8
+ timezone: America/Los_Angeles
+
+ deploy:
+ name: Retag/Deploy to OpenShift
+ needs: ci-cd-start-notification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
+ - name: Deploy PIMS frontend
+ shell: bash
+ run: |
+ oc tag pims-app:$RELEASE_TAG pims-app:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION
+ - name: Deploy PIMS api
+ shell: bash
+ run: |
+ oc tag pims-api:$RELEASE_TAG pims-api:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION
+ - name: Deploy geoserver proxy microservice
+ shell: bash
+ run: |
+ oc tag pims-proxy:$RELEASE_TAG pims-proxy:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION
+ - name: Deploy mayan
+ shell: bash
+ run: |
+ oc tag mayan-bcgov:$RELEASE_TAG mayan-bcgov:$DESTINATION
+
+ # the command:
+ # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template.
+ # 2) greps the generated name from the previous step.
+ # 3) waits for the job to complete using the generated name.
+ database-upgrade:
+ name: Upgrade database
+ needs: [deploy]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-test
+ - name: call scripts to upgrade database
+ shell: bash
+ run: |
+ JOB_NAME=$(oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=test -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*")
+ oc wait --for=condition=complete job/$JOB_NAME --timeout=120s
+ oc get pods -o custom-columns=POD:.metadata.name --no-headers | grep -Eo $JOB_NAME-[^\s].* | (read POD_NAME; oc logs $POD_NAME)
+
+ ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting.
+ ## Note: this depends on the mayan-sync configmap for the target namespace being up to date.
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME 
--timeout=80s) + + ## Call the tekton pipeline that executes the keycloak sync. Dependent on the pims-api being accessible. Can run in parallel with the mayan sync. + keycloak-sync: + name: sync keycloak + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.NAMESPACE_OVERRIDE }} + - name: call scripts to sync keycloak + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/keycloak-sync-pipeline-run.yaml -p ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT -p NAMESPACE=$NAMESPACE_OVERRIDE -p BRANCH=test -p API_URL=http://pims-api-uat:8080/api -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat -p KEYCLOAK_SERVICE_ACCOUNT_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read PIPELINE_NAME; oc wait --for=condition=succeeded pipelineruns/$PIPELINE_NAME --timeout=500s) + + tag-release-image: + name: Release Tag + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-tools + - name: tag uat image such that it can be promoted to prod + shell: bash + run: | + VERSION=$(make version) + oc tag pims-app:uat pims-app:v${VERSION}-master + oc tag pims-api:uat pims-api:v${VERSION}-master + oc tag pims-proxy:uat pims-proxy:v${VERSION}-master + oc tag mayan-bcgov:uat mayan-bcgov:v${VERSION}-master + + ci-cd-end-notification: + name: CI-CD End Notification to Teams Channel + runs-on: ubuntu-latest + needs: [keycloak-sync, mayan-sync] + if: always() + steps: + - name: check workflow status + uses: 
martialonline/workflow-status@v4 + id: check + - name: End notification to Teams Channel + uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS Release TEST to UAT COMPLETED with status ${{ steps.check.outputs.status }} + notification-color: 17a2b8 + timezone: America/Los_Angeles diff --git a/.github/workflows/retag-test-to-uat.yml b/.github/workflows/retag-test-to-uat.yml index e7119db64c..065219d3e7 100644 --- a/.github/workflows/retag-test-to-uat.yml +++ b/.github/workflows/retag-test-to-uat.yml @@ -28,6 +28,7 @@ env: INSTANCE: "-uat" NAMESPACE_OVERRIDE: "3cd915-test" RELEASE_TAG: "test" + DEPLOYMENT_NAMESPACE: "3cd915-test" on: workflow_dispatch @@ -64,6 +65,13 @@ jobs: ./openshift/4.0/player.sh deploy api $DESTINATION -apply ./openshift/4.0/player.sh deploy app $DESTINATION -apply oc tag mayan-bcgov:test mayan-bcgov:$DESTINATION + # the proxy can only be deployed via DEPLOYMENTS (ArgoCD way) + - name: Deploy geoserver proxy microservice + shell: bash + run: | + oc tag pims-proxy:$RELEASE_TAG pims-proxy:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION # the command: # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. @@ -153,6 +161,7 @@ jobs: VERSION=$(make version) oc tag pims-app:uat pims-app:v${VERSION}-master oc tag pims-api:uat pims-api:v${VERSION}-master + oc tag pims-proxy:uat pims-proxy:v${VERSION}-master oc tag mayan-bcgov:uat mayan-bcgov:v${VERSION}-master ci-cd-end-notification: diff --git a/.github/workflows/uat_hotfix_argo.yml b/.github/workflows/uat_hotfix_argo.yml new file mode 100644 index 0000000000..6b656b22b9 --- /dev/null +++ b/.github/workflows/uat_hotfix_argo.yml 
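Review bot: Every `redhat-actions/oc-login@v1` step in the new retag-test-to-uat-argo.yml sets `insecure_skip_tls_verify: true`, so the runner sends `OPENSHIFT_TOKEN` to whatever endpoint answers for `OPENSHIFT_SERVER` without checking its certificate. The new workflows should verify the API server: drop the flag (or set `insecure_skip_tls_verify: false`) and, if the cluster CA is not publicly trusted, supply it from a secret through the action's `certificate_authority_data` input. The same setting is copied into deploy-prod-start-argo.yml, where the token is used against the production namespace, and into uat_hotfix_argo.yml and uat_pre_release_hotfix_argo.yml.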
@@ -0,0 +1,224 @@
+name: UAT Hotfix (ArgoCD)
+env:
+ OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+ # service account: gitaction
+ OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+ OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools"
+ MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }}
+ AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_UAT }}
+ AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }}
+ ASPNETCORE_ENVIRONMENT: "uat"
+
+ ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh
+ APP_PORT: 8080
+ DESTINATION: "uat"
+ OC_JOB_NAME: "test"
+ GIT_URL: "${{github.server_url}}/${{github.repository}}"
+ GIT_BRANCH: "test"
+ APP_NAME: "pims"
+ PROJ_PREFIX: "3cd915"
+ PROJ_TOOLS: "3cd915-tools"
+ PROJ_DEV: "dev"
+ PROJ_TEST: "test"
+ PROJ_PROD: "prod"
+ TAG_DEV: "dev"
+ TAG_TEST: "test"
+ TAG_PROD: "prod"
+ INSTANCE: "-uat"
+ NAMESPACE_OVERRIDE: "3cd915-test"
+ DEPLOYMENT_NAMESPACE: "3cd915-test"
+
+on:
+ workflow_dispatch:
+
+jobs:
+ ci-cd-start-notification:
+ name: CI-CD Start Notification to Teams Channel
+ runs-on: ubuntu-latest
+ steps:
+ - name: Start notification to Teams Channel
+ uses: dragos-cojocari/ms-teams-notification@v1.0.2
+ with:
+ github-token: ${{ github.token }}
+ ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
+ notification-summary: PIMS UAT Hotfix started.
+ notification-color: 17a2b8 + timezone: America/Los_Angeles + + build-frontend: + name: Build frontend + needs: ci-cd-start-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build frontend (pims-app and pims-app-base) + run: | + ./openshift/4.0/player.sh build app-base -apply + ./openshift/4.0/player.sh build app -apply + + build-api: + name: Build api + needs: ci-cd-start-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build backend (pims-api) + run: | + ./openshift/4.0/player.sh build api -apply + ./openshift/4.0/player.sh build proxy -apply + + deploy: + name: Deploy to OpenShift + needs: [build-frontend, build-api] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Deploy PIMS frontend + shell: bash + run: | + oc tag pims-app:latest-$DESTINATION pims-app:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION + - name: Deploy PIMS api + shell: bash + run: | + oc tag 
pims-api:latest-$DESTINATION pims-api:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION + - name: Deploy geoserver proxy microservice + shell: bash + run: | + oc tag pims-proxy:latest-$DESTINATION pims-proxy:$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION + oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION + + # the command: + # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. + # 2) greps the generated name from the previous step. + # 3) waits for the job to complete using the generated name. + database-upgrade: + name: Upgrade database + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to upgrade database + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=test -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s) + + ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting. + ## Note: this depends on the mayan-sync configmap for the target namespace being up to date. 
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME 
--timeout=80s) + + ## Call the tekton pipeline that executes the keycloak sync. Dependent on the pims-api being accessible. Can run in parallel with the mayan sync. + keycloak-sync: + name: sync keycloak + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.NAMESPACE_OVERRIDE }} + - name: call scripts to sync keycloak + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/keycloak-sync-pipeline-run.yaml -p ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT -p NAMESPACE=$NAMESPACE_OVERRIDE -p BRANCH=$DESTINATION -p API_URL=http://pims-api-uat:8080/api | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read PIPELINE_NAME; oc wait --for=condition=succeeded pipelineruns/$PIPELINE_NAME --timeout=500s) + + tag-release-image: + name: Release Tag + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-tools + - name: tag uat image such that it can be promoted to prod + shell: bash + run: | + VERSION=$(make version) + oc tag pims-app:uat pims-app:v${VERSION}-master + oc tag pims-api:uat pims-api:v${VERSION}-master + oc tag pims-proxy:uat pims-proxy:v${VERSION}-master + oc tag mayan-bcgov:uat mayan-bcgov:v${VERSION}-master + + ci-cd-end-notification: + if: always() + name: CI-CD End Notification to Teams Channel + runs-on: ubuntu-latest + needs: [mayan-sync, keycloak-sync] + steps: + - name: check workflow status + uses: martialonline/workflow-status@v4 + id: check + - name: End notification to Teams Channel + 
uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS UAT Hotfix complete with status ${{ steps.check.outputs.status }} + notification-color: 17a2b8 + timezone: America/Los_Angeles diff --git a/.github/workflows/uat_pre_release_hotfix_argo.yml b/.github/workflows/uat_pre_release_hotfix_argo.yml new file mode 100644 index 0000000000..6fb30a0591 --- /dev/null +++ b/.github/workflows/uat_pre_release_hotfix_argo.yml 
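Review bot: The workflow-level `env:` block in uat_hotfix_argo.yml places `OPENSHIFT_TOKEN` and both Keycloak secrets in the environment of every step of every job, including the third-party `dragos-cojocari/ms-teams-notification@v1.0.2` and `martialonline/workflow-status@v4` actions, which are referenced by mutable tags. Scoping each secret to the step that needs it (the oc-login steps could take `${{ secrets.OPENSHIFT_TOKEN }}` directly in `with:`) and pinning third-party actions to a full commit SHA, e.g. `uses: dragos-cojocari/ms-teams-notification@<full-commit-sha> # v1.0.2`, limits what a re-pointed tag could read. `AUTH__KEYCLOAK__SECRET` and `AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET` are not referenced by any step visible in this file; `player.sh` is not shown and may read them, so confirm before removing them. The other new *-argo.yml workflows use the same `env:` layout.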
@@ -0,0 +1,272 @@
+name: UAT Pre-Release Hotfix (ArgoCD)
+env:
+ OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+ # service account: gitaction
+ OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+ OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools"
+ MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }}
+ AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_UAT }}
+ AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }}
+ ASPNETCORE_ENVIRONMENT: "uat"
+
+ ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh
+ APP_PORT: 8080
+ DESTINATION: "uat"
+ OC_JOB_NAME: "test"
+ GIT_URL: "${{github.server_url}}/${{github.repository}}"
+ GIT_BRANCH: "test"
+ APP_NAME: "pims"
+ PROJ_PREFIX: "3cd915"
+ PROJ_TOOLS: "3cd915-tools"
+ PROJ_DEV: "dev"
+ PROJ_TEST: "test"
+ PROJ_PROD: "prod"
+ TAG_DEV: "dev"
+ TAG_TEST: "test"
+ TAG_PROD: "prod"
+ INSTANCE: "-uat"
+ NAMESPACE_OVERRIDE: "3cd915-test"
+ DEPLOYMENT_NAMESPACE: "3cd915-test"
+
+on:
+ workflow_dispatch:
+ inputs:
+ HOTFIX_BRANCH:
+ description: "Enter the name of the branch containing the hotfix"
+ required: true
+
+jobs:
+ ci-cd-start-notification:
+ name: CI-CD Start Notification to Teams Channel
+ runs-on: ubuntu-latest
+ steps:
+ - name: Start notification to Teams Channel
+ uses: dragos-cojocari/ms-teams-notification@v1.0.2
+ with:
+ github-token: ${{ github.token }}
+ ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
+ notification-summary: PIMS UAT Pre-Release Hotfix started.
+ notification-color: 17a2b8
+ timezone: America/Los_Angeles
+
+ create-builds:
+ name: create builds
+ needs: ci-cd-start-notification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-tools
+ - name: create all PSP build configurations for branch
+ shell: bash
+ run: |
+ oc process -f ./openshift/s2i/nginx-runtime/nginx-runtime.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f -
+ oc process -f ./openshift/4.0/templates/api/build.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f -
+ oc process -f ./openshift/4.0/templates/app/build.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" -p RUNTIMEIMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f -
+
+ build-frontend:
+ name: Build frontend
+ needs: create-builds
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
+ - name: Call script to build frontend (pims-app and pims-app-base)
+ run: |
+ OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && export OVERRIDE_APP_NAME=true && ./openshift/4.0/player.sh build nginx-runtime -apply
+ OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && unset OVERRIDE_APP_NAME && ./openshift/4.0/player.sh
build app-base -apply
+ OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && ./openshift/4.0/player.sh build app -apply
+
+ build-api:
+ name: Build api
+ needs: create-builds
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
+ - name: Call script to build backend (pims-api)
+ run: |
+ OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && ./openshift/4.0/player.sh build api -apply
+ OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && ./openshift/4.0/player.sh build proxy -apply
+
+ deploy:
+ name: Deploy to OpenShift
+ needs: [build-frontend, build-api]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
+ - name: Deploy PIMS frontend
+ shell: bash
+ run: |
+ export RELEASE_TAG=latest-${{github.event.inputs.HOTFIX_BRANCH}}
+ oc tag pims-app:$RELEASE_TAG pims-app:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION
+ - name: Deploy PIMS api
+ shell: bash
+ run: |
+ export RELEASE_TAG=latest-${{github.event.inputs.HOTFIX_BRANCH}}
+ oc tag pims-api:$RELEASE_TAG pims-api:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION
+ - name: Deploy geoserver proxy microservice
+ shell: bash
+ run: |
+ export
RELEASE_TAG=latest-${{github.event.inputs.HOTFIX_BRANCH}}
+ oc tag pims-proxy:$RELEASE_TAG pims-proxy:$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION
+ oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION
+
+ # the command:
+ # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template.
+ # 2) greps the generated name from the previous step.
+ # 3) waits for the job to complete using the generated name.
+ database-upgrade:
+ name: Upgrade database
+ needs: [deploy]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-test
+ - name: call scripts to upgrade database
+ shell: bash
+ run: |
+ oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=${{github.event.inputs.HOTFIX_BRANCH}} -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s)
+
+ ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting.
+ ## Note: this depends on the mayan-sync configmap for the target namespace being up to date.
+ mayan-sync:
+ name: sync mayan
+ needs: database-upgrade
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-test
+ - name: call scripts to sync mayan
+ shell: bash
+ run: |
+ oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)
+ oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)
+ oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME
--timeout=80s)
+
+ ## Call the tekton pipeline that executes the keycloak sync. Dependent on the pims-api being accessible. Can run in parallel with the mayan sync.
+ keycloak-sync:
+ name: sync keycloak
+ needs: database-upgrade
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.NAMESPACE_OVERRIDE }}
+ - name: call scripts to sync keycloak
+ shell: bash
+ run: |
+ oc process -f ./openshift/4.0/templates/jobs/keycloak-sync-pipeline-run.yaml -p ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT -p NAMESPACE=$NAMESPACE_OVERRIDE -p BRANCH=$DESTINATION -p API_URL=http://pims-api-uat:8080/api | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read PIPELINE_NAME; oc wait --for=condition=succeeded pipelineruns/$PIPELINE_NAME --timeout=500s)
+
+ tag-release-image:
+ name: Release Tag
+ needs: [deploy]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-tools
+ - name: tag uat image such that it can be promoted to prod
+ shell: bash
+ run: |
+ VERSION=$(make version)
+ oc tag pims-app:uat pims-app:v${VERSION}-master
+ oc tag pims-api:uat pims-api:v${VERSION}-master
+ oc tag pims-proxy:uat pims-api:v${VERSION}-master
+
+ ci-cd-end-notification:
+ if: always()
+ name: CI-CD End Notification to Teams Channel
+ runs-on: ubuntu-latest
+ needs: [mayan-sync, keycloak-sync]
+ steps:
+ - name: check workflow status
+ uses: martialonline/workflow-status@v4
+ id: check
+ - name: End notification to Teams Channel
+ uses: dragos-cojocari/ms-teams-notification@v1.0.2
+ with:
+ github-token: ${{ github.token }}
+ ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
+ notification-summary: PIMS UAT Pre-Release Hotfix complete with status ${{ steps.check.outputs.status }}
+ notification-color: 17a2b8
+ timezone: America/Los_Angeles
+
+ cleanup-builds:
+ if: always()
+ name: cleanup builds
+ needs: ci-cd-end-notification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source Code
+ uses: actions/checkout@v4
+ - name: Login to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: 3cd915-tools
+ - name: create all PSP build configurations for branch
+ shell: bash
+ run: |
+ oc delete bc --selector ci_cd=true
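Review bot: In the `tag-release-image` job the last command is `oc tag pims-proxy:uat pims-api:v${VERSION}-master`, so the proxy image overwrites the api release tag written one line earlier and no `pims-proxy:v${VERSION}-master` tag is created. Since the step is named as preparing images for promotion to prod, a later promotion by that tag would presumably pick up the proxy image as pims-api; the line should read `oc tag pims-proxy:uat pims-proxy:v${VERSION}-master`. Separately, `${{github.event.inputs.HOTFIX_BRANCH}}` is expanded directly into the `run:` scripts of create-builds, build-frontend, build-api, deploy and database-upgrade, so the branch name is parsed as shell text in jobs that hold the OpenShift token. Pass it through a step-level `env:` entry such as `HOTFIX_BRANCH: ${{ github.event.inputs.HOTFIX_BRANCH }}` and reference it quoted as `"$HOTFIX_BRANCH"`. Every `oc-login` step also sets `insecure_skip_tls_verify: true`, which sends that token without verifying the server certificate; a comment saying why verification is disabled, or supplying the cluster CA instead, would help.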