Revert "Avoid socket hangup: enhance Keycloak auth in group service w… #2750
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Deploy | |
on: | |
push: | |
branches: [feature/*, dev, test] | |
env: | |
REGISTRY: ghcr.io | |
REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }} | |
REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Docker meta | |
id: docker_meta | |
uses: docker/metadata-action@v3 | |
with: | |
images: ${{ env.REGISTRY }}/bcgov/api-services-portal/api-services-portal | |
- name: Set DEPLOY_ID which will deploy a custom deploy to 'dev' environment | |
run: | | |
echo '::set-output name=DEPLOY_ID::${{ steps.docker_meta.outputs.version }}' | |
echo '::set-output name=APP_VERSION::${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}' | |
echo '::set-output name=APP_REVISION::${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}' | |
id: set-deploy-id | |
- name: Get deploy ID | |
run: echo "The DEPLOY_ID is ${{ steps.set-deploy-id.outputs.DEPLOY_ID }}" | |
- uses: actions/checkout@v2 | |
- name: Install oc | |
uses: redhat-actions/oc-installer@v1 | |
with: | |
version: '4.6' | |
- name: Authenticate to silver and set context | |
uses: redhat-actions/oc-login@v1 | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
# Disables SSL cert checking. Use this if you don't have the certificate authority data. | |
insecure_skip_tls_verify: true | |
namespace: ${{ env.OPENSHIFT_NAMESPACE }} | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ env.REGISTRY_USERNAME }} | |
password: ${{ env.REGISTRY_PASSWORD }} | |
- uses: actions/cache@v2 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v1 | |
- name: Build | |
uses: docker/build-push-action@v2 | |
with: | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache | |
context: . | |
file: Dockerfile | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
load: true | |
build-args: | | |
GITHUB_API_TOKEN=${{ secrets.CONTAINER_REGISTRY_PASSWORD }} | |
APP_VERSION=${{ steps.set-deploy-id.outputs.APP_VERSION }} | |
APP_REVISION=${{ steps.set-deploy-id.outputs.APP_REVISION }} | |
- name: Push | |
run: docker push ${{ steps.docker_meta.outputs.tags }} | |
- name: 'Get Helm' | |
if: github.ref != 'refs/heads/dev' | |
run: | | |
curl -L -O https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz | |
tar -xf helm-v3.4.2-linux-amd64.tar.gz | |
- name: 'Deploy Database' | |
if: github.ref != 'refs/heads/dev' | |
run: | | |
export PATH=$PATH:`pwd`/linux-amd64 | |
echo ' | |
image: | |
registry: docker.pkg.github.com | |
repository: bcgov-dss/api-serv-infra/mongodb | |
tag: 5.0-7a639fba | |
pullPolicy: IfNotPresent | |
pullSecrets: | |
- dev-github-read-packages-creds | |
auth: | |
rootPassword: "s3cr3t" | |
serviceAccount: | |
create: false | |
name: asp-service-account | |
arbiter: | |
enabled: false | |
rbac: | |
create: true | |
updateStrategy: | |
type: RollingUpdate | |
rollingUpdate: | |
maxSurge: 0 | |
maxUnavailable: 100% | |
readinessProbe: | |
timeoutSeconds: 30 | |
periodSeconds: 120 | |
livenessProbe: | |
timeoutSeconds: 30 | |
periodSeconds: 120 | |
persistence: | |
enabled: true | |
size: 2Gi | |
resources: | |
requests: | |
cpu: 85m | |
memory: 480M | |
limits: | |
cpu: 300m | |
memory: 720M | |
podSecurityContext: | |
enabled: true | |
fsGroup: ${{ secrets.RUNNING_UID_GID }} | |
containerSecurityContext: | |
enabled: true | |
runAsUser: ${{ secrets.RUNNING_UID_GID }} | |
' > values.yaml | |
helm repo add bitnami https://charts.bitnami.com/bitnami | |
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --version 12.1.31 -f values.yaml --history-max 3 bitnami/mongodb | |
- name: 'Deploy Backend' | |
if: github.ref != 'refs/heads/dev' | |
run: | | |
export PATH=$PATH:`pwd`/linux-amd64 | |
echo " | |
podAnnotations: | |
sha: $GITHUB_SHA | |
replicaCount: 1 | |
rollingUpdate: | |
maxUnavailable: 100% | |
maxSurge: 0% | |
image: | |
repository: ${{ env.REGISTRY }}/bcgov/api-services-portal/api-services-portal | |
tag: ${{ steps.set-deploy-id.outputs.DEPLOY_ID }} | |
pullPolicy: Always | |
imagePullSecrets: | |
- name: dev-github-read-packages-creds | |
podSecurityContext: | |
fsGroup: ${{ secrets.RUNNING_UID_GID }} | |
securityContext: | |
runAsUser: ${{ secrets.RUNNING_UID_GID }} | |
containerPort: 3000 | |
resources: | |
requests: | |
cpu: 20m | |
memory: 400M | |
limits: | |
cpu: 100m | |
memory: 800M | |
serviceAccount: | |
create: false | |
name: asp-service-account | |
oauthProxy: | |
enabled: true | |
image: | |
repository: ${{ env.REGISTRY }}/bcgov-dss/api-serv-infra/oauth2-proxy | |
tag: 7.2.1-8c743f0c | |
pullPolicy: IfNotPresent | |
config: | |
upstream: http://127.0.0.1:3000 | |
client-id: ${{ secrets.OIDC_CLIENT_ID }} | |
client-secret: ${{ secrets.OIDC_CLIENT_SECRET }} | |
oidc-issuer-url: ${{ secrets.OIDC_ISSUER }} | |
redirect-url: https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback | |
skip-auth-regex: '/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed/|/signout|/content|^[/]$' | |
whitelist-domain: authz-apps-gov-bc-ca.dev.api.gov.bc.ca | |
skip-provider-button: 'true' | |
profile-url: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo | |
insecure-oidc-allow-unverified-email: 'true' | |
oidc-email-claim: 'sub' | |
pass-basic-auth: 'false' | |
pass-access-token: 'true' | |
set-xauthrequest: 'true' | |
skip-jwt-bearer-tokens: 'false' | |
set-authorization-header: 'false' | |
pass-authorization-header: 'false' | |
env: | |
SESSION_SECRET: | |
value: '234873290483290' | |
secure: true | |
AUTH_STRATEGY: | |
value: Oauth2Proxy | |
KONG_URL: | |
value: '${{ secrets.KONG_URL_DEV}}' | |
MONGO_URL: | |
value: 'mongodb://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db-mongodb:27017' | |
MONGO_USER: | |
value: root | |
secure: true | |
MONGO_PASSWORD: | |
value: s3cr3t | |
secure: true | |
FEEDER_URL: | |
value: 'http://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder-generic-api' | |
GITHUB_API_TOKEN: | |
value: '${{ secrets.GH_TOKEN_FOR_CONTENT}}' | |
secure: true | |
OIDC_ISSUER: | |
value: '${{ secrets.OIDC_ISSUER }}' | |
JWKS_URL: | |
value: '${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/certs' | |
EXTERNAL_URL: | |
value: 'https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca' | |
SSR_API_ROOT: | |
value: 'http://localhost:7999' | |
NEXT_PUBLIC_API_ROOT: | |
value: 'https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca' | |
NEXT_PUBLIC_GRAFANA_URL: | |
value: 'https://grafana-apps-gov-bc-ca.dev.api.gov.bc.ca' | |
NEXT_PUBLIC_KUBE_CLUSTER: | |
value: 'feature-silver' | |
NEXT_PUBLIC_HELP_DESK_URL: | |
value: 'https://dpdd.atlassian.net/servicedesk/customer/portal/1/group/2' | |
NEXT_PUBLIC_HELP_CHAT_URL: | |
value: 'https://chat.developer.gov.bc.ca/channel/aps-ops' | |
NEXT_PUBLIC_HELP_ISSUE_URL: | |
value: 'https://github.com/bcgov/api-services-portal/issues' | |
NEXT_PUBLIC_HELP_API_DOCS_URL: | |
value: '/ds/api/v3/console/' | |
NEXT_PUBLIC_HELP_SUPPORT_URL: | |
value: 'https://developer.gov.bc.ca/docs/default/component/aps-infra-platform-docs/' | |
NEXT_PUBLIC_HELP_RELEASE_URL: | |
value: 'https://developer.gov.bc.ca/docs/default/component/aps-infra-platform-docs/reference/releases/' | |
NEXT_PUBLIC_HELP_STATUS_URL: | |
value: 'https://uptime.com/s/bcgov-dss' | |
NEXT_PUBLIC_DEVELOPER_IDS: | |
value: 'idir,bceid,bcsc,github' | |
NEXT_PUBLIC_PROVIDER_IDS: | |
value: 'idir' | |
NEXT_PUBLIC_ACCOUNT_BCEID_URL: | |
value: 'https://www.test.bceid.ca/logon.aspx?returnUrl=/profile_management' | |
NEXT_PUBLIC_ACCOUNT_BCSC_URL: | |
value: 'https://id.gov.bc.ca/account/' | |
GWA_API_URL: | |
value: 'https://gwa-api-gov-bc-ca.dev.api.gov.bc.ca' | |
GWA_PROD_ENV_SLUG: | |
value: 'FB000000' | |
GWA_RES_SVR_CLIENT_ID: | |
value: '${{ secrets.OIDC_CLIENT_ID }}' | |
secure: true | |
GWA_RES_SVR_CLIENT_SECRET: | |
value: '${{ secrets.OIDC_CLIENT_SECRET }}' | |
secure: true | |
KEYCLOAK_AUTH_URL: | |
value: '${{ secrets.KEYCLOAK_AUTH }}' | |
KEYCLOAK_REALM: | |
value: '${{ secrets.KEYCLOAK_REALM }}' | |
COOKIE_SECURE: | |
value: 'true' | |
LOG_LEVEL: | |
value: 'debug' | |
DISABLE_LOGGING: | |
value: 'true' | |
EMAIL_ENABLED: | |
value: 'true' | |
EMAIL_FROM: | |
value: '[email protected]' | |
EMAIL_HOST: | |
value: 'apps.smtp.gov.bc.ca' | |
readinessProbe: | |
exec: | |
command: | |
- sh | |
- -c | |
- 'state=\$(curl -XGET -m 2 --silent -f -H \"Accept: application/json\" http://localhost:3000/health | jq -r \".status | ascii_downcase\"); if [ ! \"\$state\" == \"ready\" ]; then exit 1; fi' | |
timeoutSeconds: 3 | |
periodSeconds: 10 | |
" > values.yaml | |
helm repo add bcgov http://bcgov.github.io/helm-charts | |
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }} -f values.yaml --history-max 3 bcgov/generic-api | |
- name: 'Deploy Routes' | |
if: github.ref != 'refs/heads/dev' | |
run: | | |
export PATH=$PATH:`pwd`/linux-amd64 | |
echo " | |
routes: | |
- host: api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca | |
targetPort: http | |
service: proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-generic-api | |
wildcardPolicy: None | |
tls: | |
termination: edge | |
" > values.yaml | |
helm repo add bcgov http://bcgov.github.io/helm-charts | |
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-routes -f values.yaml --history-max 3 bcgov/ocp-route | |
- name: 'Seed Data' | |
if: github.ref != 'refs/heads/dev' | |
run: | | |
export PATH=$PATH:`pwd`/linux-amd64 | |
cd .github/workflows | |
SERVICE=proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder-generic-api \ | |
PORTAL_URL=https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca \ | |
OIDC_ISSUER=${{ secrets.OIDC_ISSUER }} \ | |
OIDC_CLIENT_ID=${{ secrets.OIDC_CLIENT_ID }} \ | |
OIDC_CLIENT_SECRET=${{ secrets.OIDC_CLIENT_SECRET }} \ | |
./scripts/init.sh | |
- name: Authenticate to Gold and set context | |
if: github.ref == 'refs/heads/test' | |
uses: redhat-actions/oc-login@v1 | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_GOLD_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_GOLD_TOKEN }} | |
insecure_skip_tls_verify: true | |
namespace: ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }} | |
- name: 'Restart Portal in Gold Test Namespace' | |
if: github.ref == 'refs/heads/test' | |
run: | | |
oc rollout restart deployment/bcgov-aps-portal-generic-api -n ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }} | |
oc rollout restart deployment/bcgov-aps-portal-batch-generic-api -n ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }} | |
- name: 'Create Pull Request for Release' | |
if: github.ref == 'refs/heads/test' | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const { repo, owner } = context.repo; | |
const openPrs = await github.rest.pulls.list({ | |
owner, | |
repo, | |
head: '${{ github.ref_name }}', | |
base: 'main', | |
state: 'open' | |
}) | |
if(openPrs.data.length === 0){ | |
await github.rest.pulls.create({ | |
title: 'Create Latest Release', | |
owner, | |
repo, | |
head: '${{ github.ref_name }}', | |
base: 'main', | |
body: [ | |
'This Pull Request is auto-created by [actions/github-script](https://github.com/actions/github-script).', | |
'Please update this PR with appropriate labels to target specific type of release' | |
].join('\n\n'), | |
draft: true | |
}); | |
} else { | |
console.log("There is already an open Pull Request in place.\n") | |
openPrs.data.forEach((item) => { | |
console.log(item.html_url) | |
}) | |
} |