From 014752470fa3e19f4f84820b018374c1c61aab3c Mon Sep 17 00:00:00 2001 From: Rajpal Chauhan Date: Fri, 8 Mar 2024 10:04:36 -0800 Subject: [PATCH] Adding labels to endorser-db to match other services Signed-off-by: Rajpal Chauhan --- .github/workflows/actions/deploy/action.yaml | 113 +++++++ .github/workflows/main.yaml | 317 +++++++++++++++++++ 2 files changed, 430 insertions(+) create mode 100644 .github/workflows/actions/deploy/action.yaml create mode 100644 .github/workflows/main.yaml diff --git a/.github/workflows/actions/deploy/action.yaml b/.github/workflows/actions/deploy/action.yaml new file mode 100644 index 00000000..76cc7584 --- /dev/null +++ b/.github/workflows/actions/deploy/action.yaml 
@@ -0,0 +1,113 @@
+name: Deploy
+description: Deploy to OpenShift namespace
+
+inputs:
+ environment:
+ description: The environment to which the image will be deployed.
+ required: true
+
+ # Image parameters
+ ghcr_token:
+ description: The token to use to login to the GHCR.
+ required: true
+ github_image_name:
+ description: The name of the image in the GHCR to be deployed.
+ required: true
+ image_digest:
+ description: The digest of the image to be deployed. Identifies the unique image tag in the GHCR.
+ required: true
+ openshift_image_name:
+ description: The name of the image to use when pushing to OpenShift.
+ required: true
+
+ # OpenShift parameters
+ openshift_server_url:
+ description: The URL of the OpenShift server.
+ required: true
+ namespace:
+ description: The OpenShift namespace where the image is to be deployed.
+ required: true
+ deployment_configuration:
+ description: The name of the OpenShift deployment configuration triggered by the new image.
+ required: true
+ openshift_token:
+ description: The token used to authenticate with the OpenShift server.
+ required: true
+
+ # rocket.chat notification parameters
+ rocketchat_webhook:
+ description: The URL to use for posting notifications to rocket.chat.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Log in to the GHCR
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ inputs.ghcr_token }}
+
+ - name: Setup Openshift CLI
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ inputs.openshift_server_url }}
+ openshift_token: ${{ inputs.openshift_token }}
+
+ - name: Login in to OpenShift container registry
+ shell: bash
+ env:
+ REGISTRY_AUTH_PREFERENCE: docker
+ run: |
+ oc version
+ docker version
+
+ # Openshift pipeline is currently running on 14.4.6 version and according to
+ # the new red hat article - https://access.redhat.com/articles/7042033
+ # the Podman auth configuration locations are preferred over Docker configuration locations.
+
+ # In order to avoid the "unauthorized: authentication required error" and
+ # make github actions job run successfully make sure when we try to login to openshift registry
+ # we need to define the oc registry login --to="${HOME}/.docker/config.json" in the oc login action step.
+
+ # This was not an issue when Openshift pipeline was running on 14.2 or 14.3 version
+ # but since Openshift upgraded to 14.4 version it started giving warning
+ # message : the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json"
+ # to podman registry config locations in the future version of oc.
+ # "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials
+ # as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order
+ # of podman registry config locations.
+ oc registry login --to="${HOME}/.docker/config.json"
+
+ - name: Tag the image in the GHCR as ${{ inputs.environment }}
+ shell: bash
+ run: |
+ docker pull ${{ inputs.github_image_name }}@${{ inputs.image_digest }}
+ docker tag ${{ inputs.github_image_name }}@${{ inputs.image_digest }} ${{ inputs.github_image_name }}:${{ inputs.environment }}
+ docker push ${{ inputs.github_image_name }}:${{ inputs.environment }}
+
+ - name: Tag the image in the OpenShift container registry as ${{ inputs.environment }}
+ shell: bash
+ run: |
+ docker pull ${{ inputs.github_image_name }}@${{ inputs.image_digest }}
+ docker tag ${{ inputs.github_image_name }}@${{ inputs.image_digest }} ${{ inputs.openshift_image_name }}:${{ inputs.environment }}
+ docker push ${{ inputs.openshift_image_name}}:${{ inputs.environment }}
+
+ - name: Trigger OpenShift rollout
+ shell: bash
+ run: |
+ echo starting rollout in ${{ inputs.namespace }}
+ oc -n ${{ inputs.namespace }} rollout status dc/${{ inputs.deployment_configuration }} --watch
+
+ # - name: Rocket.Chat Notification
+ # uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@1.1.1
+ # if: always()
+ # with:
+ # type: ${{ job.status }}
+ # job_name: '*Deployment to ${{ inputs.environment }}*'
+ # mention: 'here'
+ # mention_if: 'failure'
+ # channel: '#ditp-gha-notifications'
+ # url: ${{ inputs.rocketchat_webhook }}
+ # commit: true
\ No newline at end of file
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 00000000..6b4c7c8a
--- /dev/null
+++ b/.github/workflows/main.yaml
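Review bot: The `docker/login-action@v2` and `redhat-actions/oc-login@v1` steps are pinned by floating major tags while receiving the GHCR token and the OpenShift token, so a moved or tampered tag in either upstream repository would run with both credentials; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v2`, and note that main.yaml in this same patch already uses `docker/login-action@v3`, so the two should at least agree. The `run:` scripts also splice `${{ inputs.* }}` straight into bash; these values come from the caller's matrix and job outputs rather than from event data, but routing them through `env:` and expanding `"$IMAGE_DIGEST"` in the script costs nothing and removes the need to audit every future caller. Separately, the 'Trigger OpenShift rollout' step only runs `oc rollout status --watch` and never starts a rollout itself; it appears to rely on the preceding push to the internal registry firing an image-change trigger, and if the DeploymentConfig has no such trigger the step would report the previous rollout as success. Either record that assumption in a comment above the step or run `oc -n ${NAMESPACE} rollout latest dc/${DEPLOYMENT}` explicitly before watching.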
@@ -0,0 +1,317 @@ +name: Build and Deploy Image + +on: + workflow_dispatch: + push: + branches: + - label + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + GITHUB_IMAGE_REPO: ghcr.io/bcgov/dts-endorser-service/ + OPENSHIFT_IMAGE_REPO: image-registry.apps.silver.devops.gov.bc.ca/4a9599-tools/ + APP_NAMES: aries-endorser-agent,aries-endorser-db,aries-endorser-backup,aries-endorser-proxy,aries-endorser-api + +jobs: + build: + if: (github.repository == 'bcgov/dts-endorser-service') || (github.event_name == 'workflow_dispatch' && github.event.inputs.service) + name: Build Image + permissions: + packages: write + runs-on: ubuntu-latest + strategy: + matrix: + include: + - service: aries-endorser-agent + GIT_REPO_URL: ${{ github.event.inputs.endorser_agent_git_repo_url || 'hyperledger/aries-endorser-service' }} + GIT_REF: "" + DOCKER_FILE_PATH: Dockerfile.acapy # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: docker/acapy # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: "" + SOURCE_IMAGE_NAME: "" + SOURCE_IMAGE_TAG: "" + REGISTRY_USERNAME_SECRET_NAME: "" + REGISTRY_PASSWORD_SECRET_NAME: "" + - service: aries-endorser-db + GIT_REPO_URL: hyperledger/aries-endorser-service + GIT_REF: "" + SOURCE_CONTEXT_DIR: docker/wallet/config + SOURCE_IMAGE_REGISTRY: "quay.io/" + SOURCE_IMAGE_NAME: "fedora/postgresql-13" + SOURCE_IMAGE_TAG: "13" + - service: aries-endorser-backup + GIT_REPO_URL: BCDevOps/backup-container + GIT_REF: 2.5.1 + DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: docker # The context dir, context, sets the context for the build. i.e. 
where the build will source files from + SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/ + SOURCE_IMAGE_NAME: centos/postgresql-13-centos7 + SOURCE_IMAGE_TAG: 20210722-70dc4d3 + REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME + REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD + - service: aries-endorser-proxy + GIT_REF: "" + DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: proxy # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: "artifacts.developer.gov.bc.ca/docker-remote/" + SOURCE_IMAGE_NAME: caddy + SOURCE_IMAGE_TAG: latest + REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME + REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD + - service: aries-endorser-api + GIT_REPO_URL: hyperledger/aries-endorser-service + GIT_REF: "" + DOCKER_FILE_PATH: Dockerfile.endorser # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: endorser # The context dir, context, sets the context for the build. i.e. 
where the build will source files from + SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/ + SOURCE_IMAGE_NAME: python + SOURCE_IMAGE_TAG: 3.10-slim-buster + REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME + REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD + outputs: + aries-endorser-agent_digest: ${{ steps.digest.outputs.aries-endorser-agent_digest }} + aries-endorser-backup_digest: ${{ steps.digest.outputs.aries-endorser-backup_digest }} + aries-endorser-api_digest: ${{ steps.digest.outputs.aries-endorser-api_digest }} + aries-endorser-proxy_digest: ${{ steps.digest.outputs.aries-endorser-proxy_digest }} + aries-endorser-db_digest: ${{ steps.digests.outputs.aries-endorser-db_digest }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ matrix.GIT_REPO_URL }} + ref: ${{ matrix.GIT_REF }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to image registry + if: matrix.REGISTRY_USERNAME_SECRET_NAME != ''&& matrix.SOURCE_IMAGE_REGISTRY != '' + uses: docker/login-action@v3 + with: + registry: ${{ matrix.SOURCE_IMAGE_REGISTRY }} + username: ${{ secrets[matrix.REGISTRY_USERNAME_SECRET_NAME]}} + password: ${{ secrets[matrix.REGISTRY_PASSWORD_SECRET_NAME]}} + + - name: Create Dockerfile for ${{ matrix.service }} + if: contains(fromJSON('["aries-endorser-proxy"]'), matrix.service) + run: | + BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + echo "$BASE_IMAGE" + mkdir "${{ matrix.SOURCE_CONTEXT_DIR }}" && cd "${{ matrix.SOURCE_CONTEXT_DIR }}" + echo "FROM ${BASE_IMAGE}" > Dockerfile + echo "RUN chown 1001:root /usr/bin/caddy" >> Dockerfile + + - name: Prepare docker tags for image + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + flavor: | + latest=true + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + 
type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha,value=latest + labels: | + ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} + ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} + + - name: Update Docker base image + if: matrix.SOURCE_IMAGE_REGISTRY != '' && contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + run: | + BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + sed -i -e "s;FROM .*;FROM ${BASE_IMAGE};g" "${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}" + + - name: Extract Tags + id: extract + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + tags=$(echo "${{ steps.meta.outputs.tags }}" | grep -oE ':([^[:space:]]+)' | sed '/label/d' | sed 's/://g' | tr '\n' ' ') + single_tag=$(echo "$tags" | cut -d " " -f 1) + remaining_tags=$(echo "$tags" | cut -d' ' -f2-) + echo "tags=$tags" >> $GITHUB_OUTPUT + echo "single_tag=$single_tag" >> $GITHUB_OUTPUT + echo "remaining_tags=$remaining_tags" >> $GITHUB_OUTPUT + + - name: Pull database image + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + docker pull ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }} + # The docs for redhat-actions/s2i-build imply that the pull should not be needed, yet in practice the build fails if the pull is not done first to make the image local. 
+ + - name: Build database image + id: build_image + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + uses: redhat-actions/s2i-build@v2 + with: + path_context: ${{ matrix.SOURCE_CONTEXT_DIR}} + builder_image: "${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + image: ${{ matrix.service }} + tags: ${{ steps.extract.outputs.tags }} + # labels would have to be added to the image after the S2I build + + - name: Apply Labels and tags to Database Image + id: apply_labels + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + echo "FROM ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }}" | docker build -t ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }} --label ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} --label ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} - + - name: Apply Tags to Docker Image + run: | + remaining_tags="${{ steps.extract.outputs.remaining_tags }}" + image_name="${{ steps.build_image.outputs.image }}" + IFS=' ' read -r -a tags_array <<< "$remaining_tags" + # Loop through the tags and apply each one to the Docker image + for tag in "${tags_array[@]}"; do + docker tag "$image_name:${{ steps.extract.outputs.single_tag }}" "$image_name:$tag" + done + + - name: Push database image + id: push + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + uses: redhat-actions/push-to-registry@v2 + with: + tags: ${{ steps.build_image.outputs.tags }} + image: ${{ steps.build_image.outputs.image }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ${{ env.GITHUB_IMAGE_REPO }} + + - name: Log in to the GHCR + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: 
${{ secrets.GITHUB_TOKEN }} + + - name: Build and push Docker image + id: docker_build + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + uses: docker/build-push-action@v5 + with: + context: ${{ matrix.SOURCE_CONTEXT_DIR }} + file: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }} + push: true + tags: ${{ steps.meta.outputs.tags }} + outputs: type=image,name=target + labels: | + ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} + ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} + + - name: Display ${{ matrix.service }} image results + id: digests + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + echo "registry_path=${{ steps.push.outputs.registry-paths }}" + digest=${{ steps.push.outputs.digest }} + echo "digest=${digest}" + echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT + + - name: Display ${{ matrix.service}} image results + id: digest + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + run: | + echo 'imageid=${{ steps.docker_build.outputs.imageid }}' + digest=${{ steps.docker_build.outputs.digest }} + echo "digest=${digest}" + echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT + + # deploy2dev: + # needs: build + # env: + # ENVIRONMENT: dev + # permissions: + # packages: write + # runs-on: ubuntu-latest + # environment: dev + # strategy: + # # Serialize the deployments + # max-parallel: 1 + # matrix: + # include: + # - service: aries-endorser-db + # - service: aries-endorser-agent + # - service: aries-endorser-backup + # - service: aries-endorser-proxy + # - service: aries-endorser-api + + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + + # - name: Deploy to ${{ env.ENVIRONMENT }} + # uses: ./.github/workflows/actions/deploy + # with: + # environment: ${{ 
env.ENVIRONMENT }} + # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + # image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} + # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} + # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # namespace: ${{ vars.NAMESPACE }} + # deployment_configuration: ${{ matrix.service }} + # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} + + # deploy2test: + # needs: [build, deploy2dev] + # env: + # ENVIRONMENT: test + # permissions: + # packages: write + # runs-on: ubuntu-latest + # environment: test + + # steps: + # - name: Checkout + # uses: actions/checkout@v3 + + # - name: deploy to ${{ env.ENVIRONMENT }} + # uses: ./.github/workflows/actions/deploy + # with: + # environment: ${{ env.ENVIRONMENT }} + # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + # image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} + # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} + # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # namespace: ${{ vars.NAMESPACE }} + # deployment_configuration: ${{ matrix.service }} + # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} + + # # deploy2prod: + # # needs: [build, deploy2dev, deploy2test] + # # env: + # # ENVIRONMENT: prod + # # permissions: + # # packages: write + # # runs-on: ubuntu-latest + # # environment: prod + + # # steps: + # # - name: Checkout + # # uses: actions/checkout@v3 + + # # - name: deploy to prod + # # uses: ./.github/workflows/actions/deploy + # # with: + # # environment: ${{ env.ENVIRONMENT }} + # # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ env.APP_NAME }} + # # 
image_digest: ${{ needs.build.outputs.image_digest }} + # # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ env.APP_NAME }} + # # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # # namespace: ${{ vars.NAMESPACE }} + # # deployment_configuration: ${{ env.APP_NAME }} + # # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}`` \ No newline at end of file
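Review bot: The `ca.bc.gov.digitaltrust.build.source-location` and `commit.id` labels record `github.repositoryUrl` and `github.sha` of this workflow's repository, but the agent, api and db images are built from a checkout of `hyperledger/aries-endorser-service` and the backup image from `BCDevOps/backup-container`, three of them at `GIT_REF: ""` (whatever the default branch holds when the job runs), so the labels point at a commit that was never built and the build is not reproducible. Pin `GIT_REF` to a tag or commit for the external repositories (and `SOURCE_IMAGE_TAG: latest` for caddy to a version or digest), and derive the labels from the checked-out source at all three label sites (`meta`, `docker_build` and the `apply_labels` `--label` flags) by capturing `git rev-parse HEAD` after the checkout step, as sketched below. Two smaller points: the job's `permissions:` block grants only `packages: write`, which drops the implicit `contents: read`, so declare it explicitly rather than relying on the repository being public; and the build `if:` and the agent matrix entry read `github.event.inputs.service` / `endorser_agent_git_repo_url` although `workflow_dispatch:` declares no inputs, so both are always empty today — if they are declared later, anyone allowed to dispatch could build an arbitrary repository's Dockerfile with the Artifactory credentials on the runner and publish it under `ghcr.io/bcgov/dts-endorser-service/`, so either drop the dead references or restrict that path to a pinned ref of a fixed repository.

```yaml
      - name: Checkout
        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.GIT_REPO_URL }}
          ref: ${{ matrix.GIT_REF }}

      - name: Record the source that was actually checked out
        id: src
        env:
          SRC_REPO: ${{ matrix.GIT_REPO_URL || github.repository }}
        run: |
          echo "repo=${SRC_REPO}" >> "$GITHUB_OUTPUT"
          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      # … unchanged: buildx setup, registry login, Dockerfile preparation …

          labels: |
            ca.bc.gov.digitaltrust.build.source-location=https://github.com/${{ steps.src.outputs.repo }}
            ca.bc.gov.digitaltrust.build.commit.id=${{ steps.src.outputs.sha }}
```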