diff --git a/.github/workflows/actions/deploy/action.yaml b/.github/workflows/actions/deploy/action.yaml new file mode 100644 index 00000000..9e0224fd --- /dev/null +++ b/.github/workflows/actions/deploy/action.yaml @@ -0,0 +1,113 @@ +name: Deploy +description: Deploy to OpenShift namespace + +inputs: + environment: + description: The environment to which the image will be deployed. + required: true + + # Image parameters + ghcr_token: + description: The token to use to login to the GHCR. + required: true + github_image_name: + description: The name of the image in the GHCR to be deployed. + required: true + image_digest: + description: The digest of the image to be deployed. Identifies the unique image tag in the GHCR. + required: true + openshift_image_name: + description: The name of the image to use when pushing to OpenShift. + required: true + + # OpenShift parameters + openshift_server_url: + description: The URL of the OpenShift server. + required: true + namespace: + description: The OpenShift namespace where the image is to be deployed. + required: true + deployment_configuration: + description: The name of the OpenShift deployment configuration triggered by the new image. + required: true + openshift_token: + description: The token used to authenticate with the OpenShift server. + required: true + + # rocket.chat notification parameters + rocketchat_webhook: + description: The URL to use for posting notifications to rocket.chat. + required: true + +runs: + using: composite + steps: + - name: Log in to the GHCR + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ inputs.ghcr_token }} + + - name: Setup Openshift CLI + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ inputs.openshift_server_url }} + openshift_token: ${{ inputs.openshift_token }} + + - name: Login in to OpenShift container registry + shell: bash + env: + REGISTRY_AUTH_PREFERENCE: docker + run: | + oc version + docker version + + # Openshift pipeline is currently running on 14.4.6 version and according to + # the new red hat article - https://access.redhat.com/articles/7042033 + # the Podman auth configuration locations are preferred over Docker configuration locations. + + # In order to avoid the "unauthorized: authentication required error" and + # make github actions job run successfully make sure when we try to login to openshift registry + # we need to define the oc registry login --to="${HOME}/.docker/config.json" in the oc login action step. + + # This was not an issue when Openshift pipeline was running on 14.2 or 14.3 version + # but since Openshift upgraded to 14.4 version it started giving warning + # message : the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" + # to podman registry config locations in the future version of oc. + # "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials + # as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order + # of podman registry config locations. + oc registry login --to="${HOME}/.docker/config.json" + + - name: Tag the image in the GHCR as ${{ inputs.environment }} + shell: bash + run: | + docker pull ${{ inputs.github_image_name }}@${{ inputs.image_digest }} + docker tag ${{ inputs.github_image_name }}@${{ inputs.image_digest }} ${{ inputs.github_image_name }}:${{ inputs.environment }} + docker push ${{ inputs.github_image_name }}:${{ inputs.environment }} + + - name: Tag the image in the OpenShift container registry as ${{ inputs.environment }} + shell: bash + run: | + docker pull ${{ inputs.github_image_name }}@${{ inputs.image_digest }} + docker tag ${{ inputs.github_image_name }}@${{ inputs.image_digest }} ${{ inputs.openshift_image_name }}:${{ inputs.environment }} + docker push ${{ inputs.openshift_image_name}}:${{ inputs.environment }} + + - name: Trigger OpenShift rollout + shell: bash + run: | + echo starting rollout in ${{ inputs.namespace }} + oc -n ${{ inputs.namespace }} rollout status dc/${{ inputs.deployment_configuration }} --watch + + - name: Rocket.Chat Notification + uses: RocketChat/Rocket.Chat.GitHub.Action.Notification@1.1.1 + if: always() + with: + type: ${{ job.status }} + job_name: '*Deployment to ${{ inputs.environment }}*' + mention: 'here' + mention_if: 'failure' + channel: '#ditp-gha-notifications' + url: ${{ inputs.rocketchat_webhook }} + commit: true \ No newline at end of file diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 00000000..f3680678 --- /dev/null +++ b/.github/workflows/main.yaml @@ -0,0 +1,326 @@ +name: Build and Deploy Image + +on: + workflow_dispatch: + inputs: + service: + description: 'Service to build and deploy' + required: true + default: "" + push: + branches: + - inputs + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + GITHUB_IMAGE_REPO: ghcr.io/bcgov/dts-endorser-service/ + OPENSHIFT_IMAGE_REPO: image-registry.apps.silver.devops.gov.bc.ca/4a9599-tools/ + APP_NAMES: aries-endorser-agent,aries-endorser-db,aries-endorser-backup,aries-endorser-proxy,aries-endorser-api + JSON_INPUT: ${{ github.event.inputs.service }} + +jobs: + build: + if: (github.repository == 'bcgov/dts-endorser-service') || (github.event_name == 'workflow_dispatch' && github.event.inputs.service) + name: Build Image + permissions: + packages: write + runs-on: ubuntu-latest + strategy: + matrix: + include: + - service: aries-endorser-agent + GIT_REPO_URL: ${{ inputs.service.endoser-agent.git_repo_url || 'hyperledger/aries-endorser-service' }} + GIT_REF: ${{ inputs.service.endoser-agent.git_ref || '' }} + DOCKER_FILE_PATH: ${{ inputs.service.endoser-agent.docker_file_path || 'Dockerfile.acapy' }} # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: ${{ inputs.service.endoser-agent.source_context_dir || 'docker/acapy' }} # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: ${{ inputs.service.endoser-agent.source_image_registry || '' }} + SOURCE_IMAGE_NAME: ${{ inputs.service.endoser-agent.source_image_name || '' }} + SOURCE_IMAGE_TAG: ${{ inputs.service.endoser-agent.source_image_tag || '' }} + REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-agent.username_secret_name || '' }} + REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-agent.password_secret_name || '' }} + - service: aries-endorser-db + GIT_REPO_URL: ${{ inputs.service.endoser-db.git_repo_url || 'hyperledger/aries-endorser-service' }} + GIT_REF: ${{ inputs.service.endoser-db.git_ref || '' }} + SOURCE_CONTEXT_DIR: ${{ inputs.service.endoser-db.source_context_dir || 'docker/wallet/config' }} + SOURCE_IMAGE_REGISTRY: ${{ inputs.service.endoser-db.source_image_registry || 'quay.io/' }} + SOURCE_IMAGE_NAME: ${{ inputs.service.endoser-db.source_image_name || 'fedora/postgresql-13' }} + SOURCE_IMAGE_TAG: ${{ inputs.service.endoser-db.source_image_tag || '13' }} + REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-db.username_secret_name || '' }} + REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-db.password_secret_name || '' }} + - service: aries-endorser-backup + GIT_REPO_URL: BCDevOps/backup-container + GIT_REF: 2.5.1 + DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: docker # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/ + SOURCE_IMAGE_NAME: centos/postgresql-13-centos7 + SOURCE_IMAGE_TAG: 20210722-70dc4d3 + REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-backup.username_secret_name || '' }} + REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-backup.password_secret_name || '' }} + - service: aries-endorser-proxy + GIT_REF: "" + DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: proxy # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: "artifacts.developer.gov.bc.ca/docker-remote/" + SOURCE_IMAGE_NAME: caddy + SOURCE_IMAGE_TAG: latest + REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-proxy.username_secret_name || '' }} + REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-proxy.password_secret_name || '' }} + - service: aries-endorser-api + GIT_REPO_URL: ${{ inputs.service.endoser-api.git_repo_url || 'hyperledger/aries-endorser-service' }} + GIT_REF: ${{ inputs.service.endoser-api.git_ref || '' }} + DOCKER_FILE_PATH: ${{ inputs.service.endoser-api.git_ref || 'Dockerfile.endorser' }} # The docker path, file, is the relative path to the docker file from the root of the repo. + SOURCE_CONTEXT_DIR: ${{ inputs.service.endoser-api.git_ref || 'endorser' }} # The context dir, context, sets the context for the build. i.e. where the build will source files from + SOURCE_IMAGE_REGISTRY: ${{ inputs.service.endoser-api.git_ref || 'artifacts.developer.gov.bc.ca/docker-remote/' }} + SOURCE_IMAGE_NAME: ${{ inputs.service.endoser-api.git_ref || 'python' }} + SOURCE_IMAGE_TAG: ${{ inputs.service.endoser-api.git_ref || '3.10-slim-buster' }} + REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-api.username_secret_name || '' }} + REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-api.password_secret_name || '' }} + outputs: + aries-endorser-agent_digest: ${{ steps.digest.outputs.aries-endorser-agent_digest }} + aries-endorser-backup_digest: ${{ steps.digest.outputs.aries-endorser-backup_digest }} + aries-endorser-api_digest: ${{ steps.digest.outputs.aries-endorser-api_digest }} + aries-endorser-proxy_digest: ${{ steps.digest.outputs.aries-endorser-proxy_digest }} + aries-endorser-db_digest: ${{ steps.digests.outputs.aries-endorser-db_digest }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ matrix.GIT_REPO_URL }} + ref: ${{ matrix.GIT_REF }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to image registry + if: matrix.REGISTRY_USERNAME_SECRET_NAME != ''&& matrix.SOURCE_IMAGE_REGISTRY != '' + uses: docker/login-action@v3 + with: + registry: ${{ matrix.SOURCE_IMAGE_REGISTRY }} + username: ${{ secrets[matrix.REGISTRY_USERNAME_SECRET_NAME]}} + password: ${{ secrets[matrix.REGISTRY_PASSWORD_SECRET_NAME]}} + + - name: Create Dockerfile for ${{ matrix.service }} + if: contains(fromJSON('["aries-endorser-proxy"]'), matrix.service) + run: | + BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + echo "$BASE_IMAGE" + mkdir "${{ matrix.SOURCE_CONTEXT_DIR }}" && cd "${{ matrix.SOURCE_CONTEXT_DIR }}" + echo "FROM ${BASE_IMAGE}" > Dockerfile + echo "RUN chown 1001:root /usr/bin/caddy" >> Dockerfile + + - name: Prepare docker tags for image + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + flavor: | + latest=true + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha,value=latest + labels: | + ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} + ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} + + - name: Update Docker base image + if: matrix.SOURCE_IMAGE_REGISTRY != '' && contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + run: | + BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + sed -i -e "s;FROM .*;FROM ${BASE_IMAGE};g" "${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}" + + - name: Extract Tags + id: extract + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + tags=$(echo "${{ steps.meta.outputs.tags }}" | grep -oE ':([^[:space:]]+)' | sed '/label/d' | sed 's/://g' | tr '\n' ' ') + single_tag=$(echo "$tags" | cut -d " " -f 1) + remaining_tags=$(echo "$tags" | cut -d' ' -f2-) + echo "tags=$tags" >> $GITHUB_OUTPUT + echo "single_tag=$single_tag" >> $GITHUB_OUTPUT + echo "remaining_tags=$remaining_tags" >> $GITHUB_OUTPUT + + - name: Pull database image + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + docker pull ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }} + # The docs for redhat-actions/s2i-build imply that the pull should not be needed, yet in practice the build fails if the pull is not done first to make the image local. + + - name: Build database image + id: build_image + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + uses: redhat-actions/s2i-build@v2 + with: + path_context: ${{ matrix.SOURCE_CONTEXT_DIR}} + builder_image: "${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" + image: ${{ matrix.service }} + tags: ${{ steps.extract.outputs.single_tag }} + # labels would have to be added to the image after the S2I build + + - name: Apply Labels and tags to Database Image + id: apply_labels + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + echo "FROM ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }}" | docker build -t ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }} --label ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} --label ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} - + + - name: Apply Tags to Docker Image + run: | + remaining_tags="${{ steps.extract.outputs.remaining_tags }}" + image_name="${{ steps.build_image.outputs.image }}" + IFS=' ' read -r -a tags_array <<< "$remaining_tags" + # Loop through the tags and apply each one to the Docker image + for tag in "${tags_array[@]}"; do + docker tag "$image_name:${{ steps.extract.outputs.single_tag }}" "$image_name:$tag" + done + + - name: Push database image + id: push + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + uses: redhat-actions/push-to-registry@v2 + with: + tags: ${{ steps.build_image.outputs.tags }} + image: ${{ steps.build_image.outputs.image }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ${{ env.GITHUB_IMAGE_REPO }} + + - name: Log in to the GHCR + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push Docker image + id: docker_build + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + uses: docker/build-push-action@v5 + with: + context: ${{ matrix.SOURCE_CONTEXT_DIR }} + file: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }} + push: true + tags: ${{ steps.meta.outputs.tags }} + outputs: type=image,name=target + labels: | + ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} + ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} + + - name: Display ${{ matrix.service }} image results + id: digests + if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) + run: | + echo "registry_path=${{ steps.push.outputs.registry-paths }}" + digest=${{ steps.push.outputs.digest }} + echo "digest=${digest}" + echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT + + - name: Display ${{ matrix.service}} image results + id: digest + if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) + run: | + echo 'imageid=${{ steps.docker_build.outputs.imageid }}' + digest=${{ steps.docker_build.outputs.digest }} + echo "digest=${digest}" + echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT + + # deploy2dev: + # needs: build + # env: + # ENVIRONMENT: dev + # permissions: + # packages: write + # runs-on: ubuntu-latest + # environment: dev + # strategy: + # # Serialize the deployments + # max-parallel: 1 + # matrix: + # include: + # - service: aries-endorser-db + # - service: aries-endorser-agent + # - service: aries-endorser-backup + # - service: aries-endorser-proxy + # - service: aries-endorser-api + + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + + # - name: Deploy to ${{ env.ENVIRONMENT }} + # uses: ./.github/workflows/actions/deploy + # with: + # environment: ${{ env.ENVIRONMENT }} + # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + # image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} + # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} + # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # namespace: ${{ vars.NAMESPACE }} + # deployment_configuration: ${{ matrix.service }} + # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} + + # deploy2test: + # needs: [build, deploy2dev] + # env: + # ENVIRONMENT: test + # permissions: + # packages: write + # runs-on: ubuntu-latest + # environment: test + + # steps: + # - name: Checkout + # uses: actions/checkout@v3 + + # - name: deploy to ${{ env.ENVIRONMENT }} + # uses: ./.github/workflows/actions/deploy + # with: + # environment: ${{ env.ENVIRONMENT }} + # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} + # image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} + # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} + # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # namespace: ${{ vars.NAMESPACE }} + # deployment_configuration: ${{ matrix.service }} + # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} + + # # deploy2prod: + # # needs: [build, deploy2dev, deploy2test] + # # env: + # # ENVIRONMENT: prod + # # permissions: + # # packages: write + # # runs-on: ubuntu-latest + # # environment: prod + + # # steps: + # # - name: Checkout + # # uses: actions/checkout@v3 + + # # - name: deploy to prod + # # uses: ./.github/workflows/actions/deploy + # # with: + # # environment: ${{ env.ENVIRONMENT }} + # # ghcr_token: ${{ secrets.GITHUB_TOKEN }} + # # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ env.APP_NAME }} + # # image_digest: ${{ needs.build.outputs.image_digest }} + # # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ env.APP_NAME }} + # # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} + # # namespace: ${{ vars.NAMESPACE }} + # # deployment_configuration: ${{ env.APP_NAME }} + # # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} + # # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}`` \ No newline at end of file