From 776cbbd590a79ff9d7787accc1724d579c7b3c50 Mon Sep 17 00:00:00 2001 From: devinleighsmith Date: Tue, 30 Jan 2024 19:45:18 -0800 Subject: [PATCH] add keycloak sync to all pipelines. add uat hotfix and pre-release hotfix pipelines. update builds/keycloak sync to support new configuration. --- .github/workflows/depoy-prod-start.yml | 73 ++++++ .github/workflows/keycloak-sync.yml | 36 +++ .github/workflows/retag-test-to-uat.yml | 52 +++- .github/workflows/uat_hotfix.yml | 190 ++++++++++++++ .github/workflows/uat_pre_release_hotfix.yml | 237 ++++++++++++++++++ openshift/4.0/scripts/oc-build.sh | 6 +- openshift/4.0/templates/api/build.yaml | 3 +- openshift/4.0/templates/app/build.yaml | 52 ++-- .../s2i/nginx-runtime/nginx-runtime.yaml | 16 +- .../sync/appsettings.development.json | 2 +- tools/keycloak/sync/appsettings.json | 2 +- tools/keycloak/sync/appsettings.test.json | 2 +- tools/keycloak/sync/appsettings.uat.json | 2 +- 13 files changed, 636 insertions(+), 37 deletions(-) create mode 100644 .github/workflows/keycloak-sync.yml create mode 100644 .github/workflows/uat_hotfix.yml create mode 100644 .github/workflows/uat_pre_release_hotfix.yml diff --git a/.github/workflows/depoy-prod-start.yml b/.github/workflows/depoy-prod-start.yml index 9ed633005f..233ef81288 100644 --- a/.github/workflows/depoy-prod-start.yml +++ b/.github/workflows/depoy-prod-start.yml @@ -5,6 +5,8 @@ env: OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools" MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }} + sync-directory: ./tools/keycloak/sync + ASPNETCORE_ENVIRONMENT: "prod" APP_PORT: 8080 DESTINATION: "prod" 
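Review bot: The prod env block gains `sync-directory` and `ASPNETCORE_ENVIRONMENT: "prod"` for the new Sync Keycloak job, but unlike retag-test-to-uat.yml and the two new hotfix workflows it does not provide `AUTH__KEYCLOAK__SECRET` or `AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET`, and the new job added further down this file has no `env:` of its own. Unless those keys are defined elsewhere in the env block (outside this hunk), `dotnet run` in prod will start without the client secret that every other pipeline supplies. I would add the two lines next to `sync-directory`, e.g. `AUTH__KEYCLOAK__SECRET: ${{ secrets.<PROD_KEYCLOAK_SECRET> }}` and `AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.<PROD_KEYCLOAK_SERVICEACCOUNT_SECRET> }}` (placeholder names, the repository's prod secret names are not on this page), so prod uses prod-only credentials rather than reusing the `KEYCLOAK_SECRET` the dev sync uses.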
@@ -70,3 +72,74 @@ jobs: [[ -z ${{github.event.inputs.OVERRIDE_VERSION}} ]] && RELEASE_VERSION=${{steps.previoustag.outputs.tag}}-master || RELEASE_VERSION=${{github.event.inputs.OVERRIDE_VERSION}}-master RELEASE_TAG=$RELEASE_VERSION ./openshift/4.0/player.sh deploy api $DESTINATION -apply RELEASE_TAG=$RELEASE_VERSION ./openshift/4.0/player.sh deploy app $DESTINATION -apply + + # the command: + # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. + # 2) greps the generated name from the previous step. + # 3) waits for the job to complete using the generated name. + database-upgrade: + name: Upgrade database + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-prod + - name: call scripts to upgrade database + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database -p GIT_BRANCH=master -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_PRD -p NAMESPACE=3cd915-prod | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s) + + ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting. + ## Note: this depends on the mayan-sync configmap for the target namespace being up to date. 
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-prod + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://pims.th.gov.bc.ca/:443/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://pims.th.gov.bc.ca/:443/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-prod -p TOKEN_URL=https://loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://pims.th.gov.bc.ca/:443/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + + sync-keycloak: + name: Sync Keycloak + needs: database-upgrade + runs-on: 
ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + + - name: Setup .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "8.0.x" + + - name: Install dependencies for keycloak sync + run: dotnet restore + working-directory: ${{env.sync-directory}} + + - name: Build keycloak sync + run: dotnet build + working-directory: ${{env.sync-directory}} + + - name: Start keycloak sync + run: dotnet run + working-directory: ${{env.sync-directory}} \ No newline at end of file diff --git a/.github/workflows/keycloak-sync.yml b/.github/workflows/keycloak-sync.yml new file mode 100644 index 0000000000..757ad3e6db --- /dev/null +++ b/.github/workflows/keycloak-sync.yml @@ -0,0 +1,36 @@ +name: Keycloak Sync +env: + OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools" + MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }} + AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET }} + AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }} + sync-directory: ./tools/keycloak/sync + ASPNETCORE_ENVIRONMENT: "Development" + +on: + workflow_dispatch: + +jobs: + sync-keycloak: + name: Sync Keycloak + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + + - name: Setup .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "8.0.x" + + - name: Install dependencies for keycloak sync + run: dotnet restore + working-directory: ${{env.sync-directory}} + + - name: Build keycloak sync + run: dotnet build + working-directory: ${{env.sync-directory}} + + - name: Start keycloak sync + run: dotnet run + working-directory: ${{env.sync-directory}} diff --git a/.github/workflows/retag-test-to-uat.yml b/.github/workflows/retag-test-to-uat.yml index f6ad08669a..5f2cb90526 100644 --- a/.github/workflows/retag-test-to-uat.yml +++ b/.github/workflows/retag-test-to-uat.yml 
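Review bot: Each `MAYAN_SYNC_URL` in the new mayan-sync job reads `https://https://pims.th.gov.bc.ca/:443/api/...`, with the scheme twice and a `/` before the port, so a URL parser would take `https` as the host and the sync cannot reach the API; the value should be `MAYAN_SYNC_URL=https://pims.th.gov.bc.ca:443/api/documents/sync/mayan/metadatatype` (and likewise for the `documenttype` and `mayan` lines). The same malformed form is added with the `uat-pims.th.gov.bc.ca` host in the retag-test-to-uat.yml, uat_hotfix.yml and uat_pre_release_hotfix.yml hunks. Separately, every new `oc-login` step sets `insecure_skip_tls_verify: true`, which hands `OPENSHIFT_TOKEN` to whatever answers at `OPENSHIFT_SERVER` without checking its certificate; the action's `certificate_authority_data` input lets the cluster CA be pinned instead, and that applies to the same three hunks. The enclosing `jobs:` mapping starts above this hunk.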
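Review bot: `ASPNETCORE_ENVIRONMENT: "Development"` is capitalised while the settings file changed in this commit is `appsettings.development.json`; the runner's filesystem is case-sensitive, so the environment-specific file may be skipped and only `appsettings.json` (the prod values) loaded — worth verifying, since the other pipelines use lowercase `uat`/`prod`. The env block also carries `OPENSHIFT_TOOLS_NAMESPACE` and `MS_TEAMS_WEBHOOK_BUILD_CHANNEL`, which no step in this file reads; dropping them keeps the job's secret surface to what it needs. A top-level `permissions:` block with `contents: read` would pin `GITHUB_TOKEN` to what `actions/checkout` requires, which is all this workflow uses it for.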
@@ -8,6 +8,7 @@ env: AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_UAT }} AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }} sync-directory: ./tools/keycloak/sync + ASPNETCORE_ENVIRONMENT: "uat" ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh APP_PORT: 8080 
@@ -86,10 +87,59 @@ jobs: run: | oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=test -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s) + ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting. + ## Note: this depends on the mayan-sync configmap for the target namespace being up to date. + mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait 
--for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + + sync-keycloak: + name: Sync Keycloak + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + + - name: Setup .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "8.0.x" + + - name: Install dependencies for keycloak sync + run: dotnet restore + working-directory: ${{env.sync-directory}} + + - name: Build keycloak sync + run: dotnet build + working-directory: ${{env.sync-directory}} + + - name: Start keycloak sync + run: dotnet run + working-directory: ${{env.sync-directory}} + ci-cd-end-notification: name: CI-CD End Notification to Teams Channel runs-on: ubuntu-latest - needs: database-upgrade + needs: [sync-keycloak, mayan-sync] + if: always() steps: - name: check workflow status uses: martialonline/workflow-status@v4 diff --git a/.github/workflows/uat_hotfix.yml b/.github/workflows/uat_hotfix.yml new file mode 100644 index 0000000000..6069fdd692 --- /dev/null +++ b/.github/workflows/uat_hotfix.yml 
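Review bot: The three `oc process … mayan-sync.yaml` lines in the new mayan-sync job repeat every parameter and differ only in the last path segment of `MAYAN_SYNC_URL`, so a change to the token URL, client id or secret name has to be made three times per workflow (the same shape is added in the prod, uat_hotfix and uat_pre_release_hotfix hunks). A short loop over the endpoint list keeps the parameters in one place and preserves the wait after each TaskRun, as sketched below; the URL in the sketch is written as a plain `https://host:443/...` value. `needs: [sync-keycloak, mayan-sync]` together with `if: always()` on the end notification is right, since a failed sync must still be reported.
```yaml
      - name: call scripts to sync mayan
        shell: bash
        run: |
          # One TaskRun per sync endpoint; each waits for completion before the next is created.
          for endpoint in mayan/metadatatype documenttype mayan; do
            oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL="https://uat-pims.th.gov.bc.ca:443/api/documents/sync/${endpoint}" -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)
          done
```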
@@ -0,0 +1,190 @@ +name: UAT Hotfix +env: + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + # service account: gitaction + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools" + MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }} + AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET }} + AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }} + sync-directory: ./tools/keycloak/sync + ASPNETCORE_ENVIRONMENT: "uat" + + ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh + APP_PORT: 8080 + DESTINATION: "uat" + OC_JOB_NAME: "test" + GIT_URL: "${{github.server_url}}/${{github.repository}}" + GIT_BRANCH: "test" + APP_NAME: "pims" + PROJ_PREFIX: "3cd915" + PROJ_TOOLS: "3cd915-tools" + PROJ_DEV: "dev" + PROJ_TEST: "test" + PROJ_PROD: "prod" + TAG_DEV: "dev" + TAG_TEST: "test" + TAG_PROD: "prod" + INSTANCE: "-uat" + NAMESPACE_OVERRIDE: "3cd915-test" + +on: + workflow_dispatch: + +jobs: + ci-cd-start-notification: + name: CI-CD Start Notification to Teams Channel + runs-on: ubuntu-latest + steps: + - name: Start notification to Teams Channel + uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS UAT Hotfix started. 
+ notification-color: 17a2b8 + timezone: America/Los_Angeles + + build-frontend: + name: Build frontend + needs: ci-cd-start-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build frontend (pims-app and pims-app-base) + run: | + ./openshift/4.0/player.sh build app-base -apply + ./openshift/4.0/player.sh build app -apply + + build-api: + name: Build api + needs: ci-cd-start-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build backend (pims-api) + run: | + ./openshift/4.0/player.sh build api -apply + + deploy: + name: Deploy frontend and api to OpenShift + needs: [build-frontend, build-api] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: call scripts to deploy api and frontend + run: | + ./openshift/4.0/player.sh deploy api $DESTINATION -apply + ./openshift/4.0/player.sh deploy app $DESTINATION -apply + + # the command: + # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. + # 2) greps the generated name from the previous step. 
+ # 3) waits for the job to complete using the generated name. + database-upgrade: + name: Upgrade database + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to upgrade database + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=test -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s) + +## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting. +## Note: this depends on the mayan-sync configmap for the target namespace being up to date. 
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + + sync-keycloak: + name: Sync Keycloak + 
runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + + - name: Setup .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "8.0.x" + + - name: Install dependencies for keycloak sync + run: dotnet restore + working-directory: ${{env.sync-directory}} + + - name: Build keycloak sync + run: dotnet build + working-directory: ${{env.sync-directory}} + + - name: Start keycloak sync + run: dotnet run + working-directory: ${{env.sync-directory}} + + ci-cd-end-notification: + if: always() + name: CI-CD End Notification to Teams Channel + runs-on: ubuntu-latest + needs: [mayan-sync, sync-keycloak] + steps: + - name: check workflow status + uses: martialonline/workflow-status@v4 + id: check + - name: End notification to Teams Channel + uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS UAT Hotfix complete with status ${{ steps.check.outputs.status }} + notification-color: 17a2b8 + timezone: America/Los_Angeles diff --git a/.github/workflows/uat_pre_release_hotfix.yml b/.github/workflows/uat_pre_release_hotfix.yml new file mode 100644 index 0000000000..9c5e35ecce --- /dev/null +++ b/.github/workflows/uat_pre_release_hotfix.yml 
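Review bot: This workflow targets UAT (`ASPNETCORE_ENVIRONMENT: "uat"`, `DESTINATION: "uat"`, `pims-api-sso-uat`) yet sets `AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET }}`, whereas retag-test-to-uat.yml (context lines of its first hunk) uses `${{ secrets.KEYCLOAK_SECRET_UAT }}` for the same environment; if `KEYCLOAK_SECRET_UAT` is the UAT client's secret, this pipeline syncs UAT Keycloak with another environment's credential and should read `AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_UAT }}`. The same line appears in the uat_pre_release_hotfix.yml hunk. The `sync-keycloak` job here has no `needs:`, so it starts as soon as the workflow does, before deploy and database-upgrade have run, while the other three workflows give it `needs: database-upgrade`; adding that line keeps the sync from running against the pre-hotfix API.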
@@ -0,0 +1,237 @@ +name: UAT Pre-Release Hotfix +env: + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + # service account: gitaction + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools" + MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }} + AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET }} + AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }} + sync-directory: ./tools/keycloak/sync + ASPNETCORE_ENVIRONMENT: "uat" + + ## variables for scripts under git\openshift\4.0\scripts\oc-*.sh + APP_PORT: 8080 + DESTINATION: "uat" + OC_JOB_NAME: "test" + GIT_URL: "${{github.server_url}}/${{github.repository}}" + GIT_BRANCH: "test" + APP_NAME: "pims" + PROJ_PREFIX: "3cd915" + PROJ_TOOLS: "3cd915-tools" + PROJ_DEV: "dev" + PROJ_TEST: "test" + PROJ_PROD: "prod" + TAG_DEV: "dev" + TAG_TEST: "test" + TAG_PROD: "prod" + INSTANCE: "-uat" + NAMESPACE_OVERRIDE: "3cd915-test" + +on: + workflow_dispatch: + inputs: + HOTFIX_BRANCH: + description: "Enter the name of the branch containing the hotfix" + required: true + +jobs: + ci-cd-start-notification: + name: CI-CD Start Notification to Teams Channel + runs-on: ubuntu-latest + steps: + - name: Start notification to Teams Channel + uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS UAT Pre-Release Hotfix started. 
+ notification-color: 17a2b8 + timezone: America/Los_Angeles + + create-builds: + name: create builds + needs: ci-cd-start-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-tools + - name: create all PSP build configurations for branch + shell: bash + run: | + oc process -f ./openshift/s2i/nginx-runtime/nginx-runtime.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f - + oc process -f ./openshift/4.0/templates/api/build.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f - + oc process -f ./openshift/4.0/templates/app/build.yaml -p GIT_REF=${{github.event.inputs.HOTFIX_BRANCH}} -p OUTPUT_IMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" -p RUNTIMEIMAGE_TAG="latest-${{github.event.inputs.HOTFIX_BRANCH}}" | oc create --selector ci_cd=true -f - + + build-frontend: + name: Build frontend + needs: create-builds + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build frontend (pims-app and pims-app-base) + run: | + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && export OVERRIDE_APP_NAME=true && ./openshift/4.0/player.sh build nginx-runtime -apply + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && unset OVERRIDE_APP_NAME && ./openshift/4.0/player.sh 
build app-base -apply + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && ./openshift/4.0/player.sh build app -apply + + build-api: + name: Build api + needs: create-builds + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: Call script to build backend (pims-api) + run: | + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} && ./openshift/4.0/player.sh build api -apply + + deploy: + name: Deploy frontend and api to OpenShift + needs: [build-frontend, build-api] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }} + - name: call scripts to deploy api and frontend + run: | + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} &&./openshift/4.0/player.sh deploy api $DESTINATION -apply + OC_JOB_NAME=${{github.event.inputs.HOTFIX_BRANCH}} &&./openshift/4.0/player.sh deploy app $DESTINATION -apply + + # the command: + # 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template. + # 2) greps the generated name from the previous step. + # 3) waits for the job to complete using the generated name. 
+ database-upgrade: + name: Upgrade database + needs: [deploy] + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to upgrade database + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-uat -p GIT_BRANCH=${{github.event.inputs.HOTFIX_BRANCH}} -p SERVER_NAME=sqlprd.th.gov.bc.ca -p DB_NAME=PIMS_UAT -p NAMESPACE=3cd915-test | oc create -f - | grep -oP "(?<=job\.batch/)[^\s]*" | (read JOB_NAME; oc wait --for=condition=complete job/$JOB_NAME --timeout=120s) + +## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting. +## Note: this depends on the mayan-sync configmap for the target namespace being up to date. 
+ mayan-sync: + name: sync mayan + needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-test + - name: call scripts to sync mayan + shell: bash + run: | + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-test -p TOKEN_URL=https://test.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://https://uat-pims.th.gov.bc.ca/:443/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-uat | oc create -f - | grep -oP "(?<=\/)[^\s]*" | (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s) + + sync-keycloak: + name: Sync Keycloak + 
needs: database-upgrade + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + + - name: Setup .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "8.0.x" + + - name: Install dependencies for keycloak sync + run: dotnet restore + working-directory: ${{env.sync-directory}} + + - name: Build keycloak sync + run: dotnet build + working-directory: ${{env.sync-directory}} + + - name: Start keycloak sync + run: dotnet run + working-directory: ${{env.sync-directory}} + + ci-cd-end-notification: + if: always() + name: CI-CD End Notification to Teams Channel + runs-on: ubuntu-latest + needs: [mayan-sync, sync-keycloak] + steps: + - name: check workflow status + uses: martialonline/workflow-status@v4 + id: check + - name: End notification to Teams Channel + uses: dragos-cojocari/ms-teams-notification@v1.0.2 + with: + github-token: ${{ github.token }} + ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }} + notification-summary: PIMS UAT Pre-Release Hotfix complete with status ${{ steps.check.outputs.status }} + notification-color: 17a2b8 + timezone: America/Los_Angeles + + cleanup-builds: + if: always() + name: cleanup builds + needs: ci-cd-end-notification + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v3 + - name: Login to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: 3cd915-tools + - name: create all PSP build configurations for branch + shell: bash + run: | + oc delete bc --selector ci_cd=true diff --git a/openshift/4.0/scripts/oc-build.sh b/openshift/4.0/scripts/oc-build.sh index 2ae03641f9..27dece290f 100755 --- a/openshift/4.0/scripts/oc-build.sh +++ b/openshift/4.0/scripts/oc-build.sh 
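Review bot: `${{ github.event.inputs.HOTFIX_BRANCH }}` is substituted into the `run:` scripts of create-builds, build-frontend, build-api, deploy and database-upgrade before bash sees them, so the branch name is executed as script text rather than passed as data; the documented hardening pattern is to bind it once under a step `env:` and reference `"$HOTFIX_BRANCH"`, sketched below for create-builds. Triggering needs dispatch rights, which bounds the exposure, but the same value also becomes a BuildConfig name (`${NAME}.${GIT_REF}`) and an image tag (`latest-…`), so a branch containing `/` or other characters those fields reject fails late inside `oc create` unless the templates sanitise it (nothing on the page does); a validation line before the first `oc process` fails early with a clear message. In cleanup-builds, `oc delete bc --selector ci_cd=true` removes every BuildConfig carrying that label in 3cd915-tools, not only the ones created for this branch, and since api/build.yaml, app/build.yaml and nginx-runtime.yaml now attach `ci_cd: "true"` unconditionally, regular-pipeline BuildConfigs created from those templates after this commit would be deleted too; scoping the selector by branch (api/build.yaml already labels `branch: ${GIT_REF}`) or deleting by name avoids that. That cleanup step is also still named `create all PSP build configurations for branch`.
```yaml
      - name: create all PSP build configurations for branch
        shell: bash
        env:
          HOTFIX_BRANCH: ${{ github.event.inputs.HOTFIX_BRANCH }}
        run: |
          # Reject values that cannot serve as a BuildConfig name / image tag; widen the set if slashes must be supported.
          [[ "$HOTFIX_BRANCH" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unsupported HOTFIX_BRANCH value"; exit 1; }
          oc process -f ./openshift/s2i/nginx-runtime/nginx-runtime.yaml -p GIT_REF="$HOTFIX_BRANCH" -p OUTPUT_IMAGE_TAG="latest-$HOTFIX_BRANCH" | oc create --selector ci_cd=true -f -
          # … unchanged: api and app oc process lines, with the same "$HOTFIX_BRANCH" references …
```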
@@ -34,7 +34,11 @@ SHORTNAME=${1:-} # E.g. pims-api.dev # -BUILD_NAME="${APP_NAME}-${SHORTNAME}.${OC_JOB_NAME}" +if [ ! -z ${OVERRIDE_APP_NAME:-} ]; then + BUILD_NAME="${SHORTNAME}.${OC_JOB_NAME}" +else + BUILD_NAME="${APP_NAME}-${SHORTNAME}.${OC_JOB_NAME}" +fi # Cancel non complete builds and start a new build (apply or don't run) # diff --git a/openshift/4.0/templates/api/build.yaml b/openshift/4.0/templates/api/build.yaml index e5da9205e2..13eb04fe88 100644 --- a/openshift/4.0/templates/api/build.yaml +++ b/openshift/4.0/templates/api/build.yaml @@ -2,7 +2,7 @@ # It will build a new image from the specified source control repo # that will run your application. kind: Template -apiVersion: v1 +apiVersion: template.openshift.io/v1 metadata: name: pims-api-build annotations: @@ -115,6 +115,7 @@ objects: role: ${ROLE_NAME} env: ${ENV_NAME} branch: ${GIT_REF} + ci_cd: "true" spec: triggers: - type: ImageChange diff --git a/openshift/4.0/templates/app/build.yaml b/openshift/4.0/templates/app/build.yaml index 229a7f01d0..3399173ca6 100644 --- a/openshift/4.0/templates/app/build.yaml +++ b/openshift/4.0/templates/app/build.yaml @@ -1,5 +1,5 @@ kind: Template -apiVersion: v1 +apiVersion: template.openshift.io/v1 metadata: name: pims-app-build annotations: @@ -35,7 +35,7 @@ parameters: - name: BUILDIMAGE_TAG displayName: "Source Image Tag" description: "The s2i image tag which is used to build the code." - value: "1-1" + value: "1-5" - name: RUNTIMEIMAGE_NAME displayName: "Source Image Name" @@ -85,11 +85,11 @@ objects: namespace: ${PROJECT_NAMESPACE}-${ENV_NAME} annotations: description: Keeps track of changes to the intermediate frontend artifacts image - labels: - name: ${APP_NAME}-${ROLE_NAME}-base - app: ${APP_NAME} - role: ${ROLE_NAME} - env: ${ENV_NAME} + labels: + name: ${APP_NAME}-${ROLE_NAME}-base + app: ${APP_NAME} + role: ${ROLE_NAME} + env: ${ENV_NAME} # The build config that will be created and be named for the branch you created it for. - kind: BuildConfig 
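Review bot: `if [ ! -z ${OVERRIDE_APP_NAME:-} ]; then` leaves the expansion unquoted, so an empty value turns the test into `[ ! -z ]` (which only happens to evaluate false) and a value containing whitespace breaks the command; `if [ -n "${OVERRIDE_APP_NAME:-}" ]; then` is the robust form. The variable name suggests it replaces the app name, whereas the branch drops the `${APP_NAME}-` prefix entirely — the pre-release hotfix workflow exports it before `player.sh build nginx-runtime`, presumably because that BuildConfig is named `${NAME}.${GIT_REF}` with no app prefix. A comment above the `if`, e.g. `# OVERRIDE_APP_NAME (any non-empty value): name the build "<shortname>.<job>" without the APP_NAME prefix, for BuildConfigs such as nginx-runtime that are not prefixed`, would save the next reader the trip to the workflow. The rest of the script lies outside the hunk.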
@@ -99,17 +99,15 @@ objects: namespace: ${PROJECT_NAMESPACE}-${ENV_NAME} annotations: description: Intermediate build that generates the frontend artifacts (html, javascript, images, etc) - labels: - name: ${APP_NAME}-${ROLE_NAME}-base.${GIT_REF} - app: ${APP_NAME} - role: ${ROLE_NAME} - env: ${ENV_NAME} + labels: + name: ${APP_NAME}-${ROLE_NAME}-base.${GIT_REF} + app: ${APP_NAME} + role: ${ROLE_NAME} + env: ${ENV_NAME} + ci_cd: "true" spec: runPolicy: Parallel completionDeadlineSeconds: 1800 - triggers: - - type: ImageChange - - type: ConfigChange source: type: Git git: @@ -140,11 +138,11 @@ objects: namespace: ${PROJECT_NAMESPACE}-${ENV_NAME} annotations: description: Keeps track of changes to the final frontend image (embedded in nginx) - labels: - name: ${APP_NAME}-${ROLE_NAME} - app: ${APP_NAME} - role: ${ROLE_NAME} - env: ${ENV_NAME} + labels: + name: ${APP_NAME}-${ROLE_NAME} + app: ${APP_NAME} + role: ${ROLE_NAME} + env: ${ENV_NAME} # The build config that will be created and be named for the branch you created it for. - kind: BuildConfig @@ -154,17 +152,15 @@ objects: namespace: ${PROJECT_NAMESPACE}-${ENV_NAME} annotations: description: This (final) build takes the generated frontend artifacts and serves them through a static web server (nginx) - labels: - name: ${APP_NAME}-${ROLE_NAME}.${GIT_REF} - app: ${APP_NAME} - role: ${ROLE_NAME} - env: ${ENV_NAME} + labels: + name: ${APP_NAME}-${ROLE_NAME}.${GIT_REF} + app: ${APP_NAME} + role: ${ROLE_NAME} + env: ${ENV_NAME} + ci_cd: "true" spec: runPolicy: Parallel completionDeadlineSeconds: 1800 - triggers: - - type: ImageChange - - type: ConfigChange source: dockerfile: |- FROM ${APP_NAME}-${ROLE_NAME}-base:${OUTPUT_IMAGE_TAG} diff --git a/openshift/s2i/nginx-runtime/nginx-runtime.yaml b/openshift/s2i/nginx-runtime/nginx-runtime.yaml index 81d5839138..59396ec558 100644 --- a/openshift/s2i/nginx-runtime/nginx-runtime.yaml +++ b/openshift/s2i/nginx-runtime/nginx-runtime.yaml 
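Review bot: Both frontend BuildConfigs lose their `triggers:` block (this hunk and the `@@ -154,17` hunk below), so neither an updated base image nor a config change starts a build any more, while api/build.yaml in the same commit keeps `triggers: - type: ImageChange`; the two templates now behave differently and nothing records why. Presumably builds are meant to be started only by the pipeline's `player.sh build` calls, but the final-image BuildConfig (`FROM ${APP_NAME}-${ROLE_NAME}-base:${OUTPUT_IMAGE_TAG}`) previously rebuilt when the intermediate image changed, so a comment above each `spec:` is worth adding, e.g. `# No triggers on purpose: builds are started explicitly by the CI pipeline (player.sh build); the hotfix pipeline creates and deletes these BuildConfigs per branch.` The label re-indentation in the other app/build.yaml hunks is whitespace only.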
@@ -1,5 +1,5 @@ kind: Template -apiVersion: v1 +apiVersion: template.openshift.io/v1 metadata: name: nginx-runtime parameters: @@ -42,19 +42,31 @@ parameters: description: The tag of the nginx base image [e.g "mainline" or "latest"]. required: true value: mainline + - name: PROJECT_NAMESPACE + displayName: "OpenShift Project Namespace" + description: "The namespace of the OpenShift project containing the application." + required: true + value: "3cd915" + - name: ENV_NAME + displayName: "Environment name" + description: "The name for this environment [dev, test, prod, tools]" + required: true + value: "tools" objects: - kind: ImageStream apiVersion: v1 metadata: name: ${NAME} + namespace: ${PROJECT_NAMESPACE}-${ENV_NAME} - kind: BuildConfig apiVersion: v1 metadata: name: ${NAME}.${GIT_REF} labels: app: ${NAME} + ci_cd: "true" spec: - runPolicy: Serial + runPolicy: Parallel source: type: Git git: diff --git a/tools/keycloak/sync/appsettings.development.json b/tools/keycloak/sync/appsettings.development.json index 4364137539..e2874f06a3 100644 --- a/tools/keycloak/sync/appsettings.development.json +++ b/tools/keycloak/sync/appsettings.development.json @@ -21,6 +21,6 @@ "RetryAttempts": 3, "AbortAfterFailure": 1, "Api": { - "Uri": "https://pims-app-3cd915-dev.apps.silver.devops.gov.bc.ca/api" + "Uri": "https://pims-app-3cd915-dev.apps.silver.devops.gov.bc.ca/gitactions" } } diff --git a/tools/keycloak/sync/appsettings.json b/tools/keycloak/sync/appsettings.json index d7d7c59f3a..6ca9e201a9 100644 --- a/tools/keycloak/sync/appsettings.json +++ b/tools/keycloak/sync/appsettings.json @@ -31,7 +31,7 @@ "RetryAttempts": 2, "AbortAfterFailure": 1, "Api": { - "Uri": "https://pims-app-3cd915-prod.apps.silver.devops.gov.bc.ca/api" + "Uri": "https://pims-app-3cd915-prod.apps.silver.devops.gov.bc.ca/gitactions" }, "Serialization": { "Json": { diff --git a/tools/keycloak/sync/appsettings.test.json b/tools/keycloak/sync/appsettings.test.json index 05d215e1a2..56c88e7c44 100644 
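Review bot: `namespace: ${PROJECT_NAMESPACE}-${ENV_NAME}` is added to the ImageStream only; the BuildConfig `${NAME}.${GIT_REF}` directly below still has no namespace, so when the template is processed from a project other than the tools namespace the two objects land in different projects, whereas app/build.yaml in this commit sets the namespace on both; adding `namespace: ${PROJECT_NAMESPACE}-${ENV_NAME}` under the BuildConfig's `metadata:` keeps them together. `runPolicy: Serial` → `Parallel` lets builds of the same BuildConfig run concurrently; a one-line comment stating that the per-branch hotfix builds rely on this (if that is the reason) would record the intent. With the Template moved to `template.openshift.io/v1`, the embedded objects still say `apiVersion: v1`; `image.openshift.io/v1` and `build.openshift.io/v1` are the group forms, and api/build.yaml and app/build.yaml keep the same legacy versions.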
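Review bot: `Api.Uri` moves from `.../api` to `.../gitactions` here and in the appsettings.json, appsettings.test.json and appsettings.uat.json hunks, but nothing on this page introduces a `/gitactions` route or says how requests to it are authenticated; the commit message only says "new configuration". Since the sync tool presumably calls this URL with the `AUTH__KEYCLOAK__*` credentials to push role/user data, a line in the sync tool's README or the commit description naming what serves `/gitactions` (an nginx location, an API route prefix) and confirming it enforces the same authentication as `/api` would make the change reviewable. JSON has no comment syntax, so that note belongs in the README or the commit message rather than in these files.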
--- a/tools/keycloak/sync/appsettings.test.json +++ b/tools/keycloak/sync/appsettings.test.json @@ -18,6 +18,6 @@ "RetryAttempts": 3, "AbortAfterFailure": 1, "Api": { - "Uri": "https://pims-app-test-3cd915-dev.apps.silver.devops.gov.bc.ca/api" + "Uri": "https://pims-app-test-3cd915-dev.apps.silver.devops.gov.bc.ca/gitactions" } } diff --git a/tools/keycloak/sync/appsettings.uat.json b/tools/keycloak/sync/appsettings.uat.json index 73239227ac..7bc3d4dce9 100644 --- a/tools/keycloak/sync/appsettings.uat.json +++ b/tools/keycloak/sync/appsettings.uat.json @@ -18,7 +18,7 @@ "RetryAttempts": 2, "AbortAfterFailure": 1, "Api": { - "Uri": "https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/api" + "Uri": "https://pims-app-uat-3cd915-test.apps.silver.devops.gov.bc.ca/gitactions" }, "Serialization": { "Json": {