diff --git a/.github/workflows/deploy-to-openshift-backend-efx.yml b/.github/workflows/deploy-to-openshift-backend-efx.yml new file mode 100644 index 00000000..2f0a33ef --- /dev/null +++ b/.github/workflows/deploy-to-openshift-backend-efx.yml @@ -0,0 +1,171 @@ +name: 4 EFX - Deploy Backend + +env: + # EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-test + + SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} + + # EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote + ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca + + APP_NAME: 'ccof' + REPO_NAME: "educ-ccof" + #grabs the branch name from github dynamically + BRANCH: ${{ github.ref_name }} + IMAGE_NAME: "backend" + APP_ENVIRONMENT: "efx" + + NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }} + + MIN_REPLICAS: "2" + MAX_REPLICAS: "3" + MIN_CPU: "50m" + MAX_CPU: "250m" + MIN_MEM: "200Mi" + MAX_MEM: "700Mi" + # SITE_URL should have no scheme or port. It will be prepended with https:// + HOST_ROUTE: ${{ secrets.SITE_URL }} + +on: + workflow_dispatch: + inputs: + tag: + description: 'The image tag to deploy' + required: true + type: string +jobs: + openshift-ci-cd: + name: Deploy Backend to EFX + runs-on: ubuntu-24.04 + environment: efx + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Print Workflow Dispatch Inputs and Env Vars + uses: shayki5/print-workflow-dispatch-inputs@v1 + with: + add_to_summary: 'true' + print_env_vars: 'false' + + - name: Check for required secrets + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v2 + with: + ref: ${{ env.BRANCH }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4.16 + + - name: Deploy + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + # Cancel any rollouts in progress + oc rollout cancel deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + || true && echo "No rollout in progress" + + # Create tag for TEST env from DEV env image + oc tag \ + ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} \ + ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} + + # Process and apply deployment template + oc process \ + -f tools/openshift/backend.deployment.yaml \ + -p APP_NAME=${{ env.APP_NAME }} \ + -p REPO_NAME=${{ env.REPO_NAME }} \ + -p BRANCH=${{ env.BRANCH }} \ + -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \ + -p TAG=${{ inputs.tag }} \ + -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \ + -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \ + -p MIN_CPU=${{ env.MIN_CPU }} \ + -p MAX_CPU=${{ env.MAX_CPU }} \ + -p MIN_MEM=${{ env.MIN_MEM }} \ + -p MAX_MEM=${{ env.MAX_MEM }} \ + -p HOST_ROUTE=${{ env.HOST_ROUTE }} \ + -p APP_ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \ + | oc apply -f - + + # Process update-configmap + curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \ + | bash /dev/stdin \ + ${{ env.APP_ENVIRONMENT }} \ + ${{ env.APP_NAME }} \ + ${{ secrets.CCOF_NAMESPACE_NO_ENV }} \ + ${{ secrets.COMMON_NAMESPACE_NO_ENV }} \ + ${{ secrets.SOAM_CLIENT_ID }} \ + ${{ secrets.SOAM_CLIENT_ID_IDIR }} \ + ${{ secrets.SOAM_CLIENT_SECRET }} \ + ${{ secrets.SOAM_CLIENT_SECRET_IDIR }} \ + ${{ secrets.SPLUNK_TOKEN }} \ + ${{ secrets.REDIS_PASSWORD }} \ + ${{ secrets.D365_API_PREFIX }} + + # Start rollout (if necessary) and follow it + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \ + || true && echo "Rollout in progress" + + # Get status, returns 0 if rollout is successful + oc rollout status deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} + + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.8.0 + with: + target: 'https://${{ env.HOST_ROUTE }}/api' diff --git a/.github/workflows/deploy-to-openshift-backend-prod.yml b/.github/workflows/deploy-to-openshift-backend-prod.yml index 3d31ddab..de46be04 100644 --- a/.github/workflows/deploy-to-openshift-backend-prod.yml +++ b/.github/workflows/deploy-to-openshift-backend-prod.yml @@ -1,4 +1,4 @@ -name: 4 PROD - Deploy Backend +name: 5 PROD - Deploy Backend env: # EDIT your repository secrets to log into your OpenShift cluster and set up the context. @@ -160,7 +160,7 @@ jobs: ${{ secrets.D365_API_PREFIX }} # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful diff --git a/.github/workflows/deploy-to-openshift-backend-qa.yml b/.github/workflows/deploy-to-openshift-backend-qa.yml index d4a449d1..538f85df 100644 --- a/.github/workflows/deploy-to-openshift-backend-qa.yml +++ b/.github/workflows/deploy-to-openshift-backend-qa.yml @@ -155,7 +155,7 @@ jobs: ${{ secrets.D365_API_PREFIX }} # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful diff --git a/.github/workflows/deploy-to-openshift-backend-uat.yml b/.github/workflows/deploy-to-openshift-backend-uat.yml index e81c1aed..507d6800 100644 --- a/.github/workflows/deploy-to-openshift-backend-uat.yml +++ b/.github/workflows/deploy-to-openshift-backend-uat.yml @@ -29,8 +29,8 @@ env: NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }} - MIN_REPLICAS: "3" - MAX_REPLICAS: "5" + MIN_REPLICAS: "2" + MAX_REPLICAS: "3" MIN_CPU: "50m" MAX_CPU: "250m" MIN_MEM: "200Mi" @@ -160,7 +160,7 @@ jobs: ${{ secrets.D365_API_PREFIX }} # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful diff --git a/.github/workflows/deploy-to-openshift-frontend-efx.yml b/.github/workflows/deploy-to-openshift-frontend-efx.yml new file mode 100644 index 00000000..529cd322 --- /dev/null +++ b/.github/workflows/deploy-to-openshift-frontend-efx.yml @@ -0,0 +1,166 @@ +name: 4 EFX - Deploy Frontend + +env: + # EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-test + + # SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} + + # EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote + ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca + + APP_NAME: 'ccof' + REPO_NAME: "educ-ccof" + #grabs the branch name from github dynamically + BRANCH: ${{ github.ref_name }} + IMAGE_NAME: "frontend" + APP_ENVIRONMENT: "efx" + + NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }} + + MIN_REPLICAS: "2" + MAX_REPLICAS: "3" + MIN_CPU: "50m" + MAX_CPU: "100m" + MIN_MEM: "200Mi" + MAX_MEM: "250Mi" + # SITE_URL should have no scheme or port. It will be prepended with https:// + HOST_ROUTE: ${{ secrets.SITE_URL }} + CA_CERT: ${{ secrets.CA_CERT }} + CERTIFICATE: ${{ secrets.CERTIFICATE }} + PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} + +on: + workflow_dispatch: + inputs: + tag: + description: 'The image tag to deploy' + required: true + type: string + +jobs: + openshift-ci-cd: + name: Deploy Frontend to EFX + runs-on: ubuntu-24.04 + environment: efx + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Print Workflow Dispatch Inputs and Env Vars + uses: shayki5/print-workflow-dispatch-inputs@v1 + with: + add_to_summary: 'true' + print_env_vars: 'false' + + - name: Check for required secrets + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v2 + with: + ref: ${{ env.BRANCH }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4.16 + + - name: Deploy + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + # Cancel any rollouts in progress + oc rollout cancel deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + || true && echo "No rollout in progress" + + # Create tag for TEST env from DEV env image + oc tag \ + ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} \ + ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} + + # Process and apply deployment template + oc process \ + -f tools/openshift/frontend.deployment.yaml \ + -p APP_NAME=${{ env.APP_NAME }} \ + -p REPO_NAME=${{ env.REPO_NAME }} \ + -p BRANCH=${{ env.BRANCH }} \ + -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \ + -p TAG=${{ inputs.tag }} \ + -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \ + -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \ + -p MIN_CPU=${{ env.MIN_CPU }} \ + -p MAX_CPU=${{ env.MAX_CPU }} \ + -p MIN_MEM=${{ env.MIN_MEM }} \ + -p MAX_MEM=${{ env.MAX_MEM }} \ + -p HOST_ROUTE=${{ env.HOST_ROUTE }} \ + -p CA_CERT="${{ env.CA_CERT }}" \ + -p CERTIFICATE="${{ env.CERTIFICATE }}" \ + -p PRIVATE_KEY="${{ env.PRIVATE_KEY }}" \ + -p APP_ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \ + -p BANNER_COLOR=${{ vars.BANNER_COLOR }} \ + -p BANNER_ENVIRONMENT=${{ vars.BANNER_ENVIRONMENT }} \ + -p VUE_APP_BCEID_REG_URL='${{ secrets.VUE_APP_BCEID_REG_URL }}' \ + | oc apply -f - + + # Start rollout (if necessary) and follow it + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + || true && echo "Rollout in progress" + + # Get status, returns 0 if rollout is successful + oc rollout status deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} + + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.8.0 + with: + target: 'https://${{ env.HOST_ROUTE }}' diff --git a/.github/workflows/deploy-to-openshift-frontend-prod.yml b/.github/workflows/deploy-to-openshift-frontend-prod.yml index 22161eca..c9631561 100644 --- a/.github/workflows/deploy-to-openshift-frontend-prod.yml +++ b/.github/workflows/deploy-to-openshift-frontend-prod.yml @@ -1,4 +1,4 @@ -name: 4 PROD - Deploy Frontend +name: 5 PROD - Deploy Frontend env: # EDIT your repository secrets to log into your OpenShift cluster and set up the context. @@ -156,7 +156,7 @@ jobs: | oc apply -f - # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful diff --git a/.github/workflows/deploy-to-openshift-frontend-qa.yml b/.github/workflows/deploy-to-openshift-frontend-qa.yml index b6fd6131..900cd5ae 100644 --- a/.github/workflows/deploy-to-openshift-frontend-qa.yml +++ b/.github/workflows/deploy-to-openshift-frontend-qa.yml @@ -149,7 +149,7 @@ jobs: | oc apply -f - # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful diff --git a/.github/workflows/deploy-to-openshift-frontend-uat.yml b/.github/workflows/deploy-to-openshift-frontend-uat.yml index 2f3f5383..23bb0510 100644 --- a/.github/workflows/deploy-to-openshift-frontend-uat.yml +++ b/.github/workflows/deploy-to-openshift-frontend-uat.yml @@ -29,10 +29,8 @@ env: NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }} - - - MIN_REPLICAS: "3" - MAX_REPLICAS: "5" + MIN_REPLICAS: "2" + MAX_REPLICAS: "3" MIN_CPU: "50m" MAX_CPU: "100m" MIN_MEM: "200Mi" @@ -156,7 +154,7 @@ jobs: | oc apply -f - # Start rollout (if necessary) and follow it - oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ + oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \ || true && echo "Rollout in progress" # Get status, returns 0 if rollout is successful