diff --git a/.github/workflows/deploy-to-openshift-frontend-dev.yml b/.github/workflows/deploy-to-openshift-frontend-dev.yml index 327d2e9d..9a20446e 100644 --- a/.github/workflows/deploy-to-openshift-frontend-dev.yml +++ b/.github/workflows/deploy-to-openshift-frontend-dev.yml @@ -1,32 +1,175 @@ -# This is a basic workflow that is manually triggered +# OFM Frontend DEV workflow name: 1 DEV - Deploy Frontend -# Controls when the action will run. Workflow runs when manually triggered using the UI -# or API. +env: + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-dev + + # SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} + + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote + ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca + + APP_NAME: 'ofm' + REPO_NAME: 'ecc-ofm' + #grabs the branch name from github dynamically + BRANCH: ${{ github.ref_name }} + APP_NAME_FRONTEND: 'frontend' + APP_FOLDER: 'frontend' + NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }} + #NAMESPACE_TOOLS: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-tools + #COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }} + TAG: 'latest' + + MIN_REPLICAS: '1' + MAX_REPLICAS: '1' + MIN_CPU: '50m' + MAX_CPU: '100m' + MIN_MEM: '200Mi' + MAX_MEM: '250Mi' + # SITE_URL should have no scheme or port. It will be prepended with https:// + HOST_ROUTE: ${{ secrets.SITE_URL }} + CA_CERT: ${{ secrets.CA_CERT }} + CERTIFICATE: ${{ secrets.CERTIFICATE }} + PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} + on: workflow_dispatch: - # Inputs the workflow accepts. - inputs: - name: - # Friendly description to be shown in the UI instead of 'name' - description: 'Person to greet' - # Default value if no value is explicitly provided - default: 'World' - # Input has to be provided for the workflow to run - required: true - # The data type of the input - type: string - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel + jobs: - # This workflow contains a single job called "greet" - greet: - # The type of runner that the job will run on - runs-on: ubuntu-latest + openshift-ci-cd: + name: Build and deploy Frontend to DEV + runs-on: ubuntu-20.04 + environment: dev + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Runs a single command using the runners shell - - name: Send greeting - run: echo "Hello ${{ inputs.name }}" + - name: Check for required secrets + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository with branch [${{ env.BRANCH }}] + uses: actions/checkout@v2 + with: + ref: ${{ env.BRANCH }} + + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + registry: ${{ env.DOCKER_ARTIFACTORY_REPO }} + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + + - name: Build frontend from Dockerfile + id: build-image-frontend + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.APP_NAME_FRONTEND }} + tags: 'latest' + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. + dockerfiles: | + ./${{ env.APP_FOLDER }}/Dockerfile + context: ./${{ env.APP_FOLDER }} + + # https://github.com/redhat-actions/push-to-registry#readme + - name: Push frontend to registry + id: push-image-frontend + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image-frontend.outputs.image }} + tags: ${{ steps.build-image-frontend.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + # - uses: actions/checkout@v2 + - name: Deploy + run: | + set -eux + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE }} + # Cancel any rollouts in progress + oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }} 2> /dev/null \ + || true && echo "No rollout in progress" + + # Create the image stream if it doesn't exist + oc create imagestream ${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.BRANCH }} 2> /dev/null || true && echo "Frontend image stream in place" + + oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.BRANCH }}:${{ env.TAG }} + + # Process and apply deployment template + oc process -f tools/openshift/frontend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \ + -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \ + -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} \ + | oc apply -f - + + # Start rollout (if necessary) and follow it + oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }} 2> /dev/null \ + || true && echo "Rollout in progress" + + # Get status, returns 0 if rollout is successful + oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }} + + # - name: ZAP Scan + # uses: zaproxy/action-full-scan@v0.3.0 + # with: + # target: 'https://${{ env.HOST_ROUTE }}' diff --git a/tools/openshift/frontend.dc.yaml b/tools/openshift/frontend.dc.yaml new file mode 100644 index 00000000..2c12a589 --- /dev/null +++ b/tools/openshift/frontend.dc.yaml @@ -0,0 +1,190 @@ +--- +apiVersion: template.openshift.io/v1 +kind: Template +labels: + template: '${REPO_NAME}-template' +metadata: + name: '${REPO_NAME}-frontend-dc' +objects: + - apiVersion: v1 + kind: DeploymentConfig + metadata: + annotations: + openshift.io/generated-by: OpenShiftNewApp + creationTimestamp: + labels: + app: '${APP_NAME}-${BRANCH}' + branch: '${BRANCH}' + name: '${APP_NAME}-frontend' + spec: + replicas: ${{MIN_REPLICAS}} + selector: + app: '${APP_NAME}-${BRANCH}' + deploymentconfig: '${APP_NAME}-frontend' + strategy: + resources: {} + type: Rolling + template: + metadata: + annotations: + openshift.io/generated-by: OpenShiftNewApp + creationTimestamp: + labels: + app: '${APP_NAME}-${BRANCH}' + deploymentconfig: '${APP_NAME}-frontend' + spec: + containers: + - image: image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${REPO_NAME}-frontend-${BRANCH}:${TAG} + imagePullPolicy: Always + volumeMounts: + - name: tls-certs + mountPath: '/etc/tls-certs' + readOnly: true + - name: config-env + mountPath: '/srv/js/config' + livenessProbe: + failureThreshold: 3 + httpGet: + path: '/' + port: 2015 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: '${APP_NAME}-frontend' + ports: + - containerPort: 2015 + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: '/' + port: 2015 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: '${MIN_CPU}' + memory: '${MIN_MEM}' + limits: + cpu: '${MAX_CPU}' + memory: '${MAX_MEM}' + volumes: + - name: tls-certs + secret: + secretName: ofm-frontend-cert + - name: config-env + configMap: + name: ofm-frontend-config-map + test: false + triggers: + - type: ConfigChange + - apiVersion: v1 + kind: Service + metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: 'ofm-frontend-cert' + openshift.io/generated-by: OpenShiftNewApp + creationTimestamp: + labels: + app: '${APP_NAME}-${BRANCH}' + name: '${APP_NAME}-frontend' + spec: + ports: + - name: 2015-tcp + port: 2015 + protocol: TCP + targetPort: 2015 + selector: + app: '${APP_NAME}-${BRANCH}' + deploymentconfig: '${APP_NAME}-frontend' + # - apiVersion: v1 + # kind: Route + # metadata: + # annotations: + # openshift.io/host.generated: 'true' + # labels: + # app: "${APP_NAME}-${BRANCH}" + # name: "${APP_NAME}-frontend-https" + # spec: + # host: "${HOST_ROUTE}" + # port: + # targetPort: 2015-tcp + # tls: + # caCertificate: "${CA_CERT}" + # certificate: "${CERTIFICATE}" + # insecureEdgeTerminationPolicy: Redirect + # key: "${PRIVATE_KEY}" + # termination: edge + # to: + # kind: Service + # name: "${APP_NAME}-frontend-${BRANCH}" + # weight: 100 + # wildcardPolicy: None + - apiVersion: autoscaling/v2 + kind: HorizontalPodAutoscaler + metadata: + name: '${APP_NAME}-frontend-cpu-autoscaler' + spec: + scaleTargetRef: + apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + name: '${APP_NAME}-frontend' + subresource: scale + minReplicas: ${{MIN_REPLICAS}} + maxReplicas: ${{MAX_REPLICAS}} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 90 +parameters: + - name: REPO_NAME + description: Application repository name + required: true + - name: BRANCH + description: Job identifier (i.e. 'pr-5' OR 'master') + required: true + - name: NAMESPACE + description: Target namespace reference (i.e. 'k8vopl-dev') + required: true + - name: APP_NAME + description: Application name + required: true + - name: HOST_ROUTE + description: The host the route will use to expose service outside cluster + required: true + - name: TAG + description: The identifying tag for this specific deployment + required: true + - name: MIN_REPLICAS + description: The minimum amount of replicas + required: true + - name: MAX_REPLICAS + description: The maximum amount of replicas + required: true + - name: MIN_CPU + description: The minimum amount of cpu + required: true + - name: MAX_CPU + description: The maximum amount of cpu + required: true + - name: MIN_MEM + description: The minimum amount of memory + required: true + - name: MAX_MEM + description: The maximum amount of memory + required: true +# - name: CA_CERT +# description: The CA Certificate +# required: true +# - name: CERTIFICATE +# description: The Certificate +# required: true +# - name: PRIVATE_KEY +# description: The private key +# required: true