Skip to content

feat(FSADT1-1281): adding encryption to the connection #5001

feat(FSADT1-1281): adding encryption to the connection

feat(FSADT1-1281): adding encryption to the connection #5001

Workflow file for this run

name: Pull Request Open
on:
pull_request:
concurrency:
# PR open and close use the same group, allowing only one at a time
group: ${{ github.event.number }}
cancel-in-progress: true
jobs:
vars:
name: Variables
runs-on: ubuntu-24.04
outputs:
url: ${{ steps.calculate.outputs.url }}
steps:
# steps.calculate.outputs.url => needs.vars.outputs.url
- name: Calculate the deployment number
id: calculate
run: |
echo "url=${{ github.event.repository.name }}-$((${{ github.event.number }} % 50))-frontend.apps.silver.devops.gov.bc.ca" >> $GITHUB_OUTPUT
builds:
name: Builds
runs-on: ubuntu-24.04
permissions:
packages: write
strategy:
matrix:
package: [backend, database, frontend, legacy, legacydb, processor]
steps:
- uses: bcgov-nr/[email protected]
name: Build (${{ matrix.package }})
with:
package: ${{ matrix.package }}
tag: ${{ github.event.number }}
tag_fallback: latest
triggers: ('${{ matrix.package }}/')
build_args: |
APP_VERSION=${{ github.event.number }}
pre-tools:
name: Pre Deploy Tools
needs: [builds, vars]
environment: dev
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Scale down legacy
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
oc scale dc/nr-forest-client-${{ github.event.number }}-legacy --replicas=0 -n ${{ secrets.OC_NAMESPACE }}
undesired_replicas=0
while true; do
available_replicas=$(oc get dc/nr-forest-client-${{ github.event.number }}-legacy -n ${{ secrets.OC_NAMESPACE }} -o jsonpath='{.status.availableReplicas}')
if [[ "$available_replicas" -ge "$undesired_replicas" ]]; then
echo "DeploymentConfig ${{ secrets.OC_NAMESPACE }}-${{ github.event.number }}-legacy is now available with $available_replicas replicas."
break
fi
echo "Waiting... ($available_replicas pods available)"
sleep 5
done
deploy-tools:
name: Deploy Tools
needs: [pre-tools, builds]
environment: tools
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Initializing Deployment
uses: bcgov-nr/[email protected]
with:
file: legacydb/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: false
parameters:
-p ZONE=tools
-p ORACLEDB_USER_W=THE
-p ORACLEDB_PASSWORD_W=${{ secrets.ORACLEDB_PASSWORD_W }}
-p TAG=latest
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Remove the PR database
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This removes a new pluggable database, user and service for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/removeDatabase "THE" "PR_${{ github.event.number }}"
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Create the PR database
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This creates a new pluggable database for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/createDatabase PR_${{ github.event.number }}
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Create the PR user
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This creates a new pluggable database for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/createAppUser "THE" "${{ secrets.ORACLEDB_PASSWORD_W }}_${{ github.event.number }}" "PR_${{ github.event.number }}"
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Migrate the PR database
continue-on-error: true
run: |
BRANCH_NAME="${{ github.head_ref }}"
# Escape slashes and other special characters
ESCAPED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/[\/&]/\\&/g')
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
oc create job --from=cronjob/nr-forest-client-tools-migratedb migrate-pr${{ github.event.number }}-${{ github.run_attempt }}-$(date +%s) --dry-run=client -o yaml | sed "s/value: main/value: ${ESCAPED_BRANCH_NAME}/" | sed "s/value: \"0\"/value: \"${{ github.event.number }}\"/" | oc apply -f -
deploy:
name: Deploy Application
needs: [deploy-tools, builds, vars]
environment: dev
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Initializing Deployment
uses: bcgov-nr/[email protected]
with:
file: common/openshift.init.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters:
-p ZONE=${{ github.event.number }}
-p ORACLEDB_USER=${{ secrets.ORACLEDB_USERNAME }}
-p ORACLEDB_PASSWORD=${{ secrets.ORACLEDB_PASSWORD }}
-p ORACLEDB_USER_W=THE
-p ORACLEDB_PASSWORD_W=${{ secrets.ORACLEDB_PASSWORD_W }}_${{ github.event.number }}
-p ORACLEDB_DATABASE=${{ secrets.ORACLEDB_DATABASE }}
-p ORACLEDB_HOST="nr-forest-client-tools-legacydb.d2723f-tools.svc.cluster.local"
-p ORACLEDB_SERVICENAME=PR_${{ github.event.number }}
-p ORACLEDB_SECRET=${{ secrets.ORACLEDB_SECRET }}
-p BCREGISTRY_KEY=${{ secrets.BCREGISTRY_KEY }}
-p BCREGISTRY_ACCOUNT=${{ secrets.BCREGISTRY_ACCOUNT }}
-p CHES_CLIENT_ID=${{ secrets.CHES_CLIENT_ID }}
-p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }}
-p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }}
-p DB_PASSWORD=$(echo ${{github.ref}}${{github.event.number}}|md5sum|cut -d' ' -f1)
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_ENVIRONMENT=DEV
-p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }}
- name: Deploy Database Backup
uses: bcgov-nr/[email protected]
with:
file: database/openshift.backup.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Backup database before update
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# Run a backup before deploying a new version
oc create job --from=cronjob/${{ github.event.repository.name }}-${{ github.event.number }}-database-backup \
${{ github.event.repository.name }}-${{ github.event.number }}-database-backup-$(date +%Y%m%d%H%M%S)
- name: Deploy Database
uses: bcgov-nr/[email protected]
with:
file: database/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: false
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
- name: Deploy Legacy
uses: bcgov-nr/[email protected]
with:
file: legacy/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
verification_path: health
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
-p ENVIRONMENT=${{ secrets.OC_NAMESPACE }}
-p ORACLEDB_PORT=1521
- name: Deploy Processor
uses: bcgov-nr/[email protected]
with:
file: processor/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
verification_path: health
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
-p BCREGISTRY_URI='https://bcregistry-prod.apigee.net'
- name: Deploy Backend ConfigMap
uses: bcgov-nr/[email protected]
with:
file: backend/openshift.configmap.dev.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters:
-p ZONE=${{ github.event.number }}
- name: Deploy Backend
uses: bcgov-nr/[email protected]
with:
file: backend/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
verification_path: health
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
-p CHES_TOKEN_URL='https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token'
-p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1'
-p BCREGISTRY_URI='https://bcregistry-prod.apigee.net'
-p COGNITO_REGION=ca-central-1
-p FRONTEND_URL=${{ needs.vars.outputs.url }}
- name: Dev data replacement
uses: bcgov-nr/[email protected]
with:
file: database/openshift.dev.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters: -p ZONE=${{ github.event.number }}
- name: Deploy Frontend ConfigMap
uses: bcgov-nr/[email protected]
with:
file: frontend/openshift.configmap.dev.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters:
-p ZONE=${{ github.event.number }}
- name: Deploy Frontend
uses: bcgov-nr/[email protected]
with:
file: frontend/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
oc_version: "4.13"
overwrite: true
parameters:
-p ZONE=${{ github.event.number }}
-p TAG=${{ github.event.number }}
-p VITE_NODE_ENV=openshift-dev
-p URL=${{ needs.vars.outputs.url }}
-p GREEN_DOMAIN=${{ secrets.GREEN_DOMAIN }}
-p COGNITO_REGION=${{ secrets.COGNITO_REGION }}
-p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }}
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=DEV
-p LANDING_URL=${{ needs.vars.outputs.url }}
-p FRONTEND_URL=${{ needs.vars.outputs.url }}
cypress-run:
name: "User flow test"
runs-on: ubuntu-24.04
needs: [deploy, vars]
environment: tools
env:
URL: ${{ needs.vars.outputs.url }}
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-node@v4
name: Start node
with:
node-version: 18
- name: Run Cypress End-to-End
uses: cypress-io/github-action@v5
with:
working-directory: cypress
env:
CYPRESS_baseUrl: https://${{ env.URL }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CYPRESS_editor_password: ${{ secrets.UAT_EDITOR_PASSWORD }}
CYPRESS_editor_username: ${{ secrets.UAT_EDITOR_USERNAME }}
CYPRESS_admin_password: ${{ secrets.UAT_ADMIN_PASSWORD }}
CYPRESS_admin_username: ${{ secrets.UAT_ADMIN_USERNAME }}
CYPRESS_viewer_password: ${{ secrets.UAT_VIEWER_PASSWORD }}
CYPRESS_viewer_username: ${{ secrets.UAT_VIEWER_USERNAME }}
CYPRESS_bceid_password: ${{ secrets.UAT_BCEID_PASSWORD }}
CYPRESS_bceid_username: ${{ secrets.UAT_BCEID_USERNAME }}
CYPRESS_bcsc_password: ${{ secrets.UAT_BCSC_PASSWORD }}
CYPRESS_bcsc_username: ${{ secrets.UAT_BCSC_USERNAME }}
- name: Publish Cypress Results
uses: mikepenz/action-junit-report@v5
continue-on-error: true
if: always()
with:
report_paths: cypress/result.xml
commit: ${{ github.event.pull_request.head.sha }}
summary: Cypress Test Results
detailed_summary: true
job_name: User Journeys
- name: Check for Cypress Screenshots and Videos
run: |
if [ -d "cypress/cypress/screenshots" ] && [ "$(ls -A cypress/cypress/screenshots)" ]; then
echo "Screenshots folder is not empty, uploading artifacts."
echo "screenshots=true" >> $GITHUB_OUTPUT
else
echo "Screenshots folder is empty or does not exist."
echo "screenshots=false" >> $GITHUB_OUTPUT
fi
if [ -d "cypress/cypress/videos" ] && [ "$(ls -A cypress/cypress/videos)" ]; then
echo "Videos folder is not empty, uploading artifacts."
echo "videos=true" >> $GITHUB_OUTPUT
else
echo "Videos folder is empty or does not exist."
echo "videos=false" >> $GITHUB_OUTPUT
fi
id: check_artifacts
- uses: actions/upload-artifact@v4
name: Upload Cypress Screenshots
if: always()
with:
name: cypress-screenshots
path: cypress/cypress/screenshots
retention-days: 7
- uses: actions/upload-artifact@v4
name: Upload Cypress Videos
if: always()
with:
name: cypress-videos
path: cypress/cypress/videos
retention-days: 7
scale-down-after:
name: Scale down legacy
needs: [cypress-run]
environment: dev
if: always()
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Stop the Legacy Service
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
oc scale dc/nr-forest-client-${{ github.event.number }}-legacy --replicas=0
undesired_replicas=0
while true; do
available_replicas=$(oc get dc/nr-forest-client-${{ github.event.number }}-legacy -n ${{ secrets.OC_NAMESPACE }} -o jsonpath='{.status.availableReplicas}')
if [[ "$available_replicas" -ge "$undesired_replicas" ]]; then
echo "DeploymentConfig ${{ secrets.OC_NAMESPACE }}-${{ github.event.number }}-legacy is now available with $available_replicas replicas."
break
fi
echo "Waiting... ($available_replicas pods available)"
sleep 5
done
recreate-database:
name: Recreate database
needs: [scale-down-after]
environment: tools
if: always()
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Remove the PR database
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This removes a new pluggable database, user and service for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/removeDatabase "THE" "PR_${{ github.event.number }}"
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Create the PR database
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This creates a new pluggable database for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/createDatabase PR_${{ github.event.number }}
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Create the PR user
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
# This creates a new pluggable database for the PR
for i in {1..5}; do
POD_NAME=$(oc get pods -l app=nr-forest-client-tools -l deployment=nr-forest-client-tools-legacydb -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -n "$POD_NAME" ]; then
echo "Pod found: $POD_NAME"
oc exec $POD_NAME -- /opt/oracle/createAppUser "THE" "${{ secrets.ORACLEDB_PASSWORD_W }}_${{ github.event.number }}" "PR_${{ github.event.number }}"
break
else
echo "Pod not found, retrying in 10 seconds... ($i/5)"
sleep 10
fi
done
if [ -z "$POD_NAME" ]; then
echo "Failed to find the pod after 5 attempts."
fi
- name: Migrate the PR database
continue-on-error: true
run: |
BRANCH_NAME="${{ github.head_ref }}"
# Escape slashes and other special characters
ESCAPED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/[\/&]/\\&/g')
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
oc create job --from=cronjob/nr-forest-client-tools-migratedb migrate-pr${{ github.event.number }}-${{ github.run_attempt }}-$(date +%s) --dry-run=client -o yaml | sed "s/value: main/value: ${ESCAPED_BRANCH_NAME}/" | sed "s/value: \"0\"/value: \"${{ github.event.number }}\"/" | oc apply -f -
scale-up-legacy:
name: Scale up legacy
needs: [recreate-database]
environment: dev
if: always()
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install CLI tools from OpenShift Mirror
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: "4.13"
- name: Start the Legacy Service
continue-on-error: true
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
oc project ${{ secrets.OC_NAMESPACE }} # Safeguard!
oc scale dc/nr-forest-client-${{ github.event.number }}-legacy --replicas=1
results:
name: PR Results
needs: [builds, pre-tools, deploy-tools, deploy, cypress-run, scale-down-after, recreate-database, scale-up-legacy]
if: always()
runs-on: ubuntu-24.04
steps:
- if: contains(needs.*.result, 'failure')
run: echo "At least one job has failed." && exit 1
- run: echo "Success!"