NIT-994 pipeline for installing helm charts #36
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: helm-releases | |
| on: | |
| push: | |
| branches: [NIT-994-alfresco-pipeline-for-deployments-helm, main] | |
| # Ecluding path as they are specifig to building Share container image | |
| paths-ignore: | |
| - 'docker-files/Dockerfile-share' | |
| - '.github/workflows/cloud-platform-build-push-share.yml' | |
| workflow_dispatch: | |
| jobs: | |
| poc-deployment-job: | |
| # Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at: | |
| # https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments | |
| environment: poc | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - name: Checkout current repo | |
| uses: actions/checkout@v3 | |
| - name: Configure aws credentials for ECR | |
| uses: aws-actions/[email protected] | |
| with: | |
| role-to-assume: ${{ secrets.SHARE_ECR_ROLE_TO_ASSUME }} | |
| aws-region: ${{ vars.SHARE_ECR_REGION }} | |
| - name: ECR login | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| id: login-ecr | |
| - name: Alfresco Enterprise image repository login | |
| run: docker login quay.io -u ${{ secrets.ALFRESCO_QUAY_IO_USERNAME }} -p ${{ secrets.ALFRESCO_QUAY_IO_PASSWORD }} | |
| - name: Install Kubernetes | |
| uses: azure/[email protected] | |
| with: | |
| version: 'v1.26.0' # default is latest stable | |
| id: kubectl_install | |
| - name: Install Helm | |
| uses: azure/[email protected] | |
| with: | |
| version: 'v3.9.0' | |
| id: helm_install | |
| - name: PoC deployment | |
| env: | |
| KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} | |
| KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} | |
| SECRET: $(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) 2> /dev/null | |
| BUCKET_NAME: $(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.bucket_name}' | base64 -d)) | |
| working-directory: ./alfresco-content-services | |
| # shell: bash | |
| run: | | |
| # See this link how github action secrets are created: https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount | |
| # See this example on how to use github secrets: https://github.com/ministryofjustice/cloud-platform-example-application/blob/main/.github/workflows/deploy.yml#L38 | |
| echo "${{ secrets.KUBE_CERT }}" > ca.crt | |
| kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} | |
| kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} | |
| kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} | |
| kubectl config use-context ${KUBE_CLUSTER} | |
| # For Alfresco, we only use one single namespace | |
| kubectl config set-context --current --namespace=${KUBE_NAMESPACE} | |
| # Helm will not deploy unless this secret is present. Create a new one if one does not already exist from env section | |
| if [ -z ${SECRET} ] | |
| then | |
| SECRET=$(openssl rand -base64 20) | |
| fi | |
| echo "===== secret value = ${SECRET}" | |
| # Upgrad an existing release or create a new one if one does not exist | |
| helm upgrade --install alfresco-content-services . --values=./values.yaml \ | |
| --set s3connector.config.bucketName=${BUCKET_NAME} \ | |
| --set global.tracking.sharedsecret=${SECRET} \ | |
| --atomic |