From 7aea787f8e479769da8db45291c06703544f9bb5 Mon Sep 17 00:00:00 2001 From: SoLetsDev <74216496+SoLetsDev@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:09:56 -0700 Subject: [PATCH] reverting changes made to test github actions deploy flow to be done via a PR. --- .github/workflows/api.yml | 4 +- .github/workflows/deploy-to.openshift-dev.yml | 174 ------------------ tools/config/update-configmap.sh | 87 --------- tools/jenkins/update-configmap.sh | 11 +- tools/openshift/api.dc.yaml | 34 ++-- 5 files changed, 25 insertions(+), 285 deletions(-) delete mode 100644 .github/workflows/deploy-to.openshift-dev.yml delete mode 100644 tools/config/update-configmap.sh diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml index a7a2a78..08501cb 100644 --- a/.github/workflows/api.yml +++ b/.github/workflows/api.yml @@ -30,8 +30,8 @@ jobs: working-directory: api steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@v2 + - uses: actions/setup-node@v1 with: node-version: '14.x' - run: npm ci diff --git a/.github/workflows/deploy-to.openshift-dev.yml b/.github/workflows/deploy-to.openshift-dev.yml deleted file mode 100644 index 8d0a10b..0000000 --- a/.github/workflows/deploy-to.openshift-dev.yml +++ /dev/null 
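Review bot: The two `uses:` lines in the api.yml hunk go back to `actions/checkout@v2` and `actions/setup-node@v1`, which were built for the Node 12 action runtime that GitHub has since deprecated, and both are still referenced by a mutable tag. Unless the revert really needs the old majors, keep v3 and pin each action to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`, so a retagged release cannot change what runs in CI. The context line `node-version: '14.x'` also selects a Node.js release line that is past end of life. The job definition starts before the hunk and continues after it.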
@@ -1,174 +0,0 @@ -name: Build & Deploy to DEV - -env: - # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. - # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. - # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions - OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} - OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} - OPENSHIFT_NAMESPACE_DEV: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-dev - - SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }} - CDOGS_CLIENT_ID: ${{ secrets.CDOGS_CLIENT_ID }} - CDOGS_CLIENT_SECRET: ${{ secrets.CDOGS_CLIENT_SECRET }} - CDOGS_TOKEN_ENDPOINT: ${{ secrets.CDOGS_TOKEN_ENDPOINT }} - CDOGS_BASE_URL: ${{ secrets.CDOGS_BASE_URL }} - - # 🖊️ EDIT to change the image registry settings. - # Registries such as GHCR, Quay.io, and Docker Hub are supported. - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - IMAGE_REGISTRY_USER: ${{ github.actor }} - IMAGE_REGISTRY_PASSWORD: ${{ github.token }} - - # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below. - IMAGE_TAGS: "" - - IMAGE_NAME: pen-report-generation-api-main - DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote - ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca - - APP_NAME: "pen-report-generation-api" - REPO_NAME: "educ-pen-report-generation-api" - #grabs the branch name from github dynamically - BRANCH: ${{ github.ref_name }} - APP_NAME_FULL: "pen-report-generation-api-main" - NAMESPACE: ${{ secrets.PEN_NAMESPACE_NO_ENV }} - COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }} - TAG: "latest" - MIN_REPLICAS_DEV: "1" - MAX_REPLICAS_DEV: "1" - MIN_CPU: "40m" - MAX_CPU: "80m" - MIN_MEM: "200Mi" - MAX_MEM: "400Mi" - -on: - push: - branches: - - main - workflow_dispatch: - -jobs: - build-and-deploy-dev: - name: Build and deploy to OpenShift DEV - # ubuntu-20.04 can also be used. 
- runs-on: ubuntu-20.04 - environment: dev - - outputs: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - - steps: - - name: Check for required secrets - uses: actions/github-script@v6 - with: - script: | - const secrets = { - OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, - OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, - }; - const GHCR = "ghcr.io"; - if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { - core.info(`Image registry is ${GHCR} - no registry password required`); - } - else { - core.info("A registry password is required"); - secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; - } - const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { - if (value.length === 0) { - core.error(`Secret "${name}" is not set`); - return true; - } - core.info(`✔️ Secret "${name}" is set`); - return false; - }); - if (missingSecrets.length > 0) { - core.setFailed(`❌ At least one required secret is not set in the repository. 
\n` + - "You can add it using:\n" + - "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + - "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + - "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); - } - else { - core.info(`✅ All the required secrets are set`); - } - - name: Check out repository - uses: actions/checkout@v3 - - - name: Determine image tags - if: env.IMAGE_TAGS == '' - run: | - echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - registry: ${{ env.DOCKER_ARTIFACTORY_REPO }} - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - # https://github.com/redhat-actions/buildah-build#readme - - name: Build from Dockerfile - id: build-image - uses: redhat-actions/buildah-build@v2 - with: - image: ${{ env.APP_NAME_FULL }} - tags: ${{ env.IMAGE_TAGS }} - - # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs - # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build - # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. 
- dockerfiles: | - ./api/Dockerfile - context: ./api - # https://github.com/redhat-actions/push-to-registry#readme - - name: Push to registry - id: push-image - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build-image.outputs.image }} - tags: ${{ steps.build-image.outputs.tags }} - registry: ${{ env.IMAGE_REGISTRY }} - username: ${{ env.IMAGE_REGISTRY_USER }} - password: ${{ env.IMAGE_REGISTRY_PASSWORD }} - - # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} - - - name: Install oc - uses: redhat-actions/openshift-tools-installer@v1 - with: - oc: 4 - - # https://github.com/redhat-actions/oc-login#readme - - uses: actions/checkout@v3 - - - name: Deploy API - run: | - set -eu - # Login to OpenShift and select project - oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} - oc project ${{ env.OPENSHIFT_NAMESPACE_DEV }} - # Cancel any rollouts in progress - oc rollout cancel dc/${{ env.IMAGE_NAME }} 2> /dev/null \ - || true && echo "No rollout in progress" - - oc tag ${{ steps.push-image.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} - - # Process and apply deployment template - oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ - | oc apply -f - - - curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/main/tools/config/update-configmap.sh | bash /dev/stdin dev ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.SPLUNK_TOKEN }} ${{ env.CDOGS_CLIENT_ID }} ${{ env.CDOGS_CLIENT_SECRET }} ${{ env.CDOGS_TOKEN_ENDPOINT }} ${{ env.CDOGS_BASE_URL }} - 
- # Start rollout (if necessary) and follow it - oc rollout latest dc/${{ env.IMAGE_NAME }} 2> /dev/null \ - || true && echo "Rollout in progress" - oc logs -f dc/${{ env.IMAGE_NAME }} - # Get status, returns 0 if rollout is successful - oc rollout status dc/${{ env.IMAGE_NAME }} -# TODO CHECK IF WE NEED TO DO ZAP SCAN -# - name: ZAP Scan -# uses: zaproxy/action-api-scan@v0.5.0 -# with: -# target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs' \ No newline at end of file diff --git a/tools/config/update-configmap.sh b/tools/config/update-configmap.sh deleted file mode 100644 index cf00188..0000000 --- a/tools/config/update-configmap.sh +++ /dev/null 
@@ -1,87 +0,0 @@ -envValue=$1 -APP_NAME=$2 -PEN_NAMESPACE=$3 -COMMON_NAMESPACE=$4 -SPLUNK_TOKEN=$5 -CDOGS_CLIENT_ID=$6 -CDOGS_CLIENT_SECRET=$7 -CDOGS_TOKEN_ENDPOINT=$8 -CDOGS_BASE_URL=$9 - -TZVALUE="America/Vancouver" -SOAM_KC_REALM_ID="master" -SOAM_KC=soam-$envValue.apps.silver.devops.gov.bc.ca -NATS_URL="nats://nats.${COMMON_NAMESPACE}-${envValue}.svc.cluster.local:4222" - -SOAM_KC_LOAD_USER_ADMIN=$(oc -n "$COMMON_NAMESPACE-$envValue" -o json get secret sso-admin-"${envValue}" | sed -n 's/.*"username": "\(.*\)"/\1/p' | base64 --decode) -SOAM_KC_LOAD_USER_PASS=$(oc -n "$COMMON_NAMESPACE-$envValue" -o json get secret sso-admin-"${envValue}" | sed -n 's/.*"password": "\(.*\)",/\1/p' | base64 --decode) - -echo Fetching SOAM token -TKN=$(curl -s \ - -d "client_id=admin-cli" \ - -d "username=$SOAM_KC_LOAD_USER_ADMIN" \ - -d "password=$SOAM_KC_LOAD_USER_PASS" \ - -d "grant_type=password" \ - "https://$SOAM_KC/auth/realms/$SOAM_KC_REALM_ID/protocol/openid-connect/token" | jq -r '.access_token') - -echo -echo Writing scope GENERATE_PEN_REPORT -curl -sX POST "https://$SOAM_KC/auth/admin/realms/$SOAM_KC_REALM_ID/client-scopes" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer $TKN" \ - -d "{\"description\": \"Generate reports related to PEN\",\"id\": \"GENERATE_PEN_REPORT\",\"name\": \"GENERATE_PEN_REPORT\",\"protocol\": \"openid-connect\",\"attributes\" : {\"include.in.token.scope\" : \"true\",\"display.on.consent.screen\" : \"false\"}}" - -########################################################### -#Setup for student-admin-flb-sc-config-map -########################################################### - -SPLUNK_URL="gww.splunk.educ.gov.bc.ca" -FLB_CONFIG="[SERVICE] - Flush 1 - Daemon Off - Log_Level debug - HTTP_Server On - HTTP_Listen 0.0.0.0 - HTTP_Port 2020 - Parsers_File parsers.conf -[INPUT] - Name tail - Path /mnt/log/* - Exclude_Path *.gz,*.zip - Parser docker - Mem_Buf_Limit 20MB - Buffer_Chunk_Size 5MB - Buffer_Max_Size 5MB -[FILTER] - Name 
record_modifier - Match * - Record hostname \${HOSTNAME} -[OUTPUT] - Name stdout - Match * -[OUTPUT] - Name splunk - Match * - Host $SPLUNK_URL - Port 443 - TLS On - TLS.Verify Off - Message_Key $APP_NAME - Splunk_Token $SPLUNK_TOKEN -" -PARSER_CONFIG=" -[PARSER] - Name docker - Format json -" - - -echo Creating config map "$APP_NAME"-config-map -oc create -n "$PEN_NAMESPACE"-"$envValue" configmap "$APP_NAME"-config-map --from-literal=TZ=$TZVALUE --from-literal=JWKS_URL="https://$SOAM_KC/auth/realms/$SOAM_KC_REALM_ID/protocol/openid-connect/certs" --from-literal=LOG_LEVEL=info --from-literal=REDIS_HOST=redis --from-literal=REDIS_PORT=6379 --from-literal=BODY_LIMIT="50MB" --from-literal=NATS_URL="$NATS_URL" --from-literal=CDOGS_TOKEN_ENDPOINT="$CDOGS_TOKEN_ENDPOINT" --from-literal=CDOGS_CLIENT_SECRET="$CDOGS_CLIENT_SECRET" --from-literal=CDOGS_CLIENT_ID="$CDOGS_CLIENT_ID" --from-literal=CDOGS_BASE_URL="$CDOGS_BASE_URL" --from-literal=NATS_MAX_RECONNECT=60 --dry-run -o yaml | oc apply -f - - -echo -echo Setting environment variables for "$APP_NAME-main" application -oc -n "$PEN_NAMESPACE-$envValue" set env --from=configmap/"$APP_NAME"-config-map dc/"$APP_NAME-main" - -echo Creating config map "$APP_NAME-flb-sc-config-map" -oc create -n "$PEN_NAMESPACE-$envValue" configmap "$APP_NAME"-flb-sc-config-map --from-literal=fluent-bit.conf="$FLB_CONFIG" --from-literal=parsers.conf="$PARSER_CONFIG" --dry-run -o yaml | oc apply -f - diff --git a/tools/jenkins/update-configmap.sh b/tools/jenkins/update-configmap.sh index cf00188..957b9e8 100644 --- a/tools/jenkins/update-configmap.sh +++ b/tools/jenkins/update-configmap.sh @@ -2,11 +2,7 @@ envValue=$1 APP_NAME=$2 PEN_NAMESPACE=$3 COMMON_NAMESPACE=$4 -SPLUNK_TOKEN=$5 -CDOGS_CLIENT_ID=$6 -CDOGS_CLIENT_SECRET=$7 -CDOGS_TOKEN_ENDPOINT=$8 -CDOGS_BASE_URL=$9 +APP_NAME_UPPER=${APP_NAME^^} TZVALUE="America/Vancouver" SOAM_KC_REALM_ID="master" 
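Review bot: `APP_NAME_UPPER=${APP_NAME^^}` relies on Bash 4 case modification, and the interpreter line is not part of this hunk. Under `sh` or an older Bash it fails as a bad substitution, and the `SPLUNK_TOKEN_${APP_NAME_UPPER}` lookup added further down then has no usable key. If Bash 4+ is not guaranteed on the Jenkins agent, use `APP_NAME_UPPER=$(printf '%s' "$APP_NAME" | tr '[:lower:]' '[:upper:]')`. The four positional parameters are also taken without a presence check; a guard such as `: "${4:?usage: update-configmap.sh ENV APP_NAME PEN_NAMESPACE COMMON_NAMESPACE}"` before the assignments would stop the script from building namespace names out of empty strings.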
@@ -34,6 +30,11 @@ curl -sX POST "https://$SOAM_KC/auth/admin/realms/$SOAM_KC_REALM_ID/client-scope ########################################################### #Setup for student-admin-flb-sc-config-map ########################################################### +CDOGS_CLIENT_ID=$(oc -n "$PEN_NAMESPACE-$envValue" -o json get configmaps "${APP_NAME}-${envValue}"-setup-config | sed -n "s/.*\"CDOGS_CLIENT_ID\": \"\(.*\)\",/\1/p") +CDOGS_CLIENT_SECRET=$(oc -n "$PEN_NAMESPACE-$envValue" -o json get configmaps "${APP_NAME}-${envValue}"-setup-config | sed -n "s/.*\"CDOGS_CLIENT_SECRET\": \"\(.*\)\",/\1/p") +CDOGS_TOKEN_ENDPOINT=$(oc -n "$PEN_NAMESPACE-$envValue" -o json get configmaps "${APP_NAME}-${envValue}"-setup-config | sed -n "s/.*\"CDOGS_TOKEN_ENDPOINT\": \"\(.*\)\",/\1/p") +CDOGS_BASE_URL=$(oc -n "$PEN_NAMESPACE-$envValue" -o json get configmaps "${APP_NAME}-${envValue}"-setup-config | sed -n "s/.*\"CDOGS_BASE_URL\": \"\(.*\)\",/\1/p") +SPLUNK_TOKEN=$(oc -n "$PEN_NAMESPACE-$envValue" -o json get configmaps "${APP_NAME}-${envValue}-setup-config" | sed -n "s/.*\"SPLUNK_TOKEN_${APP_NAME_UPPER}\": \"\(.*\)\"/\1/p") SPLUNK_URL="gww.splunk.educ.gov.bc.ca" FLB_CONFIG="[SERVICE] diff --git a/tools/openshift/api.dc.yaml b/tools/openshift/api.dc.yaml index 32f9185..8cf3a42 100644 --- a/tools/openshift/api.dc.yaml +++ b/tools/openshift/api.dc.yaml @@ -13,13 +13,13 @@ objects: openshift.io/generated-by: OpenShiftNewApp creationTimestamp: labels: - app: "${APP_NAME}-${BRANCH}" - name: "${APP_NAME}-${BRANCH}" + app: "${APP_NAME}-${JOB_NAME}" + name: "${APP_NAME}-${JOB_NAME}" spec: replicas: ${{MIN_REPLICAS}} selector: - app: "${APP_NAME}-${BRANCH}" - deploymentconfig: "${APP_NAME}-${BRANCH}" + app: "${APP_NAME}-${JOB_NAME}" + deploymentconfig: "${APP_NAME}-${JOB_NAME}" strategy: resources: {} type: Rolling 
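Review bot: `CDOGS_CLIENT_SECRET` and `SPLUNK_TOKEN` are now read from the `${APP_NAME}-${envValue}-setup-config` ConfigMap, so both credentials live in an object type that roles denied access to Secrets can usually still read; they belong in a Secret. The `sed` extraction is also fragile: the four CDOGS patterns need a trailing `",` and the SPLUNK one needs no comma, so the result depends on key order in the JSON output, and a miss leaves the variable empty without failing the script. Ask `oc` for the field directly, e.g. `CDOGS_CLIENT_ID=$(oc -n "$PEN_NAMESPACE-$envValue" get configmap "${APP_NAME}-${envValue}-setup-config" -o jsonpath='{.data.CDOGS_CLIENT_ID}')`, with the same form for the other four keys. After the lookups, fail fast on an empty value with `: "${SPLUNK_TOKEN:?SPLUNK_TOKEN not found in setup-config}"`. The rest of the script, including where these values are written out, lies outside the hunk.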
@@ -29,11 +29,11 @@ objects: openshift.io/generated-by: OpenShiftNewApp creationTimestamp: labels: - app: "${APP_NAME}-${BRANCH}" - deploymentconfig: "${APP_NAME}-${BRANCH}" + app: "${APP_NAME}-${JOB_NAME}" + deploymentconfig: "${APP_NAME}-${JOB_NAME}" spec: containers: - - image: image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${REPO_NAME}-${BRANCH}:${TAG} + - image: image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${REPO_NAME}-${JOB_NAME}:${TAG} imagePullPolicy: Always volumeMounts: - name: tls-certs @@ -51,7 +51,7 @@ objects: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 - name: "${APP_NAME}-${BRANCH}" + name: "${APP_NAME}-${JOB_NAME}" ports: - containerPort: 3000 protocol: TCP @@ -75,7 +75,7 @@ objects: cpu: "${MAX_CPU}" memory: "${MAX_MEM}" - image: artifacts.developer.gov.bc.ca/docker-remote/fluent/fluent-bit:1.5.7 - name: "${APP_NAME}-${BRANCH}-fluent-bit-sidecar" + name: "${APP_NAME}-${JOB_NAME}-fluent-bit-sidecar" imagePullPolicy: Always imagePullSecrets: - name: artifactory-creds @@ -132,8 +132,8 @@ objects: service.alpha.openshift.io/serving-cert-secret-name: "pen-report-generation-api-cert" creationTimestamp: labels: - app: "${APP_NAME}-${BRANCH}" - name: "${APP_NAME}-${BRANCH}" + app: "${APP_NAME}-${JOB_NAME}" + name: "${APP_NAME}-${JOB_NAME}" spec: ports: - name: 3000-tcp @@ -145,17 +145,17 @@ objects: protocol: TCP targetPort: 443 selector: - app: "${APP_NAME}-${BRANCH}" - deploymentconfig: "${APP_NAME}-${BRANCH}" + app: "${APP_NAME}-${JOB_NAME}" + deploymentconfig: "${APP_NAME}-${JOB_NAME}" - apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: "${APP_NAME}-${BRANCH}-cpu-auto-scale" + name: "${APP_NAME}-${JOB_NAME}-cpu-auto-scale" spec: scaleTargetRef: apiVersion: apps.openshift.io/v1 kind: DeploymentConfig - name: "${APP_NAME}-backend-${BRANCH}" + name: "${APP_NAME}-backend-${JOB_NAME}" subresource: scale minReplicas: ${{MIN_REPLICAS}} maxReplicas: ${{MAX_REPLICAS}} 
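Review bot: In the HorizontalPodAutoscaler hunk, `scaleTargetRef.name` is `"${APP_NAME}-backend-${JOB_NAME}"`, while every other identifier renamed in this template is `"${APP_NAME}-${JOB_NAME}"`. If the DeploymentConfig carries the latter name (its `metadata` is only partly visible in the first hunk), the autoscaler targets an object that does not exist and the replica count never moves off `MIN_REPLICAS`. The rename carried the `-backend-` infix over unchanged; the line should probably read `name: "${APP_NAME}-${JOB_NAME}"`, to be confirmed against the DeploymentConfig's `metadata.name`.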
@@ -170,7 +170,7 @@ parameters: - name: REPO_NAME description: Application repository name required: true -- name: BRANCH +- name: JOB_NAME description: Job identifier (i.e. 'pr-5' OR 'master') required: true - name: NAMESPACE @@ -181,7 +181,7 @@ parameters: required: true - name: HOST_ROUTE description: The host the route will use to expose service outside cluster - required: false + required: true - name: TAG description: The identifying tag for this specific deployment required: true