chore: manuel service account generator (#210)

* chore: test passing name into login action * chore: modifiy deploy login process * chore: modify service account reference * chore: complete the manually run script for sa creation * chore: update the login credential use in all actions * chore: remove testing stanza from deploy staggered * chore: fix test workflow old * chore: fix xlog compare job * chore: change xlog credential to production
bcgov · Dec 5, 2024 · 89b90cf · 89b90cf
1 parent 449d73b
commit 89b90cf
Show file tree

Hide file tree

Showing 15 changed files with 590 additions and 24 deletions.
diff --git a/.github/workflows/deploy-staggered.yml b/.github/workflows/deploy-staggered.yml
@@ -37,10 +37,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
-
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
       - name: Set DR to active using main-dr branch
         run: |
           echo "Running on the $NAMESPACE namespace"
@@ -56,9 +55,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Confirm GoldDR Endpoint is passing
         run: |

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -31,9 +31,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Run transition script
         run: |

diff --git a/.github/workflows/preemptive-failover.yml b/.github/workflows/preemptive-failover.yml
@@ -34,9 +34,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Install system dependencies
         run: |

diff --git a/.github/workflows/schedule-preemptive-failove.yml b/.github/workflows/schedule-preemptive-failove.yml
@@ -42,9 +42,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Run transition script
         run: |

diff --git a/.github/workflows/set-dr-to-standby.yml b/.github/workflows/set-dr-to-standby.yml
@@ -36,9 +36,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Run transition script
         run: |

diff --git a/.github/workflows/switch-to-golddr.yml b/.github/workflows/switch-to-golddr.yml
@@ -54,9 +54,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Run transition script
         run: |

diff --git a/.github/workflows/test-failover-workflows.yml b/.github/workflows/test-failover-workflows.yml
@@ -50,9 +50,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
       - name: Install test dependencies
         run: |
           sudo apt update

diff --git a/.github/workflows/test-workflows-old.yml b/.github/workflows/test-workflows-old.yml
@@ -19,9 +19,9 @@ jobs:
         with:
           namespace: ${{ github.event.inputs.namespace }}
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
 
       - name: Run transition script
         run: |

diff --git a/.github/workflows/turn-off-gold-routing.yml b/.github/workflows/turn-off-gold-routing.yml
@@ -39,9 +39,9 @@ jobs:
         with:
           namespace: $NAMESPACE
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets[format('OPENSHIFT_TOKEN_GOLD_{0}', github.event.inputs.project)] }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets[format('OPENSHIFT_TOKEN_GOLDDR_{0}', github.event.inputs.project)] }}
       - name: Enable or Disable Gold Route
         run: |
           echo "Running on the $NAMESPACE namespace"

diff --git a/.github/workflows/xlog-cron-compare.yml b/.github/workflows/xlog-cron-compare.yml
@@ -16,9 +16,9 @@ jobs:
         with:
           namespace: ${{ github.event.inputs.namespace }}
           oc-server-gold: ${{ secrets.OPENSHIFT_SERVER_GOLD }}
-          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD }}
+          oc-token-gold: ${{ secrets.OPENSHIFT_TOKEN_GOLD_PRODUCTION }}
           oc-server-golddr: ${{ secrets.OPENSHIFT_SERVER_GOLDDR }}
-          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR }}
+          oc-token-golddr: ${{ secrets.OPENSHIFT_TOKEN_GOLDDR_PRODUCTION }}
 
       - name: Run xlog comparison
         run: |

diff --git a/service-account-generator/README.md b/service-account-generator/README.md
@@ -0,0 +1,30 @@
+# Generating service accounts for the CICD pipeline
+
+The github actions need service accounts to run. The script `generate_sa.sh` will create a service acount for the prod environment of a given openshift project and give that account the roles in the dev, test, and prod environments for deploying the keycloak site.
+
+## Generate the service accounts
+
+While logged into the **Gold** instance run:
+
+`
+./generate_sa.sh <<LICENCE_PLATE>> gold
+`
+
+The service account, roles, and rolebindings will be created.
+
+Log into the **GoldDR** cluster and repeat the same command.
+
+`
+./generate_sa.sh <<LICENCE_PLATE>> golddr
+`
+
+## Update the github action secrets
+
+The github actions rwquire 4 secrets to deploy resources in Gold and GoldDR.
+
+Each service account will generate a secret in the `-prod` namespace with the name `sso-action-deployer-<<LICENCE_PLATE>>-token-#####`.  Copy this token into the GithHub secrets on this repos.
+
+OPENSHIFT_TOKEN_GOLD_SANDBOX
+OPENSHIFT_TOKEN_GOLDDR_SANDBOX
+OPENSHIFT_TOKEN_GOLD_PRODUCTION
+OPENSHIFT_TOKEN_GOLDDR_PRODUCTION
diff --git a/service-account-generator/generate_sa.sh b/service-account-generator/generate_sa.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+usage() {
+    cat <<EOF
+Creates a service account for the dev test and prod environments of the project with
+namespace licence plate arg.
+
+Usages:
+    $0 <project_licence_plate> <cluster>
+
+Available licence plates:
+    - e4ca1d
+    - eb75ad
+
+Available Clusters
+    - gold
+    - golddr
+
+Examples:
+    $ $0 e4ca1d gold
+EOF
+}
+
+if [ "$#" -lt 2 ]; then
+    usage
+    exit 1
+fi
+
+licence_plate=$1
+cluster=$2
+
+# create service account in prod
+oc -n "$licence_plate"-prod create sa sso-action-deployer-"$licence_plate"
+
+
+
+create_role_and_binding() {
+  if [ "$#" -lt 3 ]; then exit 1; fi
+  licence_plate=$1
+  env=$2
+  cluster=$3
+  namespace="$licence_plate-$env"
+
+  oc process -f ./templates/role-"$cluster".yaml -p NAMESPACE="$namespace" | oc -n "$namespace" apply -f -
+
+  oc -n "$namespace" create rolebinding sso-action-deployer-role-binding-"$namespace"   \
+  --role=sso-action-deployer-"$namespace" \
+  --serviceaccount="$licence_plate"-prod:sso-action-deployer-"$licence_plate"
+}
+
+# for dev, test and prod create the role and role binding
+create_role_and_binding "$licence_plate" "prod" "$cluster"
+
+create_role_and_binding "$licence_plate" "test" "$cluster"
+
+create_role_and_binding "$licence_plate" "dev" "$cluster"