Skip to content

Commit

Permalink
Ofmcc 638 setup prod (#277)
Browse files Browse the repository at this point in the history 
* Initial frontend script.

* Backend and confifmap updates.

* Fixed configmap.

* Fixed reference.

* Updates for SOAM_KC.

* Formatting fix.

* Alternate approach.

* URL update.

* fix: replicas & minor details

* feat: pass certs to dc that uses tls in the route

* feat: tweak configmap for prod

* fix: missing quotes around multiline param

* fix: remove redundant optional params

* feat: pass in and require HOST_ROUTE

* fix: typo

* chore: simplify url & certificate params

* feat: tls support for API route

* fix: URL reference

* feat: require all operational secrets in prod

* fix: the other URL reference

* Updates cookie settings to match non-tls files.

---------

Co-authored-by: weskubo-cgi <[email protected]>
Co-authored-by: Trevor Richards <[email protected]>
  • Loading branch information
@weskubo-cgi @trev-dev
3 people authored Jul 24, 2024
1 parent 2ad9b7e commit 9e8133c
Show file tree
Hide file tree
Showing 5 changed files with 749 additions and 56 deletions.
180 changes: 155 additions & 25 deletions .github/workflows/deploy-to-openshift-backend-prod.yml
View file
Original file line number Diff line number Diff line change
@@ -1,32 +1,162 @@
# This is a basic workflow that is manually triggered
# OFM Backend PROD workflow
name: 4 PROD - Deploy Backend

name: 5 PROD - Deploy Backend
env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-prod
COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}

# SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

APP_NAME: 'ofm'
REPO_NAME: 'ecc-ofm'
#grabs the branch name from github dynamically
BRANCH: ${{ github.ref_name }}
IMAGE_NAME: 'ecc-ofm-backend'
APP_NAME_BACKEND: 'backend'
# We have multiple environments in each openshift namespace dev, test in DEV and uat, efx in TEST. This setting will help name the deployment config and routes for each.
APP_ENVIRONMENT: 'prod'

NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}

MIN_REPLICAS: '3'
MAX_REPLICAS: '5'
MIN_CPU: '50m'
MAX_CPU: '250m'
MIN_MEM: '200Mi'
MAX_MEM: '700Mi'

# Controls when the action will run. Workflow runs when manually triggered using the UI
# or API.
on:
workflow_dispatch:
# Inputs the workflow accepts.
inputs:
name:
# Friendly description to be shown in the UI instead of 'name'
description: 'Person to greet'
# Default value if no value is explicitly provided
default: 'World'
# Input has to be provided for the workflow to run
required: true
# The data type of the input
type: string

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:
# This workflow contains a single job called "greet"
greet:
# The type of runner that the job will run on
runs-on: ubuntu-latest
openshift-ci-cd:
name: Deploy Backend to PROD
runs-on: ubuntu-24.04
environment: prod

outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Runs a single command using the runners shell
- name: Send greeting
run: echo "Hello ${{ inputs.name }}"
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository with branch [${{ env.BRANCH }}]
uses: actions/checkout@v3
with:
ref: ${{ env.BRANCH }}

- name: Get latest tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag

- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4.16

- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.IMAGE_NAME }} 2> /dev/null || true && echo "backend image stream in place"
# Create tag for PROD env from DEV env image
oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-prod/${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}:${{ steps.get-latest-tag.outputs.tag }}
# Process and apply deployment template
oc process -f tools/openshift/backend-tls.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ steps.get-latest-tag.outputs.tag }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p HOST_ROUTE=${{ secrets.SITE_URL }} \
-p CA_CERT='${{ secrets.CA_CERT }}' \
-p CERTIFICATE='${{ secrets.CERTIFICATE }}' \
-p PRIVATE_KEY='${{ secrets.PRIVATE_KEY }}' \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
| oc apply -f -
# Process update-configmap
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
| bash /dev/stdin \
prod \
${{ env.APP_NAME }} \
${{ env.NAMESPACE }} \
${{ env.COMMON_NAMESPACE }} \
${{ secrets.D365_API_PREFIX }} \
${{ secrets.D365_API_KEY_HEADER }} \
${{ secrets.D365_API_KEY_VALUE }} \
${{ secrets.SOAM_CLIENT_ID }} \
${{ secrets.SOAM_CLIENT_SECRET }} \
${{ secrets.SOAM_IDP_HINT_BCEID }} \
${{ secrets.SOAM_IDP_HINT_IDIR }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.APP_ENVIRONMENT }}
177 changes: 152 additions & 25 deletions .github/workflows/deploy-to-openshift-frontend-prod.yml
View file
Original file line number Diff line number Diff line change
@@ -1,32 +1,159 @@
# This is a basic workflow that is manually triggered
# OFM Frontend PROD workflow
name: 4 PROD - Deploy Frontend

name: 5 PROD - Deploy Frontend
env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-prod

# SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

APP_NAME: 'ofm'
REPO_NAME: 'ecc-ofm'
#grabs the branch name from github dynamically
BRANCH: ${{ github.ref_name }}
IMAGE_NAME: 'ecc-ofm-frontend'
APP_NAME_FRONTEND: 'frontend'
# We have multiple environments in each openshift namespace dev, test in DEV and uat, efx in TEST. This setting will help name the deployment config and routes for each.
APP_ENVIRONMENT: 'prod'

NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}

MIN_REPLICAS: '3'
MAX_REPLICAS: '5'
MIN_CPU: '50m'
MAX_CPU: '100m'
MIN_MEM: '200Mi'
MAX_MEM: '250Mi'

# Frontend configuration
BANNER_ENVIRONMENT: ''
BANNER_COLOR: ''
TDAD_CONTACT_EMAIL: '[email protected]'
CCOF_URL: 'https://mychildcareservices.gov.bc.ca'
IRREGULAR_EXPENSE_FORM_URL: 'https://www2.gov.bc.ca/assets/download/80DAA65E3FA44EFCA61F4557C6FAEE59'

# Controls when the action will run. Workflow runs when manually triggered using the UI
# or API.
on:
workflow_dispatch:
# Inputs the workflow accepts.
inputs:
name:
# Friendly description to be shown in the UI instead of 'name'
description: 'Person to greet'
# Default value if no value is explicitly provided
default: 'World'
# Input has to be provided for the workflow to run
required: true
# The data type of the input
type: string

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:
# This workflow contains a single job called "greet"
greet:
# The type of runner that the job will run on
runs-on: ubuntu-latest
openshift-ci-cd:
name: Deploy Frontend to PROD
runs-on: ubuntu-24.04
environment: prod

outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Runs a single command using the runners shell
- name: Send greeting
run: echo "Hello ${{ inputs.name }}"
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository with branch [${{ env.BRANCH }}]
uses: actions/checkout@v3
with:
ref: ${{ env.BRANCH }}

- name: Get latest tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag

- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4.16

- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.IMAGE_NAME }} 2> /dev/null || true && echo "frontend image stream in place"
# Create tag for PROD env from DEV env image
oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-prod/${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}:${{ steps.get-latest-tag.outputs.tag }}
# Process and apply deployment template
oc process \
-f tools/openshift/frontend-tls.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ steps.get-latest-tag.outputs.tag }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
-p BANNER_ENVIRONMENT=${{ env.BANNER_ENVIRONMENT }} \
-p BANNER_COLOR=${{ env.BANNER_COLOR }} \
-p TDAD_CONTACT_EMAIL=${{ env.TDAD_CONTACT_EMAIL }} \
-p CCOF_URL=${{ env.CCOF_URL }} \
-p IRREGULAR_EXPENSE_FORM_URL=${{ env.IRREGULAR_EXPENSE_FORM_URL }} \
-p HOST_ROUTE=${{ secrets.SITE_URL }} \
-p CA_CERT='${{ secrets.CA_CERT }}' \
-p CERTIFICATE='${{ secrets.CERTIFICATE }}' \
-p PRIVATE_KEY='${{ secrets.PRIVATE_KEY }}' \
| oc apply -f -
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }}
Loading

0 comments on commit 9e8133c

Please sign in to comment.