Skip to content

2 QA - Deploy Backend #38

2 QA - Deploy Backend

2 QA - Deploy Backend #38

name: 2 QA - Deploy Backend
env:
# EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-dev
SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}
# EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
APP_NAME: 'ccof'
REPO_NAME: "educ-ccof"
#grabs the branch name from github dynamically
BRANCH: ${{ github.ref_name }}
IMAGE_NAME: "backend"
APP_ENVIRONMENT: "qa"
NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}
MIN_REPLICAS: "1"
MAX_REPLICAS: "2"
MIN_CPU: "50m"
MAX_CPU: "250m"
MIN_MEM: "200Mi"
MAX_MEM: "700Mi"
# SITE_URL should have no scheme or port. It will be prepended with https://
HOST_ROUTE: ${{ secrets.SITE_URL }}
on:
workflow_dispatch:
jobs:
openshift-ci-cd:
name: Deploy Backend to QA
runs-on: ubuntu-24.04
environment: qa
outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
steps:
- name: Check for required secrets
uses: actions/github-script@v4
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v2
with:
ref: ${{ env.BRANCH }}
- name: Get latest tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag
- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4.16
- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Process and apply deployment template
oc process \
-f tools/openshift/backend-no-fb.dc.yaml \
-p APP_NAME=${{ env.APP_NAME }} \
-p REPO_NAME=${{ env.REPO_NAME }} \
-p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
-p TAG=${{ steps.get-latest-tag.outputs.tag }} \
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
-p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} \
-p MAX_CPU=${{ env.MAX_CPU }} \
-p MIN_MEM=${{ env.MIN_MEM }} \
-p MAX_MEM=${{ env.MAX_MEM }} \
-p HOST_ROUTE=${{ env.HOST_ROUTE }} \
-p APP_ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
| oc apply -f -
# Process update-configmap
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
| bash /dev/stdin \
${{ env.APP_ENVIRONMENT }} \
${{ env.APP_NAME }} \
${{ secrets.CCOF_NAMESPACE_NO_ENV }} \
${{ secrets.COMMON_NAMESPACE_NO_ENV }} \
${{ secrets.SOAM_CLIENT_ID }} \
${{ secrets.SOAM_CLIENT_ID_IDIR }} \
${{ secrets.SOAM_CLIENT_SECRET }} \
${{ secrets.SOAM_CLIENT_SECRET_IDIR }} \
${{ secrets.SPLUNK_TOKEN }} \
${{ secrets.REDIS_PASSWORD }} \
${{ secrets.D365_API_PREFIX }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
target: 'https://${{ env.HOST_ROUTE }}/api'