Merge pull request #560 from bcgov/ccfri-3591-efx-env

feat: add efx environment and adjust adjacent deply flows

.github/workflows/deploy-to-openshift-backend-efx.yml

@@ -0,0 +1,171 @@
+name: 4 EFX - Deploy Backend
+
+env:
+  # EDIT your repository secrets to log into your OpenShift cluster and set up the context.
+  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
+  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
+  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+  # EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
+  OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-test
+
+  SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}
+
+  # EDIT to change the image registry settings.
+  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_REGISTRY_USER: ${{ github.actor }}
+  IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
+
+  DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
+  ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
+
+  APP_NAME: 'ccof'
+  REPO_NAME: "educ-ccof"
+  #grabs the branch name from github dynamically
+  BRANCH: ${{ github.ref_name }}
+  IMAGE_NAME: "backend"
+  APP_ENVIRONMENT: "efx"
+
+  NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}
+
+  MIN_REPLICAS: "2"
+  MAX_REPLICAS: "3"
+  MIN_CPU: "50m"
+  MAX_CPU: "250m"
+  MIN_MEM: "200Mi"
+  MAX_MEM: "700Mi"
+  # SITE_URL should have no scheme or port. It will be prepended with https://
+  HOST_ROUTE: ${{ secrets.SITE_URL }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The image tag to deploy'
+        required: true
+        type: string
+jobs:
+  openshift-ci-cd:
+    name: Deploy Backend to EFX
+    runs-on: ubuntu-24.04
+    environment: efx
+
+    outputs:
+      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+
+    steps:
+    - name: Print Workflow Dispatch Inputs and Env Vars
+      uses: shayki5/print-workflow-dispatch-inputs@v1
+      with:
+        add_to_summary: 'true'
+        print_env_vars: 'false'
+
+    - name: Check for required secrets
+      uses: actions/github-script@v4
+      with:
+        script: |
+          const secrets = {
+            OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+            OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+          };
+
+          const GHCR = "ghcr.io";
+          if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
+            core.info(`Image registry is ${GHCR} - no registry password required`);
+          }
+          else {
+            core.info("A registry password is required");
+            secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
+          }
+
+          const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+            if (value.length === 0) {
+              core.error(`Secret "${name}" is not set`);
+              return true;
+            }
+            core.info(`Secret "${name}" is set`);
+            return false;
+          });
+
+          if (missingSecrets.length > 0) {
+            core.setFailed(`At least one required secret is not set in the repository. \n` +
+              "You can add it using:\n" +
+              "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+              "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+              "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+          }
+          else {
+            core.info(`All the required secrets are set`);
+          }
+
+    - name: Check out repository
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ env.BRANCH }}
+
+    - name: Install oc
+      uses: redhat-actions/openshift-tools-installer@v1
+      with:
+        oc: 4.16
+
+    - name: Deploy
+      run: |
+        set -eux
+        # Login to OpenShift and select project
+        oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
+        oc project ${{ env.OPENSHIFT_NAMESPACE }}
+        # Cancel any rollouts in progress
+        oc rollout cancel deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+            || true && echo "No rollout in progress"
+
+        # Create tag for TEST env from DEV env image
+        oc tag \
+           ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} \
+           ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }}
+
+        # Process and apply deployment template
+        oc process \
+           -f tools/openshift/backend.deployment.yaml \
+           -p APP_NAME=${{ env.APP_NAME }} \
+           -p REPO_NAME=${{ env.REPO_NAME }} \
+           -p BRANCH=${{ env.BRANCH }} \
+           -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
+           -p TAG=${{ inputs.tag }} \
+           -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
+           -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
+           -p MIN_CPU=${{ env.MIN_CPU }} \
+           -p MAX_CPU=${{ env.MAX_CPU }} \
+           -p MIN_MEM=${{ env.MIN_MEM }} \
+           -p MAX_MEM=${{ env.MAX_MEM }} \
+           -p HOST_ROUTE=${{ env.HOST_ROUTE }} \
+           -p APP_ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
+            | oc apply -f -
+
+        # Process update-configmap
+        curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \
+          | bash /dev/stdin \
+            ${{ env.APP_ENVIRONMENT }} \
+            ${{ env.APP_NAME }} \
+            ${{ secrets.CCOF_NAMESPACE_NO_ENV }} \
+            ${{ secrets.COMMON_NAMESPACE_NO_ENV }} \
+            ${{ secrets.SOAM_CLIENT_ID }} \
+            ${{ secrets.SOAM_CLIENT_ID_IDIR }} \
+            ${{ secrets.SOAM_CLIENT_SECRET }} \
+            ${{ secrets.SOAM_CLIENT_SECRET_IDIR }} \
+            ${{ secrets.SPLUNK_TOKEN }} \
+            ${{ secrets.REDIS_PASSWORD }} \
+            ${{ secrets.D365_API_PREFIX }}
+
+        # Start rollout (if necessary) and follow it
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \
+            || true && echo "Rollout in progress"
+
+        # Get status, returns 0 if rollout is successful
+        oc rollout status deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}
+
+    - name: ZAP Scan
+      uses: zaproxy/[email protected]
+      with:
+        target: 'https://${{ env.HOST_ROUTE }}/api'

.github/workflows/deploy-to-openshift-backend-prod.yml

@@ -1,4 +1,4 @@
-name: 4 PROD - Deploy Backend
+name: 5 PROD - Deploy Backend
 
 env:
   # EDIT your repository secrets to log into your OpenShift cluster and set up the context.
@@ -160,7 +160,7 @@ jobs:
             ${{ secrets.D365_API_PREFIX }}
 
         # Start rollout (if necessary) and follow it
-        oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
             || true && echo "Rollout in progress"
 
         # Get status, returns 0 if rollout is successful

.github/workflows/deploy-to-openshift-backend-qa.yml

@@ -155,7 +155,7 @@ jobs:
             ${{ secrets.D365_API_PREFIX }}
 
         # Start rollout (if necessary) and follow it
-        oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
             || true && echo "Rollout in progress"
 
         # Get status, returns 0 if rollout is successful

.github/workflows/deploy-to-openshift-backend-uat.yml

@@ -29,8 +29,8 @@ env:
 
   NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}
 
-  MIN_REPLICAS: "3"
-  MAX_REPLICAS: "5"
+  MIN_REPLICAS: "2"
+  MAX_REPLICAS: "3"
   MIN_CPU: "50m"
   MAX_CPU: "250m"
   MIN_MEM: "200Mi"
@@ -160,7 +160,7 @@ jobs:
             ${{ secrets.D365_API_PREFIX }}
 
         # Start rollout (if necessary) and follow it
-        oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}} 2> /dev/null \
             || true && echo "Rollout in progress"
 
         # Get status, returns 0 if rollout is successful

.github/workflows/deploy-to-openshift-frontend-efx.yml

@@ -0,0 +1,166 @@
+name: 4 EFX - Deploy Frontend
+
+env:
+  # EDIT your repository secrets to log into your OpenShift cluster and set up the context.
+  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
+  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
+  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+  # EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
+  OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-test
+
+  # SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}
+
+  # EDIT to change the image registry settings.
+  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_REGISTRY_USER: ${{ github.actor }}
+  IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
+
+  DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
+  ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
+
+  APP_NAME: 'ccof'
+  REPO_NAME: "educ-ccof"
+  #grabs the branch name from github dynamically
+  BRANCH: ${{ github.ref_name }}
+  IMAGE_NAME: "frontend"
+  APP_ENVIRONMENT: "efx"
+
+  NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}
+
+  MIN_REPLICAS: "2"
+  MAX_REPLICAS: "3"
+  MIN_CPU: "50m"
+  MAX_CPU: "100m"
+  MIN_MEM: "200Mi"
+  MAX_MEM: "250Mi"
+  # SITE_URL should have no scheme or port. It will be prepended with https://
+  HOST_ROUTE: ${{ secrets.SITE_URL }}
+  CA_CERT: ${{ secrets.CA_CERT }}
+  CERTIFICATE: ${{ secrets.CERTIFICATE }}
+  PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The image tag to deploy'
+        required: true
+        type: string
+
+jobs:
+  openshift-ci-cd:
+    name: Deploy Frontend to EFX
+    runs-on: ubuntu-24.04
+    environment: efx
+
+    outputs:
+      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+
+    steps:
+    - name: Print Workflow Dispatch Inputs and Env Vars
+      uses: shayki5/print-workflow-dispatch-inputs@v1
+      with:
+        add_to_summary: 'true'
+        print_env_vars: 'false'
+
+    - name: Check for required secrets
+      uses: actions/github-script@v4
+      with:
+        script: |
+          const secrets = {
+            OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+            OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+          };
+
+          const GHCR = "ghcr.io";
+          if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
+            core.info(`Image registry is ${GHCR} - no registry password required`);
+          }
+          else {
+            core.info("A registry password is required");
+            secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
+          }
+
+          const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+            if (value.length === 0) {
+              core.error(`Secret "${name}" is not set`);
+              return true;
+            }
+            core.info(`Secret "${name}" is set`);
+            return false;
+          });
+
+          if (missingSecrets.length > 0) {
+            core.setFailed(`At least one required secret is not set in the repository. \n` +
+              "You can add it using:\n" +
+              "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+              "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+              "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+          }
+          else {
+            core.info(`All the required secrets are set`);
+          }
+
+    - name: Check out repository
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ env.BRANCH }}
+
+    - name: Install oc
+      uses: redhat-actions/openshift-tools-installer@v1
+      with:
+        oc: 4.16
+
+    - name: Deploy
+      run: |
+        set -eux
+        # Login to OpenShift and select project
+        oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
+        oc project ${{ env.OPENSHIFT_NAMESPACE }}
+        # Cancel any rollouts in progress
+        oc rollout cancel deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+            || true && echo "No rollout in progress"
+
+        # Create tag for TEST env from DEV env image
+        oc tag \
+           ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }} \
+           ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.IMAGE_NAME }}-${{ env.BRANCH }}:${{ inputs.tag }}
+
+        # Process and apply deployment template
+        oc process \
+          -f tools/openshift/frontend.deployment.yaml \
+          -p APP_NAME=${{ env.APP_NAME }} \
+          -p REPO_NAME=${{ env.REPO_NAME }} \
+          -p BRANCH=${{ env.BRANCH }} \
+          -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
+          -p TAG=${{ inputs.tag }} \
+          -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
+          -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
+          -p MIN_CPU=${{ env.MIN_CPU }} \
+          -p MAX_CPU=${{ env.MAX_CPU }} \
+          -p MIN_MEM=${{ env.MIN_MEM }} \
+          -p MAX_MEM=${{ env.MAX_MEM }} \
+          -p HOST_ROUTE=${{ env.HOST_ROUTE }} \
+          -p CA_CERT="${{ env.CA_CERT }}" \
+          -p CERTIFICATE="${{ env.CERTIFICATE }}" \
+          -p PRIVATE_KEY="${{ env.PRIVATE_KEY }}" \
+          -p APP_ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
+          -p BANNER_COLOR=${{ vars.BANNER_COLOR }} \
+          -p BANNER_ENVIRONMENT=${{ vars.BANNER_ENVIRONMENT }} \
+          -p VUE_APP_BCEID_REG_URL='${{ secrets.VUE_APP_BCEID_REG_URL }}' \
+          | oc apply -f -
+
+        # Start rollout (if necessary) and follow it
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+            || true && echo "Rollout in progress"
+
+        # Get status, returns 0 if rollout is successful
+        oc rollout status deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }}
+
+    - name: ZAP Scan
+      uses: zaproxy/[email protected]
+      with:
+        target: 'https://${{ env.HOST_ROUTE }}'

.github/workflows/deploy-to-openshift-frontend-prod.yml

@@ -1,4 +1,4 @@
-name: 4 PROD - Deploy Frontend
+name: 5 PROD - Deploy Frontend
 
 env:
   # EDIT your repository secrets to log into your OpenShift cluster and set up the context.
@@ -156,7 +156,7 @@ jobs:
           | oc apply -f -
 
         # Start rollout (if necessary) and follow it
-        oc rollout latest deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
+        oc rollout restart deployment/${{ env.APP_NAME }}-${{ env.IMAGE_NAME }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
             || true && echo "Rollout in progress"
 
         # Get status, returns 0 if rollout is successful