Skip to content

Commit

Permalink
Added initial frontend workflow and deployment config.
Browse files Browse the repository at this point in the history
  • Loading branch information
weskubo-cgi authored and weskubo-cgi committed Sep 18, 2023
1 parent 0826899 commit 564c4e0
Show file tree
Hide file tree
Showing 2 changed files with 357 additions and 24 deletions.
191 changes: 167 additions & 24 deletions .github/workflows/deploy-to-openshift-frontend-dev.yml
Original file line number Diff line number Diff line change
@@ -1,32 +1,175 @@
# This is a basic workflow that is manually triggered
# OFM Frontend DEV workflow

name: 1 DEV - Deploy Frontend

# Controls when the action will run. Workflow runs when manually triggered using the UI
# or API.
env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-dev

# SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca

APP_NAME: 'ofm'
REPO_NAME: 'ecc-ofm'
#grabs the branch name from github dynamically
BRANCH: ${{ github.ref_name }}
APP_NAME_FRONTEND: 'frontend'
APP_FOLDER: 'frontend'
NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}
#NAMESPACE_TOOLS: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-tools
#COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
TAG: 'latest'

MIN_REPLICAS: '1'
MAX_REPLICAS: '1'
MIN_CPU: '50m'
MAX_CPU: '100m'
MIN_MEM: '200Mi'
MAX_MEM: '250Mi'
# SITE_URL should have no scheme or port. It will be prepended with https://
HOST_ROUTE: ${{ secrets.SITE_URL }}
CA_CERT: ${{ secrets.CA_CERT }}
CERTIFICATE: ${{ secrets.CERTIFICATE }}
PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}

on:
workflow_dispatch:
# Inputs the workflow accepts.
inputs:
name:
# Friendly description to be shown in the UI instead of 'name'
description: 'Person to greet'
# Default value if no value is explicitly provided
default: 'World'
# Input has to be provided for the workflow to run
required: true
# The data type of the input
type: string

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:
# This workflow contains a single job called "greet"
greet:
# The type of runner that the job will run on
runs-on: ubuntu-latest
openshift-ci-cd:
name: Build and deploy Frontend to DEV
runs-on: ubuntu-20.04
environment: dev

outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Runs a single command using the runners shell
- name: Send greeting
run: echo "Hello ${{ inputs.name }}"
- name: Check for required secrets
uses: actions/github-script@v4
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository with branch [${{ env.BRANCH }}]
uses: actions/checkout@v2
with:
ref: ${{ env.BRANCH }}

- name: Login to Docker Hub
uses: docker/login-action@v1
with:
registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Build frontend from Dockerfile
id: build-image-frontend
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME_FRONTEND }}
tags: 'latest'

# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
dockerfiles: |
./${{ env.APP_FOLDER }}/Dockerfile
context: ./${{ env.APP_FOLDER }}

# https://github.com/redhat-actions/push-to-registry#readme
- name: Push frontend to registry
id: push-image-frontend
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image-frontend.outputs.image }}
tags: ${{ steps.build-image-frontend.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USER }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}

- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4

# https://github.com/redhat-actions/oc-login#readme
# - uses: actions/checkout@v2
- name: Deploy
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }} 2> /dev/null \
|| true && echo "No rollout in progress"
# Create the image stream if it doesn't exist
oc create imagestream ${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.BRANCH }} 2> /dev/null || true && echo "Frontend image stream in place"
oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.BRANCH }}:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/frontend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} \
-p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
-p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} \
| oc apply -f -
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }} 2> /dev/null \
|| true && echo "Rollout in progress"
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}
# - name: ZAP Scan
# uses: zaproxy/[email protected]
# with:
# target: 'https://${{ env.HOST_ROUTE }}'
190 changes: 190 additions & 0 deletions tools/openshift/frontend.dc.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
---
apiVersion: template.openshift.io/v1
kind: Template
labels:
template: '${REPO_NAME}-template'
metadata:
name: '${REPO_NAME}-frontend-dc'
objects:
- apiVersion: v1
kind: DeploymentConfig
metadata:
annotations:
openshift.io/generated-by: OpenShiftNewApp
creationTimestamp:
labels:
app: '${APP_NAME}-${BRANCH}'
branch: '${BRANCH}'
name: '${APP_NAME}-frontend'
spec:
replicas: ${{MIN_REPLICAS}}
selector:
app: '${APP_NAME}-${BRANCH}'
deploymentconfig: '${APP_NAME}-frontend'
strategy:
resources: {}
type: Rolling
template:
metadata:
annotations:
openshift.io/generated-by: OpenShiftNewApp
creationTimestamp:
labels:
app: '${APP_NAME}-${BRANCH}'
deploymentconfig: '${APP_NAME}-frontend'
spec:
containers:
- image: image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${REPO_NAME}-frontend-${BRANCH}:${TAG}
imagePullPolicy: Always
volumeMounts:
- name: tls-certs
mountPath: '/etc/tls-certs'
readOnly: true
- name: config-env
mountPath: '/srv/js/config'
livenessProbe:
failureThreshold: 3
httpGet:
path: '/'
port: 2015
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: '${APP_NAME}-frontend'
ports:
- containerPort: 2015
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: '/'
port: 2015
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: '${MIN_CPU}'
memory: '${MIN_MEM}'
limits:
cpu: '${MAX_CPU}'
memory: '${MAX_MEM}'
volumes:
- name: tls-certs
secret:
secretName: ofm-frontend-cert
- name: config-env
configMap:
name: ofm-frontend-config-map
test: false
triggers:
- type: ConfigChange
- apiVersion: v1
kind: Service
metadata:
annotations:
service.alpha.openshift.io/serving-cert-secret-name: 'ofm-frontend-cert'
openshift.io/generated-by: OpenShiftNewApp
creationTimestamp:
labels:
app: '${APP_NAME}-${BRANCH}'
name: '${APP_NAME}-frontend'
spec:
ports:
- name: 2015-tcp
port: 2015
protocol: TCP
targetPort: 2015
selector:
app: '${APP_NAME}-${BRANCH}'
deploymentconfig: '${APP_NAME}-frontend'
# - apiVersion: v1
# kind: Route
# metadata:
# annotations:
# openshift.io/host.generated: 'true'
# labels:
# app: "${APP_NAME}-${BRANCH}"
# name: "${APP_NAME}-frontend-https"
# spec:
# host: "${HOST_ROUTE}"
# port:
# targetPort: 2015-tcp
# tls:
# caCertificate: "${CA_CERT}"
# certificate: "${CERTIFICATE}"
# insecureEdgeTerminationPolicy: Redirect
# key: "${PRIVATE_KEY}"
# termination: edge
# to:
# kind: Service
# name: "${APP_NAME}-frontend-${BRANCH}"
# weight: 100
# wildcardPolicy: None
- apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: '${APP_NAME}-frontend-cpu-autoscaler'
spec:
scaleTargetRef:
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
name: '${APP_NAME}-frontend'
subresource: scale
minReplicas: ${{MIN_REPLICAS}}
maxReplicas: ${{MAX_REPLICAS}}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 90
parameters:
- name: REPO_NAME
description: Application repository name
required: true
- name: BRANCH
description: Job identifier (i.e. 'pr-5' OR 'master')
required: true
- name: NAMESPACE
description: Target namespace reference (i.e. 'k8vopl-dev')
required: true
- name: APP_NAME
description: Application name
required: true
- name: HOST_ROUTE
description: The host the route will use to expose service outside cluster
required: true
- name: TAG
description: The identifying tag for this specific deployment
required: true
- name: MIN_REPLICAS
description: The minimum amount of replicas
required: true
- name: MAX_REPLICAS
description: The maximum amount of replicas
required: true
- name: MIN_CPU
description: The minimum amount of cpu
required: true
- name: MAX_CPU
description: The maximum amount of cpu
required: true
- name: MIN_MEM
description: The minimum amount of memory
required: true
- name: MAX_MEM
description: The maximum amount of memory
required: true
# - name: CA_CERT
# description: The CA Certificate
# required: true
# - name: CERTIFICATE
# description: The Certificate
# required: true
# - name: PRIVATE_KEY
# description: The private key
# required: true

0 comments on commit 564c4e0

Please sign in to comment.