🚀 Find moj data deployment #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD dev | |
on: | |
pull_request: | |
branches-ignore: | |
- dependabot/** | |
workflow_dispatch: | |
permissions: {} | |
concurrency: dev | |
jobs: | |
build-push-dev: | |
name: Build & Push New Image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: write # This is required for actions/checkout | |
environment: dev | |
outputs: | |
new_tag: ${{ steps.set-version-tag-output.outputs.new_tag }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Bump version and push tag | |
uses: anothrNick/[email protected] | |
id: bump-id | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
WITH_V: true | |
DEFAULT_BUMP: patch | |
PRERELEASE: true | |
PRERELEASE_SUFFIX: dev | |
- name: Set Version tag output | |
id: set-version-tag-output | |
run: echo "new_tag=${{ steps.bump-id.outputs.new_tag }}" >> $GITHUB_OUTPUT | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Configure AWS Data Account Credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ secrets.DATA_ACCOUNT_ID }}:role/github-actions-ecr-oidc" | |
role-session-name: githubactionsiamsession | |
aws-region: eu-west-1 | |
- name: Login to Amazon ECR | |
id: login-data-acct-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Build | |
env: | |
NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} | |
shell: bash | |
run: | | |
docker build . -t working_image:$NEW_TAG_V | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }} | |
aws-region: ${{ vars.DEV_ECR_REGION }} | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Tag, and push image to Amazon ECR | |
env: | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_REPOSITORY: ${{ vars.DEV_ECR_REPOSITORY }} | |
NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} | |
shell: bash | |
run: | | |
docker tag working_image:$NEW_TAG_V $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V | |
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V | |
deploy-dev: | |
needs: build-push-dev | |
if: github.event_name == 'pull_request' | |
name: Deploy Helm Chart into Cloud Platform | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # This is required for actions/checkout | |
id-token: write # This is required for requesting the JWT | |
environment: dev | |
steps: | |
- name: Authenticate to the cluster | |
env: | |
KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} | |
KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} | |
run: | | |
echo "${{ secrets.KUBE_CERT }}" > ca.crt | |
kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} | |
kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} | |
kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} | |
kubectl config use-context ${KUBE_CLUSTER} | |
- name: add helm repo | |
continue-on-error: true | |
run: | | |
helm repo add mojanalytics http://moj-analytics-helm-repo.s3-website-eu-west-1.amazonaws.com/ | |
- name: update helm repo | |
continue-on-error: true | |
run: | | |
helm repo update mojanalytics | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }} | |
aws-region: ${{ vars.DEV_ECR_REGION }} | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Upgrade the Helm chart | |
env: | |
APP_ROLE_ARN: ${{ secrets.APP_ROLE_ARN }} | |
AUTH0_CALLBACK_URL: ${{ vars.AUTH0_CALLBACK_URL }} | |
AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }} | |
AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }} | |
AUTH0_DOMAIN: ${{ vars.AUTH0_DOMAIN }} | |
AUTH0_PASSWORDLESS: ${{ vars.AUTH0_PASSWORDLESS }} | |
AUTH0_TOKEN_ALG: ${{ vars.AUTH0_TOKEN_ALG }} | |
AUTHENTICATION_REQUIRED: ${{ vars.AUTHENTICATION_REQUIRED }} | |
COOKIE_SECRET: ${{ secrets.COOKIE_SECRET }} | |
ECR_REPO_AUTH0: ${{ steps.login-ecr.outputs.registry }}/analytical-platform/ap-auth-proxy-prod-ecr | |
ECR_REPO_WEBAPP: ${{ steps.login-ecr.outputs.registry }}/${{ vars.DEV_ECR_REPOSITORY }} | |
IP_RANGES: ${{ secrets.IP_RANGES }} | |
KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} | |
NEW_TAG_V: ${{ needs.build-push-dev.outputs.new_tag }} | |
RELEASE_NAME: ${{ github.event.repository.name }}-dev | |
SECRETS_CONTEXT: ${{ toJson(secrets) }} | |
VARS_CONTEXT: ${{ toJson(vars) }} | |
run: | | |
process_ip_range=$(echo $IP_RANGES | sed "s/,/\\\,/g") | |
combined_json=$(jq -n \ | |
--argjson secrets_json "$SECRETS_CONTEXT" \ | |
--argjson vars_json "$VARS_CONTEXT" \ | |
'$secrets_json + $vars_json') | |
custom_variables="" | |
for row in $(echo "${combined_json}" | jq -r 'to_entries[] | @base64'); do | |
key=$(echo ${row} | base64 --decode | jq -r '.key') | |
value=$(echo ${row} | base64 --decode | jq -r '.value') | |
if [[ $key == XXX* ]]; then | |
custom_key=$(echo $key | sed 's/^XXX_/Secrets.WebApp.Parameters./') | |
custom_variables="$custom_variables --set $custom_key=$value" | |
fi | |
done | |
helm upgrade --install --wait --timeout 10m0s --namespace $KUBE_NAMESPACE $RELEASE_NAME mojanalytics/webapp-cp \ | |
--set AuthProxy.Env.Auth0Domain=$AUTH0_DOMAIN \ | |
--set AuthProxy.Env.Auth0Passwordless=$AUTH0_PASSWORDLESS \ | |
--set AuthProxy.Env.Auth0TokenAlg=$AUTH0_TOKEN_ALG \ | |
--set AuthProxy.Env.AuthenticationRequired=$AUTHENTICATION_REQUIRED \ | |
--set AuthProxy.Env.IPRanges=$process_ip_range \ | |
--set AuthProxy.Image.Repository=$ECR_REPO_AUTH0 \ | |
--set AuthProxy.Image.Tag="latest" \ | |
--set Namespace=$KUBE_NAMESPACE \ | |
--set Secrets.Auth0.ClientId=$AUTH0_CLIENT_ID \ | |
--set Secrets.Auth0.ClientSecret=$AUTH0_CLIENT_SECRET \ | |
--set Secrets.Auth0.CookieSecret=$COOKIE_SECRET \ | |
--set ServiceAccount.RoleARN=$APP_ROLE_ARN \ | |
--set WebApp.Image.Repository=$ECR_REPO_WEBAPP \ | |
--set WebApp.Image.Tag=$NEW_TAG_V \ | |
--set WebApp.Name=$KUBE_NAMESPACE \ | |
$custom_variables |