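---
# CI/CD for the SQS service. Each job builds and pushes a Docker image, then
# renders `manifests/deployment.yaml.template` and applies it with kubectl so
# the app and its Redis deployment roll out in the `sqs` namespace.
# `build_prod` handles the `production` branch, `build_dev` handles `main`;
# they differ only in image repo, secrets, chain endpoints and domain.
name: "CI/CD:BUILD:AND:DEPLOY"

on:
  push:
    branches: ["main", "production"]
  # NOTE(review): both jobs gate on `github.ref == 'refs/heads/...'`, but on a
  # pull_request event github.ref is `refs/pull/<n>/merge`, so neither job runs
  # for PRs and this trigger is effectively dead (PRs from forks would not get
  # the repository secrets these jobs need anyway).
  pull_request:
    branches: ["main", "production"]

# Least privilege for GITHUB_TOKEN: nothing below pushes to the repository,
# writes checks or comments; all external access uses explicit secrets.
permissions:
  contents: read

# Serialise deploys per branch so two quick pushes cannot interleave their
# `kubectl apply` / rollout checks against the same namespace.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build_prod:
    if: github.ref == 'refs/heads/production'
    runs-on: ubuntu-latest
    # Deployment parameters read by the template step and the kubectl steps.
    # Job-level env reaches every step's process environment, which is what
    # appending them to $GITHUB_ENV did, but without piping each value
    # (including the Redis password) through a shell `echo "...${{ }}..."`,
    # where `"`, `$(...)` or backticks in a secret would be re-interpreted.
    env:
      docker_org: "osmolabs"
      docker_repo: "sqs"
      # Was never set in this job: the pull secret was created with an empty
      # --docker-server while build_dev used this value.
      docker_server_url: "https://index.docker.io/v1/"
      app_name: "sqs"
      kubernetes_namespace: "sqs"
      # TODO(review): pin to a version tag or digest; `latest` changes under
      # production on every pod restart.
      redis_docker_image: "bitnami/redis:latest"
      redis_port: "6379"
      redis_user: "default"
      redis_password: ${{ secrets.PROD_SQS_REDIS_PASSWORD }}
      redis_name: "article"
      redis_initial_delay_seconds: "10"
      redis_period_seconds: "10"
      replicas: "1"
      min_ready_seconds: "30"
      max_unavailable: "0"
      max_surge: "2"
      image_pull_secret: "sqs"
      container_port: "9092"
      service_port: "80"
      initial_delay_seconds: "30"
      period_seconds: "10"
      # NOTE(review): debug output is enabled for the production deployment;
      # confirm this is intended.
      debug: "true"
      chain_id: "osmosis-1"
      node_rpc: "https://rpc.osmosis.zone:443"
      node_grpc: "grpc.osmosis.zone:9090"
      domain_name: "sqs.osmosis.zone"
      path: "/"
    steps:
      # TODO(review): pin to a full commit SHA. A tag or branch is mutable, and
      # the action references are the supply-chain control for this job.
      - uses: actions/checkout@v3
        with:
          # Nothing after checkout pushes to git; keep GITHUB_TOKEN out of
          # .git/config, which sits inside the `./` Docker build context.
          persist-credentials: false

      - name: "SET:ENV:VARS"
        env:
          KUBECONFIG_CONTENT: ${{ secrets.PROD_KUBECONFIG }}
        run: |
          echo "docker_tag=${GITHUB_SHA::7}" >> "$GITHUB_ENV"
          # The kubeconfig goes to $RUNNER_TEMP, owner-readable only. It was
          # previously written into the checkout, i.e. inside the `./` build
          # context used by the Docker step below, where only a .dockerignore
          # entry would keep the cluster credential out of the pushed image.
          umask 077
          printf '%s\n' "$KUBECONFIG_CONTENT" > "$RUNNER_TEMP/kubeconfig.yaml"
          echo "KUBECONFIG=$RUNNER_TEMP/kubeconfig.yaml" >> "$GITHUB_ENV"

      # NOTE(review): `@main` resolves to whatever that repository's main branch
      # holds at run time. This action receives the Docker Hub push credential
      # and every later step can read KUBECONFIG, so a change to that branch is
      # a change to this pipeline. Pin each `iDevOps-io/...` reference to a
      # full commit SHA.
      - name: "DOCKER:BUILD:CHECK:PUSH"
        uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main
        with:
          docker_username: "${{ secrets.DOCKER_USERNAME }}"
          docker_password: "${{ secrets.DOCKER_PASSWORD }}"
          docker_org: "${{ env.docker_org }}"
          docker_image: "${{ env.docker_repo }}"
          docker_tag: "${{ env.docker_tag }}"
          docker_file_location: "./"

      # NOTE(review): scanning is opt-in via a commit-message marker, so the
      # production image is normally pushed and deployed unscanned. Consider
      # running this unconditionally (or gating on a `[skip scan]` marker).
      - name: "DOCKER:IMAGE:SCAN:ANCHORE"
        if: contains(github.event.head_commit.message, '[docker scan]')
        uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main
        with:
          docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}"

      - name: "CREATE:DOCKER:SECRET:NAMESPACE"
        # Registry credentials are passed via env so the shell script never
        # contains the raw `${{ secrets.* }}` expansion.
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          echo "Create namespace if it doesn't exist."
          kubectl create namespace "${kubernetes_namespace}" || echo "Namespace Exists"
          echo "Delete the image pull secret, and re-create to ensure it gets updated"
          kubectl delete secret "${image_pull_secret}" -n "${kubernetes_namespace}" --ignore-not-found=true
          # NOTE(review): this stores the same credential that pushes the image
          # as the cluster's pull secret; a read-only registry token would be
          # the least-privilege choice for the in-cluster secret.
          kubectl create secret docker-registry "${image_pull_secret}" \
            --docker-server="${docker_server_url}" \
            --docker-username="${DOCKER_USERNAME}" \
            --docker-password="${DOCKER_PASSWORD}" \
            --namespace "${kubernetes_namespace}"

      # Renders the manifest from the job env. NOTE(review): assumes the action
      # reads substitution values from the process environment, which is how
      # the original supplied them via $GITHUB_ENV — confirm against the action.
      - name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE"
        uses: iDevOps-io/idevops-git-actions/template_replace_file@main
        with:
          input_file: "manifests/deployment.yaml.template"
          output_file: "manifests/deployment.yaml"

      - name: "APPLY:KUBECONFIG"
        run: |
          echo "Apply the manifest and deploy the application and redis updates to the cluster"
          kubectl apply -f manifests/deployment.yaml -n "${kubernetes_namespace}"

      - name: "CHECK:DEPLOYMENT:STATUS"
        run: |
          echo "Check the rollout status of redis. This will force pipeline to wait until its serving"
          kubectl rollout status "deployment/${app_name}-redis" -n "${kubernetes_namespace}"
          echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out."
          kubectl rollout status "deployment/${app_name}" -n "${kubernetes_namespace}"

      # NOTE(review): like the image scan, this only runs when the commit
      # message opts in, so the live endpoint is normally not scanned.
      - name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security"
        if: contains(github.event.head_commit.message, '[zap scan]')
        uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main
        with:
          web_url: "https://${{ env.domain_name }}"

  build_dev:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Same parameter set as build_prod (see the comments there); only the
    # image repo, secrets, chain endpoints and domain differ.
    env:
      docker_org: "osmolabs"
      docker_repo: "sqs-dev"
      docker_server_url: "https://index.docker.io/v1/"
      app_name: "sqs"
      kubernetes_namespace: "sqs"
      # TODO(review): pin to a version tag or digest rather than `latest`.
      redis_docker_image: "bitnami/redis:latest"
      redis_port: "6379"
      redis_user: "default"
      redis_password: ${{ secrets.DEV_SQS_REDIS_PASSWORD }}
      redis_name: "article"
      redis_initial_delay_seconds: "10"
      redis_period_seconds: "10"
      replicas: "1"
      min_ready_seconds: "30"
      max_unavailable: "0"
      max_surge: "2"
      image_pull_secret: "sqs"
      container_port: "9092"
      service_port: "80"
      initial_delay_seconds: "30"
      period_seconds: "10"
      debug: "true"
      # NOTE(review): chain_id is the mainnet id while node_rpc/node_grpc point
      # at the testnet endpoints — confirm this combination is intended.
      chain_id: "osmosis-1"
      node_rpc: "https://rpc.testnet.osmosis.zone:443"
      node_grpc: "grpc.testnet.osmosis.zone:9090"
      domain_name: "sqs.dev-osmosis.zone"
      path: "/"
    steps:
      # TODO(review): pin to a full commit SHA (mutable tag).
      - uses: actions/checkout@v3
        with:
          # Nothing after checkout pushes to git; keep GITHUB_TOKEN out of
          # .git/config, which sits inside the `./` Docker build context.
          persist-credentials: false

      - name: "SET:ENV:VARS"
        env:
          KUBECONFIG_CONTENT: ${{ secrets.DEV_KUBECONFIG }}
        run: |
          echo "docker_tag=${GITHUB_SHA::7}" >> "$GITHUB_ENV"
          # Kubeconfig kept outside the checkout (and so outside the `./`
          # Docker build context), owner-readable only.
          umask 077
          printf '%s\n' "$KUBECONFIG_CONTENT" > "$RUNNER_TEMP/kubeconfig.yaml"
          echo "KUBECONFIG=$RUNNER_TEMP/kubeconfig.yaml" >> "$GITHUB_ENV"

      # TODO(review): pin every `iDevOps-io/...@main` reference to a full
      # commit SHA; this action receives the Docker Hub push credential.
      - name: "DOCKER:BUILD:CHECK:PUSH"
        uses: iDevOps-io/idevops-git-actions/docker_build_check_tag_and_push@main
        with:
          docker_username: "${{ secrets.DOCKER_USERNAME }}"
          docker_password: "${{ secrets.DOCKER_PASSWORD }}"
          docker_org: "${{ env.docker_org }}"
          docker_image: "${{ env.docker_repo }}"
          docker_tag: "${{ env.docker_tag }}"
          docker_file_location: "./"

      # NOTE(review): opt-in via commit message; the image is normally not
      # scanned before it is deployed.
      - name: "DOCKER:IMAGE:SCAN:ANCHORE"
        if: contains(github.event.head_commit.message, '[docker scan]')
        uses: iDevOps-io/idevops-git-actions/execute_docker_scan_grype@main
        with:
          docker_image_name: "${{ env.docker_org }}/${{ env.docker_repo }}:${{ env.docker_tag }}"

      - name: "CREATE:DOCKER:SECRET:NAMESPACE"
        # Registry credentials are passed via env so the shell script never
        # contains the raw `${{ secrets.* }}` expansion.
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          echo "Create namespace if it doesn't exist."
          kubectl create namespace "${kubernetes_namespace}" || echo "Namespace Exists"
          echo "Delete the image pull secret, and re-create to ensure it gets updated"
          kubectl delete secret "${image_pull_secret}" -n "${kubernetes_namespace}" --ignore-not-found=true
          # NOTE(review): the push-capable registry credential is reused as the
          # cluster pull secret; a read-only token would suffice here.
          kubectl create secret docker-registry "${image_pull_secret}" \
            --docker-server="${docker_server_url}" \
            --docker-username="${DOCKER_USERNAME}" \
            --docker-password="${DOCKER_PASSWORD}" \
            --namespace "${kubernetes_namespace}"

      # Renders the manifest from the job env. NOTE(review): assumes the action
      # reads substitution values from the process environment, which is how
      # the original supplied them via $GITHUB_ENV — confirm against the action.
      - name: "EXECUTE:TEMPLATE:REPLACEMENT:ON:FILE"
        uses: iDevOps-io/idevops-git-actions/template_replace_file@main
        with:
          input_file: "manifests/deployment.yaml.template"
          output_file: "manifests/deployment.yaml"

      - name: "APPLY:KUBECONFIG"
        run: |
          echo "Apply the manifest and deploy the application and redis updates to the cluster"
          kubectl apply -f manifests/deployment.yaml -n "${kubernetes_namespace}"

      - name: "CHECK:DEPLOYMENT:STATUS"
        run: |
          echo "Check the rollout status of redis. This will force pipeline to wait until its serving"
          kubectl rollout status "deployment/${app_name}-redis" -n "${kubernetes_namespace}"
          echo "Check the rollout status of the deployment to prevent pipeline from continuing until new release is rolled out."
          kubectl rollout status "deployment/${app_name}" -n "${kubernetes_namespace}"

      # NOTE(review): opt-in via commit message, so the dev endpoint is
      # normally not scanned either.
      - name: "ZAProxy Scan Active/Passive OWASP TOP 10 Security"
        if: contains(github.event.head_commit.message, '[zap scan]')
        uses: iDevOps-io/idevops-git-actions/execute_zaproxy_owasp_security_can_on_endpoint@main
        with:
          web_url: "https://${{ env.domain_name }}"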