From 84943ec9df97658a68bf3753533a1b4506374bd0 Mon Sep 17 00:00:00 2001 From: Marco Villeneuve Date: Wed, 6 Nov 2024 12:29:00 -0800 Subject: [PATCH] Adding superintendent and secretary treasurer roles for now. --- .../deploy-to.openshift-dev-and-test.yml | 172 +++++++++--------- tools/config/update-configmap.sh | 2 +- 2 files changed, 87 insertions(+), 87 deletions(-) diff --git a/.github/workflows/deploy-to.openshift-dev-and-test.yml b/.github/workflows/deploy-to.openshift-dev-and-test.yml index 7e22fd12..d65522ea 100644 --- a/.github/workflows/deploy-to.openshift-dev-and-test.yml +++ b/.github/workflows/deploy-to.openshift-dev-and-test.yml @@ -184,89 +184,89 @@ jobs: with: target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs' -# deploy-test: -# name: Deploy to OpenShift TEST -# needs: build-and-deploy-dev -# runs-on: ubuntu-22.04 -# environment: test -# -# outputs: -# ROUTE: ${{ steps.deploy-and-expose.outputs.route }} -# SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} -# -# steps: -# - name: Check for required secrets -# uses: actions/github-script@v6 -# with: -# script: | -# const secrets = { -# OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, -# OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, -# }; -# -# const GHCR = "ghcr.io"; -# if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { -# core.info(`Image registry is ${GHCR} - no registry password required`); -# } -# else { -# core.info("A registry password is required"); -# secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; -# } -# -# const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { -# if (value.length === 0) { -# core.error(`Secret "${name}" is not set`); -# return true; -# } -# core.info(`✔️ Secret "${name}" is set`); -# return false; -# }); -# -# if (missingSecrets.length > 0) { -# core.setFailed(`❌ At least one required secret is not set in the repository. \n` + -# "You can add it using:\n" + -# "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + -# "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + -# "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); -# } -# else { -# core.info(`✅ All the required secrets are set`); -# } -# -# - name: Check out repository -# uses: actions/checkout@v3 -# -# - name: Install oc -# uses: redhat-actions/openshift-tools-installer@v1 -# with: -# oc: 4 -# -# - name: Deploy API -# run: | -# set -eu -# # Login to OpenShift and select project -# oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} -# oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }} -# # Cancel any rollouts in progress -# oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ -# || true && echo "No rollout in progress" -# -# oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} -# -# # Process and apply deployment template -# oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ -# | oc apply -f - -# -# curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} ${{ env.CHES_CLIENT_ID }} ${{ env.CHES_CLIENT_SECRET }} ${{ env.CHES_TOKEN_URL }} ${{ env.CHES_ENDPOINT_URL }} ${{ env.SITE_URL }} -# -# # Start rollout (if necessary) and follow it -# oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ -# || true && echo "Rollout in progress" -# oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }} -# # Get status, returns 0 if rollout is successful -# oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} -# -# - name: ZAP Scan -# uses: zaproxy/action-api-scan@v0.7.0 -# with: -# target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs' + deploy-test: + name: Deploy to OpenShift TEST + needs: build-and-deploy-dev + runs-on: ubuntu-22.04 + environment: test + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Check for required secrets + uses: actions/github-script@v6 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v3 + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + - name: Deploy API + run: | + set -eu + # Login to OpenShift and select project + oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} + oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }} + # Cancel any rollouts in progress + oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ + || true && echo "No rollout in progress" + + oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} + + # Process and apply deployment template + oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \ + | oc apply -f - + + curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} ${{ env.CHES_CLIENT_ID }} ${{ env.CHES_CLIENT_SECRET }} ${{ env.CHES_TOKEN_URL }} ${{ env.CHES_ENDPOINT_URL }} ${{ env.SITE_URL }} + + # Start rollout (if necessary) and follow it + oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ + || true && echo "Rollout in progress" + oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }} + # Get status, returns 0 if rollout is successful + oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} + + - name: ZAP Scan + uses: zaproxy/action-api-scan@v0.7.0 + with: + target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs' diff --git a/tools/config/update-configmap.sh b/tools/config/update-configmap.sh index 420eff5b..da366a23 100644 --- a/tools/config/update-configmap.sh +++ b/tools/config/update-configmap.sh @@ -416,7 +416,7 @@ ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,STUDENT_DATA_COLLECTION,SE if [ "$envValue" = "prod" ] then - ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,SECURE_EXCHANGE_SCHOOL,SECURE_EXCHANGE_DISTRICT,EDX_EDIT_SCHOOL,EDX_EDIT_DISTRICT" + ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,SECURE_EXCHANGE_SCHOOL,SECURE_EXCHANGE_DISTRICT,EDX_EDIT_SCHOOL,EDX_EDIT_DISTRICT,DIS_SDC_RO,SCH_SDC_RO,SCHOOL_SDC,DISTRICT_SDC,SUPERINT,SECR_TRES,GRAD_SCH_ADMIN,GRAD_DIS_ADMIN" fi SCHEDULED_JOBS_EXTRACT_UNCOMPLETED_SAGAS_CRON="0 0/1 * * * *"