Skip to content

feat: vault

feat: vault #96

Workflow file for this run

name: Build and Deploy of Job on Pull Request to Main
on:
pull_request:
branches:
- main
paths-ignore:
- 'charts/**'
concurrency:
# PR open and close use the same group, allowing only one at a time
group: pr-${{ github.workflow }}-${{ github.event.number }}
cancel-in-progress: true
jobs:
builds:
name: Builds
if: '!github.event.pull_request.head.repo.fork'
runs-on: ubuntu-22.04
permissions:
packages: write
strategy:
matrix:
package: [nr-oracle-service, nr-oracle-service-init]
include:
- package: nr-oracle-service
build_file: Dockerfile
build_context: .
triggers: ('src/' 'pom.xml')
- package: nr-oracle-service-init
build_file: Dockerfile.certs
build_context: .
triggers: ('get_certs.sh' 'Dockerfile.certs')
steps:
- uses: actions/checkout@v4
- uses: bcgov-nr/[email protected]
with:
package: ${{ matrix.package }}
tag: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
build_file: ${{ matrix.build_file }}
build_context: ${{ matrix.build_context }}
triggers: ${{ matrix.triggers }}
- uses: shrink/actions-docker-registry-tag@v3
with:
registry: ghcr.io
repository: ${{ github.repository }}/${{ matrix.package }}
target: ${{ github.sha }}
tags: pr-${{ github.event.number }}
deploys:
name: Deploys
needs:
- builds
runs-on: ubuntu-22.04
environment: test
env:
project_name: nr-oracle
app_name: nr-oracle-service
environment: development
secret_path_env: dev # this path is different from the path in the broker
steps:
- uses: actions/checkout@v4
- name: Broker
id: broker
uses: bcgov-nr/[email protected]
with:
broker_jwt: ${{ secrets.BROKER_JWT }}
provision_role_id: ${{ secrets.PROVISION_ROLE }}
project_name: ${{ env.project_name }}
app_name: ${{ env.app_name }}
environment: ${{ env.environment }}
- name: Import Secrets
id: secrets
uses: hashicorp/[email protected]
with:
url: https://vault-iit.apps.silver.devops.gov.bc.ca
token: ${{ steps.broker.outputs.vault_token }}
exportEnv: 'false'
secrets: |
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbHost | DB_HOST;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbName | DB_NAME;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbPassword | DB_PWD;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbUser | DB_USER;
- name: Deploy to OpenShift
shell: bash
run: |
# Allow pipefail, since we could be catching oc create errors
set +o pipefail
# Login to OpenShift (NOTE: project command is a safeguard)
oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
oc project ${{ vars.oc_namespace }}
# Deploy Helm Chart
helm upgrade --install nr-oracle-service-${{ github.event.number }} \
--set-string image.tag=${{ github.sha }} \
--set-string app.envs.DB_HOST=${{ steps.secrets.outputs.DB_HOST }} \
--set-string app.envs.DB_NAME=${{ steps.secrets.outputs.DB_NAME }} \
--set-string app.envs.DB_PASSWORD=${{ steps.secrets.outputs.DB_PWD }} \
--set-string app.envs.DB_USER=${{ steps.secrets.outputs.DB_USER }} \
--set-string app.envs.DB_PORT="${{ secrets.DB_PORT }}" \
--set-string image.repository="ghcr.io/${{ github.repository }}/nr-oracle-service" \
--set-string image.repositoryInit="ghcr.io/${{ github.repository }}/nr-oracle-service-init" \
--set-string namespace=${{ vars.oc_namespace }} \
--timeout 10m charts/nr-oracle-service