ministryofjustice · murdo-moj · Mar 11, 2024 · Mar 6, 2024 · Mar 6, 2024 · Mar 6, 2024
@@ -0,0 +1,111 @@
+name: Deploy
+
+on:
+  workflow_call:
+    inputs:
+      env:
+        description: "which environment to deploy to"
+        required: true
+        type: string
+      ecr_repository:
+        description: "ecr repo to hold container image"
+        required: true
+        type: string
+      ecr_region:
+        description: "ecr region to hold container image"
+        required: true
+        type: string
+    secrets:
+      kube_namespace:
+        description: "the kubernetes namespace to deploy to"
+        required: true
+      kube_cert:
+        description: "cert used to verify identity to cluster"
+        required: true
+      kube_cluster:
+        description: "address of the cluster to connect to"
+        required: true
+      kube_token:
+        description: "used to authenticate to the cluster"
+        required: true
+      ecr_role_to_assume:
+        description: "role to authenticate ecr image repository push"
+        required: true
+      secret_key:
+        description: "secret key"
+        required: true
+      catalogue_token:
+        description: "token to authenticate with the catalogue"
+        required: true
+
+jobs:
+  deploy:
+    name: Deploy Helm chart into Cloud Platform
+    environment: ${{ inputs.env }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+          aws-region: ${{ inputs.ECR_REGION }}
+
+      - name: Login to ECR
+        id: login-to-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build Docker image
+        id: build-docker-image
+        env:
+          REGISTRY: ${{ steps.login-to-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+
+      - name: Push Docker image to ECR
+        id: push-docker-image-to-ecr
+        env:
+          REGISTRY: ${{ steps.login-to-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+
+      - name: Prepare Helm deployment
+        id: prepare-helm-deployment
+        env:
+          CATALOGUE_URL: ${{ env.CATALOGUE_URL }}
+          DEBUG: ${{ env.DEBUG }}
+          DJANGO_ALLOWED_HOSTS: ${{ env.DJANGO_ALLOWED_HOSTS }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          CATALOGUE_TOKEN: ${{ secrets.CATALOGUE_TOKEN }}
+          IMAGE_TAG: ${{ github.sha }}
+          REGISTRY: ${{ steps.login-to-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+        run: |
+          cat deployments/templates/deployment.yml | envsubst > deployments/deployment.yml
+          cat deployments/templates/ingress.yml | envsubst > deployments/ingress.yml
+          cat deployments/templates/service.yml | envsubst > deployments/service.yml
+          cat deployments/templates/secrets.yml | envsubst > deployments/secrets.yml
+
+      - name: Configure Kubernetes cluster
+        id: configure-kubernetes-cluster
+        env:
+          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+        run: |
+          echo "${{ secrets.KUBE_CERT }}" > ca.crt
+          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
+          kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
+          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
+          kubectl config use-context ${KUBE_CLUSTER}
+
+      - name: Apply Helm deployment
+        id: apply-helm-deployment
+        env:
+          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+        run: kubectl -n ${KUBE_NAMESPACE} apply -f deployments/
@@ -2,57 +2,52 @@ name: deploy
 
 on:
   push:
-    branches:
-      [main]
-  workflow_dispatch:
-
-permissions: {}
-concurrency: dev
+    branches: [main]
 
 jobs:
-  ecr:
-    runs-on: ubuntu-latest
-    environment: dev
-    permissions:
-      id-token: write # This is required for requesting the JWT
-      contents: read # This is required for actions/checkout
-    steps:
-      - uses: actions/checkout@v4
-      - uses: aws-actions/configure-aws-credentials@v2
-        with:
-          role-to-assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }}
-          aws-region: ${{ vars.DEV_ECR_REGION }}
-      - uses: aws-actions/amazon-ecr-login@v2
-        id: login-ecr
-      - run: |
-          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
-          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
-        env:
-          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: ${{ vars.DEV_ECR_REPOSITORY }}
-          IMAGE_TAG: ${{ github.sha }}
-      - run: |
-          cat deployments/templates/deployment.yml | envsubst > deployments/deployment.yml
-          cat deployments/templates/ingress.yml | envsubst > deployments/ingress.yml
-          cat deployments/templates/service.yml | envsubst > deployments/service.yml
-          cat deployments/templates/secrets.yml | envsubst > deployments/secrets.yml
-        env:
-          CATALOGUE_URL: ${{ vars.CATALOGUE_URL }}
-          DEBUG: ${{ vars.DEBUG }}
-          DJANGO_ALLOWED_HOSTS: ${{ vars.DJANGO_ALLOWED_HOSTS }}
-          SECRET_KEY: ${{ secrets.SECRET_KEY }}
-          CATALOGUE_TOKEN: ${{ secrets.CATALOGUE_TOKEN }}
-          IMAGE_TAG: ${{ github.sha }}
-          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: ${{ vars.DEV_ECR_REPOSITORY }}
-          NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
-      - run: |
-          echo "${{ secrets.KUBE_CERT }}" > ca.crt
-          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
-          kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
-          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
-          kubectl config use-context ${KUBE_CLUSTER}
-          kubectl -n ${KUBE_NAMESPACE} apply -f deployments/
-        env:
-          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
-          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+  test:
+    uses: "./.github/workflows/deploy-generic.yml"
+    with:
+      env: "test"
+      ecr_repository: ${{ vars.TEST_ECR_REPOSITORY }}
+      ecr_region: ${{ vars.TEST_ECR_REGION }}
+    secrets:
+      kube_namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube_cert: ${{ secrets.KUBE_CERT }}
+      kube_cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube_token: ${{ secrets.KUBE_TOKEN }}
+      ecr_role_to_assume: ${{ secrets.TEST_ECR_ROLE_TO_ASSUME }}
+      secret_key: ${{ secrets.SECRET_KEY }}
+      catalogue_token: ${{ secrets.CATALOGUE_TOKEN }}
+
+  dev:
+    uses: "./.github/workflows/deploy-generic.yml"
+    needs: test
+    with:
+      env: "dev"
+      ecr_repository: ${{ vars.DEV_ECR_REPOSITORY }}
+      ecr_region: ${{ vars.DEV_ECR_REGION }}
+    secrets:
+      kube_namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube_cert: ${{ secrets.KUBE_CERT }}
+      kube_cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube_token: ${{ secrets.KUBE_TOKEN }}
+      ecr_role_to_assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }}
+      secret_key: ${{ secrets.SECRET_KEY }}
+      catalogue_token: ${{ secrets.CATALOGUE_TOKEN }}
+
+  preprod:
+    uses: "./.github/workflows/deploy-generic.yml"
+    needs: dev
+    with:
+      env: "preprod"
+      ecr_repository: ${{ vars.PREPROD_ECR_REPOSITORY }}
+      ecr_region: ${{ vars.PREPROD_ECR_REGION }}
+    secrets:
+      kube_namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube_cert: ${{ secrets.KUBE_CERT }}
+      kube_cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube_token: ${{ secrets.KUBE_TOKEN }}
+      ecr_role_to_assume: ${{ secrets.PREPROD_ECR_ROLE_TO_ASSUME }}
+      secret_key: ${{ secrets.SECRET_KEY }}
+      catalogue_token: ${{ secrets.CATALOGUE_TOKEN }}
@@ -10,7 +10,7 @@ on:
       - main
 
 jobs:
-  test:
+  unit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -53,7 +53,7 @@ jobs:
         if: steps.fast-tests.outcome == 'success'
         run: poetry run pytest -m 'slow' --chromedriver-path=$(npm root -g)/chromedriver/bin/chromedriver
 
-  test_javascript:
+  javascript:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -81,3 +81,18 @@ jobs:
 
       - name: Run javascript tests
         run: npm test
+
+  deploy:
+    uses: "./.github/workflows/deploy-generic.yml"
+    with:
+      env: "test"
+      ecr_repository: ${{ vars.TEST_ECR_REPOSITORY }}
+      ecr_region: ${{ vars.TEST_ECR_REGION }}
+    secrets:
+      kube_namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube_cert: ${{ secrets.KUBE_CERT }}
+      kube_cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube_token: ${{ secrets.KUBE_TOKEN }}
+      ecr_role_to_assume: ${{ secrets.TEST_ECR_ROLE_TO_ASSUME }}
+      secret_key: ${{ secrets.SECRET_KEY }}
+      catalogue_token: ${{ secrets.CATALOGUE_TOKEN }}