NIT-994 pipeline for installing helm charts #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: helm-releases | |
| on: | |
| push: | |
| branches: [NIT-994-alfresco-pipeline-for-deployments-helm, main] | |
| # Ecluding path as they are specifig to building Share container image | |
| paths-ignore: | |
| - 'docker-files/Dockerfile-share' | |
| - '.github/workflows/cloud-platform-build-push-share.yml' | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| defaults: | |
| run: | |
| working-directory: alfresco-content-services | |
| jobs: | |
| poc-release: | |
| # Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at: | |
| # https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments | |
| environment: poc | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout current repo | |
| uses: actions/checkout@v3 | |
| - name: Configure aws credentials for ECR | |
| uses: aws-actions/[email protected] | |
| with: | |
| role-to-assume: ${{ secrets.SHARE_ECR_ROLE_TO_ASSUME }} | |
| aws-region: ${{ vars.SHARE_ECR_REGION }} | |
| - name: ECR login | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| id: login-ecr | |
| - name: Alfresco Enterprise image repository login | |
| run: docker login quay.io -u ${{ secrets.ALFRESCO_QUAY_IO_USERNAME }} -p ${{ secrets.ALFRESCO_QUAY_IO_PASSWORD }} | |
| - name: Install Kubernetes | |
| uses: azure/[email protected] | |
| with: | |
| version: 'v1.26.0' # default is latest stable | |
| id: kubectl_install | |
| - name: Install Helm | |
| uses: azure/[email protected] | |
| with: | |
| version: 'v3.9.0' | |
| id: helm_install | |
| - name: PoC release | |
| env: | |
| KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} | |
| KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} | |
| run: | | |
| # See this link how github action secrets are created: https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount | |
| # See this example on how to use github secrets: https://github.com/ministryofjustice/cloud-platform-example-application/blob/main/.github/workflows/deploy.yml#L38 | |
| echo "${{ secrets.KUBE_CERT }}" > ca.crt | |
| kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} | |
| kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} | |
| kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} | |
| kubectl config use-context ${KUBE_CLUSTER} | |
| # For Alfresco, a k8s namespace will be an environment | |
| kubectl config set-context --current --namespace=${KUBE_NAMESPACE} | |
| # Helm will not deploy unless this secret is present. Create a new one if one does not already exist from env section | |
| SECRET=$(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) 2> /dev/null | |
| if [ -z ${SECRET} ] | |
| then | |
| SECRET=$(openssl rand -base64 20) | |
| fi | |
| echo "Secret value = $SECRET" | |
| # Upgrad an existing release or create a new one if one does not exist | |
| BUCKET_NAME=$(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.bucket_name}' | base64 -d)) | |
| helm upgrade --install alfresco-content-services . --values=./values.yaml \ | |
| --set s3connector.config.bucketName=$BUCKET_NAME \ | |
| --set global.tracking.sharedsecret=$SECRET \ | |
| --atomic | |
| dev-release: | |
| needs: poc-release | |
| environment: dev | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Dev release | |
| run: | | |
| echo "This job will only run in sequence and only after the above job is completed successfully" |