Alfresco: Read-only apply #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Alfresco: Read-only apply" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: Environment to make read-only | |
| required: true | |
| type: choice | |
| options: | |
| - poc | |
| - dev | |
| - test | |
| - stage | |
| - preprod | |
| enable: | |
| description: Enable (true) or disable (false) read-only mode | |
| required: true | |
| type: boolean | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| defaults: | |
| run: | |
| working-directory: alfresco-content-services | |
| jobs: | |
| nginx-ingress-read-only: | |
| # Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at: | |
| # https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments | |
| environment: | |
| name: ${{ inputs.environment }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout current repo | |
| uses: actions/checkout@v3 | |
| - name: Install Kubernetes | |
| uses: azure/[email protected] | |
| with: | |
| version: "v1.26.0" # default is latest stable | |
| id: kubectl_install | |
| - name: Deploy updated annotation to ${{ inputs.environment }} repository ingress | |
| env: | |
| KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} | |
| KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} | |
| run: | | |
| # See this link how github action secrets are created: https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount | |
| # See this example on how to use github secrets: https://github.com/ministryofjustice/cloud-platform-example-application/blob/main/.github/workflows/deploy.yml#L38 | |
| echo "${{ secrets.KUBE_CERT }}" > ca.crt | |
| kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} | |
| kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} | |
| kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} | |
| kubectl config use-context ${KUBE_CLUSTER} | |
| # For Alfresco, a k8s namespace will be an environment | |
| kubectl config set-context --current --namespace=${KUBE_NAMESPACE} | |
| # Get the current server-snippet annotation | |
| CURRENT_SNIPPET=$(kubectl get ingress alfresco-content-services-alfresco-cs-repository -n ${KUBE_NAMESPACE} -o=jsonpath='{.metadata.annotations.nginx\.ingress\.kubernetes\.io\/server-snippet}') | |
| # Define the new server-snippet | |
| NEW_SNIPPET="if (\$request_method != GET) { return 403; }" | |
| # If read-only mode is enabled, append the new snippet to the current one, otherwise remove it | |
| if [[ ${{ inputs.enable }} == "true" ]]; then | |
| if echo "$CURRENT_SNIPPET" | grep -q "$NEW_SNIPPET"; then | |
| echo "Read-only mode is already enabled" | |
| exit 0 | |
| else | |
| FINAL_SNIPPET="$CURRENT_SNIPPET"$'\n'"$NEW_SNIPPET" | |
| fi | |
| else | |
| FINAL_SNIPPET=$(echo "$CURRENT_SNIPPET" | sed -e "s/$NEW_SNIPPET//" -e '/^$/d') | |
| fi | |
| # Apply the new server-snippet | |
| kubectl annotate ingress alfresco-content-services-alfresco-cs-repository -n ${KUBE_NAMESPACE} nginx.ingress.kubernetes.io/server-snippet="$FINAL_SNIPPET" --overwrite=true |