-
Notifications
You must be signed in to change notification settings - Fork 0
81 lines (70 loc) · 3.38 KB
/
read-only-apply.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: "Alfresco: Read-only apply"
on:
workflow_dispatch:
inputs:
environment:
description: Environment to make read-only
required: true
type: choice
options:
- poc
- dev
- test
- stage
- preprod
enable:
description: Enable (true) or disable (false) read-only mode
required: true
type: boolean
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
defaults:
run:
working-directory: alfresco-content-services
jobs:
nginx-ingress-read-only:
# Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at:
# https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments
environment:
name: ${{ inputs.environment }}
runs-on: ubuntu-latest
steps:
- name: Checkout current repo
uses: actions/checkout@v3
- name: Install Kubernetes
uses: azure/[email protected]
with:
version: "v1.26.0" # default is latest stable
id: kubectl_install
- name: Deploy updated annotation to ${{ inputs.environment }} repository ingress
env:
KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
run: |
# See this link how github action secrets are created: https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount
# See this example on how to use github secrets: https://github.com/ministryofjustice/cloud-platform-example-application/blob/main/.github/workflows/deploy.yml#L38
echo "${{ secrets.KUBE_CERT }}" > ca.crt
kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
kubectl config use-context ${KUBE_CLUSTER}
# For Alfresco, a k8s namespace will be an environment
kubectl config set-context --current --namespace=${KUBE_NAMESPACE}
# Get the current server-snippet annotation
CURRENT_SNIPPET=$(kubectl get ingress alfresco-content-services-alfresco-cs-repository -n ${KUBE_NAMESPACE} -o=jsonpath='{.metadata.annotations.nginx\.ingress\.kubernetes\.io\/server-snippet}')
# Define the new server-snippet
NEW_SNIPPET="if (\$request_method != GET) { return 403; }"
# If read-only mode is enabled, append the new snippet to the current one, otherwise remove it
if [[ ${{ inputs.enable }} == "true" ]]; then
if echo "$CURRENT_SNIPPET" | grep -q "$NEW_SNIPPET"; then
echo "Read-only mode is already enabled"
exit 0
else
FINAL_SNIPPET="$CURRENT_SNIPPET"$'\n'"$NEW_SNIPPET"
fi
else
FINAL_SNIPPET=$(echo "$CURRENT_SNIPPET" | sed -e "s/$NEW_SNIPPET//" -e '/^$/d')
fi
# Apply the new server-snippet
kubectl annotate ingress alfresco-content-services-alfresco-cs-repository -n ${KUBE_NAMESPACE} nginx.ingress.kubernetes.io/server-snippet="$FINAL_SNIPPET" --overwrite=true