🔧 Taskfile instead of makefile (#102)

* 🔧 Taskfile instead of makefile

* 🔨 use taskfile to deploy from gha

.github/workflows/cloud-platform-deploy-release.yml

@@ -1,37 +1,34 @@
-name: helm-releases
+name: Deploy Alfresco Content Services
 
 on:
   push:
-    branches:
-      - main
     paths:
       - .github/workflows/cloud-platform-deploy-release.yml
-      - alfresco-content-services/**
-
+      - kustomize/**
   workflow_dispatch:
 
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-defaults:
-  run:
-    working-directory: alfresco-content-services
 
 jobs:
   release:
     strategy:
       matrix:
-        include:
-        - environment: poc
-          values: values_poc.yaml
-        - environment: dev
-          values: values_dev.yaml
-        - environment: test
-          values: values_test.yaml
+        environment: [poc, dev, test, stage]
+        ref: 
+          - ${{ contains(github.ref, 'main') || startsWith(github.ref, 'refs/heads/v') }}
+        exclude:
+          - ref: false
+            environment: test
+          - ref: false
+            environment: stage
+    name: Deploy to ${{ matrix.environment }}
     # Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at:
     # https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments
     environment:
       name: ${{ matrix.environment }}
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current repo
@@ -66,16 +63,20 @@ jobs:
           # For Alfresco, a k8s namespace will be an environment
           kubectl config set-context --current --namespace=${KUBE_NAMESPACE}
 
-          # Helm will not deploy unless this secret is present. Create a new one if one does not already exist from env section
-          SECRET=$(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) 2> /dev/null
-          if [ -z ${SECRET} ]
-          then
-            SECRET=$(openssl rand -base64 20)
-          fi
+      - name: Install Task
+        uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+
+      - name: Run Task
+        run: task helm_upgrade ENV=${{ matrix.environment }}
+
+      - name: Alert Slack failure
+        if: "${{ failure() && github.ref == 'refs/heads/main' }}"
+        run: |
+          curl --silent -X POST -H 'Content-type: application/json' --data '{"blocks":[{"type":"header","text":{"type":"plain_text","text":":fail: Deployment Failed"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"Deployment to Alfresco `${{ matrix.environment }}` failed"},	"accessory": {"type": "button","text": {"type": "plain_text","text": ":github: View Job","emoji": true}, "value": "view-job", "url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "action_id": "button-action"}}]}' ${{ secrets.SLACK_WEBHOOK_URL }}
 
-          # Upgrad an existing release or create a new one if one does not exist
-          BUCKET_NAME=$(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d))
-          helm upgrade --install alfresco-content-services . --values=./values.yaml --values=./${{ matrix.values }} \
-          --set s3connector.config.bucketName=$BUCKET_NAME \
-          --set global.tracking.sharedsecret=$SECRET \
-          --atomic
+      - name: Alert Slack Success
+        if: "${{ success() && github.ref == 'refs/heads/main' }}"
+        run: |
+            curl --silent -X POST -H 'Content-type: application/json' --data '{"blocks":[{"type":"header","text":{"type":"plain_text","text":":white_check_mark: Deployment Succeeded"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"Deployment to Alfresco `${{ matrix.environment }}` succeeded."},	"accessory": {"type": "button","text": {"type": "plain_text","text": ":github: View Job","emoji": true}, "value": "view-job", "url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "action_id": "button-action"}}]}' ${{ secrets.SLACK_WEBHOOK_URL }}

Taskfile.yml

@@ -0,0 +1,105 @@
+version: "3"
+
+vars:
+  ENV: "{{.ENV}}"
+  NAMESPACE:
+    sh: if [ "{{.ENV}}" = "poc" ]; then echo "hmpps-delius-alfrsco-{{.ENV}}"; else echo "hmpps-delius-alfresco-{{.ENV}}"; fi
+  BUCKET_NAME:
+    sh: kubectl get secret s3-bucket-output -n {{.NAMESPACE}} -o jsonpath='{.data.BUCKET_NAME}' | base64 --decode
+  OPEN_SEARCH_PREFIX:
+    sh: kubectl get svc --namespace {{.NAMESPACE}} | grep 'opensearch-proxy-service-cloud-platform' | awk '{ print $1 }'
+  OPENSEARCH_HOST:
+    sh: echo "{{.OPEN_SEARCH_PREFIX}}.{{.NAMESPACE}}.svc.cluster.local"
+  ALLOWLIST:
+    sh: yq 'join(",")' ./kustomize/{{.ENV}}/allowlist.yaml
+  RDS_JDBC_URL:
+    sh: kubectl get secrets rds-instance-output --namespace {{.NAMESPACE}} -o json | jq -r ".data | map_values(@base64d) | .RDS_JDBC_URL"
+  DEBUG: "false"
+  DEBUG_FLAG:
+    sh: if [ "{{.DEBUG}}" = "true" ]; then echo "--debug"; else echo ""; fi
+  HELM_POST_RENDERER_ARGS:
+    sh: if [ "{{.DEBUG}}" = "true" ]; then echo "-d true"; else echo "-d false"; fi
+  ATOMIC: "true"
+  ATOMIC_FLAG:
+    sh: if [ "{{.ATOMIC}}" = "true" ]; then echo "--atomic"; else echo ""; fi
+  CHART_VERSION: "6.0.2"
+
+tasks:
+  helm_upgrade:
+    cmds:
+      - echo "NAMESPACE set to {{.NAMESPACE}}"
+      - echo "BUCKET_NAME set to {{.BUCKET_NAME}}"
+      - echo "OPEN_SEARCH_PREFIX set to {{.OPEN_SEARCH_PREFIX}}"
+      - echo "OPENSEARCH_HOST set to {{.OPENSEARCH_HOST}}"
+      - echo "RDS_JDBC_URL set to {{.RDS_JDBC_URL}}"
+      - echo "DEBUG set to {{.DEBUG}}"
+      - task: helm_repo_add
+      - task: update_allowlist
+      - task: helm_upgrade_install
+        vars:
+          NAMESPACE: "{{.NAMESPACE}}"
+          BUCKET_NAME: "{{.BUCKET_NAME}}"
+          OPENSEARCH_HOST: "{{.OPENSEARCH_HOST}}"
+          RDS_JDBC_URL: "{{.RDS_JDBC_URL}}"
+          DEBUG_FLAG: "{{.DEBUG_FLAG}}"
+          ATOMIC_FLAG: "{{.ATOMIC_FLAG}}"
+      - task: reset_allowlist
+    silent: true
+
+  prepare_namespace:
+    internal: true
+    cmds:
+      - |
+        export BUCKET_NAME=$(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d)
+        if [ "${ENV}" = "poc" ]; then
+          export NAMESPACE=hmpps-delius-alfrsco-${ENV}
+        else
+          export NAMESPACE=hmpps-delius-alfresco-${ENV}
+        fi
+        export OPENSEARCH_PREFIX=$(kubectl get svc --namespace ${NAMESPACE} | grep 'opensearch-proxy-service-cloud-platform' | awk '{ print $1 }')
+        export OPENSEARCH_HOST=${OPENSEARCH_PREFIX}.${NAMESPACE}.svc.cluster.local
+        export RDS_JDBC_URL=$(kubectl get secrets rds-instance-output --namespace ${NAMESPACE} -o json | jq -r ".data | map_values(@base64d) | .RDS_JDBC_URL")
+        export EXTRACTED=$(yq 'join(",")' ./kustomize/${ENV}/allowlist.yaml)
+        echo "Using namespace: ${NAMESPACE}"
+
+  update_allowlist:
+    internal: true
+    dir: ./kustomize/{{.ENV}}
+    cmds:
+      - |
+        export ALLOWLIST={{.ALLOWLIST}}
+        yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(ALLOWLIST)' -i ./patch-ingress-repository.yaml
+        yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(ALLOWLIST)' -i ./patch-ingress-share.yaml
+
+  helm_repo_add:
+    internal: true
+    cmds:
+      - helm repo add alfresco https://kubernetes-charts.alfresco.com/stable --force-update
+
+  helm_upgrade_install:
+    internal: true
+    dir: ./kustomize/{{.ENV}}
+    cmds:
+      - |
+        helm upgrade --install alfresco-content-services alfresco/alfresco-content-services --version {{.CHART_VERSION}} --namespace {{.NAMESPACE}} \
+        --values=../base/values.yaml --values=values.yaml \
+        --set s3connector.config.bucketName={{.BUCKET_NAME}} \
+        --set database.url={{.RDS_JDBC_URL}} \
+        --set global.elasticsearch.host={{.OPENSEARCH_HOST}} \
+        --set alfresco-search-enterprise.searchIndex.host={{.OPENSEARCH_HOST}} \
+        --wait --timeout=20m \
+        --post-renderer ../kustomizer.sh --post-renderer-args "{{.HELM_POST_RENDERER_ARGS}}" \
+        {{.DEBUG_FLAG}} {{.ATOMIC_FLAG}}
+        echo " "
+        echo "***** Helm upgrade completed *****"
+        echo "Helm revision: $(helm list -n {{.NAMESPACE}} | grep alfresco-content-services | awk '{print $10}')"
+        echo "Chart version: $(helm list -n {{.NAMESPACE}} | grep alfresco-content-services | awk '{print $9}')"
+        echo "ACS Version: $(helm list -n {{.NAMESPACE}} | grep alfresco-content-services | awk '{print $10}')"
+        echo " "
+
+  reset_allowlist:
+    internal: true
+    dir: ./kustomize/{{.ENV}}
+    cmds:
+      - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-repository.yaml
+      - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-share.yaml