From a558f4ed83194da2a590813392ce332513f1bf9a Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 6 Sep 2024 09:42:36 +0100 Subject: [PATCH] :wrench: Taskfile instead of makefile (#102) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :wrench: Taskfile instead of makefile * 🔨 use taskfile to deploy from gha --- .../cloud-platform-deploy-release.yml | 55 ++++----- Taskfile.yml | 105 ++++++++++++++++++ makefile | 57 ---------- 3 files changed, 133 insertions(+), 84 deletions(-) create mode 100644 Taskfile.yml delete mode 100644 makefile diff --git a/.github/workflows/cloud-platform-deploy-release.yml b/.github/workflows/cloud-platform-deploy-release.yml index b7f5f74..cd3251b 100644 --- a/.github/workflows/cloud-platform-deploy-release.yml +++ b/.github/workflows/cloud-platform-deploy-release.yml 
@@ -1,37 +1,34 @@ -name: helm-releases +name: Deploy Alfresco Content Services on: push: - branches: - - main paths: - .github/workflows/cloud-platform-deploy-release.yml - - alfresco-content-services/** - + - kustomize/** workflow_dispatch: permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout -defaults: - run: - working-directory: alfresco-content-services jobs: release: strategy: matrix: - include: - - environment: poc - values: values_poc.yaml - - environment: dev - values: values_dev.yaml - - environment: test - values: values_test.yaml + environment: [poc, dev, test, stage] + ref: + - ${{ contains(github.ref, 'main') || startsWith(github.ref, 'refs/heads/v') }} + exclude: + - ref: false + environment: test + - ref: false + environment: stage + name: Deploy to ${{ matrix.environment }} # Get this GitHub environment populated with action secrets by raising a CP pull request. See docs at: # https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?tab=readme-ov-file#input_github_environments environment: name: ${{ matrix.environment }} + runs-on: ubuntu-latest steps: - name: Checkout current repo 
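Review bot: The `ref` matrix entry gates the test and stage deployments with `contains(github.ref, 'main')`, which is a substring match. Now that the `branches: main` filter is removed, a push that touches `kustomize/**` from any branch whose name merely contains "main" would pass the gate. An exact comparison closes that: `- ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/v') }}`. The `refs/heads/v` prefix also admits any branch starting with `v`, so consider tightening it to the release naming scheme actually in use. The job holds `id-token: write` and poc and dev now deploy from every branch, so the protection rules on the GitHub environments (not visible here) are the remaining control; the `steps:` list continues outside the hunk.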
@@ -66,16 +63,20 @@ jobs: # For Alfresco, a k8s namespace will be an environment kubectl config set-context --current --namespace=${KUBE_NAMESPACE} - # Helm will not deploy unless this secret is present. Create a new one if one does not already exist from env section - SECRET=$(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) 2> /dev/null - if [ -z ${SECRET} ] - then - SECRET=$(openssl rand -base64 20) - fi + - name: Install Task + uses: arduino/setup-task@v2 + with: + version: 3.x + + - name: Run Task + run: task helm_upgrade ENV=${{ matrix.environment }} + + - name: Alert Slack failure + if: "${{ failure() && github.ref == 'refs/heads/main' }}" + run: | + curl --silent -X POST -H 'Content-type: application/json' --data '{"blocks":[{"type":"header","text":{"type":"plain_text","text":":fail: Deployment Failed"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"Deployment to Alfresco `${{ matrix.environment }}` failed"}, "accessory": {"type": "button","text": {"type": "plain_text","text": ":github: View Job","emoji": true}, "value": "view-job", "url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "action_id": "button-action"}}]}' ${{ secrets.SLACK_WEBHOOK_URL }} - # Upgrad an existing release or create a new one if one does not exist - BUCKET_NAME=$(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d)) - helm upgrade --install alfresco-content-services . 
--values=./values.yaml --values=./${{ matrix.values }} \ - --set s3connector.config.bucketName=$BUCKET_NAME \ - --set global.tracking.sharedsecret=$SECRET \ - --atomic + - name: Alert Slack Success + if: "${{ success() && github.ref == 'refs/heads/main' }}" + run: | + curl --silent -X POST -H 'Content-type: application/json' --data '{"blocks":[{"type":"header","text":{"type":"plain_text","text":":white_check_mark: Deployment Succeeded"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"Deployment to Alfresco `${{ matrix.environment }}` succeeded."}, "accessory": {"type": "button","text": {"type": "plain_text","text": ":github: View Job","emoji": true}, "value": "view-job", "url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "action_id": "button-action"}}]}' ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/Taskfile.yml b/Taskfile.yml new file mode 100644 index 0000000..84a87cd --- /dev/null +++ b/Taskfile.yml 
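Review bot: The new `Install Task` step references `arduino/setup-task@v2`, a movable tag, and requests `version: 3.x`, so both the action code and the Task binary can change without a commit to this repository. This happens in a job that (per the first hunk) holds `id-token: write` and a configured cluster context. Pinning the action to a full commit SHA, `uses: arduino/setup-task@<full-commit-sha> # v2`, and the tool to an exact release, `version: <exact 3.x.y release>`, makes the deploy toolchain reviewable. Separately, both Slack steps paste `${{ secrets.SLACK_WEBHOOK_URL }}` unquoted into the script text; passing it through `env:` and using `"$SLACK_WEBHOOK_URL"` keeps the secret out of the rendered script. The `run:` block at the top of the hunk begins outside it.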
@@ -0,0 +1,105 @@ +version: "3" + +vars: + ENV: "{{.ENV}}" + NAMESPACE: + sh: if [ "{{.ENV}}" = "poc" ]; then echo "hmpps-delius-alfrsco-{{.ENV}}"; else echo "hmpps-delius-alfresco-{{.ENV}}"; fi + BUCKET_NAME: + sh: kubectl get secret s3-bucket-output -n {{.NAMESPACE}} -o jsonpath='{.data.BUCKET_NAME}' | base64 --decode + OPEN_SEARCH_PREFIX: + sh: kubectl get svc --namespace {{.NAMESPACE}} | grep 'opensearch-proxy-service-cloud-platform' | awk '{ print $1 }' + OPENSEARCH_HOST: + sh: echo "{{.OPEN_SEARCH_PREFIX}}.{{.NAMESPACE}}.svc.cluster.local" + ALLOWLIST: + sh: yq 'join(",")' ./kustomize/{{.ENV}}/allowlist.yaml + RDS_JDBC_URL: + sh: kubectl get secrets rds-instance-output --namespace {{.NAMESPACE}} -o json | jq -r ".data | map_values(@base64d) | .RDS_JDBC_URL" + DEBUG: "false" + DEBUG_FLAG: + sh: if [ "{{.DEBUG}}" = "true" ]; then echo "--debug"; else echo ""; fi + HELM_POST_RENDERER_ARGS: + sh: if [ "{{.DEBUG}}" = "true" ]; then echo "-d true"; else echo "-d false"; fi + ATOMIC: "true" + ATOMIC_FLAG: + sh: if [ "{{.ATOMIC}}" = "true" ]; then echo "--atomic"; else echo ""; fi + CHART_VERSION: "6.0.2" + +tasks: + helm_upgrade: + cmds: + - echo "NAMESPACE set to {{.NAMESPACE}}" + - echo "BUCKET_NAME set to {{.BUCKET_NAME}}" + - echo "OPEN_SEARCH_PREFIX set to {{.OPEN_SEARCH_PREFIX}}" + - echo "OPENSEARCH_HOST set to {{.OPENSEARCH_HOST}}" + - echo "RDS_JDBC_URL set to {{.RDS_JDBC_URL}}" + - echo "DEBUG set to {{.DEBUG}}" + - task: helm_repo_add + - task: update_allowlist + - task: helm_upgrade_install + vars: + NAMESPACE: "{{.NAMESPACE}}" + BUCKET_NAME: "{{.BUCKET_NAME}}" + OPENSEARCH_HOST: "{{.OPENSEARCH_HOST}}" + RDS_JDBC_URL: "{{.RDS_JDBC_URL}}" + DEBUG_FLAG: "{{.DEBUG_FLAG}}" + ATOMIC_FLAG: "{{.ATOMIC_FLAG}}" + - task: reset_allowlist + silent: true + + prepare_namespace: + internal: true + cmds: + - | + export BUCKET_NAME=$(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d) + if [ "${ENV}" = "poc" ]; then + export 
NAMESPACE=hmpps-delius-alfrsco-${ENV} + else + export NAMESPACE=hmpps-delius-alfresco-${ENV} + fi + export OPENSEARCH_PREFIX=$(kubectl get svc --namespace ${NAMESPACE} | grep 'opensearch-proxy-service-cloud-platform' | awk '{ print $1 }') + export OPENSEARCH_HOST=${OPENSEARCH_PREFIX}.${NAMESPACE}.svc.cluster.local + export RDS_JDBC_URL=$(kubectl get secrets rds-instance-output --namespace ${NAMESPACE} -o json | jq -r ".data | map_values(@base64d) | .RDS_JDBC_URL") + export EXTRACTED=$(yq 'join(",")' ./kustomize/${ENV}/allowlist.yaml) + echo "Using namespace: ${NAMESPACE}" + + update_allowlist: + internal: true + dir: ./kustomize/{{.ENV}} + cmds: + - | + export ALLOWLIST={{.ALLOWLIST}} + yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(ALLOWLIST)' -i ./patch-ingress-repository.yaml + yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(ALLOWLIST)' -i ./patch-ingress-share.yaml + + helm_repo_add: + internal: true + cmds: + - helm repo add alfresco https://kubernetes-charts.alfresco.com/stable --force-update + + helm_upgrade_install: + internal: true + dir: ./kustomize/{{.ENV}} + cmds: + - | + helm upgrade --install alfresco-content-services alfresco/alfresco-content-services --version {{.CHART_VERSION}} --namespace {{.NAMESPACE}} \ + --values=../base/values.yaml --values=values.yaml \ + --set s3connector.config.bucketName={{.BUCKET_NAME}} \ + --set database.url={{.RDS_JDBC_URL}} \ + --set global.elasticsearch.host={{.OPENSEARCH_HOST}} \ + --set alfresco-search-enterprise.searchIndex.host={{.OPENSEARCH_HOST}} \ + --wait --timeout=20m \ + --post-renderer ../kustomizer.sh --post-renderer-args "{{.HELM_POST_RENDERER_ARGS}}" \ + {{.DEBUG_FLAG}} {{.ATOMIC_FLAG}} + echo " " + echo "***** Helm upgrade completed *****" + echo "Helm revision: $(helm list -n {{.NAMESPACE}} | grep alfresco-content-services | awk '{print $10}')" + echo "Chart version: $(helm list -n {{.NAMESPACE}} | grep 
alfresco-content-services | awk '{print $9}')" + echo "ACS Version: $(helm list -n {{.NAMESPACE}} | grep alfresco-content-services | awk '{print $10}')" + echo " " + + reset_allowlist: + internal: true + dir: ./kustomize/{{.ENV}} + cmds: + - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-repository.yaml + - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-share.yaml diff --git a/makefile b/makefile deleted file mode 100644 index 4e9b820..0000000 --- a/makefile +++ /dev/null 
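Review bot: The `echo "RDS_JDBC_URL set to {{.RDS_JDBC_URL}}"` command in `helm_upgrade` writes a value read from the `rds-instance-output` secret into the job log; `silent: true` hides only the command line, not its output. Whether the URL embeds credentials is not visible here, but it is secret-derived and the runner will not mask it because it is not a registered Actions secret. I would drop that line or log only that the value was resolved, e.g. `- echo "RDS_JDBC_URL resolved"`. The same value is substituted unquoted into `--set database.url={{.RDS_JDBC_URL}}` in `helm_upgrade_install`, so a URL containing `&` or `;` would be reinterpreted by the shell; `--set "database.url={{.RDS_JDBC_URL}}"` avoids that. `prepare_namespace` is never called from any task in this file and repeats the global `vars`, so it could be removed or given a comment saying why it is kept.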
@@ -1,57 +0,0 @@ -# Define the Helm chart name and release name -CHART_NAME := alfresco-content-services -DEBUG := false -ATOMIC := true - -# Environment variable (ensure this is set or default it) -ENV ?= poc - -# Helm upgrade/install command -helm_upgrade: - @$(eval BUCKET_NAME := $(shell kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d)) - if [ "$(ENV)" == "poc" ]; then \ - NAMESPACE=hmpps-delius-alfrsco-$(ENV); \ - else \ - NAMESPACE=hmpps-delius-alfresco-$(ENV); \ - fi; \ - echo "Using namespace: $${NAMESPACE}"; \ - DEBUG_FLAG=""; \ - HELM_POST_RENDERER_ARGS="-d false"; \ - if [ "$(DEBUG)" = "true" ]; then \ - DEBUG_FLAG="--debug"; \ - HELM_POST_RENDERER_ARGS="-d true"; \ - fi; \ - ATOMIC_FLAG=""; \ - if [ "$(ATOMIC)" = "true" ]; then \ - ATOMIC_FLAG="--atomic"; \ - fi; \ - echo "BUCKET_NAME: $(BUCKET_NAME)"; \ - cd ./kustomize/$${ENV}; \ - OPENSEARCH_PREFIX=$$(kubectl get svc --namespace $${NAMESPACE} | grep 'opensearch-proxy-service-cloud-platform' | awk '{print $$1}'); \ - OPENSEARCH_HOST=$${OPENSEARCH_PREFIX}.$${NAMESPACE}.svc.cluster.local; \ - echo "OpenSearch Host: $${OPENSEARCH_HOST}"; \ - RDS_JDBC_URL=$$(kubectl get secrets rds-instance-output --namespace $${NAMESPACE} -o json | jq -r ".data | map_values(@base64d) | .RDS_JDBC_URL"); \ - extracted=$$(yq 'join(",")' ./allowlist.yaml); \ - export extracted; \ - echo "Whitelist: $${extracted}"; \ - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(extracted)' -i ./patch-ingress-repository.yaml; \ - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = strenv(extracted)' -i ./patch-ingress-share.yaml; \ - helm repo add alfresco https://kubernetes-charts.alfresco.com/stable --force-update; \ - helm upgrade --install $(CHART_NAME) alfresco/alfresco-content-services --version 6.0.2 --namespace $${NAMESPACE} \ - --values=../base/values.yaml --values=./values.yaml \ - --set 
s3connector.config.bucketName=$(BUCKET_NAME) \ - --set database.url=$${RDS_JDBC_URL} \ - --set global.elasticsearch.host=$${OPENSEARCH_HOST} \ - --set alfresco-search-enterprise.searchIndex.host=$${OPENSEARCH_HOST} \ - --wait --timeout=20m \ - --post-renderer ../kustomizer.sh --post-renderer-args "$${HELM_POST_RENDERER_ARGS}" \ - $${DEBUG_FLAG} $${ATOMIC_FLAG}; \ - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i ./patch-ingress-repository.yaml; \ - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i ./patch-ingress-share.yaml - -# Default target -.PHONY: default -default: helm_upgrade - -# Phony targets -.PHONY: helm_upgrade