diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml new file mode 100644 index 0000000..452d41e --- /dev/null +++ b/.forgejo/workflows/deploy.yml 
@@ -0,0 +1,247 @@ +name: Build and deploy Bridgeman Accessible Hashicorp Vault Implementation + +on: + push: + branches: + - main + workflow_dispatch: + +jobs: + deploy: + runs-on: self-hosted + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Build a new container image from the code + #- name: Update Image + # run: | + # # Parse information from the metadata.yaml file + # IMAGE_NAME=$(yq '.name' metadata.yaml) + # IMAGE_NAME=${IMAGE_NAME#\"} # Remove leading quote + # IMAGE_NAME=${IMAGE_NAME%\"} # Remove trailing quote + # echo "Image Name: $IMAGE_NAME" + # echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV + # + # LOCAL_VERSION=$(yq '.version' metadata.yaml) + # LOCAL_VERSION=${LOCAL_VERSION#\"} # Remove leading quote + # LOCAL_VERSION=${LOCAL_VERSION%\"} # Remove trailing quote + # echo "Image Local Version: $LOCAL_VERSION" + # + # REMOTE_TAGS_WORK_OUTPUT=$(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME 2>/dev/null || echo "") + # if [ -n "$REMOTE_TAGS_WORK_OUTPUT" ]; then + # IFS=' ' read -r -a REMOTE_TAGS <<< $(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME | jq -r '.Tags | @sh') + # else + # echo "Image not found in the repository. Will need to add it..." + # + # # Set a blank value so that it WON'T match the local version + # IFS=' ' read -r -a REMOTE_TAGS <<< "" + # fi + # + # echo "Remote Tags (number: ${#REMOTE_TAGS[@]}): ${REMOTE_TAGS[@]}" + # + # has_match='false' + # if [ ${#REMOTE_TAGS[@]} -gt 0 ]; then + # # Loop through the remote tags and check if any of them match the local version + # for REMOTE_TAG in ${REMOTE_TAGS[@]}; do + # REMOTE_TAG=${REMOTE_TAG#\'} # Remove leading quote + # REMOTE_TAG=${REMOTE_TAG%\'} # Remove trailing quote + # + # # Check if the remote tag is the same as the local tag + # if [ "$REMOTE_TAG" == "v$LOCAL_VERSION" ]; then + # echo "Remote version matches local version!" 
+ # has_match='true' + # break + # fi + # done + # fi + # + # # If a remote tag that matches the local version already exists, increment the local version's patch version + # if [ "$has_match" == 'true' ]; then + # echo "Because the remote version matches the local version, we need to increment the local version's patch number." + # + # # Increment the patch version of the local version (Ex. 1.0.0 -> 1.0.1) + # IFS='.' read -r major minor patch <<< "$LOCAL_VERSION" + # patch=$((patch + 1)) + # NEW_LOCAL_VERSION="$major.$minor.$patch" + # + # echo "New Local Version: $NEW_LOCAL_VERSION" + # echo "Committing container version change..." + # + # sed -i "s|version: $LOCAL_VERSION|version: $NEW_LOCAL_VERSION|g" metadata.yaml + # + # LOCAL_VERSION=$NEW_LOCAL_VERSION + # + # # Update remote URL to use the GITHUB_TOKEN for authentication + # git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git + # + # # Setup git user details for committing the version change and tag + # git config user.name "GitHub Actions" + # git config user.email "actions@github.com" + # + # # Commit the version change to the `package.json` file + # git add metadata.yaml + # git commit -m "[Github Actions] Update container version to $(yq -r '.version' metadata.yaml)" + # + # # Push the changes to the repository + # git push origin HEAD:main + # fi + # + # # Build and push the init container image to the repository + # docker build -t ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME:v$LOCAL_VERSION . 
+ # docker push ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME:v$LOCAL_VERSION + # + # # Note, this is the version NOT the tag + # # This is because the `update-k8s-deployment-image` script automatically prepends the `v` to the version + # echo "CONTAINER_IMAGE_VERSION=$LOCAL_VERSION" >> $GITHUB_ENV + + #- name: Update vault images in various deployments + # run: | + # # -- Setup Backup Sidecar metadata variables -- + # + # # Variable for the image name (so that there can't be typos etc...) + # BACKUP_SIDECAR_IMAGE_NAME="backup-sidecar" + # + # # Get the available tags from the image registry + # IFS=' ' read -r -a BACKUP_SIDECAR_TAGS <<< $(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$BACKUP_SIDECAR_IMAGE_NAME | jq -r '.Tags | @sh') + # + # # Get the latest tag from the list of tags + # LATEST_BACKUP_SIDECAR_TAG=$(echo ${BACKUP_SIDECAR_TAGS[@]} | tr ' ' '\n' | sort -V | tail -n 1) + # LATEST_BACKUP_SIDECAR_TAG=${LATEST_BACKUP_SIDECAR_TAG#\'} # Remove leading quote + # LATEST_BACKUP_SIDECAR_TAG=${LATEST_BACKUP_SIDECAR_TAG%\'} # Remove trailing quote + # echo "Latest Backup Sidecar Tag: $LATEST_BACKUP_SIDECAR_TAG" + # + # # Get/Generate the "full" image name (including the tag) for the backup sidecar + # FULL_BACKUP_SIDECAR_IMAGE_NAME="${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$BACKUP_SIDECAR_IMAGE_NAME:$LATEST_BACKUP_SIDECAR_TAG" + # echo "Looking for backup sidecar: $FULL_BACKUP_SIDECAR_IMAGE_NAME" + # + # # -- END: Setup Backup Sidecar metadata variables -- + # + # echo "+-----------------------------------------+" + # echo "| Updating Accounts Dashboard Vault Image |" + # echo "+-----------------------------------------+" + # + # # Get the name of the running main pod (the one that has the backup sidecar container in it) + # RUNNING_ACCOUNT_DASHBOARD_POD=$(kubectl -n ciam-account-dashboard get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" '.items[] | select(.spec.containers[].image == $img) | .metadata.name') + # echo 
"Running Accounts Dashboard Pod: $RUNNING_ACCOUNT_DASHBOARD_POD" + # + # # Make the request to create the backup + # CREATE_BACKUP_OUTPUT=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt") + # echo "Create Account Dashboard Vault Backup Output: $CREATE_BACKUP_OUTPUT" + # + # # Parse the output to check if the backup was created successfully + # BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message') + # if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup created successfully" ]; then + # echo "Account Dashboard backup created successfully." + # else + # echo "Error creating Account Dashboard backup: $BACKUP_OUTPUT_MESSAGE" + # exit 1 + # fi + # + # echo "Updating Account Dashboard Vault image..." + # + # # Update the Hashicorp Vault instance for the Account Dashboard + # update-k8s-deployment-image \ + # --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ + # --namespace ciam-account-dashboard \ + # --deployment-name account-pass-vault \ + # --container-name account-pass-vault \ + # --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} + # + # echo "Restoring vault from backup..." 
+ # + # LATEST_VAULT_BACKUP=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json") + # LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup') + # echo "Latest Vault Backup: $LATEST_VAULT_BACKUP" + # + # CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + # + # echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME" + # restore_output=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt") + # echo "Restore Output: $restore_output" + # + # #echo "+-----------------------------------------+" + # #echo "| Updating Services Dashboard Vault Image |" + # #echo "+-----------------------------------------+" + # + # # Get the name of the running main pod (the one that has the backup sidecar container in it) + # #RUNNING_SERVICES_DASHBOARD_POD=$(kubectl -n ciam-services-dashboard get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" '.items[] | select(.spec.containers[].image == $img) | .metadata.name') + # #echo "Running Services Dashboard Pod: $RUNNING_SERVICES_DASHBOARD_POD" + # + # # Make the request to create the backup + # #CREATE_BACKUP_OUTPUT=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt") + # #echo "Create Services Dashboard Vault Backup Output: $CREATE_BACKUP_OUTPUT" + # + # # Parse the output to check if the backup was created successfully + # #BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message') + # #if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup 
created successfully" ]; then + # # echo "Services Dashboard backup created successfully." + # #else + # # echo "Error creating Services Dashboard backup: $BACKUP_OUTPUT_MESSAGE" + # # exit 1 + # #fi + # + # #echo "Updating Services Dashboard Vault image..." + # + # # Update the Hashicopr Vault instance for the Services Dashboard + # #update-k8s-deployment-image \ + # # --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ + # # --namespace ciam-services-dashboard \ + # # --deployment-name services-vault \ + # # --container-name services-vault \ + # # --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} + # + # #echo "Restoring vault from backup..." + # + # #LATEST_VAULT_BACKUP=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json") + # #LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup') + # #echo "Latest Vault Backup: $LATEST_VAULT_BACKUP" + # + # #CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + # + # #echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME" + # #restore_output=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt") + # #echo "Restore Output: $restore_output" + # + # echo "+-------------------------------------------------------+" + # echo "| Updating Accessible Events Platform (AEP) Vault Image |" + # echo "+-------------------------------------------------------+" + # + # # Get the name of the running main pod (the one that has the backup sidecar container in it) + # RUNNING_AEP_POD=$(kubectl -n aep get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" 
'.items[] | select(.spec.containers[].image == $img) | .metadata.name') + # echo "Running AEP Pod: $RUNNING_AEP_POD" + # + # # Make the request to create the backups + # CREATE_BACKUP_OUTPUT=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt") + # echo "Create AEP Vault Backup Output: $CREATE_BACKUP_OUTPUT" + # + # # Parse the output to check if the backup was created successfully + # BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message') + # if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup created successfully" ]; then + # echo "AEP backup created successfully." + # else + # echo "Error creating AEP backup: $BACKUP_OUTPUT_MESSAGE" + # exit 1 + # fi + # + # echo "Updating AEP Vault image..." + # + # # Update the Hashicorp Vault instance for the Accessible Events Platform (AEP) + # update-k8s-deployment-image \ + # --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ + # --namespace aep \ + # --deployment-name aep-vault \ + # --container-name aep-vault \ + # --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} + # + # echo "Restoring vault from backup..." 
+ # + # LATEST_VAULT_BACKUP=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json") + # LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup') + # echo "Latest Vault Backup: $LATEST_VAULT_BACKUP"\ + # + # CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + # + # echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME" + # restore_output=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt") + # echo "Restore Output: $restore_output" \ No newline at end of file diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index 50c0418..0000000 --- a/.github/workflows/deploy.yml +++ /dev/null 
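Review bot: Once the commented-out "Update Image" step is re-enabled, `git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git` still hardcodes github.com in a workflow that now lives under `.forgejo/`, and it writes the token into `.git/config` on the self-hosted runner, where it outlives the job; since `actions/checkout@v4` persists a push credential by default, the line can become `git remote set-url origin "${{ github.server_url }}/${{ github.repository }}.git"` (or be dropped) — confirm that `github.server_url` resolves on the Forgejo runner. The `run:` scripts also splice `${{ env.IMAGE_NAME }}` and `${{ secrets.REPOSITORY_HOSTNAME }}` straight into shell text, and `IMAGE_NAME` is read from `metadata.yaml` in the checked-out tree, so a value containing shell metacharacters would be executed rather than quoted; pass them through a step-level `env:` map and reference `"$IMAGE_NAME"` / `"$REPOSITORY_HOSTNAME"` instead. In the second step the backup creation is checked against `"Backup created successfully"` with `exit 1` on mismatch, but `restore_output` is only echoed, so a failed restore after the image swap would go unnoticed while the job reports success; test its response for success the same way before moving on. The AEP block's `echo "Latest Vault Backup: $LATEST_VAULT_BACKUP"\` ends in a stray backslash that will join it to the following line once uncommented. Both steps start and end inside this hunk, but every line except the checkout step is currently commented out, so these only take effect when the steps are restored.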
@@ -1,122 +0,0 @@ -name: Build and deploy Bridgeman Accessible Hashicorp Vault Implementation - -on: - push: - branches: - - main - workflow_dispatch: - -jobs: - deploy: - runs-on: self-hosted - steps: - - name: Checkout code - uses: actions/checkout@v4 - - # Build a new container image from the code - - name: Update Image - run: | - # Parse information from the metadata.yaml file - IMAGE_NAME=$(yq '.name' metadata.yaml) - IMAGE_NAME=${IMAGE_NAME#\"} # Remove leading quote - IMAGE_NAME=${IMAGE_NAME%\"} # Remove trailing quote - echo "Image Name: $IMAGE_NAME" - echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV - - LOCAL_VERSION=$(yq '.version' metadata.yaml) - LOCAL_VERSION=${LOCAL_VERSION#\"} # Remove leading quote - LOCAL_VERSION=${LOCAL_VERSION%\"} # Remove trailing quote - echo "Image Local Version: $LOCAL_VERSION" - - REMOTE_TAGS_WORK_OUTPUT=$(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME 2>/dev/null || echo "") - if [ -n "$REMOTE_TAGS_WORK_OUTPUT" ]; then - IFS=' ' read -r -a REMOTE_TAGS <<< $(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME | jq -r '.Tags | @sh') - else - echo "Image not found in the repository. Will need to add it..." - - # Set a blank value so that it WON'T match the local version - IFS=' ' read -r -a REMOTE_TAGS <<< "" - fi - - echo "Remote Tags (number: ${#REMOTE_TAGS[@]}): ${REMOTE_TAGS[@]}" - - has_match='false' - if [ ${#REMOTE_TAGS[@]} -gt 0 ]; then - # Loop through the remote tags and check if any of them match the local version - for REMOTE_TAG in ${REMOTE_TAGS[@]}; do - REMOTE_TAG=${REMOTE_TAG#\'} # Remove leading quote - REMOTE_TAG=${REMOTE_TAG%\'} # Remove trailing quote - - # Check if the remote tag is the same as the local tag - if [ "$REMOTE_TAG" == "v$LOCAL_VERSION" ]; then - echo "Remote version matches local version!" 
- has_match='true' - break - fi - done - fi - - # If a remote tag that matches the local version already exists, increment the local version's patch version - if [ "$has_match" == 'true' ]; then - echo "Because the remote version matches the local version, we need to increment the local version's patch number." - - # Increment the patch version of the local version (Ex. 1.0.0 -> 1.0.1) - IFS='.' read -r major minor patch <<< "$LOCAL_VERSION" - patch=$((patch + 1)) - NEW_LOCAL_VERSION="$major.$minor.$patch" - - echo "New Local Version: $NEW_LOCAL_VERSION" - echo "Committing container version change..." - - sed -i "s|version: $LOCAL_VERSION|version: $NEW_LOCAL_VERSION|g" metadata.yaml - - LOCAL_VERSION=$NEW_LOCAL_VERSION - - # Update remote URL to use the GITHUB_TOKEN for authentication - git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git - - # Setup git user details for committing the version change and tag - git config user.name "GitHub Actions" - git config user.email "actions@github.com" - - # Commit the version change to the `package.json` file - git add metadata.yaml - git commit -m "[Github Actions] Update container version to $(jq -r '.version' package.json)" - - # Push the changes to the repository - git push origin HEAD:main - fi - - # Build and push the init container image to the repository - docker build -t ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME:v$LOCAL_VERSION . 
- docker push ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$IMAGE_NAME:v$LOCAL_VERSION - - # Note, this is the version NOT the tag - # This is because the `update-k8s-deployment-image` script automatically prepends the `v` to the version - echo "CONTAINER_IMAGE_VERSION=$LOCAL_VERSION" >> $GITHUB_ENV - - - name: Update vault images in various deployments - run: | - # Update the Hashicorp Vault instance for the Account Dashboard - update-k8s-deployment-image \ - --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ - --namespace ciam-account-dashboard \ - --deployment-name account-pass-vault \ - --container-name account-pass-vault \ - --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} - - # Update the Hashicopr Vault instance for the Services Dashboard - #update-k8s-deployment-image \ - # --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ - # --namespace ciam-services-dashboard \ - # --deployment-name services-vault \ - # --container-name services-vault \ - # --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} - - # Update the Hashicorp Vault instance for the Accessible Events Platform (AEP) - update-k8s-deployment-image \ - --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \ - --namespace aep \ - --deployment-name aep-vault \ - --container-name aep-vault \ - --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }} \ No newline at end of file