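name: Build and deploy Bridgeman Accessible Hashicorp Vault Implementation

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  deploy:
    runs-on: self-hosted

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Build a new container image from the code.
      #
      # Reads `name` and `version` from metadata.yaml, makes sure the resulting
      # `v<version>` tag does not already exist in the registry (bumping the patch
      # number and committing the bump if it does), then builds and pushes the
      # image and exports IMAGE_NAME / CONTAINER_IMAGE_VERSION for later steps.
      - name: Update Image
        # Secrets and expression values are handed to the script through the
        # environment instead of being interpolated into the script text with
        # ${{ }}: they never become part of the shell source, so they cannot
        # alter how the script is parsed and are not echoed into the job log
        # as part of the command.
        env:
          REPOSITORY_HOSTNAME: ${{ secrets.REPOSITORY_HOSTNAME }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
        shell: bash
        run: |
          # -e: stop on the first failing command; pipefail: a failing producer
          # inside a pipeline (e.g. skopeo | jq) fails the whole pipeline.
          # -u is deliberately not used: older bash treats an empty array
          # expansion as an unbound variable, and REMOTE_TAGS may be empty.
          set -eo pipefail

          # Parse information from the metadata.yaml file.
          # `yq -r` prints raw scalars (no surrounding quotes), so no manual
          # quote stripping is needed.
          IMAGE_NAME=$(yq -r '.name' metadata.yaml)
          LOCAL_VERSION=$(yq -r '.version' metadata.yaml)

          # Refuse to continue with a missing key: it would otherwise produce an
          # image reference such as ".../k8s/:vnull".
          if [ -z "$IMAGE_NAME" ] || [ "$IMAGE_NAME" == "null" ] \
             || [ -z "$LOCAL_VERSION" ] || [ "$LOCAL_VERSION" == "null" ]; then
            echo "metadata.yaml must define both 'name' and 'version'" >&2
            exit 1
          fi

          echo "Image Name: $IMAGE_NAME"
          echo "Image Local Version: $LOCAL_VERSION"
          echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_ENV"

          # Registry path of the image, without a tag.
          IMAGE_REPO="$REPOSITORY_HOSTNAME/k8s/$IMAGE_NAME"

          # Fetch the tags already published for this image. The registry is
          # queried exactly once and the result reused below.
          # A missing image is not an error here: it simply means there is no
          # existing tag to collide with.
          REMOTE_TAGS=()
          if REMOTE_TAGS_JSON=$(skopeo list-tags "docker://$IMAGE_REPO" 2>/dev/null); then
            # `.Tags[]?` yields one tag per line and tolerates a null/absent list.
            mapfile -t REMOTE_TAGS < <(jq -r '.Tags[]?' <<< "$REMOTE_TAGS_JSON")
          else
            echo "Image not found in the repository. Will need to add it..."
          fi
          echo "Remote Tags (number: ${#REMOTE_TAGS[@]}): ${REMOTE_TAGS[*]}"

          # tag_exists TAG: succeeds when TAG is one of the remote tags.
          tag_exists() {
            local candidate="$1" tag
            for tag in "${REMOTE_TAGS[@]}"; do
              if [ "$tag" == "$candidate" ]; then
                return 0
              fi
            done
            return 1
          }

          # If a remote tag that matches the local version already exists,
          # increment the local version's patch number (Ex. 1.0.0 -> 1.0.1) and
          # keep incrementing until the tag is unused, so the push below can
          # never silently overwrite an image that is already published.
          if tag_exists "v$LOCAL_VERSION"; then
            echo "Remote version matches local version!"
            echo "Because the remote version matches the local version, we need to increment the local version's patch number."

            IFS='.' read -r major minor patch <<< "$LOCAL_VERSION"
            NEW_LOCAL_VERSION="$LOCAL_VERSION"
            while tag_exists "v$NEW_LOCAL_VERSION"; do
              patch=$((patch + 1))
              NEW_LOCAL_VERSION="$major.$minor.$patch"
            done
            echo "New Local Version: $NEW_LOCAL_VERSION"

            echo "Committing container version change..."
            # Escape the dots so they match literally instead of acting as
            # regex wildcards.
            LOCAL_VERSION_RE="${LOCAL_VERSION//./\\.}"
            sed -i "s|version: $LOCAL_VERSION_RE|version: $NEW_LOCAL_VERSION|g" metadata.yaml

            # Fail loudly if the file does not now carry the new version (for
            # example because the value is written in a form the sed pattern
            # does not match) rather than committing nothing.
            if [ "$(yq -r '.version' metadata.yaml)" != "$NEW_LOCAL_VERSION" ]; then
              echo "Failed to update version in metadata.yaml" >&2
              exit 1
            fi
            LOCAL_VERSION=$NEW_LOCAL_VERSION

            # Git identity for the automated version-bump commit.
            git config user.name "Forgejo Actions"
            git config user.email "actions@git.bridgemanaccessible.ca"

            # Commit the version change to metadata.yaml.
            git add metadata.yaml
            git commit -m "[Forgejo Actions] Update container version to $NEW_LOCAL_VERSION"

            # Push with the token supplied to this one command only. Rewriting
            # the `origin` URL would persist the token in .git/config inside
            # the workspace, which on a self-hosted runner can outlive the job.
            git push "https://x-access-token:${GITHUB_TOKEN}@git.bridgemanaccessible.ca/${REPOSITORY}.git" HEAD:main
          fi

          # Build and push the container image to the repository.
          docker build -t "$IMAGE_REPO:v$LOCAL_VERSION" .
          docker push "$IMAGE_REPO:v$LOCAL_VERSION"

          # Note, this is the version NOT the tag.
          # This is because the `update-k8s-deployment-image` script
          # automatically prepends the `v` to the version.
          echo "CONTAINER_IMAGE_VERSION=$LOCAL_VERSION" >> "$GITHUB_ENV"

      # Disabled: rolls the new image out to the running Vault deployments,
      # taking a backup through each application's backup sidecar first and
      # restoring it afterwards. If re-enabled, move the `${{ secrets.* }}` and
      # `${{ env.* }}` values into an `env:` block as done in "Update Image".
      #- name: Update vault images in various deployments
      #  run: |
      #    # -- Setup Backup Sidecar metadata variables --
      #
      #    # Variable for the image name (so that there can't be typos etc...)
      #    BACKUP_SIDECAR_IMAGE_NAME="backup-sidecar"
      #
      #    # Get the available tags from the image registry
      #    IFS=' ' read -r -a BACKUP_SIDECAR_TAGS <<< $(skopeo list-tags docker://${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$BACKUP_SIDECAR_IMAGE_NAME | jq -r '.Tags | @sh')
      #
      #    # Get the latest tag from the list of tags
      #    LATEST_BACKUP_SIDECAR_TAG=$(echo ${BACKUP_SIDECAR_TAGS[@]} | tr ' ' '\n' | sort -V | tail -n 1)
      #    LATEST_BACKUP_SIDECAR_TAG=${LATEST_BACKUP_SIDECAR_TAG#\'} # Remove leading quote
      #    LATEST_BACKUP_SIDECAR_TAG=${LATEST_BACKUP_SIDECAR_TAG%\'} # Remove trailing quote
      #    echo "Latest Backup Sidecar Tag: $LATEST_BACKUP_SIDECAR_TAG"
      #
      #    # Get/Generate the "full" image name (including the tag) for the backup sidecar
      #    FULL_BACKUP_SIDECAR_IMAGE_NAME="${{ secrets.REPOSITORY_HOSTNAME }}/k8s/$BACKUP_SIDECAR_IMAGE_NAME:$LATEST_BACKUP_SIDECAR_TAG"
      #    echo "Looking for backup sidecar: $FULL_BACKUP_SIDECAR_IMAGE_NAME"
      #
      #    # -- END: Setup Backup Sidecar metadata variables --
      #
      #    echo "+-----------------------------------------+"
      #    echo "| Updating Accounts Dashboard Vault Image |"
      #    echo "+-----------------------------------------+"
      #
      #    # Get the name of the running main pod (the one that has the backup sidecar container in it)
      #    RUNNING_ACCOUNT_DASHBOARD_POD=$(kubectl -n ciam-account-dashboard get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" '.items[] | select(.spec.containers[].image == $img) | .metadata.name')
      #    echo "Running Accounts Dashboard Pod: $RUNNING_ACCOUNT_DASHBOARD_POD"
      #
      #    # Make the request to create the backup
      #    CREATE_BACKUP_OUTPUT=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt")
      #    echo "Create Account Dashboard Vault Backup Output: $CREATE_BACKUP_OUTPUT"
      #
      #    # Parse the output to check if the backup was created successfully
      #    BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message')
      #    if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup created successfully" ]; then
      #      echo "Account Dashboard backup created successfully."
      #    else
      #      echo "Error creating Account Dashboard backup: $BACKUP_OUTPUT_MESSAGE"
      #      exit 1
      #    fi
      #
      #    echo "Updating Account Dashboard Vault image..."
      #
      #    # Update the Hashicorp Vault instance for the Account Dashboard
      #    update-k8s-deployment-image \
      #      --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \
      #      --namespace ciam-account-dashboard \
      #      --deployment-name account-pass-vault \
      #      --container-name account-pass-vault \
      #      --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }}
      #
      #    echo "Restoring vault from backup..."
      #
      #    LATEST_VAULT_BACKUP=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json")
      #    LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup')
      #    echo "Latest Vault Backup: $LATEST_VAULT_BACKUP"
      #
      #    CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
      #
      #    echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME"
      #    restore_output=$(kubectl -n ciam-account-dashboard exec $RUNNING_ACCOUNT_DASHBOARD_POD -c account -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt")
      #    echo "Restore Output: $restore_output"
      #
      #    #echo "+-----------------------------------------+"
      #    #echo "| Updating Services Dashboard Vault Image |"
      #    #echo "+-----------------------------------------+"
      #
      #    # Get the name of the running main pod (the one that has the backup sidecar container in it)
      #    #RUNNING_SERVICES_DASHBOARD_POD=$(kubectl -n ciam-services-dashboard get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" '.items[] | select(.spec.containers[].image == $img) | .metadata.name')
      #    #echo "Running Services Dashboard Pod: $RUNNING_SERVICES_DASHBOARD_POD"
      #
      #    # Make the request to create the backup
      #    #CREATE_BACKUP_OUTPUT=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt")
      #    #echo "Create Services Dashboard Vault Backup Output: $CREATE_BACKUP_OUTPUT"
      #
      #    # Parse the output to check if the backup was created successfully
      #    #BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message')
      #    #if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup created successfully" ]; then
      #    #  echo "Services Dashboard backup created successfully."
      #    #else
      #    #  echo "Error creating Services Dashboard backup: $BACKUP_OUTPUT_MESSAGE"
      #    #  exit 1
      #    #fi
      #
      #    #echo "Updating Services Dashboard Vault image..."
      #
      #    # Update the Hashicorp Vault instance for the Services Dashboard
      #    #update-k8s-deployment-image \
      #    #  --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \
      #    #  --namespace ciam-services-dashboard \
      #    #  --deployment-name services-vault \
      #    #  --container-name services-vault \
      #    #  --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }}
      #
      #    #echo "Restoring vault from backup..."
      #
      #    #LATEST_VAULT_BACKUP=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json")
      #    #LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup')
      #    #echo "Latest Vault Backup: $LATEST_VAULT_BACKUP"
      #
      #    #CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
      #
      #    #echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME"
      #    #restore_output=$(kubectl -n ciam-services-dashboard exec $RUNNING_SERVICES_DASHBOARD_POD -c services -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt")
      #    #echo "Restore Output: $restore_output"
      #
      #    echo "+-------------------------------------------------------+"
      #    echo "| Updating Accessible Events Platform (AEP) Vault Image |"
      #    echo "+-------------------------------------------------------+"
      #
      #    # Get the name of the running main pod (the one that has the backup sidecar container in it)
      #    RUNNING_AEP_POD=$(kubectl -n aep get pods -o json | jq -r --arg img "$FULL_BACKUP_SIDECAR_IMAGE_NAME" '.items[] | select(.spec.containers[].image == $img) | .metadata.name')
      #    echo "Running AEP Pod: $RUNNING_AEP_POD"
      #
      #    # Make the request to create the backups
      #    CREATE_BACKUP_OUTPUT=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -X PUT -sSL http://localhost:4000/backup/vault -o backup-output.txt && cat backup-output.txt")
      #    echo "Create AEP Vault Backup Output: $CREATE_BACKUP_OUTPUT"
      #
      #    # Parse the output to check if the backup was created successfully
      #    BACKUP_OUTPUT_MESSAGE=$(echo $CREATE_BACKUP_OUTPUT | jq -r '.message')
      #    if [ "$BACKUP_OUTPUT_MESSAGE" == "Backup created successfully" ]; then
      #      echo "AEP backup created successfully."
      #    else
      #      echo "Error creating AEP backup: $BACKUP_OUTPUT_MESSAGE"
      #      exit 1
      #    fi
      #
      #    echo "Updating AEP Vault image..."
      #
      #    # Update the Hashicorp Vault instance for the Accessible Events Platform (AEP)
      #    update-k8s-deployment-image \
      #      --image-version ${{ env.CONTAINER_IMAGE_VERSION }} \
      #      --namespace aep \
      #      --deployment-name aep-vault \
      #      --container-name aep-vault \
      #      --image-name ${{ secrets.REPOSITORY_HOSTNAME }}/k8s/${{ env.IMAGE_NAME }}
      #
      #    echo "Restoring vault from backup..."
      #
      #    LATEST_VAULT_BACKUP=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -sSL http://localhost:4000/backups/vault -o latest-backup.json && cat latest-backup.json")
      #    LATEST_VAULT_BACKUP=$(echo $LATEST_VAULT_BACKUP | jq -r '.backup')
      #    echo "Latest Vault Backup: $LATEST_VAULT_BACKUP"
      #
      #    CURR_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
      #
      #    echo "Restoring Vault Backup: $LATEST_VAULT_BACKUP at restore time: $CURR_DATETIME"
      #    restore_output=$(kubectl -n aep exec $RUNNING_AEP_POD -c aep -- /bin/bash -c "curl -s -X POST -H 'Content-Type: application/json' -d '{ \"backupName\": \"$LATEST_VAULT_BACKUP\", \"restoreTime\": \"$CURR_DATETIME\" }' http://localhost:4000/restore/vault -o restore-output.txt && cat restore-output.txt")
      #    echo "Restore Output: $restore_output"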