Demo1 testing

.github/TEMPLATES/secret-mapping-opencrvs-deps.yml

@@ -1,11 +1,3 @@
-
-backup-encryption-secret:
-  type: Opaque
-  data:
-  # This is the password that is used to encrypt all the backups that OpenCRVS creates from
-  # a production server and that are stored on the backup server. Use this passphrase to decrypt the backups.
-  - BACKUP_ENCRYPTION_PASSPHRASE:backup_encryption_key
-
 elasticsearch-admin-user:
   type: Opaque
   data:
@@ -47,3 +39,27 @@ traefik-cert:
   data:
     - TRAEFIK_CERT: cert
     - TRAEFIK_KEY: key
+
+# If backup is configured then workflow will use GitHub secrets for current environment
+# If restore is configured then workflow will fetch secrets from source environment (usually production)
+backup-server-ssh-credentials:
+  type: Opaque
+  data:
+    - BACKUP_SERVER_USER: user
+    - BACKUP_HOST_PRIVATE_KEY: ssh_key
+    - BACKUP_HOST: host
+
+backup-encryption-secret:
+  type: Opaque
+  data:
+  # This is the password that is used to encrypt all the backups that OpenCRVS creates from
+  # a production server and that are stored on the backup server. Use this passphrase to decrypt the backups.
+  - BACKUP_ENCRYPTION_PASSPHRASE: backup_encryption_key
+
+
+# RESTORE_ENCRYPTION_PASSPHRASE is fetched from source environment (usually production)
+# Check workflow: github-to-k8s-sync-env.yml
+restore-encryption-secret:
+  type: Opaque
+  data:
+  - RESTORE_ENCRYPTION_PASSPHRASE: backup_encryption_key

.github/workflows/deploy-dependencies.yml

@@ -9,7 +9,9 @@ on:
         default: "dev"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
 jobs:
   approve:
     environment: ${{ inputs.environment }}

.github/workflows/deploy-opencrvs.yml

@@ -25,7 +25,9 @@ on:
         default: "dev"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
 
 jobs:
   approve:

.github/workflows/get-secret-from-environment.yml

@@ -0,0 +1,102 @@
+name: Reusable Fetch Secret Workflow
+# TODO: Check if this workflow can be simplified
+on:
+  workflow_call:
+    inputs:
+      secret_name:
+        required: true
+        type: string
+      env_name:
+        required: true
+        type: string
+    outputs:
+      secret_value:
+        description: 'Secret value, encrypted with the encryption key'
+        value: ${{ jobs.fetch-credentials.outputs.secret_value }}
+      environment_exists:
+        description: 'Whether the environment exists or not'
+        value: ${{ jobs.check-environment.outputs.environment_exists }}
+    secrets:
+      gh_token:
+        required: true
+      encryption_key:
+        required: true
+      # All secrets that are we want to allow access to need
+      # to be defined in this list
+      BACKUP_ENCRYPTION_PASSPHRASE:
+        required: false
+      BACKUP_HOST_PRIVATE_KEY:
+        required: false
+      BACKUP_HOST:
+        required: false
+      BACKUP_SERVER_USER:
+        required: false
+
+jobs:
+  check-environment:
+    name: Check if Environment Exists
+    runs-on: ubuntu-24.04
+    outputs:
+      environment_exists: ${{ steps.check-env.outputs.exists }}
+    steps:
+      - name: Check if GITHUB_TOKEN is set
+        id: check-token
+        run: |
+          if [ -z "${{ secrets.gh_token }}" ]; then
+            echo "Environment secret GITHUB_TOKEN is not set. Make sure you add a correct Github API token before running this pipeline."
+            exit 1
+          fi
+
+      - name: Verify GitHub token validity
+        id: verify-token
+        run: |
+          RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ secrets.gh_token }}" \
+                            "https://api.github.com/user")
+          if [ "$RESPONSE" -ne 200 ]; then
+            echo "Invalid or expired GitHub token."
+            exit 1
+          fi
+          echo "GitHub token is valid."
+
+      - name: Check if environment exists
+        id: check-env
+        run: |
+          ENV_NAME="${{ inputs.env_name }}"
+          RESPONSE=$(curl -s -H "Authorization: Bearer ${{ secrets.gh_token }}" \
+                            "https://api.github.com/repos/${{ github.repository }}/environments/$ENV_NAME")
+          if echo "$RESPONSE" | grep -q '"name": "'$ENV_NAME'"'; then
+            echo "Environment $ENV_NAME exists."
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "Environment $ENV_NAME does not exist."
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+  fetch-credentials:
+    name: Fetch Secret
+    runs-on: ubuntu-24.04
+    environment: ${{ inputs.env_name }}
+    needs: check-environment
+    # Without this Github actions will create the environment when it doesnt exist
+    if: needs.check-environment.outputs.environment_exists == 'true'
+    outputs:
+      secret_value: ${{ steps.fetch-credentials.outputs.secret_value }}
+    steps:
+      - name: Fetch the secret
+        id: fetch-credentials
+        env:
+          SECRET_NAME: ${{ inputs.secret_name }}
+        run: |
+          SECRET_VALUE="${{ secrets[env.SECRET_NAME] }}"
+          if [ -z "$SECRET_VALUE" ]; then
+            echo "Secret ${{ inputs.secret_name }} is empty. Usually this means you have not explicitly stated the secrets"
+            echo "in both the workflow file get-secrets-from-environment and in the file you are using the reusable workflow from."
+            echo "Please make sure you have added the secret to the workflow files and retry."
+            exit 1
+          fi
+          echo -n "$SECRET_VALUE" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.encryption_key }}" -out encrypted_key.bin
+          ENCODED_ENCRYPTED_SECRET=$(base64 < encrypted_key.bin)
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "secret_value<<$EOF" >> $GITHUB_OUTPUT
+          echo "$ENCODED_ENCRYPTED_SECRET" >> $GITHUB_OUTPUT
+          echo "$EOF" >> $GITHUB_OUTPUT

.github/workflows/github-to-k8s-sync-env.yml

@@ -7,10 +7,12 @@ on:
       environment:
         description: "Target environment"
         required: true
-        default: "development"
+        default: "staging"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
       namespace_template:
         description: "Secrets mapping template"
         default: "opencrvs"
@@ -25,10 +27,84 @@ on:
         default: dev
       namespace_template:
         type: string
-        default: opencrvs 
+        default: opencrvs
 
 jobs:
+  get-restore-env-name:
+    name: Get restore environment name
+    outputs:
+      restore_env_name: ${{ steps.set-restore-env.outputs.restore-env-name }}
+    runs-on: ubuntu-24.04
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Set restore environment name
+        id: set-restore-env
+        run: |
+          if [ "${{ vars.RESTORE_ENVIRONMENT_NAME }}" != "false" ]; then
+          echo "restore-env-name=${{ vars.RESTORE_ENVIRONMENT_NAME }}"
+          echo "restore-env-name=${{ vars.RESTORE_ENVIRONMENT_NAME }}" >> $GITHUB_OUTPUT
+          fi
+      - name: "Env name: ${{ steps.set-restore-env.outputs.restore-env-name }}"
+        run: |
+          echo "Determined restore environment name: ${{ steps.set-restore-env.outputs.restore-env-name }}"
+
+  get-restore-encryption-key:
+    needs: get-restore-env-name
+    if: needs.get-restore-env-name.outputs.restore_env_name
+    name: Get backup encryption key
+    uses: ./.github/workflows/get-secret-from-environment.yml
+    with:
+      secret_name: 'BACKUP_ENCRYPTION_PASSPHRASE'
+      env_name: ${{ needs.get-restore-env-name.outputs.restore_env_name }}
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      BACKUP_ENCRYPTION_PASSPHRASE: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
+  get-restore-ssh-key:
+    needs: get-restore-env-name
+    if: needs.get-restore-env-name.outputs.restore_env_name
+    name: Get backup ssh key
+    uses: ./.github/workflows/get-secret-from-environment.yml
+    with:
+      secret_name: 'BACKUP_HOST_PRIVATE_KEY'
+      env_name: ${{ needs.get-restore-env-name.outputs.restore_env_name }}
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      BACKUP_HOST_PRIVATE_KEY: ${{ secrets.BACKUP_HOST_PRIVATE_KEY }}
+  get-restore-host:
+    needs: get-restore-env-name
+    if: needs.get-restore-env-name.outputs.restore_env_name
+    name: Get backup host
+    uses: ./.github/workflows/get-secret-from-environment.yml
+    with:
+      secret_name: 'BACKUP_HOST'
+      env_name: ${{ needs.get-restore-env-name.outputs.restore_env_name }}
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      BACKUP_HOST: ${{ secrets.BACKUP_HOST }}
+  get-restore-ssh-user:
+    needs: get-restore-env-name
+    if: needs.get-restore-env-name.outputs.restore_env_name
+    name: Get backup ssh user
+    uses: ./.github/workflows/get-secret-from-environment.yml
+    with:
+      secret_name: 'BACKUP_SERVER_USER'
+      env_name: ${{ needs.get-restore-env-name.outputs.restore_env_name }}
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      BACKUP_SERVER_USER: ${{ secrets.BACKUP_SERVER_USER }}
   sync-env:
+    if: always()
+    needs:
+      - get-restore-env-name
+      - get-restore-ssh-key
+      - get-restore-host
+      - get-restore-ssh-user
+      - get-restore-encryption-key
+    name: Sync GitHub env to Kubernetes
     environment: ${{ inputs.environment }}
     runs-on:
       - self-hosted
@@ -40,7 +116,7 @@ jobs:
       # to store GitHub Secrets and Variables (base64 encoded)
       # Making those values base64 encoded allows us to avoid further complex escaping issues
       # with special characters and multiline values when generating Kubernetes Secret manifests
-      - name: Export all secrets and environment variables
+      - name: Export all secrets and environment variables from GitHub
         run: |
             ENV_FILE=$(mktemp)
             jq -n -r '
@@ -52,7 +128,31 @@ jobs:
             ' > $ENV_FILE
 
             echo env_file=$ENV_FILE >> $GITHUB_ENV
-            cat $ENV_FILE
+            cat $ENV_FILE | cut -d\= -f1
+      - name: Save restore (backup source) environment secrets
+        if: needs.get-restore-env-name.outputs.restore_env_name
+        run: |
+          RESTORE_ENCRYPTION_PASSPHRASE=$(echo "${{ needs.get-restore-encryption-key.outputs.secret_value }}" | base64 --decode | \
+          openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" | base64)
+          echo "::add-mask::$RESTORE_ENCRYPTION_PASSPHRASE"
+
+          BACKUP_HOST=$(echo "${{ needs.get-restore-host.outputs.secret_value }}" | base64 --decode | \
+          openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" | base64)
+          echo "::add-mask::$BACKUP_HOST"
+
+          BACKUP_HOST_PRIVATE_KEY=$(echo "${{ needs.get-restore-ssh-key.outputs.secret_value }}" | base64 --decode | \
+          openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" | base64 | tr -d ' \n')
+          echo "::add-mask::$BACKUP_HOST_PRIVATE_KEY"
+
+          BACKUP_SERVER_USER=$(echo "${{ needs.get-restore-ssh-user.outputs.secret_value }}" | base64 --decode | \
+          openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" | base64)
+          echo "::add-mask::$BACKUP_SERVER_USER"
+
+          echo RESTORE_ENCRYPTION_PASSPHRASE=$RESTORE_ENCRYPTION_PASSPHRASE >> $env_file
+          echo BACKUP_HOST=$BACKUP_HOST >> $env_file
+          echo BACKUP_HOST_PRIVATE_KEY=$BACKUP_HOST_PRIVATE_KEY >> $env_file
+          echo BACKUP_SERVER_USER=$BACKUP_SERVER_USER >> $env_file
+          grep BACKUP_HOST_PRIVATE_KEY $env_file || echo "No restore encryption passphrase to add"
 
       - name: Preprocess mapping into Secret YAMLs
         run: |

.github/workflows/k8s-reindex.yml

@@ -9,7 +9,9 @@ on:
         default: "dev"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
   workflow_call:
     inputs:
       environment:

.github/workflows/k8s-reset-data.yml

@@ -9,7 +9,9 @@ on:
         default: "dev"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
   workflow_call:
     inputs:
       environment:

.github/workflows/k8s-seed-data.yml

@@ -9,7 +9,9 @@ on:
         default: "dev"
         type: choice
         options:
-          - ""
+          - demo1
+          - production
+          - staging
   workflow_call:
     inputs:
       environment:

.github/workflows/provision.yml

@@ -9,7 +9,9 @@ on:
         default: 'dev'
         type: choice
         options:
-          - ""
+          - staging
+          - production
+          - demo1
       tags:
         description: 'Tags to apply to the provisioned resources'
         required: true
@@ -77,6 +79,8 @@ jobs:
           smtp_from: "team@opencrvs.org"
           smtp_password: ${{ secrets.SMTP_PASSWORD }}
           alert_email: ${{ secrets.ALERT_EMAIL }}
+          backup_host_public_key: ${{ secrets.BACKUP_HOST_PUBLIC_KEY }}
+          backup_server_user: ${{ secrets.BACKUP_SERVER_USER }}
       - name: checkout repository
         uses: actions/checkout@v6
       - name: Run Ansible Playbook

.github/workflows/publish-charts.yml

@@ -30,7 +30,7 @@ jobs:
         env:
             GITHUB_TOKEN_REGISTRY: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
         run: |
-          echo $GITHUB_TOKEN_REGISTRY | helm registry login ghcr.io --username adskyiproger --password-stdin
+          echo $GITHUB_TOKEN_REGISTRY | helm registry login ghcr.io --username ocrvs-bot --password-stdin
           for package in $(ls -1 packages)
           do
             helm push packages/$package oci://ghcr.io/opencrvs

.github/workflows/reset-2fa.yml

@@ -13,7 +13,9 @@ on:
         default: 
         required: true
         options:
-          - ""
+          - staging
+          - production
+          - demo1
 
 jobs:
   approve:

charts/opencrvs-services/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: opencrvs-services
 description: OpenCRVS Services
 type: application
-version: 0.1.27
+version: 0.1.26
 appVersion: 1.9.5