diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index c85429e..05b4b8d 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -37,11 +37,6 @@ on:
 description: The username for the container registry
 default: parcellab-dev-bot
 type: string
- repository_kind:
- required: false
- description: The kind of repository (github or ecr)
- default: "github"
- type: string
 enableContainerScan:
 required: false
 description: Apply the container scan
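Review bot: Dropping `repository_kind` from the `workflow_call` inputs is a breaking interface change: a reusable workflow fails validation with an invalid-input error when a caller passes an input it no longer declares, and the only caller updated in this commit is kubernetes.yaml (the `repository_kind: ${{ inputs.repository_kind }}` removal further down). The same applies to `chartInAppRepo` and `configurationFilepath` in the deployment.yaml input hunk and to `chartInAppRepo` / `repository_kind` in the two kubernetes.yaml input hunks. If other repositories call these workflows, either keep the inputs declared for a transition period with a description such as `description: Deprecated and ignored; only ECR is supported` or state the removal explicitly in the release notes.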
@@ -63,70 +58,8 @@ env: IMAGE_SCAN_TRIVY_TIMEOUT: 10m jobs: - build-github-single: - if: inputs.repository_kind == 'github' && inputs.imageTargets == '' - environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v4 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registryHostname }} - username: ${{ inputs.registryUsername }} - password: ${{ secrets.repoAccessToken }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Build image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ inputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ inputs.version }} - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name 
}}:${{ github.sha }} - - name: Scan for vulnerabilities - if: inputs.enableContainerScan - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push image to GitHub - run: | - docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - build-ecr-single: - if: inputs.repository_kind == 'ecr' && inputs.imageTargets == '' + if: inputs.imageTargets == '' environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} steps: @@ -148,7 +81,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Configure AWS credentials - if: inputs.repository_kind == 'ecr' uses: aws-actions/configure-aws-credentials@v2 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
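Review bot: The surviving single-image job has no visible key line on the new side of this hunk: `build-github-single:` and `build-ecr-single:` are both removed and only `if: inputs.imageTargets == ''` is added, so unless a context line holding the key was lost in the collapsed rendering, `if:` now sits directly under `jobs:` and the workflow will not load. If the retained key is in fact `build-github-single`, the name is misleading for a job whose remaining steps log in to and push to ECR. The `build-ecr-matrix` hunk below has the same shape. Worth checking the rendered file and, if the names survived, renaming to something neutral such as `build-single:` and `build-matrix:`.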
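Review bot: With the `if: inputs.repository_kind == 'ecr'` guard gone, the `aws-actions/configure-aws-credentials@v2` step runs for every caller, and it still authenticates with a long-lived static key from `secrets.AWS_ACCESS_KEY_ID` (the rest of the `with:` block is outside the hunk). Since this path is now the only build path, this is the moment to move to OIDC: declare `permissions: id-token: write` on the job and replace the static key inputs with `role-to-assume: <ROLE_ARN placeholder>`, which removes the secret from the repository entirely. The step also pins a mutable major tag while the deleted plconfig.yaml pinned `ad-m/github-push-action` to a full commit SHA; pinning third-party actions to a SHA here would be consistent with that stricter practice.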
@@ -194,78 +126,11 @@ jobs: env: TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - name: Push image to ECR - if: inputs.repository_kind == 'ecr' run: | docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} - build-github-matrix: - if: inputs.repository_kind == 'github' && inputs.imageTargets != '' - environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} - strategy: - matrix: - containerfile_targets: ${{ fromJson(inputs.imageTargets) }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v4 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registryHostname }} - username: ${{ inputs.registryUsername }} - password: ${{ secrets.repoAccessToken }} - - name: Build ${{ matrix.containerfile_targets }} image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ inputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ 
inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ inputs.version }} - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} - target: ${{ matrix.containerfile_targets }} - - name: Scan for vulnerabilities - uses: crazy-max/ghaction-container-scan@v3 - if: inputs.enableContainerScan - with: - image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push ${{ matrix.containerfile_targets }} image to ECR - run: | - docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - build-ecr-matrix: - if: inputs.repository_kind == 'ecr' && inputs.imageTargets != '' + if: inputs.imageTargets != '' environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} strategy: diff --git a/.github/workflows/deployment.yaml b/.github/workflows/deployment.yaml index a476d39..e7e4606 100644 --- a/.github/workflows/deployment.yaml +++ b/.github/workflows/deployment.yaml 
@@ -9,16 +9,6 @@ on:
 required: true
 description: The author of the change that triggers the deployment
 type: string
- chartInAppRepo:
- required: false
- description: Specify if chart is migrated into the application's repository
- default: false
- type: boolean
- configurationFilepath:
- required: false
- description: The path to the application configuration file
- default: ./plconfig.yaml
- type: string
 containerContext:
 required: false
 default: .
@@ -65,99 +55,8 @@ on: required: true description: The Github token to perform operations cross-repo (not secrets.GITHUB_TOKEN!) jobs: - read_schema_version: - runs-on: ${{ inputs.runner }} - if: inputs.chartInAppRepo == false - outputs: - version: ${{ steps.version.outputs.result }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Load schema version - id: version - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq ".schemaVersion" ${{ inputs.configurationFilepath }} - detect_declarations: - runs-on: ${{ inputs.runner }} - needs: [read_schema_version] - if: needs.read_schema_version.outputs.version == 'v2' - outputs: - has-kubernetes: ${{ steps.has-kubernetes.outputs.result }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Detect kubernetes deployment - id: has-kubernetes - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq '.deployment | has("kubernetes")' ${{ inputs.configurationFilepath }} kubernetes: runs-on: ${{ inputs.runner }} - needs: [detect_declarations] - if: needs.detect_declarations.outputs.has-kubernetes == 'true' - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Load plconfig values - id: values - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq "." ${{ inputs.configurationFilepath }} -o=json -I=0 - - name: Load k8s deployment variables - id: k8s - run: | - # shellcheck disable=SC2129,SC2086 - echo "namespace=${{ fromJSON(steps.values.outputs.result).deployment.kubernetes.namespace }}" >> $GITHUB_OUTPUT - # shellcheck disable=SC2086 - echo "version-key=${{ fromJSON(steps.values.outputs.result).deployment.kubernetes.versionKey }}" >> $GITHUB_OUTPUT - # shellcheck disable=SC2086 - echo "container-context=${{ fromJSON(steps.values.outputs.result).deployment.kubernetes.container.context || '.' 
}}" >> $GITHUB_OUTPUT - # shellcheck disable=SC2086 - echo "container-file=${{ fromJSON(steps.values.outputs.result).deployment.kubernetes.container.file || 'Containerfile' }}" >> $GITHUB_OUTPUT - if [[ "${{ inputs.env }}" == 'prod' ]] - then - URL="https://${{ inputs.appName }}.parcellab.dev" - STATUS_URL="https://argocd.${{ inputs.env }}.parcellab.dev/applications/${{ inputs.appName }}" - else - URL="https://${{ inputs.appName }}.${{ inputs.env }}.parcellab.dev" - STATUS_URL="https://argocd.${{ inputs.env }}.parcellab.dev/applications/${{ inputs.appName }}" - fi - # shellcheck disable=SC2086 - echo "url=$URL" >> $GITHUB_OUTPUT - # shellcheck disable=SC2086 - echo "status-url=$STATUS_URL" >> $GITHUB_OUTPUT - - name: Create Github ${{ fromJSON(steps.values.outputs.result).name }} k8s deployment - uses: chrnorm/deployment-action@v2 - with: - auto-merge: false - environment: ${{ inputs.env }} - ref: ${{ inputs.ref }} - required-contexts: "" - payload: | - { - "author": ${{ toJSON(inputs.author) }}, - "description": ${{ toJSON(inputs.description) }}, - "env": ${{ toJSON(inputs.env) }}, - "name": ${{ toJSON(fromJSON(steps.values.outputs.result).name) }}, - "container": { - "context": ${{ toJSON(steps.k8s.outputs.container-context) }}, - "file": ${{ toJSON(steps.k8s.outputs.container-file) }} - }, - "kubernetes": { - "namespace": ${{ toJSON(steps.k8s.outputs.namespace) }}, - "versionKey": ${{ toJSON(steps.k8s.outputs.version-key) }} - }, - "schemaVersion": "v2", - "statusUrl": ${{ toJSON(steps.k8s.outputs.status-url) }}, - "url": ${{ toJSON(steps.k8s.outputs.url) }} - } - production-environment: "${{ inputs.env == 'prod' }}" - transient-environment: "${{ inputs.env == 'test' }}" - token: ${{ secrets.repoAccessToken }} - kubernetes-migrated-chart: - runs-on: ${{ inputs.runner }} - if: inputs.chartInAppRepo == true steps: - name: Checkout current git repository uses: actions/checkout@v3 
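Review bot: The retained `kubernetes` job still checks out with `actions/checkout@v3` (the context line at the end of the hunk) while the build-image workflow in this same repository is on `actions/checkout@v4`; since this commit already rewrites the job header, aligning the pin to `uses: actions/checkout@v4` here avoids carrying a second, older major of the same action. The job's header now has no `needs:` or `if:`, so it runs on every call of the workflow, which looks intended given the schema-detection jobs are removed. The remainder of the job's steps lies outside this hunk.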
@@ -197,7 +96,6 @@ jobs:
 "namespace": "${{ inputs.namespace }}",
 "versionKey": "${{ inputs.versionKey }}"
 },
- "schemaVersion": "v2",
 "statusUrl": ${{ toJSON(steps.k8s.outputs.status-url) }},
 "url": ${{ toJSON(steps.k8s.outputs.url) }}
 }
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 389e720..d517d33 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -17,11 +17,6 @@ on:
 description: The email of the bot that will appear in the GitOps commit
 default: dev.bot@parcellab.com
 type: string
- chartInAppRepo:
- required: false
- description: Specify if chart is migrated into the application's repository
- default: false
- type: boolean
 deploymentRepoPath:
 required: false
 description: The path within the deployment repository that holds all version files
@@ -62,11 +57,6 @@ on:
 description: The username for the container registry
 default: parcellab-dev-bot
 type: string
- repository_kind:
- required: false
- description: The kind of repository (github or ecr)
- default: "github"
- type: string
 enableContainerScan:
 required: false
 description: Apply the container scan
@@ -197,7 +187,6 @@ jobs:
 registryHostname: ${{ inputs.registryHostname }}
 registryOrg: ${{ inputs.registryOrg }}
 registryUsername: ${{ inputs.registryUsername }}
- repository_kind: ${{ inputs.repository_kind }}
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
 version: ${{ needs.initialize.outputs.version }}
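Review bot: The deployment payload that survives this hunk interpolates `inputs.namespace` and `inputs.versionKey` as bare `"${{ ... }}"` text inside the JSON, while every other field in the same block goes through `toJSON(...)`; a value containing a double quote or backslash produces malformed payload JSON, and these two values are later spliced into a `yq` shell command in kubernetes.yaml, so they deserve the same encoding as the rest. Change them to `"namespace": ${{ toJSON(inputs.namespace) }},` and `"versionKey": ${{ toJSON(inputs.versionKey) }}`. With `"schemaVersion": "v2"` removed, the consumer no longer has any marker to distinguish payloads from this workflow from deployments created elsewhere; if that distinction still matters, keep the field. The enclosing step begins outside the hunk.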
@@ -216,31 +205,7 @@ jobs:
 path: remote
 token: ${{ secrets.repoAccessToken }}
 ref: main
- - if: github.event.deployment.payload.schemaVersion == 'v2' && github.event.deployment.payload.env != 'playground' && inputs.chartInAppRepo == false
- name: Update ${{ github.event.deployment.payload.name }} version for ${{ github.event.deployment.environment }} values
- uses: mikefarah/yq@v4.30.8
- with:
- cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.kubernetes.namespace }}/${{ github.event.deployment.payload.env }}/${{ github.event.deployment.payload.name }}/${{ inputs.versionFilePath }}
-
- - if: github.event.deployment.payload.schemaVersion == 'v2' && github.event.deployment.payload.env != 'playground' && inputs.chartInAppRepo == true && inputs.deploymentRepoValuesPath == ''
- name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
- uses: mikefarah/yq@v4.30.8
- with:
- cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.${{ github.event.deployment.payload.env }}.yaml
-
- - if: github.event.deployment.payload.schemaVersion == 'v2' && github.event.deployment.payload.env != 'playground' && inputs.chartInAppRepo == true && inputs.deploymentRepoValuesPath != ''
- name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
- uses: mikefarah/yq@v4.30.8
- with:
- cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoValuesPath }}
-
- - if: github.event.deployment.payload.schemaVersion == 'v2' && github.event.deployment.payload.env == 'playground' && inputs.chartInAppRepo == false
- name: Update ${{ github.event.deployment.payload.name }} version for ${{ github.event.deployment.environment }} values
- uses: mikefarah/yq@v4.30.8
- with:
- cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.kubernetes.namespace }}/prod/${{ github.event.deployment.payload.name }}/values.playground.yaml
- - if: github.event.deployment.payload.schemaVersion == 'v2' && github.event.deployment.payload.env == 'playground' && inputs.chartInAppRepo == true
- name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
+ - name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
 uses: mikefarah/yq@v4.30.8
 with:
 cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.yaml
diff --git a/.github/workflows/plconfig.yaml b/.github/workflows/plconfig.yaml
deleted file mode 100644
index 4378c7f..0000000
--- a/.github/workflows/plconfig.yaml
+++ /dev/null
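Review bot: The single remaining "Deploy" step has lost every `if:` guard, so it now runs for any deployment event the workflow receives; when the payload carries no `kubernetes.versionKey` (a deployment created by an older caller or outside deployment.yaml), the expression expands to `yq '(. = "<version>")' -i remote/.../values.yaml`, which replaces the whole values file with a scalar and the later commit step pushes that to `main`. Add back a minimal guard such as `if: github.event.deployment.payload.kubernetes.versionKey != ''`. The step also writes every environment's version into the one `${{ inputs.deploymentRepoPath }}/values.yaml`, where the removed branches selected `values.<env>.yaml`, `values.playground.yaml` or `inputs.deploymentRepoValuesPath`; if that collapse is intentional, `deploymentRepoValuesPath` should be removed from the inputs as well, otherwise prod and test deployments now overwrite the same file. Because `versionKey` and the deployment path fragments come from the event payload and are spliced unquoted into a shell command, passing them through an `env:` mapping and referencing the variables inside the command would keep a stray quote from breaking or altering the yq invocation.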
@@ -1,141 +0,0 @@ -name: Reusable parcelLab Config -on: - workflow_call: - inputs: - botEmail: - required: false - description: The email of the bot that will appear in the GitOps commit - default: dev.bot@parcellab.com - type: string - botName: - required: false - description: The name of the bot that will appear in the GitOps commit - default: parcellab-dev-bot - type: string - configurationFilepath: - required: false - description: The path to the application configuration file - default: ./plconfig.yaml - type: string - deploymentRepoPath: - required: false - description: The path within the deployment repository that holds all version files - default: namespaces - type: string - deploymentRepoURL: - required: false - description: The repository within Github that holds the version file to deploy via GitOps - default: parcelLab/deployment - type: string - runner: - required: false - description: Runner type - default: ubuntu-latest - type: string - secrets: - repoAccessToken: - required: true - description: The Github token to perform operations cross-repo (not secrets.GITHUB_TOKEN!) 
-jobs: - read_schema_version: - runs-on: ${{ inputs.runner }} - outputs: - version: ${{ steps.version.outputs.result }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Load schema version - id: version - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq ".schemaVersion" ${{ inputs.configurationFilepath }} - detect_declarations: - if: needs.read_schema_version.outputs.version == 'v2' - runs-on: ${{ inputs.runner }} - needs: [read_schema_version] - outputs: - has-kubernetes: ${{ steps.has-kubernetes.outputs.result }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Detect kubernetes deployment - id: has-kubernetes - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq '.deployment | has("kubernetes")' ${{ inputs.configurationFilepath }} - kubernetes_matrix: - if: needs.detect_declarations.outputs.has-kubernetes == 'true' - runs-on: ${{ inputs.runner }} - needs: [detect_declarations] - outputs: - matrix: ${{ steps.envs.outputs.result }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Detect envs - id: envs - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq '.deployment.kubernetes.env | keys' ${{ inputs.configurationFilepath }} -o=json -I=0 - kubernetes_env: - runs-on: ${{ inputs.runner }} - needs: [kubernetes_matrix] - strategy: - matrix: - env: ${{ fromJSON(needs.kubernetes_matrix.outputs.matrix) }} - max-parallel: 1 - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - name: Checkout ${{ inputs.deploymentRepoURL }} git repository - uses: actions/checkout@v3 - with: - repository: ${{ inputs.deploymentRepoURL }} - path: remote - token: ${{ secrets.repoAccessToken }} - ref: main - - name: Load YAML values from file into JSON - id: json - uses: mikefarah/yq@v4.30.8 - with: - cmd: yq "." 
${{ inputs.configurationFilepath }} -o=json -I=0 - - name: Load common vars - id: vars - run: | - # shellcheck disable=SC2086 - echo "namespace-path=remote/${{ inputs.deploymentRepoPath }}/${{ fromJSON(steps.json.outputs.result).deployment.kubernetes.namespace }}" >> $GITHUB_OUTPUT - # shellcheck disable=SC2086 - echo "do-not-edit=DO NOT EDIT. Auto generated from ${{ fromJSON(steps.json.outputs.result).name }} ${{ inputs.configurationFilepath }} (replaces values.yaml instead)" >> $GITHUB_OUTPUT - - name: Load external values for ${{ matrix.env }} - uses: mikefarah/yq@v4.30.8 - with: - cmd: >- - yq '.deployment.kubernetes.env.${{ matrix.env }}.values | . head_comment="${{ steps.vars.outputs.do-not-edit }}"' ${{ inputs.configurationFilepath }} > ${{ steps.vars.outputs.namespace-path }}/${{ matrix.env }}/${{ fromJSON(steps.json.outputs.result).name }}/values-external.yaml && - yq '{ "dependencies": .deployment.kubernetes.env.${{ matrix.env }}.dependencies } * {"apiVersion": "v2", "name": "${{ fromJSON(steps.json.outputs.result).name }}", "description": "${{ fromJSON(steps.json.outputs.result).description }} (${{ matrix.env }})", "version": "0.0.0"}' ${{ inputs.configurationFilepath }} > ${{ steps.vars.outputs.namespace-path }}/${{ matrix.env }}/${{ fromJSON(steps.json.outputs.result).name }}/Chart.yaml - # Commit & Push to GitOps repo - - name: Commit deployment files for ${{ matrix.env }} - id: commit - run: | - cd remote - if [[ $(git status --porcelain --untracked-files=no | wc -l) -gt 0 ]]; then - # Untracked changes - git config --global user.email "${{ inputs.botEmail }}" - git config --global user.name "${{ inputs.botName }}" - git add . 
- git commit --allow-empty -m "chore(${{ fromJSON(steps.json.outputs.result).name }}): set parcelLab ${{ matrix.env }} config values" - # shellcheck disable=SC2086 - echo "has-changes=true" >> $GITHUB_OUTPUT - else - # No changes, ignore - # shellcheck disable=SC2086 - echo "has-changes=false" >> $GITHUB_OUTPUT - fi - - if: steps.commit.outputs.has-changes == 'true' - name: Push changes to main in ${{ inputs.deploymentRepoURL }} git repository for ${{ matrix.env }} - uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e - with: - repository: ${{ inputs.deploymentRepoURL }} - directory: remote - github_token: ${{ secrets.repoAccessToken }} - branch: main - force: true