diff --git a/.github/workflows/nikita-cd.yaml b/.github/workflows/nikita-cd.yaml
new file mode 100644
index 00000000..93e22dff
--- /dev/null
+++ b/.github/workflows/nikita-cd.yaml
@@ -0,0 +1,85 @@
+---
+name: Nikita CD
+
+on:
+ pull_request:
+ branches:
+ - master
+ types: [closed]
+ paths:
+ - '**'
+ - '.github/workflows/nikita-cd.yaml'
+
+env:
+ ACR: ${{ format('arkivverket.azurecr.io/da-nikita') }}
+ IMAGE: ${{ github.event.repository.name }}
+ TAG: ${{ github.event.pull_request.head.sha }}
+ TARGET_ENV: dev
+
+jobs:
+ pre_job:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.extract_branch.outputs.branch }}
+ steps:
+ - name: Extract branch name
+ id: extract_branch
+ shell: bash
+ run: echo "##[set-output name=branch;]$(BRANCH=${GITHUB_HEAD_REF#refs/heads/}; echo ${BRANCH//\//-})"
+
+ publish:
+ if: github.event.pull_request.merged == true
+ needs: pre_job
+ runs-on: ubuntu-latest
+ env:
+ BRANCH_TAG: ${{ format('{0}-{1}', needs.pre_job.outputs.branch, github.event.pull_request.head.sha) }}
+ steps:
+ - name: Login to GitHub Package Registry
+ uses: docker/login-action@v1.10.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Pull from GHCR
+ run: docker pull ${{ format('ghcr.io/{0}:{1}', github.repository, env.BRANCH_TAG) }}
+ - name: Tag to ACR
+ run: docker tag ${{ format('ghcr.io/{0}:{1}', github.repository, env.BRANCH_TAG) }} ${ACR}/${IMAGE}:${TAG}
+ - name: Login to ACR
+ uses: Azure/docker-login@v1
+ with:
+ username: ${{ secrets.ARKIVVERKET_AZURE_REGISTRY_USERNAME }}
+ password: ${{ secrets.ARKIVVERKET_AZURE_REGISTRY_PASSWORD }}
+ login-server: https://arkivverket.azurecr.io
+ - name: Publish to ACR
+ run: docker push ${ACR}/${IMAGE}:${TAG}
+
+ update-deployment-version:
+ needs:
+ - publish
+ runs-on: ubuntu-latest
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ REPO: ${{ github.repository }}
+ steps:
+ - uses: actions/checkout@v2.3.4
+ with:
+ repository: ${{ github.repository_owner }}/da-noark5-visning-poc-k8s-config
+ token: ${{ secrets.GITOPS_PAT }}
+ - uses: 
imranismail/setup-kustomize@v1.6.0
+ with:
+ kustomize-version: "4.1.3"
+ - run: kustomize edit set image nikitaImage=${ACR}/${IMAGE}:${TAG}
+ working-directory: overlays/${{ env.TARGET_ENV }}
+ - run: |
+ git config --local user.email "${{ secrets.GITOPS_EMAIL }}"
+ git config --local user.name "${{ secrets.GITOPS_USER }}"
+ git add .
+ cat > /tmp/commit-message <<- EOM
+ Set ${IMAGE} image tag to ${TAG} in ${TARGET_ENV}
+
+ Repository: ${REPO}
+ Pull Request: [#${PR_NUMBER}](${PR_URL})
+ EOM
+ git commit -F /tmp/commit-message
+ git push
diff --git a/.github/workflows/nikita-ci.yaml b/.github/workflows/nikita-ci.yaml
new file mode 100644
index 00000000..a5eb2c3a
--- /dev/null
+++ b/.github/workflows/nikita-ci.yaml
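Review bot: The `Pull from GHCR` and `Tag to ACR` steps expand `${{ format('ghcr.io/{0}:{1}', github.repository, env.BRANCH_TAG) }}` directly inside `run:`, and `BRANCH_TAG` is built from the PR branch name taken out of `GITHUB_HEAD_REF`, so a branch name containing shell metacharacters is interpreted by the runner's shell in a job that holds the GHCR and ACR credentials; merge review is a gate, but the safe form costs one line per step: add `env:` / `SRC_IMAGE: ${{ format('ghcr.io/{0}:{1}', github.repository, env.BRANCH_TAG) }}` on the step and use `run: docker pull "$SRC_IMAGE"`. The promotion is also not tied to the CI scan: it pulls whatever currently sits under the mutable `branch-sha` tag and copies it to ACR, and because the sibling CI workflow's `jib:build` pushes before Trivy runs, an image that failed the scan remains promotable unless branch protection requires that check before merge — gating on the check run, or at least recording the pulled image's digest in the kustomize commit, would make the deployed artifact traceable. `docker/login-action@v1.10.0`, `Azure/docker-login@v1`, `actions/checkout@v2.3.4` and `imranismail/setup-kustomize@v1.6.0` are all pinned by tag, which a compromised upstream can move; pin them to full commit SHAs given these steps handle registry passwords and `GITOPS_PAT`.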
@@ -0,0 +1,50 @@
+---
+name: Nikita CI
+
+on:
+ push:
+ branches-ignore:
+ - master
+ paths:
+ - '**'
+ - '.github/workflows/nikita-ci.yaml'
+
+jobs:
+
+ pre_job:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.extract_branch.outputs.branch }}
+ steps:
+ - name: Extract branch name
+ id: extract_branch
+ shell: bash
+ run: echo "##[set-output name=branch;]$(BRANCH=${GITHUB_REF#refs/heads/}; echo ${BRANCH//\//-})"
+
+ main:
+ runs-on: ubuntu-latest
+ needs: pre_job
+ env:
+ FQ_IMAGE: ${{ format('ghcr.io/arkivverket/nikita-noark5-core:{0}-{1}', needs.pre_job.outputs.branch, github.sha) }}
+ steps:
+ - uses: actions/checkout@v2.3.4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v2
+ with:
+ java-version: '11'
+ distribution: 'adopt'
+ cache: maven
+ - name: Build with Maven
+ run: mvn --batch-mode --update-snapshots compile jib:build -Djib.to.image=${{ env.FQ_IMAGE }} -Djib.to.auth.username=${{ github.repository_owner }} -Djib.to.auth.password=${{ secrets.GITHUB_TOKEN }}
+ - name: Container scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.FQ_IMAGE }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL'
+ env:
+ TRIVY_USERNAME: ${{ github.repository_owner }}
+ TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
diff --git a/docker-compose.yml b/docker-compose.yml
index 5b1e1efa..26c887b9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
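Review bot: The `Build with Maven` step runs `jib:build`, which pushes `FQ_IMAGE` to GHCR as part of the build, so by the time `Container scan` fails with `exit-code: '1'` on a CRITICAL finding the image is already published under exactly the tag the CD workflow promotes — the scan currently gates nothing. Build to a local tarball first with `jib:buildTar`, point Trivy at that tar via the action's `input:` parameter, and push only in a later step once the scan has passed; the Trivy step then needs no `TRIVY_USERNAME`/`TRIVY_PASSWORD` either. `aquasecurity/trivy-action@master` follows a moving branch while holding registry credentials in its environment; pin it to a commit SHA. Passing `-Djib.to.auth.password=${{ secrets.GITHUB_TOKEN }}` on the command line also puts the token in the runner's process list and in anything that echoes the Maven invocation; Jib reads `~/.docker/config.json`, so a preceding `docker/login-action` step (as the CD workflow already does for GHCR) would let the `-Djib.to.auth.*` flags be dropped.
```yaml
      - name: Build image tarball with Maven
        run: mvn --batch-mode --update-snapshots compile jib:buildTar
      - name: Container scan
        uses: aquasecurity/trivy-action@master  # pin to a commit SHA
        with:
          input: target/jib-image.tar
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity …
      - name: Push to GHCR
        run: mvn --batch-mode jib:build -Djib.to.image=${{ env.FQ_IMAGE }} -Djib.to.auth.username=${{ github.repository_owner }} -Djib.to.auth.password=${{ secrets.GITHUB_TOKEN }}
```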
@@ -1,22 +1,43 @@
-version: '2'
+version: '3'
 services:
-# Using this file it is possible to run:
- # docker-compose up
- # I guess it assumes that the nikita image already
- # exists.
- # Leaving this commented out as we will use it again soon
- # elasticsearch:
- # image: "elasticsearch:2.4.4"
- # ports:
- # - "9200:9200"
- nikita-noark5-core:
- image: "oslometabi/nikita-noark5-core"
- container_name: nikita-noark5
+ elastic:
+ container_name: nikita-elastic
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.13.3
+ ports:
+ - "9200:9200"
+ - "9300:9300"
+ environment:
+ - discovery.type=single-node
+ postgres:
+ container_name: nikita-postgres
+ image: postgres:13
+ ports:
+ - "5432:5432"
+ environment:
+ - POSTGRES_USER=nikita_user
+ - POSTGRES_PASSWORD=N1k1t4
+ - POSTGRES_DB=nikita
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ nikita:
+ depends_on:
+ elastic:
+ condition: service_started
+ postgres:
+ condition: service_healthy
+ image: arkivverket.azurecr.io/da-nikita/nikita-noark5-core:0.7
 ports:
 - "8092:8092"
- - "8082:8082"
-# networks:
-# - n5
-#networks:
-# n5:
-# external: true
+ environment:
+ - DB_URI=jdbc:postgresql://nikita-postgres:5432/nikita
+ - DB_USER=nikita_user
+ - DB_PASS=N1k1t4
+ - ELASTIC_URI=http://nikita-elastic:9200
+ - ELASTIC_USER=elastic
+ - ELASTIC_PASS=hQ98IjdXNBC00SS79yEe5207
+ - NIKITA_BASE_DIR=/tmp
+ - spring.profiles.active=postgres
+ - nikita.import.allowed=true
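Review bot: The new `elastic` and `postgres` services publish 9200, 9300 and 5432 on every host interface, and with only `discovery.type=single-node` set (no `xpack.security.enabled`) Elasticsearch 7.x runs with security off, so anyone who can reach the host gets an unauthenticated search index and a database whose password is in this file; only the `nikita` container needs these over the compose network, so bind the published ports to loopback — `- "127.0.0.1:5432:5432"` and likewise for 9200/9300 — or drop the `ports:` entries on those two services. `POSTGRES_PASSWORD=N1k1t4`/`DB_PASS=N1k1t4` and `ELASTIC_PASS=hQ98IjdXNBC00SS79yEe5207` are now in git history; the Elastic value looks like a generated credential rather than a dev placeholder, so if it is used anywhere else it should be rotated, and both are better read from an uncommitted `.env` via `${DB_PASS:?}`-style substitution. `nikita.import.allowed=true` and `NIKITA_BASE_DIR=/tmp` look like local-development conveniences; a header such as `# Local development only: exposed ports and inline credentials are not production-safe` would keep the file from being copied into a real deployment. Note also that `depends_on` with `condition:` was removed from the version 3 compose file format and is honoured only by implementations of the newer Compose Specification, so classic `docker-compose` with `version: '3'` may reject this file; `version: '2.4'` keeps the healthcheck gating working there.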