From f948f7229c394232d3642b949138b7101eb15bd6 Mon Sep 17 00:00:00 2001
From: mike seibel
Date: Wed, 20 Jan 2021 10:33:02 -0800
Subject: [PATCH 1/5] input descriptions, flux repo interaction
---
 cicd-deploy/action.yml | 68 +++++++++++++++++++++++++-----------------
 1 file changed, 41 insertions(+), 27 deletions(-)
diff --git a/cicd-deploy/action.yml b/cicd-deploy/action.yml
index 3fa0937..e1a9b80 100644
--- a/cicd-deploy/action.yml
+++ b/cicd-deploy/action.yml
@@ -4,41 +4,53 @@ description: 'Deployment image via flux repository configured to appropriate GCP inputs: release_name: + description: 'Application name to use for release' required: true commit_hash: + description: 'Application repository hash applied to release' required: true git_repo_branch: + description: 'Application repository branch to release' required: true gh_auth_token: + description: 'Github auth token for Flux deployment repository' required: true app_instance: + description: 'Instance applied ' required: false - default: test + default: 'test' helm_chart_branch: + description: 'Helm chart repository branch at the base of release' required: false - default: master + default: 'master' helm_chart_name: + description: 'Helm chart repository used to produce release manifest' required: false - default: django-production-chart + default: 'django-production-chart' helm_app_version: + description: 'Helm application version used to produce release manifest' required: false - default: "3.4.2" + default: '3.4.2' kubeval_version: + description: 'Kubeval version used to lint kubernetes manifest' required: false - default: latest + default: 'latest' kubeval_skip_kinds: + description: 'List of manifest objects for Kubeval to ignore' required: false - default: "ExternalSecret,ServiceMonitor" + default: 'ExternalSecret,ServiceMonitor' checkov_version: + description: 'Checkov security policy manifest scanner version' required: false - default: latest + default: 'latest' checkov_skip_checks: + description: 'Checkov security policy viloations to ignore' required: false # acceptable policy violations: # CKV_K8S_21 - default namespace policy # CKV_K8S_35 - secret files preferred over environment # CKV_K8S_43 - image reference by digest - default: "CKV_K8S_21,CKV_K8S_35,CKV_K8S_43" + default: 'CKV_K8S_21,CKV_K8S_35,CKV_K8S_43' runs: using: 'composite' 
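Review bot: `description: 'Checkov security policy viloations to ignore'` under `checkov_skip_checks` misspells "violations", and `description: 'Instance applied '` under `app_instance` carries a trailing space and does not say what the instance is applied to; the other new descriptions read fine. Suggest `description: 'Checkov security policy violations to ignore'` and something like `description: 'Application instance name applied to the release (default test)'`. Because the three IDs in the `checkov_skip_checks` default are security controls that every consumer of this action will silently inherit, the comment block above that default could also state why each is acceptable for this chart rather than only naming the policy, so callers know what they give up by keeping it.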
@@ -154,47 +166,45 @@ runs: - name: Clone Flux Repository shell: bash run: | - echo "CLONE flux repository ${FLUX_REPO_PATH}" echo "::add-mask::${{ inputs.gh_auth_token }}" + echo "CLONE flux repository ${FLUX_REPO_PATH}" git clone --depth 1 https://${{ inputs.gh_auth_token }}@github.com/${FLUX_REPO_PATH}.git --branch master ${FLUX_LOCAL_DIR} - name: Create Flux Release Branch shell: bash run: | echo "CREATE branch $FLUX_RELEASE_BRANCH_NAME, add $FLUX_RELEASE_MANIFEST" - export OLDPWD=$PWD - cd $FLUX_LOCAL_DIR + pushd $PWD git checkout -b ${FLUX_RELEASE_BRANCH_NAME} cp -p ${LOCAL_MANIFEST} ${FLUX_RELEASE_MANIFEST} git add ${FLUX_RELEASE_MANIFEST} git status - cd $OLDPWD + popd - name: Commit Flux Release shell: bash run: | + echo "::add-mask::${{ inputs.gh_auth_token }}" echo "COMMIT flux release $FLUX_RELEASE_BRANCH_NAME" - export OLDPWD=$PWD - cd $FLUX_LOCAL_DIR + pushd $PWD - echo "::add-mask::${{ inputs.gh_auth_token }}" git config user.email "aca-it@uw.edu" git config user.name "uw-it-aca-tools" git commit -m "${COMMIT_MESSAGE}" ${FLUX_RELEASE_MANIFEST} git push origin ${FLUX_RELEASE_BRANCH_NAME} git status - cd $OLDPWD + popd - name: Submit Flux Pull Release shell: bash run: | + echo "::add-mask::${{ inputs.gh_auth_token }}" echo "SUBMIT $FLUX_RELEASE_BRANCH_NAME pull request" GITHUB_REPO_PULLS="https://api.github.com/repos/${FLUX_REPO_PATH}/pulls" - echo "::add-mask::${{ inputs.gh_auth_token }}" - curl -H "Authorization: Token ${{ inputs.gh_auth_token }}" -H "Content-type: application/json" -X POST ${GITHUB_REPO_PULLS} >${FLUX_PR_OUTPUT} -d @- <${FLUX_PR_OUTPUT} -d @- <<<${PR_DATA} FLUX_PULL_URL=$(jq '.html_url' ${FLUX_PR_OUTPUT}) echo "FLUX_PULL_URL=$FLUX_PULL_URL" >> $GITHUB_ENV echo "SUBMITTED $FLUX_PULL_URL" 
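Review bot: The clone in the first step, `git clone --depth 1 https://${{ inputs.gh_auth_token }}@github.com/${FLUX_REPO_PATH}.git ...`, stores the token in `${FLUX_LOCAL_DIR}/.git/config` as the origin URL, where it stays on the runner for the rest of the job and where the later `git push origin` in the commit step relies on it; the `::add-mask::` that this hunk moves to the top of each step only redacts log output, not that file or a later `git remote -v`. Consider keeping the token out of the URL: hand it to the step through `env:` instead of inline `${{ inputs.gh_auth_token }}` expansion (the same inline expansion also feeds the `curl -H "Authorization: Token ..."` calls here and in the merge step of the following hunk), and supply it to git through a credential helper or an `http.<url>.extraheader` config entry scoped to this clone, so it never lands in the remote URL or in the rendered script text. The heredoc bodies in this hunk appear truncated in this rendering, so the `PR_DATA` payload itself could not be reviewed.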
@@ -209,18 +221,20 @@ runs: - name: Merge Flux Pull Request shell: bash run: | + echo "::add-mask::${{ inputs.gh_auth_token }}" + MERGE_DATA=$(cat < Date: Wed, 20 Jan 2021 11:15:41 -0800 Subject: [PATCH 2/5] proper flux repo dir --- cicd-deploy/action.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/cicd-deploy/action.yml b/cicd-deploy/action.yml index e1a9b80..b745629 100644 --- a/cicd-deploy/action.yml +++ b/cicd-deploy/action.yml @@ -168,36 +168,33 @@ runs: run: | echo "::add-mask::${{ inputs.gh_auth_token }}" echo "CLONE flux repository ${FLUX_REPO_PATH}" + git clone --depth 1 https://${{ inputs.gh_auth_token }}@github.com/${FLUX_REPO_PATH}.git --branch master ${FLUX_LOCAL_DIR} - name: Create Flux Release Branch shell: bash run: | echo "CREATE branch $FLUX_RELEASE_BRANCH_NAME, add $FLUX_RELEASE_MANIFEST" - pushd $PWD + cd $FLUX_LOCAL_DIR git checkout -b ${FLUX_RELEASE_BRANCH_NAME} cp -p ${LOCAL_MANIFEST} ${FLUX_RELEASE_MANIFEST} git add ${FLUX_RELEASE_MANIFEST} git status - popd - - name: Commit Flux Release shell: bash run: | echo "::add-mask::${{ inputs.gh_auth_token }}" echo "COMMIT flux release $FLUX_RELEASE_BRANCH_NAME" - pushd $PWD + cd $FLUX_LOCAL_DIR git config user.email "aca-it@uw.edu" git config user.name "uw-it-aca-tools" git commit -m "${COMMIT_MESSAGE}" ${FLUX_RELEASE_MANIFEST} git push origin ${FLUX_RELEASE_BRANCH_NAME} git status - popd - - name: Submit Flux Pull Release shell: bash run: | From 10277809d95f7c573d35473ed8962585fe71bdb5 Mon Sep 17 00:00:00 2001 From: mike seibel Date: Wed, 20 Jan 2021 11:23:47 -0800 Subject: [PATCH 3/5] missing paren --- cicd-deploy/action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cicd-deploy/action.yml b/cicd-deploy/action.yml index b745629..a17afb0 100644 --- a/cicd-deploy/action.yml +++ b/cicd-deploy/action.yml 
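Review bot: `cd $FLUX_LOCAL_DIR` in the Create and Commit steps of the PATCH 2/5 hunk is unquoted and unguarded: under the `-e` that composite bash steps run with, a failing `cd` aborts the step, but an empty variable expands to a bare `cd`, which silently changes to `$HOME`, and a path containing spaces would be word-split. Suggest `cd "${FLUX_LOCAL_DIR:?FLUX_LOCAL_DIR is not set}"` in both steps so either case fails with a clear message before any `git checkout -b`, `git commit` or `git push` runs. Alternatively prefix each git command with `git -C "${FLUX_LOCAL_DIR:?}"` and drop the `cd` entirely, which also removes the dependence on the step's starting directory.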
@@ -208,6 +208,7 @@ runs: "head": "${FLUX_RELEASE_BRANCH_NAME}", "base": "master" } + ) EOF curl -H "Authorization: Token ${{ inputs.gh_auth_token }}" -H "Content-type: application/json" -X POST ${GITHUB_REPO_PULLS} >${FLUX_PR_OUTPUT} -d @- <<<${PR_DATA} @@ -226,6 +227,7 @@ runs: "sha": $(jq '.head.sha' ${FLUX_PR_OUTPUT}), "merge_method": "merge" } + ) EOF if [[ ${{ inputs.git_repo_branch }} =~ '^(main|master)$' ]]; then From 5dc70315794326e3770a8fcaf695186ba87d25d8 Mon Sep 17 00:00:00 2001 From: mike seibel Date: Wed, 20 Jan 2021 11:43:33 -0800 Subject: [PATCH 4/5] misplaced paren --- cicd-deploy/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cicd-deploy/action.yml b/cicd-deploy/action.yml index a17afb0..744768f 100644 --- a/cicd-deploy/action.yml +++ b/cicd-deploy/action.yml @@ -208,8 +208,8 @@ runs: "head": "${FLUX_RELEASE_BRANCH_NAME}", "base": "master" } - ) EOF + ) curl -H "Authorization: Token ${{ inputs.gh_auth_token }}" -H "Content-type: application/json" -X POST ${GITHUB_REPO_PULLS} >${FLUX_PR_OUTPUT} -d @- <<<${PR_DATA} FLUX_PULL_URL=$(jq '.html_url' ${FLUX_PR_OUTPUT}) @@ -227,8 +227,8 @@ runs: "sha": $(jq '.head.sha' ${FLUX_PR_OUTPUT}), "merge_method": "merge" } - ) EOF + ) if [[ ${{ inputs.git_repo_branch }} =~ '^(main|master)$' ]]; then echo "Visit $FLUX_PULL_URL to merge manifest branch" From 4cf3d0250265eed34911b06c8904ba08410258f1 Mon Sep 17 00:00:00 2001 From: mike seibel Date: Wed, 20 Jan 2021 12:12:52 -0800 Subject: [PATCH 5/5] cicd.yml example deploy action --- examples/django-build-test-deploy.yml | 51 +++++++++++++++------------ 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/examples/django-build-test-deploy.yml b/examples/django-build-test-deploy.yml index 56eb6b0..16548f5 100644 --- a/examples/django-build-test-deploy.yml +++ b/examples/django-build-test-deploy.yml 
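Review bot: The context line `if [[ ${{ inputs.git_repo_branch }} =~ '^(main|master)$' ]]; then`, visible in the second hunk of both paren-fix patches and unchanged by them, single-quotes the right-hand side of `=~`; bash treats a quoted pattern as a literal string, so the test is true only when the branch name literally contains `^(main|master)$` and can never match `main` or `master`. The branch name is also interpolated straight into the script via `${{ }}`, so an empty or unusual value changes how the `[[` expression parses. Suggest passing the branch in through `env:` and writing `if [[ "${GIT_REPO_BRANCH}" =~ ^(main|master)$ ]]; then`. If the `else` branch, which lies outside these hunks, is where the pull request is auto-merged with `MERGE_DATA`, then under the current test production branches take that path as well and bypass the "Visit ... to merge" gate; worth confirming against the full step.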
@@ -69,11 +69,11 @@ jobs: - name: Checkout Repo uses: actions/checkout@v2 - - name: Set up Environment - run: | - export COMMIT_HASH="${{ needs.environment.outputs.commit_hash }}" - echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV - echo "IMAGE_TAG=${{ env.RELEASE_NAME }}:$COMMIT_HASH" >> $GITHUB_ENV + - name: Set up Context + id: cicd + uses: uw-it-aca/actions/cicd-context@v1.2 + with: + release_name: ${{ env.RELEASE_NAME }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 @@ -142,18 +142,10 @@ jobs: deploy: if: github.event_name == 'push' - needs: [environment, build] + needs: [build] runs-on: ubuntu-18.04 - env: - GH_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }} - GIT_REPO_SLUG: ${{ github.repository }} - BUILD_NUMBER: ${{ github.run_id }} - BUILD_WEB_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - DEPLOY_APP_BASE: https://raw.githubusercontent.com/uw-it-aca/gcp-app-deploy - DEPLOY_APP_BRANCH: master - steps: - name: Setup Environment run: | 
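Review bot: `uses: uw-it-aca/actions/cicd-context@v1.2` here, and `uses: uw-it-aca/actions/cicd-deploy@v1.2` in the next hunk, reference the actions by a mutable tag; a tag can be moved to different code, and the deploy step receives `secrets.GH_AUTH_TOKEN`, which can push to the Flux repository. If this example is the template other repositories copy, pin each reference to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: uw-it-aca/actions/cicd-context@<commit-sha>  # v1.2`, or document that the `v1.2` tag is org-controlled and never moved. The pre-existing `actions/checkout@v2` has the same property.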
@@ -165,16 +157,29 @@ jobs: - name: Checkout Repo uses: actions/checkout@v2 - - name: Deploy Production Branch - if: env.GIT_REPO_BRANCH == 'main' || env.GIT_REPO_BRANCH == 'master' - run: curl -Ls ${DEPLOY_APP_BASE}/${DEPLOY_APP_BRANCH}/deploy.sh | bash + - name: Set up Context + id: cicd + uses: uw-it-aca/actions/cicd-context@v1.2 + with: + release_name: ${{ env.RELEASE_NAME }} - - name: Deploy Test Branch - if: env.GIT_REPO_BRANCH == 'develop' || env.GIT_REPO_BRANCH == 'qa' - run: curl -Ls ${DEPLOY_APP_BASE}/${DEPLOY_APP_BRANCH}/deploy.sh | bash + - name: Deployment Pipeline + if: >- + contains(fromJSON('["main", "master", "develop", "qa"]'), + steps.cicd.outputs.git_repo_branch) + uses: uw-it-aca/actions/cicd-deploy@v1.2 + with: + release_name: ${{ env.RELEASE_NAME }} + commit_hash: ${{ steps.cicd.outputs.commit_hash }} + git_repo_branch: ${{ steps.cicd.outputs.git_repo_branch }} + gh_auth_token: ${{ secrets.GH_AUTH_TOKEN }} - name: Deploy Evaluation Branch if: env.GIT_REPO_BRANCH == 'feature/eval-me' - env: - APP_INSTANCE: eval - run: curl -Ls ${DEPLOY_APP_BASE}/${DEPLOY_APP_BRANCH}/deploy.sh | bash + uses: uw-it-aca/actions/cicd-deploy@v1.2 + with: + release_name: ${{ env.RELEASE_NAME }} + commit_hash: ${{ steps.cicd.outputs.commit_hash }} + git_repo_branch: ${{ steps.cicd.outputs.git_repo_branch }} + gh_auth_token: ${{ secrets.GH_AUTH_TOKEN }} + app_instance: eval
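Review bot: The `Deploy Evaluation Branch` step keeps `if: env.GIT_REPO_BRANCH == 'feature/eval-me'`, while the new `Deployment Pipeline` step directly above it reads the branch from `steps.cicd.outputs.git_repo_branch`; the job-level `env:` block removed in the previous hunk did not define `GIT_REPO_BRANCH`, so unless the remaining `Setup Environment` step (its body is outside this hunk) still writes it to `$GITHUB_ENV`, the condition is always false and the eval deployment never runs. Suggest `if: steps.cicd.outputs.git_repo_branch == 'feature/eval-me'` so both deploy steps take the branch from the same source. The two steps also pass identical `with:` blocks apart from `app_instance`; a comment above the second such as `# feature/eval-me deploys to the separate 'eval' instance of the release` would explain why it is not simply added to the `contains(fromJSON(...))` list.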