Merge pull request #15 from bcgov/setup-crunchy-chart

crunchy chart initial setup

Author: marcellmueller

.bin/install-gitleaks-linux-x64.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -xeuo pipefail;
+
+version="8.16.0";
+releases_api="https://api.github.com/repositories/119190187/releases/tags/v${version}";
+releases_json="$(curl -s ${releases_api})";
+
+case "$OSTYPE" in
+  darwin*)  arch="darwin_x64" ;; # arm detection? I give up
+  linux*)   arch="linux_x64" ;;
+  solaris*) echo "Error: Solaris is not supported"; exit 1; ;;
+  bsd*)     echo "Error: BSD is not supported"; exit 1; ;;
+  msys*)    echo "Error: Windows is not supported"; exit 1; ;;
+  cygwin*)  echo "Error: Windows is still not supported"; exit 1; ;;
+  *)        echo "Error: unknown: $OSTYPE – definitely not supported"; exit 1; ;;
+esac
+
+# download the specified release
+download_url=$(echo "${releases_json}" | jq -r ".assets[] | select(.name | contains(\"${arch}\")) | .browser_download_url");
+wget "${download_url}";
+
+# validate checksum
+download_url=$(echo "${releases_json}" | jq -r ".assets[] | select(.name | contains(\"checksums\")) | .browser_download_url");
+wget "${download_url}";
+sed -i.bak -n "/${arch}/p" gitleaks_${version}_checksums.txt
+shasum -a 256 "gitleaks_${version}_checksums.txt" --check;
+
+# extract to current working directory
+tar -zxvf "gitleaks_${version}_${arch}.tar.gz" gitleaks;
+
+# check version
+if [[ "$(./gitleaks version)" != "${version}" ]]; then
+  echo "Somehow we installed the wrong version...";
+  exit 1;
+fi
+
+# cleanup
+rm gitleaks_*;
+
+exit 0;

.github/actions/deploy/action.yaml

@@ -0,0 +1,37 @@
+name: Deploy to OpenShift
+description: "Login and deploy to OpenShift"
+
+inputs:
+  openshift_server_url:
+    description: "URL of the OpenShift server"
+    required: true
+  openshift_token:
+    description: "Unique login token for OpenShift"
+    required: true
+  openshift_namespace:
+    description: "The namespace being deployed to"
+    required: true
+  openshift_route:
+    description: "Domain where the application can be accessed"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Authenticate, set context and run deploy script
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ inputs.openshift_server_url }}
+        openshift_token: ${{ inputs.openshift_token }}
+        openshift_namespace: ${{ inputs.openshift_namespace }}
+        openshift_route: ${{ inputs.openshift_route }}
+
+        insecure_skip_tls_verify: true
+    - run: |
+        cd operations/deployment/crunchy-postgres
+        helm dep up
+        helm upgrade --install --atomic "$@" crunchy-postgres . --timeout=8m0s -n ${{ inputs.openshift_namespace }} \
+        --set networking.route.host=${{ inputs.openshift_route }} \
+        --values values-repo.yaml
+
+      shell: bash

.github/workflows/deploy-chart.yaml

@@ -0,0 +1,72 @@
+# Deploy to OpenShift namespaces
+name: deploy-chart
+
+on:
+  workflow_call:
+    secrets:
+      OPENSHIFT_SERVER: { required: true }
+      OPENSHIFT_TOKEN: { required: true }
+      OPENSHIFT_NAMESPACE: { required: true }
+      OPENSHIFT_ROUTE: { required: true }
+      NAMESPACE_PREFIX: { required: true }
+
+env:
+  TAG: sha-${{ github.sha }}
+
+jobs:
+  deploy-tools:
+    uses: ./.github/workflows/deploy-tools.yaml
+    secrets:
+      OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+      OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+      NAMESPACE_PREFIX: ${{ secrets.NAMESPACE_PREFIX }}
+
+  deploy-to-openshift-development:
+    runs-on: ubuntu-latest
+    environment:
+      name: development
+      url: "dev"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+          openshift_route: ${{ secrets.OPENSHIFT_ROUTE }}
+          openshift_namespace: ${{ secrets.OPENSHIFT_NAMESPACE }}
+
+  deploy-to-openshift-test:
+    needs: [deploy-to-openshift-development]
+    runs-on: ubuntu-latest
+    environment:
+      name: test
+      url: "test"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+          openshift_route: ${{ secrets.OPENSHIFT_ROUTE }}
+          openshift_namespace: ${{ secrets.OPENSHIFT_NAMESPACE }}
+
+  deploy-to-openshift-production:
+    needs: [deploy-to-openshift-test]
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: "prod"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+          openshift_route: ${{ secrets.OPENSHIFT_ROUTE }}
+          openshift_namespace: ${{ secrets.OPENSHIFT_NAMESPACE }}

.github/workflows/deploy-tools.yaml

@@ -0,0 +1,25 @@
+name: deploy tools chart
+
+on:
+  workflow_call:
+    secrets:
+      OPENSHIFT_SERVER: { required: true }
+      OPENSHIFT_TOKEN: { required: true }
+      NAMESPACE_PREFIX: { required: true }
+
+jobs:
+  deploy-to-openshift-tools:
+    runs-on: ubuntu-latest
+    environment:
+      name: tools
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Authenticate, set context and run deploy script
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+          insecure_skip_tls_verify: true
+      - run: |
+          helm upgrade crunchy-postgres-tools operations/deployment/tools --install --atomic -n ${{ secrets.NAMESPACE_PREFIX }}-tools

.github/workflows/main.yaml

@@ -0,0 +1,25 @@
+# Main workflow, orchestrating and triggering other workflows
+name: main
+
+on:
+  workflow_call:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
+
+  deploy:
+    # if: github.event.ref == 'refs/heads/main'
+    needs: [test]
+    uses: ./.github/workflows/deploy-chart.yaml
+    secrets:
+      OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+      OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+      OPENSHIFT_NAMESPACE: ${{ secrets.OPENSHIFT_NAMESPACE }}
+      OPENSHIFT_ROUTE: ${{ secrets.OPENSHIFT_ROUTE }}
+      NAMESPACE_PREFIX: ${{ secrets.NAMESPACE_PREFIX }}

.github/workflows/test.yaml

@@ -0,0 +1,52 @@
+# Tests
+name: test code
+
+on:
+  workflow_call:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: ./.bin/install-gitleaks-linux-x64.sh
+      - run: ./gitleaks detect --exit-code 0 --report-format sarif --report-path "gitleaks.sarif"
+      - uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "gitleaks.sarif"
+
+  lint-tools-chart:
+    runs-on: ubuntu-latest
+    environment:
+      name: tools
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Authenticate to OpenShift Linter namespace
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_LINTER_TOKEN }}
+          insecure_skip_tls_verify: true
+      - run: |
+          set -euo pipefail; \
+          helm dep up ./operations/deployment/tools; \
+          helm template -f ./operations/deployment/tools/values.yaml crunchy-postgres ./operations/deployment/tools --validate;
+
+  lint-crunchy-postgres-chart:
+    runs-on: ubuntu-latest
+    environment:
+      name: tools
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Authenticate to OpenShift Linter namespace
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+          openshift_token: ${{ secrets.OPENSHIFT_LINTER_TOKEN }}
+          insecure_skip_tls_verify: true
+      - run: |
+          set -euo pipefail; \
+          helm dep up ./operations/deployment/crunchy-postgres; \
+          helm template -f ./operations/deployment/crunchy-postgres/values.yaml crunchy-postgres ./operations/deployment/crunchy-postgres --validate;

.prettierignore

@@ -0,0 +1 @@
+operations/**/templates/**/*.yaml

operations/deployment/DEPLOYMENT_TEMPLATES_HERE

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

operations/deployment/crunchy-postgres/.helmignore

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: crunchy-postgres
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "5.0.0"