-
Notifications
You must be signed in to change notification settings - Fork 1
162 lines (132 loc) · 6.02 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: "Environment build / deploy"
on:
workflow_call:
inputs:
environment:
required: true
type: string
registry:
required: true
type: string
ips_formatted:
required: true
type: string
modsec_config:
required: true
type: string
jobs:
deploy_environment:
name: "Deploy"
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
env:
KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Inject environment variables"
env:
TPL_PATH: "deploy/${{ inputs.environment }}"
ECR_URL: ${{ inputs.registry }}/${{ vars.ECR_REPOSITORY }}
IMAGE_TAG_NGINX: "nginx-${{ github.sha }}"
IMAGE_TAG_FPM: "fpm-${{ github.sha }}"
IMAGE_TAG_CRON: "cron-${{ github.sha }}"
IMAGE_TAG_S3_PUSH: "s3-push-${{ github.sha }}"
GOV_NOTIFY_API_KEY: ${{ secrets.GOV_NOTIFY_API_KEY }}
ACF_PRO_LICENSE: ${{ secrets.ACF_PRO_LICENSE }}
AS3CF_PRO_LICENCE: ${{ secrets.AS3CF_PRO_LICENCE }}
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
AUTH_KEY: ${{ secrets.AUTH_KEY }}
AUTH_SALT: ${{ secrets.AUTH_SALT }}
LOGGED_IN_KEY: ${{ secrets.LOGGED_IN_KEY }}
LOGGED_IN_SALT: ${{ secrets.LOGGED_IN_SALT }}
NONCE_KEY: ${{ secrets.NONCE_KEY }}
NONCE_SALT: ${{ secrets.NONCE_SALT }}
SECURE_AUTH_KEY: ${{ secrets.SECURE_AUTH_KEY }}
SECURE_AUTH_SALT: ${{ secrets.SECURE_AUTH_SALT }}
JWT_SECRET: ${{ secrets.JWT_SECRET }}
OAUTH_CLIENT_SECRET: "${{ secrets.OAUTH_CLIENT_SECRET }}"
AWS_CLOUDFRONT_PUBLIC_KEY: "${{ secrets.AWS_CLOUDFRONT_PUBLIC_KEY_A }}"
AWS_CLOUDFRONT_PRIVATE_KEY: "${{ secrets.AWS_CLOUDFRONT_PRIVATE_KEY_A }}"
# AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${{ secrets.AWS_CLOUDFRONT_PUBLIC_KEY_B }}"
BASIC_AUTH_USER: ${{ secrets.BASIC_AUTH_USER }}
BASIC_AUTH_PASS: ${{ secrets.BASIC_AUTH_PASS }}
IGNORE_IP_RANGES: ${{ vars.IGNORE_IP_RANGES }}
ALERTS_SLACK_WEBHOOK: ${{ secrets.ALERTS_SLACK_WEBHOOK }}
run: |
## - - - - - - - - - -
## CloudFront - - - -
## - - - - - - - - - -
export AWS_CLOUDFRONT_PUBLIC_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY" | base64 -w 0)
export AWS_CLOUDFRONT_PRIVATE_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PRIVATE_KEY" | base64 -w 0)
# export AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING" | base64 -w 0)
## - - - - - - - - - -
## Basic Auth - - - -
## - - - - - - - - - -
BASIC_AUTH_BASE64=""
## Prevent errors when basic auth isn't used
## Nb.the BASIC_AUTH_USER secret in GH production environment should
## be set to `no-basic-auth` if not being used
if [ "$BASIC_AUTH_USER" != "no-basic-auth" ]; then
BASIC_AUTH_BASE64=$(htpasswd -nbm "$BASIC_AUTH_USER" "$BASIC_AUTH_PASS" | base64 -w 0)
fi
export BASIC_AUTH_BASE64
## - - - - - - - - - -
## IP Ranges - - - - -
## - - - - - - - - - -
EXTERNAL_IPS_FORMATTED=""
## Allow external IP ranges to be ignored.
## Nb. set IGNORE_IP_RANGES env var to `true` for the intended GH environment.
if [ "${{ vars.IGNORE_IP_RANGES }}" != "true" ]; then
EXTERNAL_IPS_FORMATTED=$(
echo -n "${{ inputs.ips_formatted }}" |
openssl enc -aes-256-cbc -pbkdf2 -base64 -d -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" |
base64 --decode
);
fi
# Below is a line for LB_RANGE - trust these internal IPs to correctly report HTTP_X_FORWARDED_FOR.
# `127.0.0.1 $LOCAL_VALUE;` - allows requests from fpm to nginx containers.
IP_CLOUD_GROUP=3
IP_LOCAL_GROUP=4
IPS_FORMATTED=$(
echo "proxy ${{ vars.LB_RANGE }};"
echo "$EXTERNAL_IPS_FORMATTED"
echo "${{ vars.CLOUD_RANGE }} $IP_CLOUD_GROUP;"
echo "127.0.0.1 $IP_LOCAL_GROUP;"
)
export IPS_FORMATTED_BASE64=$(
echo -n "$IPS_FORMATTED" |
base64 -w 0
)
## - - - - - - - - - - -
## Modsec config
## - - - - - - - - - - -
export MODSEC_CONFIG=$(
echo -n "${{ inputs.modsec_config }}" |
openssl enc -aes-256-cbc -pbkdf2 -base64 -d -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" |
base64 --decode
);
## - - - - - - - - - - -
## Perform find/replace
## - - - - - - - - - - -
## Only replace $MODSEC_CONFIG fromn ingress.tpl.yml
< "$TPL_PATH"/ingress.tpl.yml envsubst '${MODSEC_CONFIG}' > "$TPL_PATH"/ingress.yaml
< "$TPL_PATH"/secret.tpl.yml envsubst > "$TPL_PATH"/secret.yaml
< "$TPL_PATH"/deployment.tpl.yml envsubst > "$TPL_PATH"/deployment.yaml
< "$TPL_PATH"/job.tpl.yml envsubst > "$TPL_PATH"/job.yaml
## Remove template files before apply
rm "$TPL_PATH"/*.tpl.yml
- name: "Authenticate to the cluster"
env:
KUBE_CERT: ${{ secrets.KUBE_CERT }}
KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
run: |
echo "${KUBE_CERT}" > ca.crt
kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
kubectl config set-credentials deploy-user --token=${KUBE_TOKEN}
kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
kubectl config use-context ${KUBE_CLUSTER}
- name: "Apply manifest files"
run: |
kubectl -n ${KUBE_NAMESPACE} apply -f deploy/${{ inputs.environment }}