-
Notifications
You must be signed in to change notification settings - Fork 0
158 lines (139 loc) · 5.72 KB
/
ci_pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: CI/CD Pipeline
on:
push:
branches:
- "**"
tags:
- "v*.*.*"
pull_request:
branches:
- "main"
env:
APP_VERSION: ${{ github.ref_name }}
jobs:
lint-and-test:
name: Run linter and tests
runs-on: [self-hosted-linux]
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
- name: Install dependencies
run: npm install
- name: Linting
run: npm run lint
- name: Set environment variables based on ref
run: |
if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
echo "CATALOGUE_API_PATH=${{ secrets.CATALOGUE_PROD_API_PATH }}" >> $GITHUB_ENV
else
echo "CATALOGUE_API_PATH=${{ secrets.CATALOGUE_STAGE_API_PATH }}" >> $GITHUB_ENV
fi
- name: Build application
run: npm run build
build-and-publish:
name: Create and push Docker image
needs: lint-and-test
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
runs-on: [self-hosted-linux]
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver: docker
- name: Import secrets
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_URL }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
kv/team/text/data/harbor * ;
kv/team/text/data/hugin-stage * ;
kv/team/text/data/keycloak-nbauth-tekst *
- name: Log in to Harbor
uses: docker/login-action@v3
with:
registry: ${{ steps.import-secrets.outputs.HARBOR_URL }}
username: ${{ steps.import-secrets.outputs.HARBOR_USERNAME }}
password: ${{ steps.import-secrets.outputs.HARBOR_PASSWORD }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: harbor.nb.no/tekst/hugin
tags: |
type=semver,pattern={{version}}
type=ref,event=branch
type=ref,event=pr
- name: Set .env variables
run: |
touch .env.production
echo "CATALOGUE_API_PATH=${{ secrets.CATALOGUE_STAGE_API_PATH }}" >> .env.production
echo "DATABASE_URL=${{ steps.import-secrets.outputs.DATABASE_URL_STAGE }}" >> .env.production
echo "SENTRY_DSN=${{ secrets.SENTRY_DSN }}" >> .env.production
echo "SENTRY_ORG=${{ secrets.SENTRY_ORG }}" >> .env.production
echo "SENTRY_PROJECT=${{ secrets.SENTRY_PROJECT }}" >> .env.production
echo "SENTRY_URL=${{ secrets.SENTRY_URL }}" >> .env.production
echo "KEYCLOAK_TEKST_CLIENT_ID=${{ steps.import-secrets.outputs.KEYCLOAK_TEKST_CLIENT_ID }}" >> .env.production
echo "KEYCLOAK_TEKST_CLIENT_SECRET=${{ steps.import-secrets.outputs.KEYCLOAK_TEKST_CLIENT_SECRET }}" >> .env.production
echo "KEYCLOAK_TEKST_URL=${{ steps.import-secrets.outputs.KEYCLOAK_TEKST_URL }}" >> .env.production
echo "NEXT_PUBLIC_KEYCLOAK_BASE_URL=${{ steps.import-secrets.outputs.KEYCLOAK_BASE_URL }}" >> .env.production
echo "NEXT_PUBLIC_KEYCLOAK_REALM=${{ steps.import-secrets.outputs.KEYCLOAK_REALM }}" >> .env.production
echo "NEXT_PUBLIC_KEYCLOAK_CLIENT_ID=${{ steps.import-secrets.outputs.KEYCLOAK_CLIENT_ID }}" >> .env.production
- name: Build and push image
uses: docker/build-push-action@v5
with:
push: true
context: .
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: Dockerfile
build-args: |
HTTP_PROXY=${{ secrets.HTTP_PROXY }}
HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
deploy-to-stage:
name: Deploy stage environment
needs: build-and-publish
runs-on: [self-hosted-linux]
if: github.ref == 'refs/heads/main'
environment: stage
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Import secrets
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_URL }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
kv/team/text/data/k8s-text-stage *
- name: Set up kubectl
uses: azure/setup-kubectl@v4
with:
version: 'v1.26.5'
- name: Deploy to stage cluster
run: |
echo "Deploying to stage version ${{ env.APP_VERSION }}"
sed -i "s/<version>/${{ env.APP_VERSION }}/g" k8s/stage/deployment.yml
sed -i "s/<host_url>/${{ steps.import-secrets.outputs.K8S_HOST_URL }}/g" k8s/stage/ingress.yml
kubectl config set-cluster stagecl --server=${{ steps.import-secrets.outputs.K8S_STAGE_SERVER }}
kubectl config set clusters.stagecl.certificate-authority-data ${{ steps.import-secrets.outputs.K8S_STAGE_NB_NO_CA }}
kubectl config set-credentials ${{ steps.import-secrets.outputs.K8S_STAGE_USER }} --token=${{ steps.import-secrets.outputs.K8S_STAGE_NB_NO_TOKEN }}
kubectl config set-context tekst --cluster=stagecl --user=${{ steps.import-secrets.outputs.K8S_STAGE_USER }} --namespace=tekst-stage
kubectl config use-context tekst
kubectl config view
kubectl version
kubectl apply -f k8s/stage
kubectl rollout restart deployment hugin-deployment