#
# Copyright (c) 2021 Microsoft (Catena-X Consortium)
#
# See the AUTHORS file(s) distributed with this work for additional
# information regarding authorship.
#
# See the LICENSE file(s) distributed with this work for
# additional information regarding license terms.
#
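name: IAM

# Least-privilege grant for the default GITHUB_TOKEN. `actions/checkout` needs
# contents:read and `wait-on-check-action` reads check runs with the token
# passed as `repo-token` (checks:read; confirm against the action's README).
# Nothing in this workflow writes to the repository with GITHUB_TOKEN, so the
# default write-all grant is not needed.
permissions:
  contents: read
  checks: read

on:
  push:
    paths:
      # this workflow file
      - '.github/workflows/iam.yml'
      # deployment manifest files
      - 'infrastructure/manifests/iamcentralidp.yaml'
      - 'infrastructure/manifests/iamsharedidp.yaml'
      # ingress manifest files
      - 'infrastructure/manifests/iamcentralidp-ingress.yaml'
      - 'infrastructure/manifests/iamsharedidp-ingress.yaml'
      # KeyCloak Docker files
      - 'coreservices/iam/docker/**'
      - 'coreservices/iam/themes/**'
    branches:
      # Integration environment
      - main
      # DevOps and IAM team integration branch
      - feature/CAX-12-devops
      # Onboarding and Portal Dev Space
      - feature/CAX-portal
  workflow_dispatch:

# Two runs for the same ref must not deploy at the same time: both would
# `kubectl apply` and `rollout restart` the same deployments and race.
# The later run queues behind the earlier one instead of cancelling it.
concurrency:
  group: iam-${{ github.ref }}
  cancel-in-progress: false

jobs:
  ########################################
  # First job to determine the environment
  ########################################
  environment:
    # name of the job starts with a "run-level" subordinate to the workflow such that we can
    # depend on them in order to implement workflow dependencies
    name: 90 IAM Determine Target Environment
    runs-on: ubuntu-latest
    outputs:
      # empty when repository/branch is not a known target (deploy job is skipped)
      workspace: ${{ steps.setvars.outputs.workspace }}
    steps:
      - name: Set variables
        id: setvars
        # github.* values are handed to the script through the environment
        # rather than spliced in with ${{ }}. `github.ref` is a branch name
        # chosen by whoever pushed (or dispatched the workflow on any branch);
        # interpolating it into the script body lets shell metacharacters in
        # the ref run as code. An environment variable is just data.
        env:
          GH_REPOSITORY: ${{ github.repository }}
          GH_REF: ${{ github.ref }}
        run: |
          # `::set-output` is deprecated by GitHub; outputs are written as
          # key=value lines to the file named by $GITHUB_OUTPUT instead.
          if [[ "$GH_REPOSITORY" == eclipse/tractusx ]]; then
            if [[ "$GH_REF" == refs/heads/main ]]; then
              echo "Determined PRODUCTION"
              echo "workspace=prod" >> "$GITHUB_OUTPUT"
            else
              echo "Unsupported Environment on ECLIPSE. Leaving Workspace empty."
            fi
          elif [[ "$GH_REPOSITORY" == catenax/tractusx ]]; then
            if [[ "$GH_REF" == refs/heads/main ]]; then
              echo "Determined INTEGRATION"
              echo "workspace=int" >> "$GITHUB_OUTPUT"
            else
              echo "Unsupported Branch on CATENAX. Leaving Workspace empty."
            fi
          elif [[ "$GH_REPOSITORY" == tractusx-team-portal-onboarding/tractusx ]]; then
            if [[ "$GH_REF" == refs/heads/feature/CAX-portal ]]; then
              echo "Determined dev003"
              echo "workspace=dev003" >> "$GITHUB_OUTPUT"
            else
              echo "Unsupported Branch on tractusx-team-portal-onboarding. Leaving Workspace empty."
            fi
          else
            echo "Unsupported Environment/Repository. Leaving Workspace empty."
          fi

  ##########################################
  # Second job does the deployment to AKS
  ##########################################
  # FROM HERE ON: NO ADAPTION NEEDED ANYMORE
  deploy:
    # name of the job starts with a "run-level" subordinate to the workflow such that we can
    # depend on them in order to implement workflow dependencies
    name: 91 IAM Deployment
    runs-on: ubuntu-latest
    # rely on the first job
    needs: environment
    # rely on successful detection of the workspace, skip the job if empty
    if: needs.environment.outputs.workspace != ''
    # Only non-secret values live at job level. The database and Keycloak
    # admin credentials are scoped to the two `envsubst` steps that consume
    # them (see below) so they are not exposed to every third-party action
    # and shell step in this job.
    env:
      WORKSPACE: ${{ needs.environment.outputs.workspace }}
      CLUSTER_ISSUER: service
      CATENA_SERVICE_URL: https://catenax${{ needs.environment.outputs.workspace }}akssrv.germanywestcentral.cloudapp.azure.com
      CATENA_SERVICE_HOST: catenax${{ needs.environment.outputs.workspace }}akssrv.germanywestcentral.cloudapp.azure.com
      CATENA_REGISTRATION_URL: https://catenax-${{ needs.environment.outputs.workspace }}-app-onboarding.azurewebsites.net
      DB_HOST: catenax${{ needs.environment.outputs.workspace }}database
      CONTAINER_REGISTRY: catenaxacr.azurecr.io
      # NOTE(review): `:latest` is a mutable tag; the running pods only pick
      # up a new build because of the `rollout restart` at the end of the job.
      # An immutable tag (e.g. the commit SHA) would make a deployment
      # reproducible and attributable to a specific revision.
      CONTAINER_IMAGE_CENTRALIDP: catenaxacr.azurecr.io/keycloak/centralidp${{ needs.environment.outputs.workspace }}:latest
      CONTAINER_IMAGE_SHAREDIDP: catenaxacr.azurecr.io/keycloak/sharedidp${{ needs.environment.outputs.workspace }}:latest
    steps:
      # Wait for infrastructure deployments (check names starting with "0")
      # on the same ref to terminate.
      # NOTE(review): all third-party actions below are pinned to mutable
      # tags; pinning to a full commit SHA protects against a retagged or
      # compromised release.
      # NOTE(review): `cancelled` is an accepted conclusion, so a cancelled
      # infrastructure run does not block this deployment -- confirm intended.
      - name: Wait for Infrastructure
        uses: lewagon/wait-on-check-action@v1.0.0
        with:
          ref: ${{ github.ref }}
          check-regexp: '0.*'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
          allowed-conclusions: success,skipped,cancelled
      # This is needed to interact with the subscription.
      # NOTE(review): AZURE_CREDENTIALS is a long-lived service-principal
      # secret; OIDC federated credentials (`id-token: write`) would remove
      # the stored secret entirely.
      - name: Login via Azure CLI
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # Get the latest sources. No later step needs git credentials, so do not
      # leave the token in .git/config where a later step could read it.
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false
      # Authenticate to the registry; the build/push happens in the next step.
      - name: Login to container registry
        uses: azure/docker-login@v1
        with:
          login-server: ${{ env.CONTAINER_REGISTRY }}
          username: ${{ secrets.AZURE_REGISTRY_USERNAME }}
          password: ${{ secrets.AZURE_REGISTRY_PASSWORD }}
      # Build and push KeyCloak custom images for central and shared idp instances
      - name: Build and push KeyCloak images
        run: |
          docker build -f ./coreservices/iam/docker/Dockerfile.centralidp -t "$CONTAINER_IMAGE_CENTRALIDP" ./coreservices/iam/
          docker push "$CONTAINER_IMAGE_CENTRALIDP"
          docker build -f ./coreservices/iam/docker/Dockerfile.sharedidp -t "$CONTAINER_IMAGE_SHAREDIDP" ./coreservices/iam/
          docker push "$CONTAINER_IMAGE_SHAREDIDP"
      # Login to K8
      - name: Kubernetes Login
        id: login
        uses: azure/aks-set-context@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}' # Azure credentials
          resource-group: 'catenax-${{ needs.environment.outputs.workspace }}-rg'
          cluster-name: 'catenax-${{ needs.environment.outputs.workspace }}-aks-services'
      # Deploy central idp service. `envsubst` without a variable list
      # substitutes every ${VAR} reference from the process environment, which
      # is why the credentials are provided as step env here.
      - name: Deploy central idp service on AKS
        working-directory: ./infrastructure/manifests
        env:
          DB_USER: ${{ secrets.CATENAX_USER }}
          DB_PASSWORD: ${{ secrets.CATENAX_PASSWORD }}
          KEYCLOAK_ADMIN_USER: ${{ secrets.KEYCLOAK_ADMIN_USER }}
          KEYCLOAK_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}
        run: |
          envsubst < iamcentralidp.yaml | kubectl apply -f -
          envsubst < iamcentralidp-ingress.yaml | kubectl apply -f -
      # Deploy shared idp service (same credential scoping as above)
      - name: Deploy shared idp service on AKS
        working-directory: ./infrastructure/manifests
        env:
          DB_USER: ${{ secrets.CATENAX_USER }}
          DB_PASSWORD: ${{ secrets.CATENAX_PASSWORD }}
          KEYCLOAK_ADMIN_USER: ${{ secrets.KEYCLOAK_ADMIN_USER }}
          KEYCLOAK_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}
        run: |
          envsubst < iamsharedidp.yaml | kubectl apply -f -
          envsubst < iamsharedidp-ingress.yaml | kubectl apply -f -
      # cert-manager <1.18 bugfix: Get Pending Solver, we have to wait a bit as it may take some time for the solver to come up
      - name: Kubernetes Try To Find Pending Solver
        id: try_solver
        run: |
          sleep 15s
          # `kubectl describe <kind> <name>` matches every ingress whose name
          # starts with "cm-acme" (the http-01 solver ingresses); take the
          # first `Name:` line. `[\w]`/`[\S]` are not character classes in a
          # POSIX bracket expression (they match a literal backslash, "w" or
          # "S"), so POSIX classes are used instead. `|| true` keeps the step
          # green when no solver exists -- the output is then empty and the
          # patch step is skipped. Only one line may be written to
          # $GITHUB_OUTPUT, hence `head -n 1`.
          solver="$(kubectl describe ingress -n iam cm-acme \
            | sed -n 's/^Name:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
            | head -n 1 || true)"
          echo "SOLVER=${solver}" >> "$GITHUB_OUTPUT"
      # cert-manager <1.18 bugfix: Patch any pending solver
      - name: Modify a pending <1.18 cert-manager solver
        if: steps.try_solver.outputs.SOLVER != ''
        # The solver name comes from cluster output; pass it as data, not as
        # part of the script text.
        env:
          SOLVER: ${{ steps.try_solver.outputs.SOLVER }}
        run: |
          echo "Found a pending solver ${SOLVER} which we need to patch"
          # Drop the deprecated `kubernetes.io/ingress.class` annotation and set
          # spec.ingressClassName. A JSON merge patch with a null value removes
          # the annotation and is a no-op if it is absent, which replaces the
          # previous get | sed | apply round trip of the whole object.
          kubectl patch ingress "$SOLVER" -n iam --type merge \
            -p '{"metadata":{"annotations":{"kubernetes.io/ingress.class":null}},"spec":{"ingressClassName":"service"}}'
      # Restart both idp deployments so the pods pull the freshly pushed images
      - name: Rollout the idp instances
        run: |
          kubectl rollout restart deployment iamcentralidp -n iam
          kubectl rollout restart deployment iamsharedidp -n iam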