OpenShift Deployer

OpenShift Deployer with Route Verification or Penetration Testing

GitHub Action. Deploy to OpenShift using templates. Runs route verification or penetration tests. Most of the heavy lifting here is done in template configuration.

Testing has only been done with public containers on ghcr.io (GitHub Container Registry) so far.

Usage

- uses: bcgov-nr/action-deployer-openshift@main
  with:
    ### Required

    # OpenShift template file
    file: frontend/openshift.deploy.yml

    # OpenShift project/namespace
    oc_namespace: abc123-dev

    # OpenShift server
    oc_server: https://api.silver.devops.gov.bc.ca:6443
    
    # OpenShift token
    # Usually available as a secret in your project/namespace
    oc_token: ${{ secrets.OC_TOKEN }}
    
    # Overwrite objects using `oc apply` or only create with `oc create`
    # Expected errors from `oc create` are handled with `set +o pipefail`
    overwrite: true


    ### Typical / recommended

    # Template parameters/variables to pass
    parameters: -p PR_NO=${{ github.event.number }}

    # Run a ZAProxy penetration test against any routes? [true/false]
    penetration_test: false

    # Allow ZAProxy alerts to fail the workflow? [true/false]
    penetration_test_fail: false

    # Provide a name to enable ZAProxy issue creation; e.g. frontend, backend
    penetration_test_issue: frontend

    # Bash array to diff for build triggering
    # Optional, defaults to nothing, which forces a build
    triggers: ('frontend/')
    
    # Sets the health path to be used during deployment verification, does not require the '/' at the begining
    # Builds a health verification URL, form: <route_via_template>/<verifidation_path>
    verification_path: ""

    # Number of times to attempt deployment verification
    verification_retry_attempts: "3"

    # Seconds to wait between deployment verification attempts
    verification_retry_seconds: "10"


    ### Usually a bad idea / not recommended

    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}

    # Repository to clone and process
    # Useful for consuming other repos, defaults to the current one
    repository: ${{ github.repository }}

Example, Single Template

Deploy a single template. Multiple GitHub secrets are used.

deploys:
  name: Deploys
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Deploys
      uses: bcgov-nr/action-deployer-openshift.yml@main
      with:
        file: frontend/openshift.deploy.yml
        oc_namespace: ${{ secrets.OC_NAMESPACE }}
        oc_server: ${{ secrets.OC_SERVER }}
        oc_token: ${{ secrets.OC_TOKEN }}
        overwrite: true
        parameters:
          -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
          -p PR_NUMBER=${{ github.event.number }}
        triggers: ('frontend/')

Example, Matrix / Multiple Templates

Deploy multiple templates in parallel. This time penetration tests are enabled and issues created. Runs on pull requests (PRs).

deploys:
name: Deploys
runs-on: ubuntu-latest
  strategy:
    matrix:
    name: [backend, database, frontend, init]
    include:
      - name: backend
        file: backend/openshift.deploy.yml
        overwrite: true
        parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
        triggers: ('backend/')
      - name: database
        overwrite: false
        file: database/openshift.deploy.yml
      - name: frontend
        overwrite: true
        file: frontend/openshift.deploy.yml
        parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
        triggers: ('backend/', 'frontend/')
      - name: init
        overwrite: false
        file: common/openshift.init.yml
steps:
  - uses: actions/checkout@v3
  - name: Deploys
    uses: bcgov-nr/action-deployer-openshift.yml@main
    with:
      file: ${{ matrix.file }}
      oc_namespace: ${{ secrets.OC_NAMESPACE }}
      oc_server: ${{ secrets.OC_SERVER }}
      oc_token: ${{ secrets.OC_TOKEN }}
      overwrite: ${{ matrix.overwrite }}
      parameters:
        -p COMMON_TEMPLATE_VAR=whatever-${{ github.event.number }}
        ${{ matrix.parameters }}
      penetration_test: true
      penetration_test_issue: ${{ matrix.name }}
      triggers: ${{ matrix.triggers }}

Example, Using a different endpoint for deployment check

Deploy a template and set the after deployment check to hit the /health endpoint. Multiple GitHub secrets are used.

deploys:
  name: Deploys
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Deploys
      uses: bcgov-nr/action-deployer-openshift.yml@main
      with:
        file: backend/openshift.deploy.yml
        oc_namespace: ${{ secrets.OC_NAMESPACE }}
        oc_server: ${{ secrets.OC_SERVER }}
        oc_token: ${{ secrets.OC_TOKEN }}
        overwrite: true
        verification_url: health
        parameters:
          -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
          -p PR_NUMBER=${{ github.event.number }}
        triggers: ${{ matrix.triggers }}

Route Verification vs Penetration Testing

Deployment templates are parsed for a route. If found, those routes are verified with a curl command for status code 200 (success). This ensures that applications are accessible from outside their OpenShift namespace/project.

Provide penetration_test: true to instead run a penetration test using OWASP ZAP (Zed Attack Proxy) against that route. penetration_test_fail: false can be used to fail pipelines where problems are found. penetration_test_issue: name creates issues and is generally preferable over failing pipelines.

Troubleshooting

Dependabot Pull Requests Failing

Pull requests created by Dependabot require their own secrets. See GitHub Repo > Settings > Secrets > Dependabot.

Feedback

Please contribute your ideas! Issues and pull requests are appreciated.

Idea: Can anyone test with Kubernetes, which OpenShift is based on?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Action

OpenShift Deployer