GitHub Action
OpenShift Deployer
GitHub Action. Deploy to OpenShift using templates. Runs route verification or penetration tests. Most of the heavy lifting here is done in template configuration.
Testing has only been done with public containers on ghcr.io (GitHub Container Registry) so far.
- uses: bcgov-nr/action-deployer-openshift@main
with:
### Required
# OpenShift template file
file: frontend/openshift.deploy.yml
# OpenShift project/namespace
oc_namespace: abc123-dev
# OpenShift server
oc_server: https://api.silver.devops.gov.bc.ca:6443
# OpenShift token
# Usually available as a secret in your project/namespace
oc_token: ${{ secrets.OC_TOKEN }}
# Overwrite objects using `oc apply` or only create with `oc create`
# Expected errors from `oc create` are handled with `set +o pipefail`
overwrite: true
### Typical / recommended
# Template parameters/variables to pass
parameters: -p PR_NO=${{ github.event.number }}
# Run a ZAProxy penetration test against any routes? [true/false]
penetration_test: false
# Allow ZAProxy alerts to fail the workflow? [true/false]
penetration_test_fail: false
# Provide a name for ZAProxy workflow artifacts; e.g. frontend, backend
# Without this multiple package artifact names can collide
penetration_test_artifact: frontend
# Provide a name to enable ZAProxy issue creation; e.g. frontend, backend
# If the issue exists, it adds new comments to the existing issue.
penetration_test_issue: frontend
# Timeout seconds, only affects the OpenShift deployment (apply/create)
# Default = "15m"
timeout: "15m"
# Bash array to diff for build triggering
# Optional, defaults to nothing, which forces a build
triggers: ('frontend/')
# Sets the health path to be used during deployment verification, does not require the '/' at the begining
# Builds a health verification URL, form: <route_via_template>/<verifidation_path>
verification_path: ""
# Number of times to attempt deployment verification
verification_retry_attempts: "3"
# Seconds to wait between deployment verification attempts
verification_retry_seconds: "10"
### Usually a bad idea / not recommended
# Overrides the default branch to diff against
# Defaults to the default branch, usually `main`
diff_branch: ${{ github.event.repository.default_branch }}
# Repository to clone and process
# Useful for consuming other repos, defaults to the current one
repository: ${{ github.repository }}
# Specify GITHUB_TOKEN or Personal Access Token (PAT) for issue writing
# Defaults to inheriting from the calling workflow
penetration_test_token: ${{ github.token }}Deploy a single template. Multiple GitHub secrets are used.
deploys:
name: Deploys
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Deploys
uses: bcgov-nr/action-deployer-openshift.yml@main
with:
file: frontend/openshift.deploy.yml
oc_namespace: ${{ vars.OC_NAMESPACE }}
oc_server: ${{ vars.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
overwrite: true
parameters:
-p MIN_REPLICAS=1 -p MAX_REPLICAS=2
-p PR_NUMBER=${{ github.event.number }}
triggers: ('frontend/')Deploy multiple templates in parallel. This time penetration tests are enabled and issues created. Runs on pull requests (PRs).
deploys:
name: Deploys
runs-on: ubuntu-latest
strategy:
matrix:
name: [backend, database, frontend, init]
include:
- name: backend
file: backend/openshift.deploy.yml
overwrite: true
parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
triggers: ('backend/')
- name: database
overwrite: false
file: database/openshift.deploy.yml
- name: frontend
overwrite: true
file: frontend/openshift.deploy.yml
parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2
triggers: ('backend/', 'frontend/')
- name: init
overwrite: false
file: common/openshift.init.yml
steps:
- uses: actions/checkout@v3
- name: Deploys
uses: bcgov-nr/action-deployer-openshift.yml@main
with:
file: ${{ matrix.file }}
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
overwrite: ${{ matrix.overwrite }}
parameters:
-p COMMON_TEMPLATE_VAR=whatever-${{ github.event.number }}
${{ matrix.parameters }}
penetration_test: true
penetration_test_issue: ${{ matrix.name }}
triggers: ${{ matrix.triggers }}Deploy a template and set the after deployment check to hit the /health endpoint. Multiple GitHub secrets are used.
deploys:
name: Deploys
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Deploys
uses: bcgov-nr/action-deployer-openshift.yml@main
with:
file: backend/openshift.deploy.yml
oc_namespace: ${{ secrets.OC_NAMESPACE }}
oc_server: ${{ secrets.OC_SERVER }}
oc_token: ${{ secrets.OC_TOKEN }}
overwrite: true
verification_url: health
parameters:
-p MIN_REPLICAS=1 -p MAX_REPLICAS=2
-p PR_NUMBER=${{ github.event.number }}
triggers: ${{ matrix.triggers }}Deployment templates are parsed for a route. If found, those routes are verified with a curl command for status code 200 (success). This ensures that applications are accessible from outside their OpenShift namespace/project.
Provide penetration_test: true to instead run a penetration test using OWASP ZAP (Zed Attack Proxy) against that route. penetration_test_fail: false can be used to fail pipelines where problems are found. penetration_test_issue: name creates or comments on issues and is generally preferable over failing pipelines.
Pull requests created by Dependabot require their own secrets. See GitHub Repo > Settings > Secrets > Dependabot.
Please contribute your ideas! Issues and pull requests are appreciated.
Idea: Can anyone test with Kubernetes, which OpenShift is based on?