Adding superintendent and secretary treasurer roles for now.

bcgov · Nov 6, 2024 · 84943ec · 84943ec
1 parent 15d3d56
commit 84943ec
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 87 deletions.
diff --git a/.github/workflows/deploy-to.openshift-dev-and-test.yml b/.github/workflows/deploy-to.openshift-dev-and-test.yml
@@ -184,89 +184,89 @@ jobs:
         with:
           target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs'
 
-#  deploy-test:
-#    name: Deploy to OpenShift TEST
-#    needs: build-and-deploy-dev
-#    runs-on: ubuntu-22.04
-#    environment: test
-#
-#    outputs:
-#      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
-#      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
-#
-#    steps:
-#      - name: Check for required secrets
-#        uses: actions/github-script@v6
-#        with:
-#          script: |
-#            const secrets = {
-#              OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
-#              OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
-#            };
-#
-#            const GHCR = "ghcr.io";
-#            if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
-#              core.info(`Image registry is ${GHCR} - no registry password required`);
-#            }
-#            else {
-#              core.info("A registry password is required");
-#              secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
-#            }
-#
-#            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
-#              if (value.length === 0) {
-#                core.error(`Secret "${name}" is not set`);
-#                return true;
-#              }
-#              core.info(`✔️ Secret "${name}" is set`);
-#              return false;
-#            });
-#
-#            if (missingSecrets.length > 0) {
-#              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
-#                "You can add it using:\n" +
-#                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
-#                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
-#                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
-#            }
-#            else {
-#              core.info(`✅ All the required secrets are set`);
-#            }
-#
-#      - name: Check out repository
-#        uses: actions/checkout@v3
-#
-#      - name: Install oc
-#        uses: redhat-actions/openshift-tools-installer@v1
-#        with:
-#          oc: 4
-#
-#      - name: Deploy API
-#        run: |
-#          set -eu
-#          # Login to OpenShift and select project
-#          oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
-#          oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }}
-#          # Cancel any rollouts in progress
-#          oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
-#          || true && echo "No rollout in progress"
-#
-#          oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }}
-#
-#          # Process and apply deployment template
-#          oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
-#          | oc apply -f -
-#
-#          curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} ${{ env.CHES_CLIENT_ID }} ${{ env.CHES_CLIENT_SECRET }} ${{ env.CHES_TOKEN_URL }} ${{ env.CHES_ENDPOINT_URL }} ${{ env.SITE_URL }}
-#
-#          # Start rollout (if necessary) and follow it
-#          oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
-#          || true && echo "Rollout in progress"
-#          oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
-#          # Get status, returns 0 if rollout is successful
-#          oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
-#
-#      - name: ZAP Scan
-#        uses: zaproxy/[email protected]
-#        with:
-#          target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs'
+  deploy-test:
+    name: Deploy to OpenShift TEST
+    needs: build-and-deploy-dev
+    runs-on: ubuntu-22.04
+    environment: test
+
+    outputs:
+      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+
+    steps:
+      - name: Check for required secrets
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const secrets = {
+              OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+              OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+            };
+
+            const GHCR = "ghcr.io";
+            if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
+              core.info(`Image registry is ${GHCR} - no registry password required`);
+            }
+            else {
+              core.info("A registry password is required");
+              secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
+            }
+
+            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+              if (value.length === 0) {
+                core.error(`Secret "${name}" is not set`);
+                return true;
+              }
+              core.info(`✔️ Secret "${name}" is set`);
+              return false;
+            });
+
+            if (missingSecrets.length > 0) {
+              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
+                "You can add it using:\n" +
+                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+            }
+            else {
+              core.info(`✅ All the required secrets are set`);
+            }
+
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Install oc
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: 4
+
+      - name: Deploy API
+        run: |
+          set -eu
+          # Login to OpenShift and select project
+          oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
+          oc project ${{ env.OPENSHIFT_NAMESPACE_TEST }}
+          # Cancel any rollouts in progress
+          oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
+          || true && echo "No rollout in progress"
+
+          oc tag ${{ env.NAMESPACE }}-dev/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }} ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }}
+
+          # Process and apply deployment template
+          oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_TEST }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_TEST }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_TEST }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
+          | oc apply -f -
+
+          curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin test ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }} ${{ env.CHES_CLIENT_ID }} ${{ env.CHES_CLIENT_SECRET }} ${{ env.CHES_TOKEN_URL }} ${{ env.CHES_ENDPOINT_URL }} ${{ env.SITE_URL }}
+
+          # Start rollout (if necessary) and follow it
+          oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
+          || true && echo "Rollout in progress"
+          oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
+          # Get status, returns 0 if rollout is successful
+          oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
+
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs'
diff --git a/tools/config/update-configmap.sh b/tools/config/update-configmap.sh
@@ -416,7 +416,7 @@ ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,STUDENT_DATA_COLLECTION,SE
 
 if [ "$envValue" = "prod" ]
 then
-  ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,SECURE_EXCHANGE_SCHOOL,SECURE_EXCHANGE_DISTRICT,EDX_EDIT_SCHOOL,EDX_EDIT_DISTRICT"
+  ROLES_ALLOW_LIST="EDX_DISTRICT_ADMIN,EDX_SCHOOL_ADMIN,SECURE_EXCHANGE_SCHOOL,SECURE_EXCHANGE_DISTRICT,EDX_EDIT_SCHOOL,EDX_EDIT_DISTRICT,DIS_SDC_RO,SCH_SDC_RO,SCHOOL_SDC,DISTRICT_SDC,SUPERINT,SECR_TRES,GRAD_SCH_ADMIN,GRAD_DIS_ADMIN"
 fi
 
 SCHEDULED_JOBS_EXTRACT_UNCOMPLETED_SAGAS_CRON="0 0/1 * * * *"