Before you can automate the deployment you will need to deploy once manually with Helm so that the deployer service account gets created; refer to the deployment script for the command and to the app's GitHub Actions workflow for the environment overrides.
To deploy the project into a new namespace, or to deploy another instance of the project into an existing namespace, GitHub Environments are used together with Helm and GitHub Actions. The following steps can be used as a reference:

1. Create a new environment on the GitHub repository and set protection rules (required reviewers, deployment branch restrictions) as necessary. The environment holds the secrets that GitHub Actions passes to Helm, and any workflow job that targets the environment can read them.
2. Add the following secrets to the environment and fill them in as appropriate:
   - `AWS_CLAM_S3_BUCKET`
   - `AWS_ROLE_ARN`
   - `AWS_S3_BACKUPS_BUCKET`
   - `AWS_S3_BUCKET`
   - `AWS_S3_KEY`
   - `AWS_S3_REGION`
   - `AWS_S3_SECRET_KEY`
   - `CLIENT_SECRET`: the SSO client secret
   - `NEXT_PUBLIC_GROWTHBOOK_API_KEY`
   - `OPENSHIFT_APP_NAMESPACE`
   - `OPENSHIFT_METABASE_NAMESPACE`: used for the NetworkPolicy
   - `OPENSHIFT_METABASE_PROD_NAMESPACE`: used for the NetworkPolicy
   - `OPENSHIFT_ROUTE`
   - `OPENSHIFT_SECURE_ROUTE`
   - `OPENSHIFT_TOKEN`
   - `CERT`
   - `CERT_KEY`
   - `CERT_CA`
3. Create any updated values needed for your new deployment under `helm/app`. For example, if you named your environment `foo`, create a file named `values-foo.yaml`.
4. Add an extra step to `.github/workflows/deploy.yaml` with the updated job and environment name.
5. Run the action!
Note: additional modifications or steps may be required to suit your specific needs; you might need to create independent workflows or Helm charts.
For disaster recovery procedures, refer to CCBC Disaster Recovery Testing with Patroni.
In case of a major disaster in which the database volume has been lost, refer to Restoring Backup Volumes on OpenShift.
The project consists of several OpenShift CronJobs that automatically run the following tasks:
- Incremental database backup: managed by the PostgresCluster Operator (CrunchyDB); runs every 4 hours, starting at 1:00 AM Pacific Time.
- Full database backup: also managed by CrunchyDB; runs every day at 1:00 AM Pacific Time.
- Mark applications as received: marks all applications for a specific intake as received in the database, i.e. sets any application with status `submitted` to `received`. Runs twice a day, at 10:00 AM and 10:00 PM Pacific Time.
- Prepare attachments: prepares attachments for download from the S3 bucket. Runs twice a day, at 10:00 AM and 10:00 PM Pacific Time.
To run any of the CronJobs above manually:
1. Get the name of the CronJob you want to run:
   ```sh
   oc get CronJob
   ```
2. Start a Job from it:
   ```sh
   oc create job --from cronjob/[NAME FROM STEP 1] [YOUR JOB NAME]
   ```
   For example, if the CronJob from step 1 is `ccbc-pgbackrest-repo1-full` and we want to name our job `my-manual-job`, we run `oc create job --from cronjob/ccbc-pgbackrest-repo1-full my-manual-job`.
3. Once run, you should see `job.batch/[YOUR JOB NAME] created`.

Note that you cannot create a Job with the same name twice: if you need to rerun a Job, either delete the old Job and repeat step 2, or use a different name.
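The duplicate-name problem above is easiest to avoid by deriving the Job name from the CronJob name and a timestamp, and checking it is still a valid Kubernetes name before calling `oc`. The script below is an added example, not part of the project; it assumes `oc` is installed and logged in with the right project selected, and the `-manual-<timestamp>` naming is this example's own convention.

```shell
#!/bin/sh
# Added example (not project code): start a CronJob by hand with a Job name
# that is unique and valid, so a rerun never fails with "already exists".
# Assumes `oc` is installed and logged in with the right project selected.

# Job names must be DNS-1123 labels: lowercase a-z, 0-9 and '-', starting and
# ending with an alphanumeric character, at most 63 characters long.
valid_job_name() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Derive the Job name from the CronJob name plus a UTC timestamp. A second
# argument pins the timestamp (handy for testing). The CronJob name is trimmed
# so the result still fits in 63 characters, and a dash left dangling by the
# trim is removed so the name stays a valid label.
manual_job_name() {
  cj=$1
  stamp=${2:-$(date -u +%Y%m%d%H%M%S)}
  suffix="-manual-$stamp"
  max=$((63 - ${#suffix}))
  prefix=$(printf '%.'"$max"'s' "$cj")
  while [ "${prefix%-}" != "$prefix" ]; do prefix=${prefix%-}; done
  name="$prefix$suffix"
  valid_job_name "$name" || return 1
  printf '%s\n' "$name"
}

# Create the Job, wait for it to finish, then show its logs.
# A failed Job never reaches condition=complete, so the wait times out;
# inspect it with `oc describe job/<name>` in that case.
run_cronjob_now() {
  cj=$1
  job=$(manual_job_name "$cj") || { echo "cannot derive a valid job name from '$cj'" >&2; return 1; }
  oc create job --from "cronjob/$cj" "$job" || return 1
  oc wait --for=condition=complete "job/$job" --timeout=30m || return 1
  oc logs "job/$job"
}

# Usage: ./run-cronjob.sh ccbc-pgbackrest-repo1-full
if [ "$#" -eq 1 ]; then
  run_cronjob_now "$1"
fi
```

Because the timestamp is part of the name, every manual run leaves its own Job behind; clean old ones up with `oc delete job <name>` once their logs are no longer needed.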
Certificates are generated using the standard BC Government process:
1. Create a submission for certificates through MySC.
2. Generate a CSR, or use one already generated, and provide it when requested. If a new one is needed, you can use the following command:
   ```sh
   # replace `domain.ca` with the domain you are generating a certificate for
   openssl req -new -newkey rsa:2048 -nodes -out domain.ca.csr -keyout domain.ca.key \
     -subj "/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/OU=NetworkBC/CN=domain.ca"
   ```
3. The step above gives you two files, `domain.ca.csr` and `domain.ca.key`. Share only the CSR; the key is private and is stored in the `CERT_KEY` secret listed above during deployment. Because `-nodes` writes the key unencrypted, keep `domain.ca.key` out of version control and remove the local copy once it is in the secret.
4. Once complete, you will receive a certificate and a chain. Use them in the `CERT` and `CERT_CA` fields respectively. You will also need to update `CERT_KEY` if a new CSR (and therefore a new key) was used.
5. Repeat this process for any other certificates you need to renew (e.g. dev, test, etc.).
6. Finally, to update the certificates, run the deployment action for each environment that needs updating.
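A renewed certificate that does not match the key in `CERT_KEY`, or a chain that does not actually issue it, only shows up as a TLS failure after the deployment action has run. The checks below are an added example, not part of the project's process; they assume the `openssl` CLI is available and use hypothetical file names (`cert.pem`, `domain.ca.key`, `chain.pem`) in place of whatever you received from MySC.

```shell
#!/bin/sh
# Added example (not project code): sanity checks to run before pasting a
# renewed certificate into the CERT / CERT_KEY / CERT_CA secrets.
# Assumes the openssl CLI is installed; file names are placeholders.

# Print the SubjectPublicKeyInfo (PEM) carried by a private key, CSR or certificate.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Two PEM public keys are "the same" only if both were read and are identical;
# an unreadable file yields an empty string, which must not compare equal.
same_pubkey() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then return 0; fi
  return 1
}

# The CSR was produced from this key (confirm before sending the CSR off).
csr_matches_key()  { same_pubkey "$(pubkey_of_csr "$1")"  "$(pubkey_of_key "$2")"; }
# The issued certificate matches the key that will go into CERT_KEY.
cert_matches_key() { same_pubkey "$(pubkey_of_cert "$1")" "$(pubkey_of_key "$2")"; }
# The certificate chains up to the supplied CA bundle (what goes into CERT_CA).
chain_verifies()   { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run both deployment-time checks and show the expiry; non-zero if any fails.
# Usage: check_cert_bundle cert.pem domain.ca.key chain.pem
check_cert_bundle() {
  cert=$1 key=$2 chain=$3
  rc=0
  if cert_matches_key "$cert" "$key"; then
    echo "ok: certificate matches $key"
  else
    echo "FAIL: certificate public key does not match $key" >&2; rc=1
  fi
  if chain_verifies "$cert" "$chain"; then
    echo "ok: certificate verifies against $chain"
  else
    echo "FAIL: $cert does not verify against $chain" >&2; rc=1
  fi
  openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null
  return $rc
}

# Command-line usage: ./check-cert.sh cert.pem domain.ca.key chain.pem
if [ "$#" -eq 3 ]; then
  check_cert_bundle "$1" "$2" "$3"
fi
```

Run `csr_matches_key domain.ca.csr domain.ca.key` right after generating the CSR in step 2, and `check_cert_bundle` on the files you receive in step 4; a mismatch at that point means the wrong key (or an old CSR) was used and the submission has to be repeated.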