Use a GH action to deploy to an OpenShift cluster

Author: marko-bekhta

.github/workflows/deploy.yml

@@ -0,0 +1,91 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - "main"
+    paths-ignore:
+      - '.gitignore'
+      - 'CODEOWNERS'
+      - 'LICENSE'
+      - '*.md'
+      - '*.adoc'
+      - '*.txt'
+      - '.all-contributorsrc'
+
+concurrency:
+  group: deployment
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+
+    if: github.repository == 'hibernate/hibernate-github-bot'
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 21
+
+      - name: Build
+        run: ./mvnw -B clean verify
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: 'v3.13.3'
+
+      - name: Log in to OpenShift
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER_INFRA_PROD }}
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN_INFRA_PROD }}
+          namespace: ${{ secrets.OPENSHIFT_NAMESPACE_INFRA_PROD }}
+
+      - name: Create ImageStream
+        run: |
+          oc create imagestream hibernate-github-bot || true
+          # https://docs.openshift.com/container-platform/4.14/openshift_images/using-imagestreams-with-kube-resources.html
+          oc set image-lookup hibernate-github-bot
+
+      - name: Retrieve OpenShift Container Registry URL
+        id: oc-registry
+        run: |
+          echo -n "OC_REGISTRY_URL=" >> "$GITHUB_OUTPUT"
+          oc get imagestream -o json | jq -r '.items[0].status.publicDockerImageRepository' | awk -F"[/]" '{print $1}' >> "$GITHUB_OUTPUT"
+
+      - name: Log in to OpenShift Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ steps.oc-registry.outputs.OC_REGISTRY_URL }}
+          username: ignored
+          password: ${{ secrets.OPENSHIFT_TOKEN_INFRA_PROD }}
+        # Helm in particular needs semantic versions
+        # See https://github.com/helm/helm/issues/9342#issuecomment-775269042
+        # See the parts about pre-release versions in https://semver.org/#semantic-versioning-specification-semver
+        # Ideally we should use a "+" before the SHA, but that won't work with Quarkus
+        # See https://github.com/quarkusio/quarkus/blob/da1a782e04b01b2e165d65474163050d497340c1/extensions/container-image/spi/src/main/java/io/quarkus/container/spi/ImageReference.java#L60
+      - name: Generate app version
+        id: app-version
+        run: |
+          echo "VALUE=1.0.0-$(date -u '+%Y%m%d%H%M%S')-${{ github.sha }}" >> $GITHUB_OUTPUT
+
+      - name: Build and push app container image
+        run: |
+          ./mvnw clean package -DskipTests \
+            -Drevision="${{ steps.app-version.outputs.value }}" \
+            -Dquarkus.container-image.build=true \
+            -Dquarkus.container-image.push=true \
+            -Dquarkus.container-image.registry="$(oc get imagestream -o json | jq -r '.items[0].status.publicDockerImageRepository' | awk -F"[/]" '{print $1}')" \
+            -Dquarkus.container-image.group="$(oc project --short)" \
+            -Dquarkus.container-image.additional-tags=latest  
+
+      - name: Deploy Helm charts
+        run: |
+          helm upgrade --install hibernate-github-bot ./target/helm/openshift/hibernate-github-bot

Jenkinsfile

@@ -43,6 +43,7 @@
     <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
     <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>
     <glob.version>0.9.0</glob.version>
+    <quarkus-helm.version>1.2.5</quarkus-helm.version>
     <surefire-plugin.version>3.5.1</surefire-plugin.version>
     <assertj.version>3.26.0</assertj.version>
   </properties>
@@ -78,10 +79,6 @@
       <version>${assertj.version}</version>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-container-image-jib</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-info</artifactId>
@@ -112,6 +109,21 @@
       <artifactId>glob</artifactId>
       <version>${glob.version}</version>
     </dependency>
+    <!-- Deployment: -->
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-openshift</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-container-image-jib</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkiverse.helm</groupId>
+      <artifactId>quarkus-helm</artifactId>
+      <version>${quarkus-helm.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>io.quarkiverse.githubapp</groupId>
       <artifactId>quarkus-github-app-testing</artifactId>

pom.xml

@@ -8,9 +8,6 @@ quarkus.qute.content-types."md"=text/markdown
 
 quarkus.cache.caffeine."glob-cache".maximum-size=200
 
-quarkus.container-image.group=hibernate
-quarkus.container-image.registry=quay.io
-
 hibernate-github-bot.jenkins.github-app-id=347853
 hibernate-github-bot.develocity.uri=https://ge.hibernate.org/
 
@@ -25,3 +22,47 @@ quarkus.openapi-generator.gradle_enterprise_2023_4_api_yaml.auth.DevelocityAcces
 
 %dev,test.hibernate-github-bot.dry-run=false
 %dev,test.hibernate-github-bot.develocity.access-key=foo
+
+##############
+# Deployment configuration:
+#
+quarkus.container-image.builder=jib
+quarkus.openshift.part-of=hibernate-github-bot
+# Renew the SSL certificate automatically
+# This requires an additional controller to run on the OpenShift cluster (in our case it does).
+# See https://github.com/tnozicka/openshift-acme/#enabling-acme-certificates-for-your-object
+quarkus.openshift.annotations."kubernetes.io/tls-acme"=true
+quarkus.openshift.env.configmaps=hibernate-github-bot-config
+quarkus.openshift.env.secrets=hibernate-github-bot-secrets
+# Resource requirements
+quarkus.openshift.resources.limits.cpu=600m
+quarkus.openshift.resources.requests.cpu=400m
+quarkus.openshift.resources.limits.memory=300Mi
+quarkus.openshift.resources.requests.memory=150Mi
+# Add routes:
+quarkus.openshift.route.expose=true
+quarkus.openshift.route.target-port=http
+## Route TLS configuration:
+quarkus.openshift.route.tls.termination=edge
+quarkus.openshift.route.tls.insecure-edge-termination-policy=Redirect
+# Don't use the version in (service) selectors,
+# otherwise a rollback to an earlier version (due to failing startup) makes the service unavailable
+quarkus.openshift.add-version-to-label-selectors=false
+quarkus.helm.values."resources.limits.cpu".paths=(kind == Deployment).spec.template.spec.containers.resources.limits.cpu
+quarkus.helm.values."resources.requests.cpu".paths=(kind == Deployment).spec.template.spec.containers.resources.requests.cpu
+quarkus.helm.values."resources.limits.memory".paths=(kind == Deployment).spec.template.spec.containers.resources.limits.memory
+quarkus.helm.values."resources.requests.memory".paths=(kind == Deployment).spec.template.spec.containers.resources.requests.memory
+#
+# General Helm config
+#
+# Don't just add any random system property mentioned in application.properties to values.yaml...
+# We don't need it but more importantly it doesn't work (leads to marshalling errors)
+# for strings that look like numbers (e.g. 2.11)
+quarkus.helm.map-system-properties=false
+# Set common k8s labels everywhere:
+quarkus.helm.values."version".paths=metadata.labels.'app.kubernetes.io/version',spec.template.metadata.labels.'app.kubernetes.io/version'
+quarkus.helm.values."version".property=@.app.version
+quarkus.helm.values."version".value=${maven.revision}
+quarkus.helm.values."part-of".paths=metadata.labels.'app.kubernetes.io/part-of',spec.template.metadata.labels.'app.kubernetes.io/part-of'
+quarkus.helm.values."part-of".property=@.app.name
+quarkus.helm.values."part-of".value=hibernate-github-bot