feat: use image digests for conditional rollouts with HELM, initial a…

…ttempt (#1528)

.github/workflows/.deploy.yml

@@ -10,13 +10,26 @@ on:
         type: string
       tag:
         description: 'Docker semver tag or SHA.  E.g.: needs.semver.outputs.semver or github.sha.'
+        required: false
+        type: string
+      backend_tag:
+        description: 'backend Tag, could be tag or sha'
         required: true
         type: string
+      migrations_tag:
+        description: 'migrations Tag, could be tag or sha'
+        required: true
+        type: string
+      frontend_tag:
+        description: 'frontend Tag, could be tag or sha'
+        required: true
+        type: string
+
       target:
         description: 'PR number, test or prod.'
         required: true
         type: string
-      
+
       ### Usually a bad idea / not recommended
       directory:
         description: 'Chart directory.'
@@ -46,6 +59,7 @@ jobs:
         working-directory: ${{ inputs.directory }}
         shell: bash
         run: |
+          echo tags are ${{ inputs.backend_tag }} ${{ inputs.migrations_tag }} ${{ inputs.frontend_tag }}
           # Login to OpenShift (NOTE: project command is a safeguard)
           oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
           oc project ${{ vars.oc_namespace }}
@@ -57,14 +71,13 @@ jobs:
             helm rollback ${{ github.event.repository.name }}-${{ inputs.target }} || \
               helm uninstall ${{ github.event.repository.name }}-${{ inputs.target }}
           fi
-
           # Deploy Helm Chart
           helm dependency update
           helm upgrade \
             --set-string global.repository=${{ github.repository }} \
-            --set-string backend.containers[0].tag="${{ inputs.tag }}" \
-            --set-string backend.initContainers[0].tag="${{ inputs.tag }}" \
-            --set-string frontend.containers[0].tag="${{ inputs.tag }}" \
+            --set-string backend.containers[0].tag="${{ inputs.backend_tag }}" \
+            --set-string backend.initContainers[0].tag="${{ inputs.migrations_tag }}" \
+            --set-string frontend.containers[0].tag="${{ inputs.frontend_tag }}" \
             --set-string bitnami-pg.auth.password=${{ secrets.DB_PASSWORD }} \
             --set-string bitnami-pg.auth.postgresPassword=${{ secrets.DB_PASSWORD }} \
             --install --wait --atomic ${{ github.event.repository.name }}-${{ inputs.target }} \

.github/workflows/merge.yml

@@ -30,30 +30,33 @@ jobs:
           skip-on-empty: 'false'
           git-push: 'false'
 
-  retag-images:
-    name: Tag Images
-    needs: [semver]
+  get-digest:
+    name: Get Digests
+    outputs:
+      backend_tag: ${{ steps.get_digest.outputs.backend_tag }}
+      migrations_tag: ${{ steps.get_digest.outputs.migrations_tag }}
+      frontend_tag: ${{ steps.get_digest.outputs.frontend_tag }}
     runs-on: ubuntu-22.04
     strategy:
         matrix:
             package: [backend, migrations, frontend]
     steps:
-      - name: Tag Docker Images
-        uses: shrink/actions-docker-registry-tag@v3
-        with:
-          registry: ghcr.io
-          repository: ${{ github.repository }}/${{ matrix.package }}
-          target: test
-          tags: ${{ needs.semver.outputs.semver }}
+      - name: return digest
+        id: get_digest
+        run: |
+          DIGEST=$(docker manifest inspect ghcr.io/${{ github.repository }}/${{ matrix.package }}:test | jq '.manifests[0].digest')
+          echo "${{ matrix.package }}_tag=${DIGEST}" >> $GITHUB_OUTPUT
 
   deploys-test:
     name: Deploys (test)
-    needs: [retag-images, semver]
+    needs: [retag-images, get-digest]
     uses: ./.github/workflows/.deploy.yml
     secrets: inherit
     with:
       environment: test
-      tag: ${{ needs.semver.outputs.semver }}
+      backend_tag: ${{ needs.get-digest.outputs.backend_tag }}
+      migrations_tag: ${{ needs.get-digest.outputs.migrations_tag }}
+      frontend_tag: ${{ needs.get-digest.outputs.frontend_tag }}
       target: test
 
   integration-tests:
@@ -123,12 +126,14 @@ jobs:
 
   deploys-prod:
     name: Deploys (prod)
-    needs: [cypress-e2e, integration-tests, semver]
+    needs: [cypress-e2e, integration-tests, get-digest]
     uses: ./.github/workflows/.deploy.yml
     secrets: inherit
     with:
       environment: prod
-      tag: ${{ needs.semver.outputs.semver }}
+      backend_tag: ${{ needs.get-digest.outputs.backend_tag }}
+      migrations_tag: ${{ needs.get-digest.outputs.migrations_tag }}
+      frontend_tag: ${{ needs.get-digest.outputs.frontend_tag }}
       target: prod
 
   tags:

.github/workflows/pr-open.yml

@@ -51,14 +51,20 @@ jobs:
   builds:
     name: Builds
     runs-on: ubuntu-22.04
+    outputs:
+      backend_tag: ${{ steps.get_digest.outputs.backend_tag }}
+      migrations_tag: ${{ steps.get_digest.outputs.migrations_tag }}
+      frontend_tag: ${{ steps.get_digest.outputs.frontend_tag }}
+
     permissions:
       packages: write
     strategy:
       matrix:
         package: [migrations, backend, frontend]
     timeout-minutes: 10
     steps:
-      - uses: bcgov-nr/[email protected]
+      - uses: bcgov-nr/[email protected]
+        id: build
         with:
           keep_versions: 50
           package: ${{ matrix.package }}
@@ -74,6 +80,10 @@ jobs:
           repository: ${{ github.repository }}/${{ matrix.package }}
           target: ${{ github.sha }}
           tags: ${{ github.event.number }}
+      - name: return build output
+        id: get_digest
+        run: |
+          echo "${{ matrix.package }}_tag=${{steps.build.outputs.digest}}" >> $GITHUB_OUTPUT
 
   # https://github.com/bcgov-nr/action-deployer-openshift
   deploys:
@@ -82,6 +92,8 @@ jobs:
     uses: ./.github/workflows/.deploy.yml
     secrets: inherit
     with:
-      tag: ${{ github.sha }}
+      backend_tag: ${{ needs.builds.outputs.backend_tag }}
+      migrations_tag: ${{ needs.builds.outputs.migrations_tag }}
+      frontend_tag: ${{ needs.builds.outputs.frontend_tag }}
       target: ${{ github.event.number }}
       values: values-pr.yaml

charts/quickstart-openshift/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: component
   repository: https://bcgov.github.io/helm-service
-  version: 0.0.12
+  version: 0.0.13
 - name: component
   repository: https://bcgov.github.io/helm-service
-  version: 0.0.12
+  version: 0.0.13
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 13.0.0
 - name: component
   repository: https://bcgov.github.io/helm-service
-  version: 0.0.12
-digest: sha256:317f1d1c1bb8d59d3f3c7eeb2a31d290699bf0247bf335ee2f3e0253e7af6b58
-generated: "2023-10-24T20:40:23.026159341-07:00"
+  version: 0.0.13
+digest: sha256:a5cc2fbfbfa83d24905e056a69ece0cc0992e401b5d37821e0910bd23aa18ffb
+generated: "2023-10-25T14:05:35.9312876-07:00"

charts/quickstart-openshift/Chart.yaml

@@ -27,13 +27,13 @@ appVersion: "1.16.0"
 dependencies:
   - name: component
     condition: backend.enabled
-    version: 0.0.12
+    version: 0.0.13
     repository: https://bcgov.github.io/helm-service
     alias: backend
 
   - name: component
     condition: frontend.enabled
-    version: 0.0.12
+    version: 0.0.13
     repository: https://bcgov.github.io/helm-service
     alias: frontend
 
@@ -46,6 +46,6 @@ dependencies:
 
   - name: component
     condition: backup.enabled
-    version: 0.0.12
+    version: 0.0.13
     repository: https://bcgov.github.io/helm-service
     alias: backup

charts/quickstart-openshift/values.yaml

@@ -327,7 +327,7 @@ bitnami-pg:
   shmVolume:
     enabled: false
   backup:
-    enabled: true
+    enabled: false
     cronjob:
       containerSecurityContext: { }
       podSecurityContext: