ci(vault): fetch secrets for all environments (#103)

.github/workflows/merge-main.yml

@@ -219,16 +219,17 @@ jobs:
           provision_role_id: ${{ secrets.PROVISION_ROLE_ID }}
           project_name: spar
           app_name: app-spar
+          environment: test
       - name: Import Secrets
         id: import-secrets
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v2
         with:
           url: https://vault-iit.apps.silver.devops.gov.bc.ca
           token: ${{ steps.broker.outputs.vault_token }}
           exportEnv: 'false'
           secrets: |
-            apps/test/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
-            apps/test/spar/app-spar/db_proxy_read_only db_password | VAULT_DB_PASS;
+            apps/data/test/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
+            apps/data/test/spar/app-spar/db_proxy_read_only db_password | VAULT_DB_PASS;
 
       - uses: actions/checkout@v3
       - name: Print NR_SPAR_ORACLE_API_VERSION env
@@ -245,8 +246,8 @@ jobs:
             -p DATABASE_HOST=${{ secrets.DATABASE_HOST }} \
             -p DATABASE_PORT=${{ secrets.DATABASE_PORT }} \
             -p SERVICE_NAME=${{ secrets.SERVICE_NAME }} \
-            -p DATABASE_USER=${{ steps.import-secrets.outputs.VAULT_DB_USER }} \
-            -p DATABASE_PASSWORD=${{ steps.import-secrets.outputs.VAULT_DB_PASS }} \
+            -p DATABASE_USER='${{ steps.import-secrets.outputs.VAULT_DB_USER }}' \
+            -p DATABASE_PASSWORD='${{ steps.import-secrets.outputs.VAULT_DB_PASS }}' \
             -p ALLOWED_ORIGINS=${{ secrets.ALLOWED_ORIGINS }} \
             -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-service-api | oc apply -f -
@@ -418,16 +419,17 @@ jobs:
           provision_role_id: ${{ secrets.PROVISION_ROLE_ID }}
           project_name: spar
           app_name: app-spar
+          environment: production
       - name: Import Secrets
         id: import-secrets
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v2
         with:
           url: https://vault-iit.apps.silver.devops.gov.bc.ca
           token: ${{ steps.broker.outputs.vault_token }}
           exportEnv: 'false'
           secrets: |
-            apps/prod/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
-            apps/prod/spar/app-spar/db_proxy_read_only db_password | VAULT_DB_PASS;
+            apps/data/prod/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
+            apps/data/prod/spar/app-spar/db_proxy_read_only db_password | VAULT_DB_PASS;
 
       - uses: actions/checkout@v3
       - name: Print NR_SPAR_ORACLE_API_VERSION env
@@ -450,8 +452,8 @@ jobs:
             -p DATABASE_HOST=${{ secrets.DATABASE_HOST }} \
             -p DATABASE_PORT=${{ secrets.DATABASE_PORT }} \
             -p SERVICE_NAME=${{ secrets.SERVICE_NAME }} \
-            -p DATABASE_USER=${{ steps.import-secrets.outputs.VAULT_DB_USER }} \
-            -p DATABASE_PASSWORD=${{ steps.import-secrets.outputs.VAULT_DB_PASS }} \
+            -p DATABASE_USER='${{ steps.import-secrets.outputs.VAULT_DB_USER }}' \
+            -p DATABASE_PASSWORD='${{ steps.import-secrets.outputs.VAULT_DB_PASS }}' \
             -p ALLOWED_ORIGINS=${{ secrets.ALLOWED_ORIGINS }} \
             -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.PREV }}-service-api | oc apply -f -

.github/workflows/pr-open.yml

@@ -133,7 +133,7 @@ jobs:
       - name: QualityGate
         run: mvn --no-transfer-progress clean verify package -P all-tests sonar:sonar -Dsonar.projectKey=bcgov_nr-backend-starting-api -Dsonar.coverage.jacoco.xmlReportPaths=target/coverage-reports/merged-test-report/jacoco.xml --file pom.xml
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   # For every commit and pull request
@@ -339,6 +339,26 @@ jobs:
       ZONE: ${{ github.event.number }}
       NR_SPAR_ORACLE_API_VERSION: snapshot-${{ github.event.number }}
     steps:
+      - name: Broker
+        id: broker
+        uses: bcgov-nr/action-vault-broker-approle@v0.0.5
+        with:
+          broker_jwt: ${{ secrets.BROKER_JWT }}
+          provision_role_id: ${{ secrets.PROVISION_ROLE_ID }}
+          project_name: spar
+          app_name: app-spar
+          environment: development
+      - name: Import Secrets
+        id: import-secrets
+        uses: hashicorp/vault-action@v2
+        with:
+          url: https://vault-iit.apps.silver.devops.gov.bc.ca
+          token: ${{ steps.broker.outputs.vault_token }}
+          exportEnv: 'false'
+          secrets: |
+            apps/data/dev/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
+            apps/data/dev/spar/app-spar/db_proxy_read_only db_password | VAULT_DB_PASS;
+
       - uses: actions/checkout@v3
       - name: Deploy
         run: |
@@ -361,8 +381,8 @@ jobs:
             -p DATABASE_HOST=${{ secrets.DATABASE_HOST }} \
             -p DATABASE_PORT=${{ secrets.DATABASE_PORT }} \
             -p SERVICE_NAME=${{ secrets.SERVICE_NAME }} \
-            -p DATABASE_USER=${{ secrets.DATABASE_USER }} \
-            -p DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }} \
+            -p DATABASE_USER='${{ steps.import-secrets.outputs.VAULT_DB_USER }}' \
+            -p DATABASE_PASSWORD='${{ steps.import-secrets.outputs.VAULT_DB_PASS }}' \
             -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-service-api | oc apply -f -
 
@@ -415,4 +435,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: API test report
-          path: testArtifacts 
+          path: testArtifacts