feat: roll init into database (#1422)

.github/workflows/merge.yml

@@ -19,11 +19,8 @@ jobs:
       issues: write
     strategy:
       matrix:
-        name: [init, database, backend, frontend]
+        name: [database, backend, frontend]
         include:
-          - name: init
-            file: common/openshift.init.yml
-            overwrite: false
           - name: database
             file: database/openshift.deploy.yml
             overwrite: false
@@ -139,11 +136,8 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        name: [init, database, backend, frontend]
+        name: [database, backend, frontend]
         include:
-          - name: init
-            file: common/openshift.init.yml
-            overwrite: false
           - name: database
             file: database/openshift.deploy.yml
             overwrite: false

.github/workflows/pr-open.yml

@@ -81,11 +81,8 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        name: [init, database, backend, frontend]
+        name: [database, backend, frontend]
         include:
-          - name: init
-            file: common/openshift.init.yml
-            overwrite: false
           - name: database
             file: database/openshift.deploy.yml
             overwrite: false

README.md

@@ -70,7 +70,7 @@ Runs on pull request submission.
 - Deployment includes curl checks and optional penetration tests
 - Other checks and updates as required
 
-![](common/graphics/pr-open.png)
+![](.graphics/pr-open.png)
 
 ## Pull Request Closed
 
@@ -79,7 +79,7 @@ Runs on pull request close or merge.
 - Cleans up OpenShift objects/artifacts
 - Merge promotes successful build images to TEST
 
-![](common/graphics/pr-close.png)
+![](.graphics/pr-close.png)
 
 ## Merge to Main
 
@@ -93,7 +93,7 @@ Runs on merge to main branch.
 
 \* excludes database changes
 
-![](common/graphics/merge-main.png)
+![](.graphics/merge-main.png)
 
 ## Unit Tests
 
@@ -102,7 +102,7 @@ Runs on pull request submission or merge to main.
 - Unit tests (should include coverage)
 - Optionally, report results to Sonarcloud
 
-![](common/graphics/unit-tests.png)
+![](.graphics/unit-tests.png)
 
 
 # Starter Application
@@ -150,7 +150,7 @@ Create a new repository using this repository as a template.
 * Check Codecov | Code Coverage to grant access
 * Jira cannot be unchecked (I try every time!)
 
-![](./common/graphics/template.png)
+![](./.graphics/template.png)
 
 
 ## GitHub Secrets, Variables and Environments
@@ -293,7 +293,7 @@ This is required to prevent direct pushes and merges to the default branch.  The
     * `[check] Require conversation resolution before merging`
     * `[check] Include administrators` (optional)
 
-![](./common/graphics/branch-protection.png)
+![](./.graphics/branch-protection.png)
 
 ### Adding Team Members
 

database/openshift.deploy.yml

@@ -24,6 +24,16 @@ parameters:
   - name: REGISTRY
     description: Container registry to import from (internal is image-registry.openshift-image-registry.svc:5000)
     value: ghcr.io
+  - name: PROMOTE
+    description: Image (namespace/name:tag) to promote/import
+    required: true
+  - name: PG_DATABASE
+    description: Postgres database name
+    value: database
+  - name: DB_PASSWORD
+    description: Password for the PostgreSQL connection user.
+    from: "[a-zA-Z0-9]{16}"
+    generate: expression
   ### Backup-Container starts here ###
   - name: BACKUP_COMPONENT
     description: BACKUP_COMPONENT name
@@ -78,10 +88,45 @@ parameters:
     description: Random number, 0-60, for scheduling cronjobs
     from: "[0-5]{1}[0-9]{1}"
     generate: expression
-  - name: PROMOTE
-    description: Image (namespace/name:tag) to promote/import
-    required: true
 objects:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: "${NAME}-${ZONE}-${PG_DATABASE}"
+      labels:
+        app: "${NAME}-${ZONE}"
+    stringData:
+      database-name: "${NAME}"
+      database-password: "${DB_PASSWORD}"
+      database-user: "${NAME}"
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-from-openshift-ingress
+      labels:
+        template: openshift-test
+    spec:
+      podSelector: {}
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+      policyTypes:
+        - Ingress
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-same-namespace
+      labels:
+        template: quickstart-network-security-policy
+    spec:
+      podSelector: {}
+      ingress:
+        - from:
+            - podSelector: {}
+      policyTypes:
+        - Ingress
   - kind: PersistentVolumeClaim
     apiVersion: v1
     metadata: