-
Notifications
You must be signed in to change notification settings - Fork 0
158 lines (113 loc) · 5.74 KB
/
actions.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: 'Google Cloud CI/CD Pipeline'
on:
push:
branches:
- main
- "releases/*"
paths-ignore:
- '**/README.md'
- '**/.gitignore'
- 'screenshots/**'
pull_request:
branches:
- main
env:
TF_VERSION: 1.8.1
TF_WORKSPACE: terraform # terraform commands will change dir each time command runs, this is intentional because want to stay in root dir
TF_VAR_region: ${{ vars.GCP_REGION }} # GCP region
TF_VAR_state_bucket: ${{ secrets.GCS_BUCKET_NAME }} # GCS bucket to store terraform state
TF_VAR_project_id: ${{ secrets.PROJECT_ID }} # Google Cloud project ID
TF_VAR_cluster_name: ${{ secrets.PROJECT_ID }}-gke # The GKE cluster name
GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }} # Google Cloud Service Account key
ARTIFACT_REGISTRY_URL: ${{ vars.GCP_REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.ARTIFACT_REGISTRY_REPO_NAME }} # Artifact registry
DOCKER_IMAGE_TAG : ${{ github.sha }} # The docker image will be tagged with trimmed sha of the git commit
jobs:
gcp_ci_cd:
name: 'Build image, create Infra with TF and deploy a web-app to GKE cluster'
runs-on: ubuntu-22.04
defaults:
run:
shell: bash -e {0}
permissions:
contents: 'read'
id-token: 'write'
packages: write # needed to push docker image to gcr.io
steps:
- name: Git Checkout
uses: 'actions/checkout@v4'
- id: "auth"
name: Authenticate current session to Google Cloud
uses: "google-github-actions/auth@v2"
with:
credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"
# # Uncomment the below & comment the credentials_json; if you wish to use Workload Identity Federation for authentications instead of service account
# project_id: ${{ secrets.PROJECT_ID }}
# workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- name: "Set up Google Cloud SDK (gcloud cli)"
uses: "google-github-actions/setup-gcloud@v2"
- name: "Authenticate to GCP Artifact Registry"
run: |
gcloud auth configure-docker ${{ vars.GCP_REGION }}-docker.pkg.dev --quiet
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build and Push Docker Images for voting, result & worker apps.
run: |
services_list="vote worker result"
for service in $services_list
do
docker build --tag ${{ env.ARTIFACT_REGISTRY_URL }}/${service}:${{ env.DOCKER_IMAGE_TAG }} ./src/example-voting-app/${service}
docker push ${{ env.ARTIFACT_REGISTRY_URL }}/${service}:${{ env.DOCKER_IMAGE_TAG }}
docker image inspect ${{ env.ARTIFACT_REGISTRY_URL }}/${service}:${{ env.DOCKER_IMAGE_TAG }}
done
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Terraform init, fmt, validate & Plan
run: |
cd $TF_WORKSPACE
terraform init -backend-config="bucket=${TF_VAR_state_bucket}"
terraform validate
terraform plan
cd -
- name: Terraform Apply
run: terraform -chdir=${{ env.TF_WORKSPACE }} apply -auto-approve
- name: Get Kubernetes Credentials using gcloud cli
# Starting with v1.26, GKE users will need to download and use a separate authentication plugin to generate GKE-specific tokens...
# ... This new binary, gke-gcloud-auth-plugin, uses the Kubernetes Client-go Credential Plugin. See more at: https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
run: |
gcloud components install gke-gcloud-auth-plugin
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
gcloud components update && gcloud container clusters get-credentials ${{ env.TF_VAR_cluster_name }} --zone ${{ vars.GCP_REGION }}
- name: Install and configure kubectl on GKE cluster
run: |
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin/
- name: Replace image paths & tag in Kubernetes manifests to fetch built image from Google Cloud Artifact Registry.
run: |
for file in ./src/example-voting-app/k8s-specs/*sv-depl.yaml
do
envsubst < "$file" > "${file}.out"
mv "${file}.out" "$file"
done
env:
DOCKER_IMAGE_PATH: ${{ env.ARTIFACT_REGISTRY_URL }}
DOCKER_IMAGE_TAG: ${{ env.DOCKER_IMAGE_TAG }}
- name: Create Docker secret to authenticate against Google Cloud Artifact Registry.
run: kubectl create secret docker-registry gcp-ar-cred --docker-server=${{ vars.GCP_REGION }}-docker.pkg.dev --docker-username=_json_key --docker-password="$(cat $GOOGLE_APPLICATION_CREDENTIALS)"
- name: Deploy the sample web-app to GKE
run: kubectl apply -f ./src/example-voting-app/k8s-specs/
# # uncomment to enable detailed Cloud logging and monitoring.
# - name: Enable logging and monitoring on GKE cluster
# run: gcloud container clusters update ${{ env.TF_VAR_cluster_name }} --location=${{ vars.GCP_REGION }} --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM,POD
- name: Sleep & then Terraform Destroy
# set if: always() In testing env, which means it will run even if previous steps fail....
# ...This is usually a good practice to clean up resources even if something goes wrong.
if: always()
run: sleep 30 && terraform -chdir=${{ env.TF_WORKSPACE }} destroy -auto-approve