generated from Datawheel/template-tesseract-api
-
Notifications
You must be signed in to change notification settings - Fork 0
135 lines (127 loc) · 6.25 KB
/
google-gke-prod.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch
# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled in the project:
#
# Cloud Build cloudbuild.googleapis.com
# Kubernetes Engine API container.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create a service account (if you don't have one) with the following fields:
#
# Service Account Name <PROJECT-NAME>-github-actions
# Service Account ID <PROJECT-NAME>-github-actions
#
# 3. Ensure the service account have the required IAM permissions granted:
#
# Kubernetes Engine Developer
# roles/container.developer (kubernetes engine developer)
#
# Artifact Registry
# roles/artifactregistry.repoAdmin (artifact registry repository administrator)
# roles/artifactregistry.admin (artifact registry administrator)
#
# Service Account
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account)
#
# Basic Roles
# roles/viewer (viewer)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Ensure you have the following GitHub Secrets and Variables:
#
# GitHub Secrets
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
#
# GitHub Variables
# GCP_PROJECT_ID (Google Cloud Project ID)
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name)
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location)
#
# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
#
# GitHub Variables
# GCP_IMAGE_NAME (Docker Image Name)
# GKE_APP_NAME (Google Kubernetes Engine Deployment Name)
# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace)
# GKE_CLUSTER (Google Kubernetes Engine Cluster Name)
# GKE_ZONE (Google Kubernetes Engine Cluster Zone)
#
# Further reading:
# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun
name: "[GCP][PROD] Deploy to GKE via Helm"
on:
workflow_dispatch:
inputs:
release:
description: 'Production Release Name'
required: true
type: string
update_release:
description: 'Check if you are updating the production release name of the latest image'
required: true
type: boolean
env:
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
GKE_ZONE: ${{ vars.GKE_ZONE }}
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
deploy:
environment: production
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# Authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v2'
with:
project_id: '${{ vars.GCP_PROJECT_ID }}'
credentials_json: '${{ secrets.GCP_SA_KEY }}'
# Get google kubernetes engine credentials
- name: Get GKE Credentials
uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}
# Retag latest image
- name: Retag Image to Production Release
if: ${{ inputs.update_release }}
run: |-
gcloud beta artifacts docker tags add \
--quiet \
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ env.GKE_APP_NAMESPACE }} \
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ inputs.release }}
# Transform GitHub secrets to base64 encoded
- name: Set encoded secret values
run: |
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
# Install Helm chart
- name: Helm install
uses: WyriHaximus/github-action-helm3@v2
with:
exec: |
helm upgrade --install --create-namespace \
--namespace ${{ env.GKE_APP_NAMESPACE }} \
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \
--set app.release=${{ env.GKE_APP_NAMESPACE }} \
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
--set image.tag=${{ inputs.release }} \
--set nameOverride=${{ env.GKE_APP_NAME }} \
--set fullnameOverride=${{ env.GKE_APP_NAME }} \
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
${{ env.GKE_APP_NAME }} --values=./helm/production.yaml ./helm