Merge pull request #6 from DataUSA/develop
Change repo devops helm configuration and workflows
Showing
15 changed files
with
644 additions
and
195 deletions.
@@ -1,3 +1,3 @@ | ||
TESSERACT_BACKEND=clickhouse://<CLICKHOUSE_USER>:<CLICKHOUSE_PASS>@<CLICKHOUSE_DB_IP>:<CLICKHOUSE_DB_PORT>/<CLICKHOUSE_DB_SCHEMA> | ||
TESSERACT_BACKEND=clickhouse://default:[email protected]:9000/bls_db | ||
TESSERACT_SCHEMA=schema | ||
TESSERACT_DEBUG=true |
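Review bot: The `TESSERACT_BACKEND` line in this dotenv file now carries a concrete ClickHouse connection string — user `default`, a password segment (redacted in this rendering), a host, port `9000` and database `bls_db` — in place of the `<CLICKHOUSE_USER>:<CLICKHOUSE_PASS>@<CLICKHOUSE_DB_IP>:<CLICKHOUSE_DB_PORT>/<CLICKHOUSE_DB_SCHEMA>` placeholders, assuming the print order here is old-then-new. A committed env file should keep the placeholders; the live value is already consumed from the `TESSERACT_BACKEND` GitHub secret by the workflows in this same commit, so nothing needs it in the repository. If the password segment was ever a working credential it is now in git history regardless of later commits and should be rotated. Suggested line: `TESSERACT_BACKEND=clickhouse://<CLICKHOUSE_USER>:<CLICKHOUSE_PASS>@<CLICKHOUSE_DB_IP>:<CLICKHOUSE_DB_PORT>/<CLICKHOUSE_DB_SCHEMA>`.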
@@ -0,0 +1,5 @@ | ||
.git | ||
dist | ||
node_modules | ||
vendor | ||
*.jar |
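Review bot: This new ignore list (`.git`, `dist`, `node_modules`, `vendor`, `*.jar`) does not exclude dotenv files, so if it is the `.gcloudignore`/`.dockerignore` that bounds the source upload for the `gcloud builds submit` step in the development workflow, the `.env`-style file changed in this same commit — which holds a `TESSERACT_BACKEND` connection string — travels into the Cloud Build workspace and can be copied into the image. Add `.env` and `.env.*` to the list; the workflows inject `TESSERACT_BACKEND` through Helm at deploy time, so the image has no need for the file. Whether this file is actually consulted by that build step cannot be confirmed from the page, since the file name is not shown here.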
@@ -0,0 +1,135 @@ | ||
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch | ||
# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image | ||
# | ||
# To configure this workflow: | ||
# | ||
# 1. Ensure the required Google Cloud APIs are enabled in the project: | ||
# | ||
# Cloud Build cloudbuild.googleapis.com | ||
# Kubernetes Engine API container.googleapis.com | ||
# Artifact Registry artifactregistry.googleapis.com | ||
# | ||
# 2. Create a service account (if you don't have one) with the following fields: | ||
# | ||
# Service Account Name <PROJECT-NAME>-github-actions | ||
# Service Account ID <PROJECT-NAME>-github-actions | ||
# | ||
# 3. Ensure the service account have the required IAM permissions granted: | ||
# | ||
# Kubernetes Engine Developer | ||
# roles/container.developer (kubernetes engine developer) | ||
# | ||
# Artifact Registry | ||
# roles/artifactregistry.repoAdmin (artifact registry repository administrator) | ||
# roles/artifactregistry.admin (artifact registry administrator) | ||
# | ||
# Service Account | ||
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) | ||
# | ||
# Basic Roles | ||
# roles/viewer (viewer) | ||
# | ||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles | ||
# | ||
# 4. Ensure you have the following GitHub Secrets and Variables: | ||
# | ||
# GitHub Secrets | ||
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets | ||
# | ||
# GitHub Variables | ||
# GCP_PROJECT_ID (Google Cloud Project ID) | ||
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) | ||
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) | ||
# | ||
# 5. Ensure you have the following GitHub Variables for each environment that you will set up: | ||
# | ||
# GitHub Variables | ||
# GCP_IMAGE_NAME (Docker Image Name) | ||
# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) | ||
# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) | ||
# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) | ||
# GKE_ZONE (Google Kubernetes Engine Cluster Zone) | ||
# | ||
# Further reading: | ||
# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer | ||
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles | ||
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry | ||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege | ||
# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun | ||
name: "[GCP][PROD] Deploy to GKE via Helm" | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
release: | ||
description: 'Production Release Name' | ||
required: true | ||
type: string | ||
update_release: | ||
description: 'Check if you are updating the production release name of the latest image' | ||
required: true | ||
type: boolean | ||
|
||
env: | ||
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} | ||
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} | ||
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} | ||
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} | ||
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} | ||
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} | ||
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} | ||
GKE_ZONE: ${{ vars.GKE_ZONE }} | ||
ACTIONS_ALLOW_UNSECURE_COMMANDS: true | ||
|
||
jobs: | ||
deploy: | ||
environment: production | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
# Authentication via credentials json | ||
- name: Google Auth | ||
id: auth | ||
uses: 'google-github-actions/auth@v2' | ||
with: | ||
project_id: '${{ vars.GCP_PROJECT_ID }}' | ||
credentials_json: '${{ secrets.GCP_SA_KEY }}' | ||
|
||
# Get google kubernetes engine credentials | ||
- name: Get GKE Credentials | ||
uses: google-github-actions/get-gke-credentials@v2 | ||
with: | ||
cluster_name: ${{ env.GKE_CLUSTER }} | ||
location: ${{ env.GKE_ZONE }} | ||
|
||
# Retag latest image | ||
- name: Retag Image to Production Release | ||
if: ${{ inputs.update_release }} | ||
run: |- | ||
gcloud beta artifacts docker tags add \ | ||
--quiet \ | ||
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ env.GKE_APP_NAMESPACE }} \ | ||
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ inputs.release }} | ||
# Transform GitHub secrets to base64 encoded | ||
- name: Set encoded secret values | ||
run: | | ||
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV | ||
# Install Helm chart | ||
- name: Helm install | ||
uses: WyriHaximus/github-action-helm3@v2 | ||
with: | ||
exec: | | ||
helm upgrade --install --create-namespace \ | ||
--namespace ${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.release=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ | ||
--set image.tag=${{ inputs.release }} \ | ||
--set nameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set fullnameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ | ||
${{ env.GKE_APP_NAME }} --values=./helm/production.yaml ./helm |
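Review bot: In the "Set encoded secret values" step, `${{ secrets.TESSERACT_BACKEND }}` is expanded into the script text before bash runs it, so a connection string containing `"`, `$(` or a backtick breaks or executes the step, and the base64 form written to `$GITHUB_ENV` is a derived value that GitHub's log masking does not recognise, so any later step that dumps its environment (or runs helm with `--debug`) prints the secret in the clear; pass the secret through `env:` and mask the derived value as shown below. `inputs.release` is interpolated into the `run:` scripts of the retag and Helm steps the same way and should also reach the shell via `env:`. `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` re-enables the deprecated `set-env`/`add-path` workflow commands that GitHub disabled for security, and nothing in this workflow uses them (it already writes to `$GITHUB_ENV`), so drop that line. The header comment describes a push-to-`develop` trigger and the `#update` commit convention copied from the development workflow, but this file is `workflow_dispatch`-only, so the first two comment lines should be rewritten to describe the release input and the `update_release` retag path. The same encoding step appears verbatim in the `deploy` and `update` jobs of the development workflow in this commit.
```yaml
      - name: Set encoded secret values
        env:
          TESSERACT_BACKEND: ${{ secrets.TESSERACT_BACKEND }}
        run: |
          encoded="$(printf '%s' "$TESSERACT_BACKEND" | base64 | tr -d '\n')"
          echo "::add-mask::$encoded"
          echo "ENCODED_TESSERACT_BACKEND=$encoded" >> "$GITHUB_ENV"
      # … unchanged: Helm install step …
```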
@@ -0,0 +1,198 @@ | ||
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch | ||
# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image | ||
# | ||
# To configure this workflow: | ||
# | ||
# 1. Ensure the required Google Cloud APIs are enabled in the project: | ||
# | ||
# Cloud Build cloudbuild.googleapis.com | ||
# Kubernetes Engine API container.googleapis.com | ||
# Artifact Registry artifactregistry.googleapis.com | ||
# | ||
# 2. Create a service account (if you don't have one) with the following fields: | ||
# | ||
# Service Account Name <PROJECT-NAME>-github-actions | ||
# Service Account ID <PROJECT-NAME>-github-actions | ||
# | ||
# 3. Ensure the service account have the required IAM permissions granted: | ||
# | ||
# Kubernetes Engine Developer | ||
# roles/container.developer (kubernetes engine developer) | ||
# | ||
# Artifact Registry | ||
# roles/artifactregistry.repoAdmin (artifact registry repository administrator) | ||
# roles/artifactregistry.admin (artifact registry administrator) | ||
# | ||
# Service Account | ||
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) | ||
# | ||
# Basic Roles | ||
# roles/viewer (viewer) | ||
# | ||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles | ||
# | ||
# 4. Ensure you have the following GitHub Secrets and Variables: | ||
# | ||
# GitHub Secrets | ||
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets | ||
# | ||
# GitHub Variables | ||
# GCP_PROJECT_ID (Google Cloud Project ID) | ||
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) | ||
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) | ||
# | ||
# 5. Ensure you have the following GitHub Variables for each environment that you will set up: | ||
# | ||
# GitHub Variables | ||
# GCP_IMAGE_NAME (Docker Image Name) | ||
# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) | ||
# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) | ||
# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) | ||
# GKE_ZONE (Google Kubernetes Engine Cluster Zone) | ||
# | ||
# Further reading: | ||
# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer | ||
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles | ||
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry | ||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege | ||
# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun | ||
name: "[GCP][DEV] Build API to Registry and Deploy via Helm" | ||
|
||
on: | ||
push: | ||
branches: [ "develop" ] | ||
paths: | ||
- .github/workflows/google-registry-gke-dev.yaml | ||
- helm/development.yaml | ||
- schema/** | ||
|
||
env: | ||
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} | ||
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} | ||
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} | ||
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} | ||
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} | ||
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} | ||
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} | ||
GKE_ZONE: ${{ vars.GKE_ZONE }} | ||
ACTIONS_ALLOW_UNSECURE_COMMANDS: true | ||
|
||
jobs: | ||
build: | ||
environment: development | ||
runs-on: ubuntu-latest | ||
if: ${{ !contains(github.event.head_commit.message, '#update') }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
# Authentication via credentials json | ||
- name: Google Auth | ||
id: auth | ||
uses: google-github-actions/auth@v2 | ||
with: | ||
project_id: ${{ env.GCP_PROJECT_ID }} | ||
credentials_json: ${{ secrets.GCP_SA_KEY }} | ||
|
||
# Install Cloud SDK | ||
- name: Set up Cloud SDK | ||
uses: google-github-actions/setup-gcloud@v1 | ||
with: | ||
install_components: beta | ||
|
||
# Build image on Google Cloud Artifact Registry | ||
- name: Build Docker Image | ||
run: |- | ||
gcloud builds submit \ | ||
--quiet \ | ||
--timeout=40m \ | ||
--config=cloudbuild.yml \ | ||
--substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }} | ||
deploy: | ||
needs: build | ||
environment: development | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
# Authentication via credentials json | ||
- name: Google Auth | ||
id: auth | ||
uses: 'google-github-actions/auth@v2' | ||
with: | ||
project_id: '${{ vars.GCP_PROJECT_ID }}' | ||
credentials_json: '${{ secrets.GCP_SA_KEY }}' | ||
|
||
# Get google kubernetes engine credentials | ||
- name: Get GKE Credentials | ||
uses: google-github-actions/get-gke-credentials@v2 | ||
with: | ||
cluster_name: ${{ env.GKE_CLUSTER }} | ||
location: ${{ env.GKE_ZONE }} | ||
|
||
# Transform GitHub secrets to base64 encoded | ||
- name: Set encoded secret values | ||
run: | | ||
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV | ||
# Install Helm chart | ||
- name: Helm install | ||
uses: WyriHaximus/github-action-helm3@v2 | ||
with: | ||
exec: | | ||
helm upgrade --install --create-namespace \ | ||
--namespace ${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.release=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ | ||
--set image.tag=${{ github.sha }} \ | ||
--set nameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set fullnameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ | ||
${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm | ||
update: | ||
runs-on: ubuntu-latest | ||
environment: development | ||
if: ${{ contains(github.event.head_commit.message, '#update') }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
# Authentication via credentials json | ||
- name: Google Auth | ||
id: auth | ||
uses: 'google-github-actions/auth@v2' | ||
with: | ||
project_id: '${{ vars.GCP_PROJECT_ID }}' | ||
credentials_json: '${{ secrets.GCP_SA_KEY }}' | ||
|
||
# Get google kubernetes engine credentials | ||
- name: Get GKE Credentials | ||
uses: google-github-actions/get-gke-credentials@v2 | ||
with: | ||
cluster_name: ${{ env.GKE_CLUSTER }} | ||
location: ${{ env.GKE_ZONE }} | ||
|
||
# Transform GitHub secrets to base64 encoded | ||
- name: Set encoded secret values | ||
run: | | ||
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV | ||
# Install Helm chart | ||
- name: Helm install | ||
uses: WyriHaximus/github-action-helm3@v2 | ||
with: | ||
exec: | | ||
helm upgrade --install --create-namespace \ | ||
--namespace ${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set app.release=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \ | ||
--set image.tag=${{ env.GKE_APP_NAMESPACE }} \ | ||
--set nameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set fullnameOverride=${{ env.GKE_APP_NAME }} \ | ||
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \ | ||
${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm |
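Review bot: The `push` trigger's `paths:` filter lists only this workflow file, `helm/development.yaml` and `schema/**`, so a change to `cloudbuild.yml` — the build definition the `build` job passes with `--config=cloudbuild.yml` — or to the Dockerfile it presumably references never triggers a rebuild; add `- cloudbuild.yml` (and the Dockerfile path, if one exists) to the list. All three `Google Auth` steps authenticate with a long-lived service-account key via `credentials_json: ${{ secrets.GCP_SA_KEY }}`; `google-github-actions/auth@v2` also supports keyless Workload Identity Federation through `workload_identity_provider:` and `service_account:`, which removes the stored key from GitHub and fits the least-privilege note in the header. The `deploy` and `update` jobs here and the `deploy` job in the production workflow are three copies of the same checkout → auth → GKE credentials → encode → `helm upgrade` sequence, differing only in `image.tag` and the values file; a `workflow_call` reusable workflow or a composite action taking `image_tag` and `values_file` inputs would leave one place to maintain. Minor style: `build` writes `${{ env.GCP_PROJECT_ID }}` bare while `deploy` writes `'${{ vars.GCP_PROJECT_ID }}'`, and `setup-gcloud@v1` sits next to `@v2` actions.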