Merge pull request #6 from DataUSA/develop
Change repo devops helm configuration and workflows
nspmx authored Jan 4, 2024
2 parents d9b2485 + 554b91e commit 1c6a327
Showing 15 changed files with 644 additions and 195 deletions.
2 changes: 1 addition & 1 deletion .env
@@ -1,3 +1,3 @@
TESSERACT_BACKEND=clickhouse://<CLICKHOUSE_USER>:<CLICKHOUSE_PASS>@<CLICKHOUSE_DB_IP>:<CLICKHOUSE_DB_PORT>/<CLICKHOUSE_DB_SCHEMA>
TESSERACT_BACKEND=clickhouse://default:[email protected]:9000/bls_db
TESSERACT_SCHEMA=schema
TESSERACT_DEBUG=true
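Review bot: The `TESSERACT_BACKEND=clickhouse://default:...@...:9000/bls_db` line carries a concrete ClickHouse user, password and host (the page render partly obfuscates the `password@host` part as an e-mail address); whichever side of this one-line change it is on, the credential now sits in git history and should be rotated, and `.env` should stop being a tracked file. Both new workflows inject `TESSERACT_BACKEND` from the `secrets.TESSERACT_BACKEND` GitHub secret, so the deployed pods do not need this file; keep only the placeholder form, e.g. rename it to `.env.example` holding `TESSERACT_BACKEND=clickhouse://<CLICKHOUSE_USER>:<CLICKHOUSE_PASS>@<CLICKHOUSE_DB_IP>:<CLICKHOUSE_DB_PORT>/<CLICKHOUSE_DB_SCHEMA>` and add `.env` to `.gitignore`. `TESSERACT_DEBUG=true` as a committed default also deserves a one-line comment if the file is meant for local development only.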
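--- a/.gcloudignore
+++ b/.gcloudignore
@@ -0,0 +1,5 @@
+.git
+dist
+node_modules
+vendor
+*.jar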
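Review bot: `.env`, which this same commit keeps tracked with a ClickHouse connection string, is not in the list, so `gcloud builds submit` in the dev workflow uploads it together with the rest of the tree to the Cloud Build staging bucket (and into the image if the Dockerfile copies the whole context, which is not visible here); add `.env` to this file. Once a `.gcloudignore` exists gcloud no longer consults `.gitignore`, so anything listed only there is now uploaded as well; add `#!include:.gitignore` as the first line to keep both in effect. The `.github` directory is another candidate for exclusion, since nothing in a build needs the workflow definitions.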
135 changes: 135 additions & 0 deletions .github/workflows/google-gke-prod.yaml
@@ -0,0 +1,135 @@
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch
# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled in the project:
#
# Cloud Build cloudbuild.googleapis.com
# Kubernetes Engine API container.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create a service account (if you don't have one) with the following fields:
#
# Service Account Name <PROJECT-NAME>-github-actions
# Service Account ID <PROJECT-NAME>-github-actions
#
# 3. Ensure the service account have the required IAM permissions granted:
#
# Kubernetes Engine Developer
# roles/container.developer (kubernetes engine developer)
#
# Artifact Registry
# roles/artifactregistry.repoAdmin (artifact registry repository administrator)
# roles/artifactregistry.admin (artifact registry administrator)
#
# Service Account
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account)
#
# Basic Roles
# roles/viewer (viewer)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Ensure you have the following GitHub Secrets and Variables:
#
# GitHub Secrets
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
#
# GitHub Variables
# GCP_PROJECT_ID (Google Cloud Project ID)
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name)
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location)
#
# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
#
# GitHub Variables
# GCP_IMAGE_NAME (Docker Image Name)
# GKE_APP_NAME (Google Kubernetes Engine Deployment Name)
# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace)
# GKE_CLUSTER (Google Kubernetes Engine Cluster Name)
# GKE_ZONE (Google Kubernetes Engine Cluster Zone)
#
# Further reading:
# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun
name: "[GCP][PROD] Deploy to GKE via Helm"

on:
workflow_dispatch:
inputs:
release:
description: 'Production Release Name'
required: true
type: string
update_release:
description: 'Check if you are updating the production release name of the latest image'
required: true
type: boolean

env:
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
GKE_ZONE: ${{ vars.GKE_ZONE }}
ACTIONS_ALLOW_UNSECURE_COMMANDS: true

jobs:
deploy:
environment: production
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

# Authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v2'
with:
project_id: '${{ vars.GCP_PROJECT_ID }}'
credentials_json: '${{ secrets.GCP_SA_KEY }}'

# Get google kubernetes engine credentials
- name: Get GKE Credentials
uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}

# Retag latest image
- name: Retag Image to Production Release
if: ${{ inputs.update_release }}
run: |-
gcloud beta artifacts docker tags add \
--quiet \
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ env.GKE_APP_NAMESPACE }} \
${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ inputs.release }}
# Transform GitHub secrets to base64 encoded
- name: Set encoded secret values
run: |
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
# Install Helm chart
- name: Helm install
uses: WyriHaximus/github-action-helm3@v2
with:
exec: |
helm upgrade --install --create-namespace \
--namespace ${{ env.GKE_APP_NAMESPACE }} \
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \
--set app.release=${{ env.GKE_APP_NAMESPACE }} \
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
--set image.tag=${{ inputs.release }} \
--set nameOverride=${{ env.GKE_APP_NAME }} \
--set fullnameOverride=${{ env.GKE_APP_NAME }} \
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
${{ env.GKE_APP_NAME }} --values=./helm/production.yaml ./helm
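Review bot: `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` in the `env:` block re-enables the deprecated `set-env`/`add-path` workflow commands, which GitHub disabled because text printed by a step could rewrite the job environment; nothing in this job uses them (the secret is exported via `$GITHUB_ENV`), so the line should simply be deleted — the same line appears in `.github/workflows/google-registry-gke-dev.yaml`. The `Set encoded secret values` step expands `${{ secrets.TESSERACT_BACKEND }}` straight into the shell script, so a quote or `$(` inside the secret is interpreted by the shell, and the base64 form stored in `ENCODED_TESSERACT_BACKEND` is not covered by GitHub's secret masking and can be echoed verbatim in the `Helm install` step log; pass the secret in through the step's `env:` and mask the derived value, e.g. `ENC=$(printf '%s' "$TESSERACT_BACKEND" | base64 | tr -d '\n')`, `echo "::add-mask::$ENC"`, `echo "ENCODED_TESSERACT_BACKEND=$ENC" >> "$GITHUB_ENV"` (the dev workflow's `deploy` and `update` jobs need the same treatment). `${{ inputs.release }}` is likewise expanded unquoted into the `run:` and `exec:` scripts; route it through `env:` and quote it, and consider pinning the third-party `WyriHaximus/github-action-helm3` action to a commit SHA rather than a moving tag. The header comment is copied from the dev workflow and describes a push-to-`develop`/`#update` trigger this file does not have — it is `workflow_dispatch` with `release` and `update_release` inputs — and unlike the dev workflow there is no `setup-gcloud` step installing the `beta` component that the `Retag Image to Production Release` step invokes, so confirm the runner image provides it or add that step.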
198 changes: 198 additions & 0 deletions .github/workflows/google-registry-gke-dev.yaml
@@ -0,0 +1,198 @@
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch
# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled in the project:
#
# Cloud Build cloudbuild.googleapis.com
# Kubernetes Engine API container.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create a service account (if you don't have one) with the following fields:
#
# Service Account Name <PROJECT-NAME>-github-actions
# Service Account ID <PROJECT-NAME>-github-actions
#
# 3. Ensure the service account have the required IAM permissions granted:
#
# Kubernetes Engine Developer
# roles/container.developer (kubernetes engine developer)
#
# Artifact Registry
# roles/artifactregistry.repoAdmin (artifact registry repository administrator)
# roles/artifactregistry.admin (artifact registry administrator)
#
# Service Account
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account)
#
# Basic Roles
# roles/viewer (viewer)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Ensure you have the following GitHub Secrets and Variables:
#
# GitHub Secrets
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
#
# GitHub Variables
# GCP_PROJECT_ID (Google Cloud Project ID)
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name)
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location)
#
# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
#
# GitHub Variables
# GCP_IMAGE_NAME (Docker Image Name)
# GKE_APP_NAME (Google Kubernetes Engine Deployment Name)
# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace)
# GKE_CLUSTER (Google Kubernetes Engine Cluster Name)
# GKE_ZONE (Google Kubernetes Engine Cluster Zone)
#
# Further reading:
# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun
name: "[GCP][DEV] Build API to Registry and Deploy via Helm"

on:
push:
branches: [ "develop" ]
paths:
- .github/workflows/google-registry-gke-dev.yaml
- helm/development.yaml
- schema/**

env:
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
GKE_ZONE: ${{ vars.GKE_ZONE }}
ACTIONS_ALLOW_UNSECURE_COMMANDS: true

jobs:
build:
environment: development
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '#update') }}
steps:
- name: Checkout
uses: actions/checkout@v3

# Authentication via credentials json
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}

# Install Cloud SDK
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
install_components: beta

# Build image on Google Cloud Artifact Registry
- name: Build Docker Image
run: |-
gcloud builds submit \
--quiet \
--timeout=40m \
--config=cloudbuild.yml \
--substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }}
deploy:
needs: build
environment: development
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

# Authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v2'
with:
project_id: '${{ vars.GCP_PROJECT_ID }}'
credentials_json: '${{ secrets.GCP_SA_KEY }}'

# Get google kubernetes engine credentials
- name: Get GKE Credentials
uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}

# Transform GitHub secrets to base64 encoded
- name: Set encoded secret values
run: |
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
# Install Helm chart
- name: Helm install
uses: WyriHaximus/github-action-helm3@v2
with:
exec: |
helm upgrade --install --create-namespace \
--namespace ${{ env.GKE_APP_NAMESPACE }} \
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \
--set app.release=${{ env.GKE_APP_NAMESPACE }} \
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
--set image.tag=${{ github.sha }} \
--set nameOverride=${{ env.GKE_APP_NAME }} \
--set fullnameOverride=${{ env.GKE_APP_NAME }} \
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm
update:
runs-on: ubuntu-latest
environment: development
if: ${{ contains(github.event.head_commit.message, '#update') }}
steps:
- name: Checkout
uses: actions/checkout@v3

# Authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v2'
with:
project_id: '${{ vars.GCP_PROJECT_ID }}'
credentials_json: '${{ secrets.GCP_SA_KEY }}'

# Get google kubernetes engine credentials
- name: Get GKE Credentials
uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}

# Transform GitHub secrets to base64 encoded
- name: Set encoded secret values
run: |
echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
# Install Helm chart
- name: Helm install
uses: WyriHaximus/github-action-helm3@v2
with:
exec: |
helm upgrade --install --create-namespace \
--namespace ${{ env.GKE_APP_NAMESPACE }} \
--set app.environment=${{ env.GKE_APP_NAMESPACE }} \
--set app.release=${{ env.GKE_APP_NAMESPACE }} \
--set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
--set image.tag=${{ env.GKE_APP_NAMESPACE }} \
--set nameOverride=${{ env.GKE_APP_NAME }} \
--set fullnameOverride=${{ env.GKE_APP_NAME }} \
--set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm
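Review bot: The `paths:` filter runs this workflow only for the workflow file itself, `helm/development.yaml` and `schema/**`, yet the `Build Docker Image` step builds from `cloudbuild.yml` and whatever the Dockerfile copies, so a change to `cloudbuild.yml`, the Dockerfile or any other source never rebuilds the development image; either extend the list or record the intent above it, e.g. `# NOTE: edits to cloudbuild.yml or the Dockerfile do not trigger a rebuild; extend this list if they should`. The `update` job deploys `image.tag=${{ env.GKE_APP_NAMESPACE }}`, a moving tag, whereas `deploy` pins `image.tag=${{ github.sha }}`, so a `#update` commit moves the release from a specific commit to whatever image currently carries the namespace tag; presumably `cloudbuild.yml` applies both tags, but a comment on the `update` job stating that would help the next reader. In the `build` job `project_id` and `credentials_json` use the unquoted `${{ env.… }}` form while the other two jobs use the quoted `'${{ vars.… }}'` form; pick one for all three, and note that `deploy` and `update` repeat the auth, secret-encoding and Helm steps verbatim, which a reusable workflow or composite action would remove.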
