Update Dockerfile #637
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| name: AKS - Build, Scan and Deploy | |
| jobs: | |
| build-and-deploy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # checkout the repo | |
| - name: 'Checkout GitHub Action' | |
| uses: actions/checkout@main | |
| - name: 'Login via Azure CLI' | |
| uses: azure/login@v1 | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS }} | |
| - name: 'Log in Docker' | |
| uses: azure/docker-login@v1 | |
| with: | |
| login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }} | |
| username: ${{ secrets.REGISTRY_USERNAME }} | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| - name: 'Build Image' | |
| run: | | |
| docker build . -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }} | |
| - name: Prisma Cloud image scan | |
| id: scan | |
| uses: PaloAltoNetworks/prisma-cloud-scan@v1 | |
| with: | |
| pcc_console_url: ${{ secrets.PCC_CONSOLE_URL }} | |
| pcc_user: ${{ secrets.PCC_USER }} | |
| pcc_pass: ${{ secrets.PCC_PASS }} | |
| image_name: ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }} | |
| - name: 'Push image' | |
| run: | | |
| docker push ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }} | |
| - name: Set up kubelogin for non-interactive login | |
| run: | | |
| curl -LO https://github.com/Azure/kubelogin/releases/download/v0.0.20/kubelogin-linux-amd64.zip | |
| sudo unzip -j kubelogin-linux-amd64.zip -d /usr/local/bin | |
| rm -f kubelogin-linux-amd64.zip | |
| kubelogin --version | |
| - name: Set AKS context | |
| id: set-context | |
| uses: azure/aks-set-context@v3 | |
| with: | |
| resource-group: '${{ secrets.resource_group }}' | |
| cluster-name: '${{ secrets.cluster_name }}' | |
| admin: 'false' | |
| use-kubelogin: 'true' | |
| - name: Setup kubectl | |
| id: install-kubectl | |
| uses: azure/setup-kubectl@v3 | |
| - name: Update Registry URL | |
| run: | | |
| sed -i.bak 's/pcgithub.azurecr.io/${{ secrets.REGISTRY_LOGIN_SERVER }}/' aks-deployment.yml | |
| - name: Set up deployment environment variables | |
| run: | | |
| kustomize create --resources aks-deployment.yml,aks-serviceaccount.yaml | |
| kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env","value":[{"name":"BLOB_ENDPOINT","value":"'"${{secrets.BLOB_ENDPOINT}}"'"},{"name":"CONTAINER_NAME","value":"'"${{secrets.CONTAINER_NAME}}"'"}]}]' --group apps | |
| if [ -n "${{ secrets.AWI_CLIENTID }}" ] | |
| then | |
| kustomize edit add patch --kind ServiceAccount --patch '[{"op":"add","path":"/metadata/annotations","value":{"azure.workload.identity/client-id":"'"${{secrets.AWI_CLIENTID}}"'"}}]' | |
| kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/serviceAccountName","value":"workload-identity-sa"}]' --group apps | |
| fi | |
| kustomize build . -o aks-deployment-kustomized.yml | |
| - name: Deploy to AKS | |
| id: deploy-aks | |
| uses: Azure/k8s-deploy@v4 | |
| with: | |
| namespace: 'default' | |
| manifests: | | |
| aks-deployment-kustomized.yml | |
| images: '${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}' | |
| annotate-namespace: 'false' |