-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
closes #165
- Loading branch information
Showing
2 changed files
with
172 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| # git tag prod-build-X -> build docker image | ||
| # git tag prod-deploy-X -> build image & deploy to GKE | ||
| name: 'Production CD' | ||
| on: | ||
| push: | ||
| tags: | ||
| - 'prod-build-*' | ||
| - 'prod-deploy-*' | ||
|
|
||
| env: | ||
| GAR_LOCATION: 'us-west2' | ||
| PROJECT_ID: 'cca-web-0' | ||
| REPOSITORY: 'us-west2-docker.pkg.dev/cca-web-0/docker-web' | ||
| IMAGE: 'libraries' | ||
| SERVICE_ACCOUNT: '[email protected]' | ||
| WORKLOAD_IDENTITY_PROVIDER: projects/681601623218/locations/global/workloadIdentityPools/github/providers/libraries-wagtail | ||
| CLUSTER_LOCATION: 'us-west1-b' | ||
| CLUSTER_NAME: 'ccaedu-prod' | ||
| K8S_NAMESPACE: 'lib-production' | ||
|
|
||
| jobs: | ||
| build: | ||
| name: 'Setup, Build, and Push Docker image to Artifact Registry' | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| # Configure Workload Identity Federation and generate an access token. | ||
| # See https://github.com/google-github-actions/auth for more options, | ||
| # including authenticating via a JSON credentials file. | ||
| - id: auth | ||
| name: Authenticate to Google Cloud | ||
| uses: google-github-actions/[email protected] | ||
| with: | ||
| create_credentials_file: true # Important for Docker auth | ||
| project_id: ${{ env.PROJECT_ID }} | ||
| service_account: ${{ env.SERVICE_ACCOUNT }} | ||
| token_format: access_token # Explicitly request OAuth token | ||
| workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} | ||
|
|
||
| # Configure Docker to use the gcloud credentials | ||
| - name: Set up Cloud SDK | ||
| uses: google-github-actions/[email protected] | ||
|
|
||
| # This step is necessary too, google-github-actions/auth is not enough | ||
| - name: Configure Docker to use GCloud auth | ||
| run: gcloud auth configure-docker ${{ env.GAR_LOCATION }}-docker.pkg.dev | ||
|
|
||
| # Authenticate Docker to Google Cloud Artifact Registry | ||
| - name: Docker Auth | ||
| uses: docker/[email protected] | ||
| with: | ||
| username: oauth2accesstoken | ||
| password: ${{ steps.auth.outputs.auth_token }} | ||
| registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | ||
|
|
||
| # Unique Docker tag like prod-deploy-20-abcd123 | ||
| - name: Generate tags | ||
| id: tag | ||
| run: | | ||
| SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) | ||
| if [ "${{ github.ref_type }}" = "tag" ]; then | ||
| VERSION="${{ github.ref_name }}-${SHORT_SHA}" | ||
| else | ||
| VERSION="${SHORT_SHA}" | ||
| fi | ||
| echo "tag=${VERSION}" >> $GITHUB_OUTPUT | ||
| shell: bash | ||
|
|
||
| # From https://docs.docker.com/build/ci/github-actions/cache/ | ||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Build and push | ||
| uses: docker/[email protected] | ||
| with: | ||
| cache-to: type=inline | ||
| cache-from: type=registry,ref=${{ env.REPOSITORY }}/${{ env.IMAGE}}:latest | ||
| tags: | | ||
| ${{ env.REPOSITORY }}/${{ env.IMAGE}}:latest | ||
| ${{ env.REPOSITORY }}/${{ env.IMAGE}}:${{ steps.tag.outputs.tag }} | ||
| push: true | ||
|
|
||
| deploy: | ||
| needs: build | ||
| if: startsWith(github.ref_name, 'prod-deploy-') | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Set up Google Cloud Auth | ||
| uses: google-github-actions/[email protected] | ||
| with: | ||
| project_id: ${{ env.PROJECT_ID }} | ||
| service_account: ${{ env.SERVICE_ACCOUNT }} | ||
| workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} | ||
|
|
||
| - name: Set up GKE credentials | ||
| uses: google-github-actions/[email protected] | ||
| with: | ||
| cluster_name: ${{ env.CLUSTER_NAME }} | ||
| location: ${{ env.CLUSTER_LOCATION }} | ||
|
|
||
| - name: Determine Docker tag | ||
| id: tag | ||
| run: | | ||
| SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) | ||
| if [ "${{ github.ref_type }}" = "tag" ]; then | ||
| VERSION="${{ github.ref_name }}-${SHORT_SHA}" | ||
| else | ||
| VERSION="${SHORT_SHA}" | ||
| fi | ||
| echo "tag=${VERSION}" >> $GITHUB_OUTPUT | ||
| shell: bash | ||
|
|
||
| - name: Deploy to GKE | ||
| env: | ||
| # see staging.yaml for needed vars, most are derived from namespace | ||
| IMAGE: ${{ env.REPOSITORY }}/${{ env.IMAGE}}:${{ steps.tag.outputs.tag }} | ||
| run: | | ||
| # Ensure namespace exists | ||
| kubectl get namespace ${K8S_NAMESPACE} || kubectl create namespace ${K8S_NAMESPACE} | ||
| # Apply configuration with error checking | ||
| if ! cat kubernetes/staging.yaml | envsubst | kubectl apply -f -; then | ||
| echo "Failed to apply Kubernetes configuration" | ||
| exit 1 | ||
| fi | ||
| # Wait for deployment to roll out | ||
| kubectl rollout status deployment/app --namespace ${K8S_NAMESPACE} --timeout=300s | ||
| - name: Verify deployment | ||
| run: | | ||
| kubectl wait --for=condition=available deployment/app --namespace ${K8S_NAMESPACE} --timeout=60s | ||
| kubectl get pods --namespace ${K8S_NAMESPACE} --selector app=libraries -o jsonpath='{.items[*].status.containerStatuses[*].ready}' | grep -q true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,5 @@ | ||
| # Staging CD: | ||
| # git tag stg-build-X -> build docker image | ||
| # git tag stg-deploy-X -> build image & deploy to GKE | ||
|
|
||
| name: 'Staging CD' | ||
| on: | ||
| push: | ||
|
|
@@ -22,45 +20,45 @@ env: | |
|
|
||
| jobs: | ||
| build: | ||
| name: 'Setup, Build, and Push Docker image to Artifact Registry' | ||
| runs-on: 'ubuntu-latest' | ||
| environment: 'staging' | ||
| name: Setup, Build, and Push Docker image to Artifact Registry | ||
| runs-on: ubuntu-latest | ||
| environment: staging | ||
|
|
||
| permissions: | ||
| contents: 'read' | ||
| id-token: 'write' | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: 'Checkout' | ||
| uses: 'actions/[email protected]' | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| # Configure Workload Identity Federation and generate an access token. | ||
| # See https://github.com/google-github-actions/auth for more options, | ||
| # including authenticating via a JSON credentials file. | ||
| - id: 'auth' | ||
| name: 'Authenticate to Google Cloud' | ||
| uses: 'google-github-actions/[email protected]' | ||
| - id: auth | ||
| name: Authenticate to Google Cloud | ||
| uses: google-github-actions/[email protected] | ||
| with: | ||
| create_credentials_file: true # Important for Docker auth | ||
| project_id: ${{ env.PROJECT_ID }} | ||
| service_account: ${{ env.SERVICE_ACCOUNT }} | ||
| token_format: 'access_token' # Explicitly request OAuth token | ||
| token_format: access_token # Explicitly request OAuth token | ||
| workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} | ||
|
|
||
| # Configure Docker to use the gcloud credentials | ||
| - name: 'Set up Cloud SDK' | ||
| uses: 'google-github-actions/[email protected]' | ||
| - name: Set up Cloud SDK | ||
| uses: google-github-actions/[email protected] | ||
|
|
||
| # This step is necessary too, google-github-actions/auth is not enough | ||
| - name: 'Configure Docker to use GCloud auth' | ||
| - name: Configure Docker to use GCloud auth | ||
| run: gcloud auth configure-docker ${{ env.GAR_LOCATION }}-docker.pkg.dev | ||
|
|
||
| # Authenticate Docker to Google Cloud Artifact Registry | ||
| - name: 'Docker Auth' | ||
| uses: 'docker/[email protected]' | ||
| - name: Docker Auth | ||
| uses: docker/[email protected] | ||
| with: | ||
| username: 'oauth2accesstoken' | ||
| password: '${{ steps.auth.outputs.auth_token }}' | ||
| username: oauth2accesstoken | ||
| password: ${{ steps.auth.outputs.auth_token }} | ||
| registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | ||
|
|
||
| # Unique Docker tag like stg-deploy-20-abcd123 | ||
|
|
@@ -97,11 +95,12 @@ jobs: | |
| environment: staging | ||
|
|
||
| permissions: | ||
| contents: 'read' | ||
| id-token: 'write' | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - uses: actions/[email protected] | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Set up Google Cloud Auth | ||
| uses: google-github-actions/[email protected] | ||
|
|
||