# Copyright 2023 The Cross-Media Measurement Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: "Configure Duchy"

# Two entry points with the same four inputs:
#   - workflow_call: invoked from another workflow. `environment` and
#     `duchy-name` are free-form strings chosen by the caller, and `apply`
#     must be given explicitly.
#   - workflow_dispatch: manual run. `environment` and `duchy-name` are
#     limited to fixed choices, and `apply` defaults to false, so a manual
#     run is a diff-only dry run unless the box is ticked.
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
      image-tag:
        description: "Tag of container images"
        type: string
        required: true
      duchy-name:
        description: "Name (external ID) of Duchy"
        type: string
        required: true
      apply:
        description: "Apply the new configuration"
        type: boolean
        required: true
  workflow_dispatch:
    inputs:
      environment:
        required: true
        type: choice
        # Only the dev environment is offered for manual runs.
        options:
          - dev
      image-tag:
        description: "Tag of container images"
        type: string
        required: true
      duchy-name:
        description: "Name (external ID) of Duchy"
        type: choice
        # NOTE(review): worker2 is not offered here, although the
        # "Export DUCHY_CERT_ID" step in the job reads WORKER2_DUCHY_CERT_ID;
        # confirm whether worker2 is meant to be configurable manually.
        options:
          - worker1
          - aggregator
        required: true
      apply:
        description: "Apply the new configuration"
        type: boolean
        default: false
# Only the OIDC token scope is granted, which the Workload Identity
# Federation login in the "Authenticate to Google Cloud" step needs. Because
# a `permissions` block is present, every scope not listed (including
# `contents`) is `none` for GITHUB_TOKEN.
# NOTE(review): `contents: read` is not requested. On a public repository
# actions/checkout still works; on a private one it would likely fail.
# Adding it here also requires every caller of this reusable workflow to
# grant at least `contents: read`, so check callers before changing this.
permissions:
  id-token: write

env:
  # Relative to the job workspace; the Kustomization and secret-file archives
  # are extracted under this directory.
  KUSTOMIZATION_PATH: "k8s/cmms"
  # Exposed to every step so shell snippets can build per-Duchy Bazel
  # targets and paths from it.
  DUCHY_NAME: ${{ inputs.duchy-name }}
jobs:
  # Builds the Duchy's Kustomization with Bazel, shows a kubectl diff against
  # the target GKE cluster, and applies it (then waits for rollout) only when
  # `inputs.apply` is true.
  # NOTE(review): no job-level `timeout-minutes` and no `concurrency` group;
  # a hung build or rollout wait holds the runner for the default limit, and
  # two runs for the same Duchy could apply concurrently.
  update-duchy:
    # NOTE(review): ubuntu-20.04 has been retired from GitHub-hosted runners;
    # a current ubuntu-* label is needed for this job to be scheduled.
    runs-on: ubuntu-20.04
    # Binds the run to the caller's deployment environment, so `vars.*` below
    # resolve per environment and any environment protection rules apply.
    environment: ${{ inputs.environment }}
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable major-version tags (@v3, @v2, @v1). Pinning each to a
      # full-length commit SHA (tag kept in a trailing comment) removes the
      # tag-retargeting risk for a workflow that obtains cloud credentials.
      # checkout@v3 also targets the deprecated Node 16 runtime.
      - uses: actions/checkout@v3
      # Authenticate to Google Cloud. This will export some environment
      # variables, including GCLOUD_PROJECT.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
      # The script body is outside this file. Presumably it picks the
      # certificate ID matching DUCHY_NAME from the three variables below and
      # exports it as DUCHY_CERT_ID, which the Bazel steps later read.
      - name: Export DUCHY_CERT_ID
        env:
          AGGREGATOR_DUCHY_CERT_ID: ${{ vars.AGGREGATOR_DUCHY_CERT_ID }}
          WORKER1_DUCHY_CERT_ID: ${{ vars.WORKER1_DUCHY_CERT_ID }}
          WORKER2_DUCHY_CERT_ID: ${{ vars.WORKER2_DUCHY_CERT_ID }}
        run: ./.github/workflows/export-duchy-cert-id.sh
      # Writes a user-level bazelrc. The heredoc delimiter is unquoted, so the
      # $VARS expand when the file is written.
      # NOTE(review): this step is AWS-flavoured (AWS_POSTGRES_HOST,
      # AWS_S3_BUCKET, $AWS_REGION) while the rest of the job targets GKE, and
      # $AWS_REGION is never set in this file, so s3_region and
      # postgres_region expand to empty strings. The "Generate archives" step
      # passes its own --define flags for image_tag,
      # kingdom_system_api_target and duchy_cert_id, so confirm which of
      # these bazelrc defines the GCP build actually consumes.
      - name: Write ~/.bazelrc
        env:
          IMAGE_TAG: ${{ inputs.image-tag }}
          POSTGRES_HOST: ${{ vars.AWS_POSTGRES_HOST }}
          POSTGRES_CRED_SECRET_NAME: ${{ vars.AWS_POSTGRES_CRED_SECRET_NAME }}
          KINGDOM_SYSTEM_API_TARGET: ${{ vars.KINGDOM_SYSTEM_API_TARGET }}
          COMPUTATION_CONTROL_SERVER_EIPS: ${{ vars.AWS_COMPUTATION_CONTROL_SERVER_EIPS }}
          S3_BUCKET: ${{ vars.AWS_S3_BUCKET }}
        run: |
          cat << EOF > ~/.bazelrc
          common --config=ci
          common --config=ghcr
          build --define image_tag=$IMAGE_TAG
          build --define kingdom_system_api_target=$KINGDOM_SYSTEM_API_TARGET
          build --define s3_bucket=$S3_BUCKET
          build --define s3_region=$AWS_REGION
          build --define duchy_cert_id=$DUCHY_CERT_ID
          build --define postgres_host=$POSTGRES_HOST
          build --define postgres_port=5432
          build --define postgres_region=$AWS_REGION
          build --define postgres_credential_secret_name=$POSTGRES_CRED_SECRET_NAME
          build --define computation_control_server_eips=$COMPUTATION_CONTROL_SERVER_EIPS
          EOF
      # Records Bazel's bazel-bin output directory for the tar extraction
      # steps below.
      - name: Export BAZEL_BIN
        run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV
      # Cluster name is derived from the Duchy name, e.g. "worker1-duchy".
      - name: Get GKE cluster credentials
        uses: google-github-actions/get-gke-credentials@v1
        with:
          cluster_name: ${{ format('{0}-duchy', inputs.duchy-name) }}
          location: ${{ vars.GCLOUD_ZONE }}
      # Local action (defined outside this file); runs only when applying.
      - name: Configure metrics
        uses: ./.github/actions/configure-metrics
        if: ${{ inputs.apply }}
      # Builds the per-Duchy Kustomization tarball and the secret-files
      # archive. Inputs reach the command through `env` and double-quoted
      # shell expansions rather than `${{ }}` interpolation into the script
      # text, so a value with shell metacharacters cannot change the command.
      # NOTE(review): the secret-files archive comes from a `testing` package
      # and is unpacked into the Duchy's secret directory below; the dispatch
      # trigger only offers the dev environment, so confirm callers of
      # workflow_call never pass another one.
      - name: Generate archives
        env:
          IMAGE_TAG: ${{ inputs.image-tag }}
          SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
          KINGDOM_SYSTEM_API_TARGET: ${{ vars.KINGDOM_SYSTEM_API_TARGET }}
          STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
        run: >
          bazelisk build
          "//src/main/k8s/dev:${DUCHY_NAME}_duchy.tar"
          //src/main/k8s/testing/secretfiles:archive
          --config ghcr
          --define "image_tag=$IMAGE_TAG"
          --define "google_cloud_project=$GCLOUD_PROJECT"
          --define "spanner_instance=$SPANNER_INSTANCE"
          --define "kingdom_system_api_target=$KINGDOM_SYSTEM_API_TARGET"
          --define "duchy_storage_bucket=$STORAGE_BUCKET"
          --define "duchy_cert_id=$DUCHY_CERT_ID"
      - name: Make Kustomization dir
        run: mkdir -p "$KUSTOMIZATION_PATH"
      # Unpacks the Kustomization tree produced by the build above.
      - name: Extract Kustomization archive
        run: >
          tar -xf "$BAZEL_BIN/src/main/k8s/dev/${DUCHY_NAME}_duchy.tar"
          -C "$KUSTOMIZATION_PATH"
      # The target directory is expected to exist already, i.e. to be part of
      # the Kustomization archive extracted in the previous step.
      - name: Extract secret files archive
        run: >
          tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar"
          -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy_secret"
      # Write map from configuration variable. Since it appears that GitHub
      # configuration variables use DOS (CRLF) line endings, we convert these to
      # Unix (LF) line endings. `$'s/\r$//'` uses bash ANSI-C quoting so sed
      # receives a literal carriage return in the pattern.
      - name: Write AKID to principal map
        env:
          AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }}
        run: >
          echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' >
          "$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto"
      # NOTE(review): DUCHY_NAME is written into a `$GITHUB_ENV` line here.
      # Under workflow_dispatch it is restricted to the choice list, but under
      # workflow_call it is whatever string the caller passes; a value
      # containing a newline would presumably be read as extra env lines.
      # Validating `inputs.duchy-name` against the expected Duchy names at the
      # start of the job would close that gap.
      - name: Export KUSTOMIZE_PATH
        run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy" >> $GITHUB_ENV
      # Run kubectl diff, treating the command as succeeded even if the exit
      # code is 1 as kubectl uses this code to indicate there's a diff.
      # In `a || b`, `$?` inside b is a's status, so any other non-zero code
      # (e.g. a connection or manifest error) still fails the step.
      # The `kubectl-diff` id is not referenced by any step in this file.
      - name: kubectl diff
        id: kubectl-diff
        run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 ))
      - name: kubectl apply
        if: ${{ inputs.apply }}
        run: kubectl apply -k "$KUSTOMIZE_PATH"
      # Waits on every Deployment in the kubeconfig's current namespace, not
      # only those in the Kustomization, so an unrelated stuck rollout also
      # fails this step. Each wait is capped at 5 minutes.
      - name: Wait for rollout
        if: ${{ inputs.apply }}
        run: |
          for deployment in $(kubectl get deployments -o name); do
            kubectl rollout status "$deployment" --timeout=5m
          done