configure-kingdom.yml
# Copyright 2023 The Cross-Media Measurement Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: "Configure Kingdom"

# The workflow can be invoked from another workflow (workflow_call) or started
# by hand (workflow_dispatch). Both triggers take the same three inputs.
on:
  workflow_call:
    inputs:
      # Free-form string here; the manual trigger below restricts the same
      # input to a fixed list of choices.
      environment:
        required: true
        type: string
      image-tag:
        description: "Tag of container images"
        required: true
        type: string
      # Callers must state explicitly whether the configuration is applied.
      apply:
        description: "Apply the new configuration"
        required: true
        type: boolean
  workflow_dispatch:
    inputs:
      # Manual runs can only select an environment from this list.
      environment:
        type: choice
        required: true
        options:
          - dev
      image-tag:
        description: "Tag of container images"
        required: true
        type: string
      # Defaults to false, so a manual run leaves the steps gated on this
      # input skipped unless it is switched on.
      apply:
        description: "Apply the new configuration"
        default: false
        type: boolean
# Only the OIDC token permission is requested; the Google Cloud authentication
# step authenticates through a workload identity provider. Because the
# permissions are listed explicitly, every GITHUB_TOKEN scope not named here
# is set to none.
permissions:
  id-token: write

env:
  # Relative directory that the Kustomization and secret-file archives are
  # extracted into, and that the kubectl steps read from.
  KUSTOMIZATION_PATH: "k8s/cmms"
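# Single job: build the Kingdom Kustomization with Bazel, show the diff
# against the `kingdom` GKE cluster and, when `apply` is set, apply it and
# wait for the deployments to roll out.
jobs:
  update-kingdom:
    # NOTE(review): GitHub has retired the hosted ubuntu-20.04 runner image;
    # confirm this label still resolves to a runner.
    runs-on: ubuntu-20.04
    # Deployment environment named by the caller. The workflow_call trigger
    # accepts any string here, so environment protection rules are the
    # control on which environment a caller may select.
    environment: ${{ inputs.environment }}
    steps:
      # NOTE(review): actions/checkout, google-github-actions/auth and
      # google-github-actions/get-gke-credentials are referenced by mutable
      # version tags. Pinning each to a full commit SHA keeps a retagged
      # release from running with this job's cloud credentials.
      - uses: actions/checkout@v3

      # Authenticate to Google Cloud. This will export some environment
      # variables, including GCLOUD_PROJECT.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}

      # The inputs reach the script through env rather than being expanded
      # into the script text, so they cannot alter the shell commands. The
      # image tag is still written inside a quoted bazelrc option, so it is
      # checked against the container image tag grammar first; a quote or
      # newline in it would otherwise add options to ~/.bazelrc.
      - name: Write ~/.bazelrc
        env:
          IMAGE_TAG: ${{ inputs.image-tag }}
          SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
        run: |
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$IMAGE_TAG" =~ $tag_re ]]; then
            echo "::error::image-tag is not a valid container image tag"
            exit 1
          fi
          cat << EOF > ~/.bazelrc
          common --config=ci
          common --config=ghcr
          build --define "image_tag=$IMAGE_TAG"
          build --define "google_cloud_project=$GCLOUD_PROJECT"
          build --define "spanner_instance=$SPANNER_INSTANCE"
          EOF

      # Make the Bazel output directory available to later steps.
      # $GITHUB_ENV is quoted so the redirect target is a single word.
      - name: Export BAZEL_BIN
        run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> "$GITHUB_ENV"

      - name: Get GKE cluster credentials
        uses: google-github-actions/get-gke-credentials@v1
        with:
          cluster_name: kingdom
          location: ${{ vars.GCLOUD_ZONE }}

      # Local action; only runs when the configuration is being applied.
      - name: Configure metrics
        uses: ./.github/actions/configure-metrics
        if: ${{ inputs.apply }}

      - name: Generate archives
        run: >
          bazelisk build
          //src/main/k8s/dev:kingdom.tar
          //src/main/k8s/testing/secretfiles:archive

      - name: Make Kustomization dir
        run: mkdir -p "$KUSTOMIZATION_PATH"

      - name: Extract Kustomization archive
        run: >
          tar -xf "$BAZEL_BIN/src/main/k8s/dev/kingdom.tar"
          -C "$KUSTOMIZATION_PATH"

      # NOTE(review): the secret files come from the `testing` tree and the
      # paths are fixed to `dev`, while the `environment` input is free-form
      # for workflow_call. Confirm callers never point this job at an
      # environment where testing secret material must not be deployed.
      - name: Extract secret files archive
        run: >
          tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar"
          -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom_secret"

      # Write map from configuration variable. Since it appears that GitHub
      # configuration variables use DOS (CRLF) line endings, we convert these
      # to Unix (LF) line endings. printf is used instead of echo so that a
      # value beginning with an echo option such as -n is written verbatim.
      - name: Write AKID to principal map
        env:
          AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }}
        run: >
          printf '%s\n' "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' >
          "$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto"

      # Run kubectl diff, treating the command as succeeded even if the exit
      # code is 1 as kubectl uses this code to indicate there's a diff. Any
      # other non-zero exit code still fails the step.
      - name: kubectl diff
        id: kubectl-diff
        run: kubectl diff -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom" || (( $? == 1 ))

      - name: kubectl apply
        if: ${{ inputs.apply }}
        run: kubectl apply -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom"

      # The deployment list is captured in a variable first: a failing
      # `kubectl get` inside the `for ... in $(...)` word list would leave the
      # loop with nothing to iterate over and the step would pass without
      # checking any rollout.
      - name: Wait for rollout
        if: ${{ inputs.apply }}
        run: |
          deployments="$(kubectl get deployments -o name)"
          for deployment in $deployments; do
            kubectl rollout status "$deployment" --timeout=5m
          done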