diff --git a/.bazelrc b/.bazelrc index a1fa0ec8656..61a9df8bca2 100644 --- a/.bazelrc +++ b/.bazelrc @@ -17,6 +17,10 @@ test --test_env=TESTCONTAINERS_RYUK_DISABLED # constraints for on images based on Distroless Java. build --@io_bazel_rules_docker//transitions:enable=false +# Configuration for GitHub Container Registry +build:ghcr --define container_registry=ghcr.io +build:ghcr --define image_repo_prefix=world-federation-of-advertisers + # Convenience platform configurations. build:debian-bullseye --platforms=//build/platforms:debian_bullseye build:ubuntu-bionic --platforms=//build/platforms:ubuntu_bionic diff --git a/.github/workflows/configure-duchy.yml b/.github/workflows/configure-duchy.yml index 264e62b2c13..0d2a55374d5 100644 --- a/.github/workflows/configure-duchy.yml +++ b/.github/workflows/configure-duchy.yml 
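Review bot: The new `build:ghcr` config hard-codes `image_repo_prefix=world-federation-of-advertisers`, while the push workflow in this same change tags images with `image_repo_prefix=$GITHUB_REPOSITORY_OWNER`. In a fork, or after an org rename, the configure-* workflows would therefore resolve images from a namespace that the push job did not write to, which is exactly the kind of drift that lets a deployment pull something other than what CI built. Either derive both values from the same source, or at minimum add a comment next to the define: `# Must match the image_repo_prefix used by create-cmm-images.yml (GITHUB_REPOSITORY_OWNER).`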
@@ -16,69 +16,136 @@ name: "Configure Duchy" on: workflow_call: + inputs: + environment: + type: string + required: true + image-tag: + description: "Tag of container images" + type: string + required: true + duchy-name: + description: "Name (external ID) of Duchy" + type: string + required: true + duchy-cert-id: + description: "ID of the Duchy certificate" + type: string + required: true + apply: + description: "Apply the new configuration" + type: boolean + default: true workflow_dispatch: inputs: - image_tag: - description: "Image tag needed for configuration" + environment: + required: true + type: choice + options: + - dev + image-tag: + description: "Tag of container images" type: string required: true - duchy_name: - description: "The name of the Duchy to build" + duchy-name: + description: "Name (external ID) of Duchy" + type: choice + options: + - worker1 + - worker2 + - aggregator + required: true + duchy-cert-id: + description: "ID of the Duchy certificate" + type: string required: true - kubectl_apply: - description: "Apply the manifest to the cluster" - required: false + apply: + description: "Apply the new configuration" type: boolean + default: false + +permissions: + id-token: write env: - REGISTRY: ghcr.io - REPO_PREFIX: world-federation-of-advertisers/packages + KUSTOMIZATION_PATH: "k8s/cmms" + DUCHY_NAME: ${{ inputs.duchy-name }} + jobs: - create_k8s_manifest: + update-duchy: runs-on: ubuntu-20.04 + environment: ${{ inputs.environment }} steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout code - uses: actions/checkout@v2 - - # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. 
- - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1 - - # Setup Gcloud identity federation - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - workload_identity_provider: ${{ secrets.WFI_PROVIDER }} - service_account: ${{ secrets.WFI_SA }} - token_format: 'access_token' - - # Update KUBECONFIG - - name: Update KUBECONFIG - run: gcloud container clusters get-credentials dev-halo-duchy-worker --zone us-central1 - - - name: Apply secrets - run: | - bazelisk build //src/main/k8s/testing/secretfiles:kustomization.tar - mkdir secretfiles - tar -xf "$(bazelisk info bazel-bin)/src/main/k8s/testing/secretfiles/kustomization.tar" -C secretfiles - resource_name="$(kubectl apply -k secretfiles/src/main/k8s/testing/secretfiles/kustomization -o name)" - echo "SECRET_NAME=$(basename $resource_name)" >> "$GITHUB_ENV" - - # TODO(wfa-siyengar): add duchy as an input at high-level(QA deploy) - - # Create k8s manifest - - name: Build K8s manifest - run: | - bazelisk build //src/main/k8s/dev:${{ inputs.duchy_name }}_duchy_gke \ - --define k8s_duchy_secret_name=$SECRET_NAME \ - --define duchy_cert_id=SVVse4xWHL0 \ - --define duchy_storage_bucket=${{ inputs.duchy_name }}-duchy \ - --define container_registry=${{ env.REGISTRY }} \ - --define image_repo_prefix=${{ env.REPO_PREFIX }} \ - --define image_tag=${{ inputs.image_tag }} - - # Apply manifest - - name: apply k8s manifest - if: inputs.kubectl_apply == true - run: kubectl apply -f bazel-bin/src/main/k8s/dev/${{ inputs.duchy_name }}.yaml + - uses: actions/checkout@v2 + + # Authenticate to Google Cloud. This will export some environment + # variables, including GCLOUD_PROJECT. 
+ - name: Authenticate to Google Cloud + uses: google-github-actions/auth@v1 + with: + workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }} + + - name: Generate archives + env: + IMAGE_TAG: ${{ inputs.image-tag }} + SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }} + KINGDOM_SYSTEM_API_TARGET: ${{ vars.KINGDOM_SYSTEM_API_TARGET }} + DUCHY_STORAGE_BUCKET: ${{ vars.DUCHY_STORAGE_BUCKET }} + DUCHY_CERT_ID: ${{ inputs.duchy-cert-id }} + run: > + bazelisk build + "//src/main/k8s/dev:${DUCHY_NAME}_duchy.tar" + //src/main/k8s/testing/secretfiles:archive + --config ghcr + --define "image_tag=$IMAGE_TAG" + --define "google_cloud_project=$GCLOUD_PROJECT" + --define "spanner_instance=$SPANNER_INSTANCE" + --define "kingdom_system_api_target=$KINGDOM_SYSTEM_API_TARGET" + --define "duchy_storage_bucket=$DUCHY_STORAGE_BUCKET" + --define "duchy_cert_id=$DUCHY_CERT_ID" + + - name: Make Kustomization dir + run: mkdir -p "$KUSTOMIZATION_PATH" + + - name: Export BAZEL_BIN + run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV + + - name: Extract Kustomization archive + run: > + tar -xf "$BAZEL_BIN/src/main/k8s/dev/${DUCHY_NAME}_duchy.tar" + -C "$KUSTOMIZATION_PATH" + + - name: Extract secret files archive + run: > + tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar" + -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy_secret" + + # Write map from configuration variable. Since it appears that GitHub + # configuration variables use DOS (CRLF) line endings, we convert these to + # Unix (LF) line endings. 
+ - name: Write AKID to principal map + env: + AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }} + run: > + echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' > + "$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto" + + - name: Get GKE cluster credentials + uses: google-github-actions/get-gke-credentials@v1 + with: + cluster_name: ${{ format('{0}-duchy', inputs.duchy-name) }} + location: ${{ vars.GCLOUD_ZONE }} + + - name: Export KUSTOMIZE_PATH + run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy" >> $GITHUB_ENV + + # Run kubectl diff, treating the command as succeeded even if the exit + # code is 1 as kubectl uses this code to indicate there's a diff. + - name: kubectl diff + id: kubectl-diff + run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 )) + + - name: kubectl apply + if: ${{ inputs.apply }} + run: kubectl apply -k "$KUSTOMIZE_PATH" diff --git a/.github/workflows/configure-kingdom.yml b/.github/workflows/configure-kingdom.yml index 48cf11825b8..e7c24ddef1e 100644 --- a/.github/workflows/configure-kingdom.yml +++ b/.github/workflows/configure-kingdom.yml 
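Review bot: The new top-level `permissions:` block grants only `id-token: write`, and once any scope is listed explicitly the unlisted ones default to none, so the `actions/checkout@v2` step in `update-duchy` runs with a token that has no `contents` access; add `contents: read` alongside `id-token: write` so the checkout does not depend on anonymous read access to the repository. The job also sources its Kubernetes secrets from `//src/main/k8s/testing/secretfiles:archive` for whatever `environment` a `workflow_call` caller passes (only the `workflow_dispatch` path is limited to `dev`), so a comment on the `Generate archives` step such as `# NOTE: secretfiles are test-only material; never call this job for a non-dev environment.` would make that constraint explicit. Finally, `actions/checkout@v2`, `google-github-actions/auth@v1` and `google-github-actions/get-gke-credentials@v1` are pinned to mutable major tags; since this job holds a federated cloud identity and cluster credentials, pin them to full commit SHAs.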
@@ -15,63 +15,107 @@ name: "Configure Kingdom" on: - # TODO(wfa-siyengar): to detail the workflow_call. workflow_call: + inputs: + environment: + type: string + required: true + image-tag: + description: "Tag of container images" + type: string + required: true + apply: + description: "Apply the new configuration" + type: boolean + default: true workflow_dispatch: inputs: - image_tag: - description: "Image tag needed for configuration" + environment: + required: true + type: choice + options: + - dev + image-tag: + description: "Tag of container images" type: string required: true - kubectl_apply: - description: "Apply the manifest to the cluster" - required: false + apply: + description: "Apply the new configuration" type: boolean + default: false + +permissions: + id-token: write env: - REGISTRY: ghcr.io - REPO_PREFIX: world-federation-of-advertisers/packages + KUSTOMIZATION_PATH: "k8s/cmms" jobs: - create_k8s_manifest: + update-kingdom: runs-on: ubuntu-20.04 + environment: ${{ inputs.environment }} steps: - - name: Checkout code - uses: actions/checkout@v2 + - uses: actions/checkout@v2 - # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1 - - # Setup Gcloud identity federation - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" + # Authenticate to Google Cloud. This will export some environment + # variables, including GCLOUD_PROJECT. 
+ - name: Authenticate to Google Cloud + uses: google-github-actions/auth@v1 with: - workload_identity_provider: ${{ secrets.WFI_PROVIDER }} - service_account: ${{ secrets.WFI_SA }} - token_format: 'access_token' + workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }} + + - name: Generate archives + env: + IMAGE_TAG: ${{ inputs.image-tag }} + SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }} + run: > + bazelisk build + //src/main/k8s/dev:kingdom.tar + //src/main/k8s/testing/secretfiles:archive + --config ghcr + --define "image_tag=$IMAGE_TAG" + --define "google_cloud_project=$GCLOUD_PROJECT" + --define "spanner_instance=$SPANNER_INSTANCE" + + - name: Make Kustomization dir + run: mkdir -p "$KUSTOMIZATION_PATH" + + - name: Export BAZEL_BIN + run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV - - name: Connect to the cluster - run: gcloud container clusters get-credentials dev-halo-kingdom-gke-cluster --zone us-central + - name: Extract Kustomization archive + run: > + tar -xf "$BAZEL_BIN/src/main/k8s/dev/kingdom.tar" + -C "$KUSTOMIZATION_PATH" - - name: Apply secrets - run: | - bazelisk build //src/main/k8s/testing/secretfiles:kustomization.tar - mkdir secretfiles - tar -xf "$(bazelisk info bazel-bin)/src/main/k8s/testing/secretfiles/kustomization.tar" -C secretfiles - resource_name="$(kubectl apply -k secretfiles/src/main/k8s/testing/secretfiles/kustomization -o name)" - echo "SECRET_NAME=$(basename $resource_name)" >> "$GITHUB_ENV" + - name: Extract secret files archive + run: > + tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar" + -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom_secret" + + # Write map from configuration variable. Since it appears that GitHub + # configuration variables use DOS (CRLF) line endings, we convert these to + # Unix (LF) line endings. 
+ - name: Write AKID to principal map + env: + AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }} + run: > + echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' > + "$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto" + + - name: Get GKE cluster credentials + uses: google-github-actions/get-gke-credentials@v1 + with: + cluster_name: ${{ vars.KINGDOM_CLUSTER }} + location: ${{ vars.GCLOUD_ZONE }} - # Create k8s manifest - - name: Build K8s manifest - run: | - bazelisk build //src/main/k8s/dev:kingdom_gke \ - --define=k8s_kingdom_secret_name=$SECRET_NAME \ - --define container_registry=${{ env.REGISTRY }} \ - --define image_repo_prefix=${{ env.REPO_PREFIX }} \ - --define image_tag=${{ inputs.image_tag }} + # Run kubectl diff, treating the command as succeeded even if the exit + # code is 1 as kubectl uses this code to indicate there's a diff. + - name: kubectl diff + id: kubectl-diff + run: kubectl diff -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom" || (( $? == 1 )) - # Apply manifest - - name: apply k8s manifest - if: inputs.kubectl_apply == true - run: kubectl apply -f bazel-bin/src/main/k8s/dev/kingdom_gke.yaml + - name: kubectl apply + if: ${{ inputs.apply }} + run: kubectl apply -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom" diff --git a/.github/workflows/create-cmm-images.yml b/.github/workflows/create-cmm-images.yml index 2f6aa9fb57b..59c461bedf3 100644 --- a/.github/workflows/create-cmm-images.yml +++ b/.github/workflows/create-cmm-images.yml 
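Review bot: The `Write AKID to principal map` step writes `$AKID_TO_PRINCIPAL_MAP` into `authority_key_identifier_to_principal_map.textproto` without checking that the configuration variable is set, so a missing or misnamed `vars.AKID_TO_PRINCIPAL_MAP` in the selected environment silently produces an empty map that is then diffed and, with `apply: true`, applied to the Kingdom cluster. Since this file appears to determine which certificate authorities map to which principals, the job should fail instead; prefix the command with `: "${AKID_TO_PRINCIPAL_MAP:?AKID_TO_PRINCIPAL_MAP is not set for this environment}"`. The duchy workflow in this change has an identical step and needs the same guard.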
@@ -17,87 +17,41 @@ name: Build and Push CMM Images on: workflow_dispatch: workflow_call: + outputs: + image-tag: + description: "Tag of container images" + value: ${{ jobs.push-images.outputs.image-tag }} env: - REGISTRY: ghcr.io + CONTAINER_REGISTRY: ghcr.io jobs: - create-image-tag: + push-images: runs-on: ubuntu-20.04 outputs: - image_tag: ${{ steps.get-image-tag-step.outputs.image_tag }} - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Generate image tag - run: ./.github/workflows/export-image-tag.sh - - name: Output image tag - id: get-image-tag-step - run: echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT - - build-kingdom-image: - runs-on: ubuntu-20.04 - needs: create-image-tag + image-tag: ${{ steps.output-image-tag.outputs.image-tag }} steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Show Tag - run: echo ${{ needs.create-image-tag.outputs.image_tag }} - - - name: Login to GitHub Packages - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ GITHUB_TOKEN }} - - # Build Kingdom Image - - name: Build kingdom image - run: | - bazelisk query 'filter("push_kingdom", kind("container_push", //src/main/docker:all))' | - xargs bazelisk build -c opt --define container_registry=ghcr.io \ - --define image_repo_prefix=world-federation-of-advertisers \ - --platforms=//build/platforms:ubuntu_20_04_rbe \ - --define image_tag=${{ needs.create-image-tag.outputs.image_tag }} - - # Push Kingdom Image to GitHub Artifacts. 
- - name: Push Kingdom Image - run: | - bazelisk query 'filter("push_kingdom", kind("container_push", //src/main/docker:all))' | - xargs -n 1 bazelisk run -c opt --define container_registry=ghcr.io \ - --define image_repo_prefix=world-federation-of-advertisers --platforms=//build/platforms:ubuntu_20_04_rbe --define image_tag=${{ needs.create-image-tag.outputs.image_tag }} + - uses: actions/checkout@v3 + - name: Export image tag + run: ./.github/workflows/export-image-tag.sh - build-duchy-image: - runs-on: ubuntu-20.04 - needs: create-image-tag - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Show Tag - run: echo ${{ needs.create-image-tag.outputs.image_tag }} + - name: Output image tag + id: output-image-tag + run: echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT - - name: Login to GitHub Packages + - name: Authenticate to GitHub Container Registry uses: docker/login-action@v2 with: - registry: ${{ env.REGISTRY }} + registry: ${{ env.CONTAINER_REGISTRY }} username: ${{ github.actor }} - password: ${{ GITHUB_TOKEN }} - - # Build Duchy Image - - name: Build Duchy image - run: | - bazelisk query 'filter("push_duchy", kind("container_push", //src/main/docker:all))' | - xargs bazelisk build -c opt --define container_registry=ghcr.io \ - --define image_repo_prefix=world-federation-of-advertisers \ - --platforms=//build/platforms:ubuntu_20_04_rbe \ - --define image_tag=${{ needs.create-image-tag.outputs.image_tag }} - - # Push Duchy Image to GitHub Artifacts. 
- - name: Push Duchy Image - run: | - bazelisk query 'filter("push_duchy", kind("container_push", //src/main/docker:all))' | - xargs -n 1 bazelisk run -c opt --define container_registry=ghcr.io \ - --define image_repo_prefix=world-federation-of-advertisers --platforms=//build/platforms:ubuntu_20_04_rbe --define image_tag=${{ needs.create-image-tag.outputs.image_tag }} + password: ${{ github.token }} + + - name: Push images + run: > + bazelisk run //src/main/docker:push_all_gke_images + --compilation_mode=opt + --platforms=//build/platforms:ubuntu_20_04 + --define "container_registry=$CONTAINER_REGISTRY" + --define "image_repo_prefix=$GITHUB_REPOSITORY_OWNER" + --define "image_tag=$IMAGE_TAG" diff --git a/.github/workflows/export-image-tag.sh b/.github/workflows/export-image-tag.sh index 41df2cf9a3d..19826092103 100755 --- a/.github/workflows/export-image-tag.sh +++ b/.github/workflows/export-image-tag.sh @@ -13,15 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -#set -eu -o pipefail - -DEFAULT_BRANCH="${DEFAULT_BRANCH:-main}" - declare tag -if [[ "$GITHUB_EVENT_NAME" == 'release' ]]; then +if [[ "$GITHUB_REF_TYPE" == 'tag' ]]; then tag="${GITHUB_REF_NAME#v}" -elif [[ "$GITHUB_REF_NAME" == "$DEFAULT_BRANCH" ]]; then - tag="latest" else tag="$GITHUB_SHA" fi
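Review bot: The `push-images` job logs into ghcr.io with `${{ github.token }}` but declares no `permissions:`, so whether the push works, and how much else that token can do, is decided by the repository's default `GITHUB_TOKEN` setting rather than by the workflow; add `permissions:` with `contents: read` and `packages: write` to the job so the token is scoped to exactly what the registry push needs. The `image-tag` output is either a stripped git tag or `$GITHUB_SHA`, and both are mutable references at the registry; if `//src/main/docker:push_all_gke_images` can report the pushed digests, consider exposing them as an additional output so the configure-* workflows can pin by digest — I cannot tell from this hunk whether the target emits them. `actions/checkout@v3` and `docker/login-action@v2` should be pinned to commit SHAs for the same supply-chain reason.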
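Review bot: The hunk deletes the commented-out `#set -eu -o pipefail` instead of enabling it, so if `GITHUB_REF_TYPE` or `GITHUB_SHA` is unset the script still proceeds and `tag` silently ends up empty or wrong; enable `set -eu -o pipefail` at the top so a missing variable aborts the run before anything is pushed under an unintended tag. Dropping the `latest` branch in favour of the commit SHA is an improvement, since downstream deployments no longer resolve a moving tag. A release tag name is used verbatim after stripping the leading `v`, so a tag containing characters that are not valid in an image tag (for example `/`) would only fail at push time; a comment or a validation check is worth adding if such tags are possible in this repository. The part of the script that exports `tag` (presumably to `GITHUB_ENV`) lies outside the hunk.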