
Use new build targets for release workflows. (#965)
* //src/main/docker:push_all_gke_images target for push image workflow
* Kustomize-based targets for K8s workflows.
SanjayVas authored May 2, 2023
1 parent 13d1e9a commit f40536f
Showing 5 changed files with 238 additions and 175 deletions.
4 changes: 4 additions & 0 deletions .bazelrc
Expand Up @@ -17,6 +17,10 @@ test --test_env=TESTCONTAINERS_RYUK_DISABLED
# constraints for on images based on Distroless Java.
build --@io_bazel_rules_docker//transitions:enable=false

# Configuration for GitHub Container Registry
build:ghcr --define container_registry=ghcr.io
build:ghcr --define image_repo_prefix=world-federation-of-advertisers

# Convenience platform configurations.
build:debian-bullseye --platforms=//build/platforms:debian_bullseye
build:ubuntu-bionic --platforms=//build/platforms:ubuntu_bionic
177 changes: 122 additions & 55 deletions .github/workflows/configure-duchy.yml
Expand Up @@ -16,69 +16,136 @@ name: "Configure Duchy"

on:
workflow_call:
inputs:
environment:
type: string
required: true
image-tag:
description: "Tag of container images"
type: string
required: true
duchy-name:
description: "Name (external ID) of Duchy"
type: string
required: true
duchy-cert-id:
description: "ID of the Duchy certificate"
type: string
required: true
apply:
description: "Apply the new configuration"
type: boolean
default: true
workflow_dispatch:
inputs:
image_tag:
description: "Image tag needed for configuration"
environment:
required: true
type: choice
options:
- dev
image-tag:
description: "Tag of container images"
type: string
required: true
duchy_name:
description: "The name of the Duchy to build"
duchy-name:
description: "Name (external ID) of Duchy"
type: choice
options:
- worker1
- worker2
- aggregator
required: true
duchy-cert-id:
description: "ID of the Duchy certificate"
type: string
required: true
kubectl_apply:
description: "Apply the manifest to the cluster"
required: false
apply:
description: "Apply the new configuration"
type: boolean
default: false

permissions:
id-token: write

env:
REGISTRY: ghcr.io
REPO_PREFIX: world-federation-of-advertisers/packages
KUSTOMIZATION_PATH: "k8s/cmms"
DUCHY_NAME: ${{ inputs.duchy-name }}

jobs:
create_k8s_manifest:
update-duchy:
runs-on: ubuntu-20.04
environment: ${{ inputs.environment }}
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v2

# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1

# Setup Gcloud identity federation
- name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v1"
with:
workload_identity_provider: ${{ secrets.WFI_PROVIDER }}
service_account: ${{ secrets.WFI_SA }}
token_format: 'access_token'

# Update KUBECONFIG
- name: Update KUBECONFIG
run: gcloud container clusters get-credentials dev-halo-duchy-worker --zone us-central1

- name: Apply secrets
run: |
bazelisk build //src/main/k8s/testing/secretfiles:kustomization.tar
mkdir secretfiles
tar -xf "$(bazelisk info bazel-bin)/src/main/k8s/testing/secretfiles/kustomization.tar" -C secretfiles
resource_name="$(kubectl apply -k secretfiles/src/main/k8s/testing/secretfiles/kustomization -o name)"
echo "SECRET_NAME=$(basename $resource_name)" >> "$GITHUB_ENV"
# TODO(wfa-siyengar): add duchy as an input at high-level(QA deploy)

# Create k8s manifest
- name: Build K8s manifest
run: |
bazelisk build //src/main/k8s/dev:${{ inputs.duchy_name }}_duchy_gke \
--define k8s_duchy_secret_name=$SECRET_NAME \
--define duchy_cert_id=SVVse4xWHL0 \
--define duchy_storage_bucket=${{ inputs.duchy_name }}-duchy \
--define container_registry=${{ env.REGISTRY }} \
--define image_repo_prefix=${{ env.REPO_PREFIX }} \
--define image_tag=${{ inputs.image_tag }}
# Apply manifest
- name: apply k8s manifest
if: inputs.kubectl_apply == true
run: kubectl apply -f bazel-bin/src/main/k8s/dev/${{ inputs.duchy_name }}.yaml
- uses: actions/checkout@v2

# Authenticate to Google Cloud. This will export some environment
# variables, including GCLOUD_PROJECT.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}

- name: Generate archives
env:
IMAGE_TAG: ${{ inputs.image-tag }}
SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
KINGDOM_SYSTEM_API_TARGET: ${{ vars.KINGDOM_SYSTEM_API_TARGET }}
DUCHY_STORAGE_BUCKET: ${{ vars.DUCHY_STORAGE_BUCKET }}
DUCHY_CERT_ID: ${{ inputs.duchy-cert-id }}
run: >
bazelisk build
"//src/main/k8s/dev:${DUCHY_NAME}_duchy.tar"
//src/main/k8s/testing/secretfiles:archive
--config ghcr
--define "image_tag=$IMAGE_TAG"
--define "google_cloud_project=$GCLOUD_PROJECT"
--define "spanner_instance=$SPANNER_INSTANCE"
--define "kingdom_system_api_target=$KINGDOM_SYSTEM_API_TARGET"
--define "duchy_storage_bucket=$DUCHY_STORAGE_BUCKET"
--define "duchy_cert_id=$DUCHY_CERT_ID"
- name: Make Kustomization dir
run: mkdir -p "$KUSTOMIZATION_PATH"

- name: Export BAZEL_BIN
run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV

- name: Extract Kustomization archive
run: >
tar -xf "$BAZEL_BIN/src/main/k8s/dev/${DUCHY_NAME}_duchy.tar"
-C "$KUSTOMIZATION_PATH"
- name: Extract secret files archive
run: >
tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar"
-C "$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy_secret"
# Write map from configuration variable. Since it appears that GitHub
# configuration variables use DOS (CRLF) line endings, we convert these to
# Unix (LF) line endings.
- name: Write AKID to principal map
env:
AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }}
run: >
echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' >
"$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto"
- name: Get GKE cluster credentials
uses: google-github-actions/get-gke-credentials@v1
with:
cluster_name: ${{ format('{0}-duchy', inputs.duchy-name) }}
location: ${{ vars.GCLOUD_ZONE }}

- name: Export KUSTOMIZE_PATH
run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy" >> $GITHUB_ENV

# Run kubectl diff, treating the command as succeeded even if the exit
# code is 1 as kubectl uses this code to indicate there's a diff.
- name: kubectl diff
id: kubectl-diff
run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 ))

- name: kubectl apply
if: ${{ inputs.apply }}
run: kubectl apply -k "$KUSTOMIZE_PATH"
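Review bot: The `kubectl diff` step (`run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 ))`) writes the whole diff to the job log, and because the secret files archive is extracted into `${DUCHY_NAME}_duchy_secret` inside that same kustomization, a change to those files would likely print Secret object data into the Actions log, where it is not masked since the values do not come from `secrets.*`. That looks acceptable only because the archive is built from `//src/main/k8s/testing/secretfiles`, so that assumption deserves a comment on the step, e.g. `# NOTE: kubectl diff prints Secret data; the secret files used here are test material only.` The same applies to the `kubectl diff` step in configure-kingdom.yml. Separately, `id: kubectl-diff` is not referenced by any later step, and the two `>> $GITHUB_ENV` redirects in the Export steps should quote the variable, `>> "$GITHUB_ENV"`, to match the quoting used elsewhere in the file.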
128 changes: 86 additions & 42 deletions .github/workflows/configure-kingdom.yml
Expand Up @@ -15,63 +15,107 @@
name: "Configure Kingdom"

on:
# TODO(wfa-siyengar): to detail the workflow_call.
workflow_call:
inputs:
environment:
type: string
required: true
image-tag:
description: "Tag of container images"
type: string
required: true
apply:
description: "Apply the new configuration"
type: boolean
default: true
workflow_dispatch:
inputs:
image_tag:
description: "Image tag needed for configuration"
environment:
required: true
type: choice
options:
- dev
image-tag:
description: "Tag of container images"
type: string
required: true
kubectl_apply:
description: "Apply the manifest to the cluster"
required: false
apply:
description: "Apply the new configuration"
type: boolean
default: false

permissions:
id-token: write

env:
REGISTRY: ghcr.io
REPO_PREFIX: world-federation-of-advertisers/packages
KUSTOMIZATION_PATH: "k8s/cmms"

jobs:
create_k8s_manifest:
update-kingdom:
runs-on: ubuntu-20.04
environment: ${{ inputs.environment }}
steps:
- name: Checkout code
uses: actions/checkout@v2
- uses: actions/checkout@v2

# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1

# Setup Gcloud identity federation
- name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v1"
# Authenticate to Google Cloud. This will export some environment
# variables, including GCLOUD_PROJECT.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.WFI_PROVIDER }}
service_account: ${{ secrets.WFI_SA }}
token_format: 'access_token'
workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}

- name: Generate archives
env:
IMAGE_TAG: ${{ inputs.image-tag }}
SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
run: >
bazelisk build
//src/main/k8s/dev:kingdom.tar
//src/main/k8s/testing/secretfiles:archive
--config ghcr
--define "image_tag=$IMAGE_TAG"
--define "google_cloud_project=$GCLOUD_PROJECT"
--define "spanner_instance=$SPANNER_INSTANCE"
- name: Make Kustomization dir
run: mkdir -p "$KUSTOMIZATION_PATH"

- name: Export BAZEL_BIN
run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV

- name: Connect to the cluster
run: gcloud container clusters get-credentials dev-halo-kingdom-gke-cluster --zone us-central
- name: Extract Kustomization archive
run: >
tar -xf "$BAZEL_BIN/src/main/k8s/dev/kingdom.tar"
-C "$KUSTOMIZATION_PATH"
- name: Apply secrets
run: |
bazelisk build //src/main/k8s/testing/secretfiles:kustomization.tar
mkdir secretfiles
tar -xf "$(bazelisk info bazel-bin)/src/main/k8s/testing/secretfiles/kustomization.tar" -C secretfiles
resource_name="$(kubectl apply -k secretfiles/src/main/k8s/testing/secretfiles/kustomization -o name)"
echo "SECRET_NAME=$(basename $resource_name)" >> "$GITHUB_ENV"
- name: Extract secret files archive
run: >
tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar"
-C "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom_secret"
# Write map from configuration variable. Since it appears that GitHub
# configuration variables use DOS (CRLF) line endings, we convert these to
# Unix (LF) line endings.
- name: Write AKID to principal map
env:
AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }}
run: >
echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' >
"$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto"
- name: Get GKE cluster credentials
uses: google-github-actions/get-gke-credentials@v1
with:
cluster_name: kingdom
location: ${{ vars.GCLOUD_ZONE }}

# Create k8s manifest
- name: Build K8s manifest
run: |
bazelisk build //src/main/k8s/dev:kingdom_gke \
--define=k8s_kingdom_secret_name=$SECRET_NAME \
--define container_registry=${{ env.REGISTRY }} \
--define image_repo_prefix=${{ env.REPO_PREFIX }} \
--define image_tag=${{ inputs.image_tag }}
# Run kubectl diff, treating the command as succeeded even if the exit
# code is 1 as kubectl uses this code to indicate there's a diff.
- name: kubectl diff
id: kubectl-diff
run: kubectl diff -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom" || (( $? == 1 ))

# Apply manifest
- name: apply k8s manifest
if: inputs.kubectl_apply == true
run: kubectl apply -f bazel-bin/src/main/k8s/dev/kingdom_gke.yaml
- name: kubectl apply
if: ${{ inputs.apply }}
run: kubectl apply -k "$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom"
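Review bot: The kustomization path `$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom` is spelled out twice, in the `kubectl diff` and `kubectl apply` steps, whereas configure-duchy.yml in this same commit exports it once as `KUSTOMIZE_PATH`; for consistency add a step `run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/kingdom" >> "$GITHUB_ENV"` after the Export BAZEL_BIN step and use `"$KUSTOMIZE_PATH"` in both kubectl steps. The new `- uses: actions/checkout@v2` and the `google-github-actions/auth@v1` / `get-gke-credentials@v1` references are pinned to floating major tags; since this job holds `id-token: write` and obtains cluster credentials, pinning each action to a full commit SHA (with the tag in a trailing comment) would limit exposure to a moved tag. Both points apply equally to configure-duchy.yml.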
