reusable-push-and-deploy.yml
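# Reusable workflow: push a previously built image (uploaded as the
# `fmd-image` artifact) to the Cloud Platform (CP) namespace's ECR repository,
# render the Kubernetes manifests with envsubst, and apply them to the cluster.
# Callers pass the target environment as an input and the registry/cluster
# credentials as secrets; non-sensitive settings are read from GitHub `vars`
# scoped to that environment.
name: Push and Deploy
on:
  workflow_call:
    inputs:
      env:
        description: "which environment to deploy to"
        required: true
        type: string
    # Secret names declared here are referenced below in upper case
    # (e.g. secrets.KUBE_NAMESPACE); GitHub expression property lookups are
    # case-insensitive, so both spellings resolve to the same secret.
    secrets:
      kube_namespace:
        description: "the kubernetes namespace to deploy to"
        required: true
      kube_cert:
        description: "cert used to verify identity to cluster"
        required: true
      kube_cluster:
        description: "address of the cluster to connect to"
        required: true
      kube_token:
        description: "used to authenticate to the cluster"
        required: true
      ecr_role_to_assume:
        description: "role to authenticate ecr image repository push"
        required: true
      secret_key:
        description: "secret key"
        required: true
      catalogue_token:
        description: "token to authenticate with the catalogue"
        required: true
      slack_alert_webhook:
        description: "used to post alerts to slack channel"
        required: true
      azure_client_secret:
        description: "azure client secret"
        required: true

jobs:
  push-and-deploy:
    name: Push image to CP namespace ECR and apply deployment in CP
    environment: ${{ inputs.env }}
    runs-on: ubuntu-latest
    # Least-privilege token: only the OIDC JWT (for AWS role assumption) and
    # read access to the repository contents are needed.
    permissions:
      id-token: write # This is required for requesting the JWT
      contents: read # This is required for actions/checkout
    steps:
      # NOTE(review): the actions/* and aws-actions/* steps are pinned by
      # major-version tag only; pinning them to a full commit SHA (as the
      # Slack step below already does) removes the tag-moving supply-chain risk.
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
          aws-region: ${{ vars.ECR_REGION }}
      - name: Login to ECR
        id: login-to-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Generate, mask, output image path
        id: image-path
        env:
          REGISTRY: ${{ steps.login-to-ecr.outputs.registry }}
          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
          IMAGE_TAG: ${{ github.sha }}
        # The full registry path is masked before it is written to the step
        # output so it is redacted from every later log line that prints it.
        run: |
          echo "adding masks"
          IMAGE_PATH="${REGISTRY}/${REPOSITORY}:${IMAGE_TAG}"
          echo "::add-mask::$IMAGE_PATH"
          echo "image_path=$IMAGE_PATH" >> "$GITHUB_OUTPUT"
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: fmd-image
          path: /tmp
      - name: Load image
        id: load-image
        run: docker load --input /tmp/fmd-image.tar
      - name: Re-tag docker image
        id: retag-image
        env:
          IMAGE_PATH: ${{ steps.image-path.outputs.image_path }}
        run: docker tag "fmd-image" "${IMAGE_PATH}"
      - name: Push Docker image to ECR
        id: push-docker-image-to-ecr
        env:
          IMAGE_PATH: ${{ steps.image-path.outputs.image_path }}
        run: docker push "${IMAGE_PATH}"
      - name: Prepare deployment yaml
        id: prepare-deployment
        # Everything below is exported so envsubst can substitute it into the
        # templates. Secrets end up in the rendered deployments/secrets.yml,
        # which exists only in the ephemeral runner workspace.
        env:
          ENV: ${{ inputs.env }}
          CATALOGUE_URL: ${{ vars.CATALOGUE_URL }}
          DEBUG: ${{ vars.DEBUG }}
          GIT_REF: ${{ github.sha }}
          DJANGO_ALLOWED_HOSTS: ${{ vars.DJANGO_ALLOWED_HOSTS }}
          CSRF_TRUSTED_ORIGINS: ${{ vars.CSRF_TRUSTED_ORIGINS }}
          DJANGO_LOG_LEVEL: ${{ vars.DJANGO_LOG_LEVEL }}
          SENTRY_DSN_WORKAROUND: ${{ vars.SENTRY_DSN_WORKAROUND }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          CATALOGUE_TOKEN: ${{ secrets.CATALOGUE_TOKEN }}
          IMAGE_PATH: ${{ steps.image-path.outputs.image_path }}
          NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          ENABLE_ANALYTICS: ${{ vars.ENABLE_ANALYTICS }}
          ANALYTICS_ID: ${{ vars.ANALYTICS_ID }}
          SLACK_ALERT_WEBHOOK: ${{ secrets.SLACK_ALERT_WEBHOOK }}
          AZURE_AUTH_ENABLED: ${{ vars.AZURE_AUTH_ENABLED }}
          AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_REDIRECT_URI: ${{ vars.AZURE_REDIRECT_URI }}
          AZURE_AUTHORITY: ${{ vars.AZURE_AUTHORITY }}
          EXTERNAL_DOMAIN_PREFIX: ${{ vars.EXTERNAL_DOMAIN_PREFIX }}
        # Read each template via redirection instead of `cat file | envsubst`:
        # the default `bash -e` shell only sees envsubst's exit status in a
        # pipeline, so a missing template used to produce an empty manifest
        # silently; a failed redirection now aborts the step.
        # NOTE(review): envsubst with no variable list rewrites every `$NAME`
        # it finds in a template, including literal dollar signs — confirm the
        # templates contain none, or pass an explicit variable list.
        run: |
          envsubst < deployments/templates/deployment.yml > deployments/deployment.yml
          envsubst < deployments/templates/hpa.yml > deployments/hpa.yml
          envsubst < deployments/templates/ingress.yml > deployments/ingress.yml
          envsubst < deployments/templates/service.yml > deployments/service.yml
          envsubst < deployments/templates/secrets.yml > deployments/secrets.yml
          envsubst < deployments/templates/monitoring/fmd-servicemonitor.yml > deployments/servicemonitor.yml
          envsubst < deployments/templates/monitoring/fmd-networkpolicy.yml > deployments/networkpolicy.yml
      - name: Configure Kubernetes cluster
        id: configure-kubernetes-cluster
        # The CA cert and token are passed through `env` rather than expanded
        # with ${{ }} inside the script, so their values are never spliced
        # into the shell source text; shell expansions are quoted so a value
        # containing whitespace cannot split into extra arguments.
        env:
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
          KUBE_CERT: ${{ secrets.KUBE_CERT }}
          KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
        run: |
          echo "${KUBE_CERT}" > ca.crt
          kubectl config set-cluster "${KUBE_CLUSTER}" --certificate-authority=./ca.crt --server="https://${KUBE_CLUSTER}"
          kubectl config set-credentials deploy-user --token="${KUBE_TOKEN}"
          kubectl config set-context "${KUBE_CLUSTER}" --cluster="${KUBE_CLUSTER}" --user=deploy-user --namespace="${KUBE_NAMESPACE}"
          kubectl config use-context "${KUBE_CLUSTER}"
      - name: Apply deployment
        id: apply-deployment
        env:
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
        # `kubectl apply -f <dir>` is not recursive, so only the rendered
        # manifests in deployments/ are applied, not the raw templates beneath.
        run: kubectl -n "${KUBE_NAMESPACE}" apply -f deployments/
      - name: Slack failure notification
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_ALERT_WEBHOOK }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK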