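# Production pipeline for the website, triggered by pushes to master.
#
# Job "deploy": applies the Terraform configuration, reads node address and
# credentials back out of Terraform outputs, copies the k3s kubeconfig from
# the node over SSH, builds the four OCI images, pushes them to ghcr.io and
# applies the kustomize tree to the cluster. The image tarballs are handed to
# the second job as workflow artifacts.
#
# Job "publish-tag": re-derives the release version, renders the manifests
# with kustomize, creates the git tag and a GitHub release that carries the
# image tarballs and the rendered manifests.
name: Build and deploy website

on:
  push:
    branches:
      - master
    paths-ignore:
      - '**.md'                     # Don't deploy when markdown files are edited
      # Directory patterns need a trailing /** to match the files inside them;
      # a bare directory path only matches that exact path.
      - 'deploy/kubernetes/dev/**'  # Ignore changes to dev environment
      - 'Tiltfile'                  # Ignore changes to dev environment
      - 'startdev.sh'               # Ignore changes to dev environment
      - 'old_website_migration/**'  # Ignore changes to scripts

# Least-privilege scopes for GITHUB_TOKEN: `contents: write` for pushing the
# git tag and creating the release, `packages: write` for pushing images to
# ghcr.io. Every other scope defaults to none once this block is present.
permissions:
  contents: write
  packages: write

jobs:
  deploy:
    name: Apply Terraform configuration, build containers, and deploy to Kubernetes
    runs-on: ubuntu-latest
    env:
      # Provider credentials for Terraform; the AWS_* pair is presumably the
      # remote-state bucket credential (secret names suggest so) — confirm.
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      HCLOUD_TOKEN: ${{ secrets.HETZNER_API_TOKEN }}
      AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_BUCKET_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_BUCKET_KEY }}
      # NOTE(review): the secret names indicate the B2 account master key is
      # used here; a scoped application key limited to what Terraform needs
      # would reduce the blast radius of a leaked secret or runner compromise.
      B2_APPLICATION_KEY_ID: ${{ secrets.B2_MASTER_KEY_ID }}
      B2_APPLICATION_KEY: ${{ secrets.B2_MASTER_KEY }}
      TF_VAR_pw_hash: ${{ secrets.NODE_ROOT_USER_PW_HASH }}
    steps:
      - uses: actions/checkout@v4
      # https://learn.hashicorp.com/tutorials/terraform/github-actions?in=terraform/automation
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.7.5"
      - name: Terraform Init
        run: terraform init
        working-directory: deploy/terraform
      - name: Terraform Apply
        run: terraform apply -auto-approve -input=false
        working-directory: deploy/terraform
      # How to fetch Terraform variables from CLI
      # https://learn.hashicorp.com/tutorials/terraform/outputs
      # This step still runs under the setup-terraform wrapper, which is what
      # exposes the command's stdout as steps.tf_ip_addr.outputs.stdout.
      - name: Get node IPv4 address # GITHUB DOESNT SUPPORT IPV6 FFS
        id: tf_ip_addr
        run: terraform output -raw ipv4_address
        working-directory: deploy/terraform
      # Second setup without the wrapper so the following steps can redirect
      # raw output straight into files.
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.7.5"
          terraform_wrapper: false # Remove wrapper so that we can output directly to files
      # The next four steps write credentials into the kustomize tree under
      # deploy/kubernetes/tmeit-se, presumably consumed by `kubectl apply -k`
      # further down. They exist only on the ephemeral runner: nothing below
      # commits them or uploads them as artifacts.
      - name: Get Cloudflare token for Let's Encrypt
        id: tf_cf_le_token
        run: terraform output -raw cloudflare-le-token > ../kubernetes/tmeit-se/certificate/cloudflare-api-token
        working-directory: deploy/terraform
      - name: Get name for the B2 database backup bucket
        id: tf_b2_db_bucket
        run: terraform output -raw b2-db-backup-bucket > ../kubernetes/tmeit-se/postgres/b2-db-backup-bucket
        working-directory: deploy/terraform
      - name: Get B2 appkey id for DB backups
        id: tf_b2_db_id
        run: terraform output -raw b2-db-key-id > ../kubernetes/tmeit-se/postgres/b2-db-backup-id
        working-directory: deploy/terraform
      - name: Get B2 appkey secret for DB backups
        id: tf_b2_db_secret
        run: terraform output -raw b2-db-key-secret > ../kubernetes/tmeit-se/postgres/b2-db-backup-key
        working-directory: deploy/terraform
      - name: Get SSH key
        run: terraform output -raw ssh_key > "$HOME/id_ed25519"
        working-directory: deploy/terraform
      - name: chmod SSH key
        # A private key needs owner-only access; 600 is the conventional mode
        # for a key file (700 also satisfied ssh, but set the execute bit).
        run: chmod 600 "$HOME/id_ed25519"
      # NOTE(review): StrictHostKeyChecking=no disables host-key verification
      # for the connection that fetches the cluster-admin kubeconfig, so an
      # on-path attacker could serve a fake host. Emitting the node's host key
      # as a Terraform output and writing it to known_hosts before this step
      # would close that gap.
      - name: Download kubeconfig file
        run: |
          scp \
            -qo "StrictHostKeyChecking=no" \
            -i "$HOME/id_ed25519" \
            root@${{ steps.tf_ip_addr.outputs.stdout }}:/etc/rancher/k3s/k3s.yaml .
      # NOTE(review): `@master` is a mutable ref, so this step runs whatever
      # the upstream branch currently contains; pin it to a release tag or a
      # commit SHA like the other actions in this file.
      - name: Set kubeconfig server URL
        uses: mikefarah/yq@master
        with:
          cmd: yq -i '.clusters[0].cluster.server = "https://${{ steps.tf_ip_addr.outputs.stdout }}:6443"' "k3s.yaml"
      - name: Move kubeconfig to ~/.kube/config
        # -p so an already existing ~/.kube (e.g. from a preinstalled tool) doesn't fail the step
        run: mkdir -p "$HOME/.kube/" && mv k3s.yaml "$HOME/.kube/config"
      - uses: actions/setup-python@v3
        with:
          python-version: '3.10'
      - name: Get release version
        run: python release_utils/get_version.py gh-actions
        shell: sh
        id: release_version
      # One buildah-build step per image; all are tagged with the version
      # emitted by the release_version step above.
      - name: Build OCI image for tmeit-app
        uses: redhat-actions/buildah-build@v2
        with:
          image: ghcr.io/tmeit/tmeit-app
          tags: "${{ steps.release_version.outputs.version }}"
          context: '.'
          containerfiles: |-
            containerfiles/tmeit-app.Containerfile
      - name: Build OCI image for tmeit-run-migrations
        uses: redhat-actions/buildah-build@v2
        with:
          image: ghcr.io/tmeit/tmeit-run-migrations
          tags: "${{ steps.release_version.outputs.version }}"
          context: '.'
          containerfiles: |-
            containerfiles/tmeit-run-migrations.Containerfile
      - name: Build OCI image for tmeit-worker
        uses: redhat-actions/buildah-build@v2
        with:
          image: ghcr.io/tmeit/tmeit-worker
          tags: "${{ steps.release_version.outputs.version }}"
          context: '.'
          containerfiles: |-
            containerfiles/tmeit-worker.Containerfile
      - name: Build OCI image for db-backup-agent
        uses: redhat-actions/buildah-build@v2
        with:
          image: ghcr.io/tmeit/db-backup-agent
          tags: "${{ steps.release_version.outputs.version }}"
          context: '.'
          containerfiles: |-
            containerfiles/db-backup-agent.Containerfile
      - name: Export OCI images
        run: |
          podman save --format docker-archive -o tmeit-app-docker-container.tar ghcr.io/tmeit/tmeit-app:${{ steps.release_version.outputs.version }}
          podman save --format docker-archive -o tmeit-run-migrations-docker-container.tar ghcr.io/tmeit/tmeit-run-migrations:${{ steps.release_version.outputs.version }}
          podman save --format docker-archive -o tmeit-worker-docker-container.tar ghcr.io/tmeit/tmeit-worker:${{ steps.release_version.outputs.version }}
          podman save --format docker-archive -o db-backup-agent-docker-container.tar ghcr.io/tmeit/db-backup-agent:${{ steps.release_version.outputs.version }}
      - name: Send tmeit-app image to publish-tag job # https://stackoverflow.com/a/57877438
        uses: actions/upload-artifact@v3
        with:
          name: "tmeit-app-image"
          path: "tmeit-app-docker-container.tar"
      - name: Send tmeit-run-migrations image to publish-tag job
        uses: actions/upload-artifact@v3
        with:
          name: "tmeit-run-migrations-image"
          path: "tmeit-run-migrations-docker-container.tar"
      - name: Send tmeit-worker image to publish-tag job
        uses: actions/upload-artifact@v3
        with:
          name: "tmeit-worker-image"
          path: "tmeit-worker-docker-container.tar"
      - name: Send db-backup-agent image to publish-tag job
        uses: actions/upload-artifact@v3
        with:
          name: "db-backup-agent-image"
          path: "db-backup-agent-docker-container.tar"
      - name: Log in to gh registry
        uses: redhat-actions/podman-login@v1
        with:
          username: "${{ github.actor }}"
          password: "${{ secrets.GITHUB_TOKEN }}"
          registry: "ghcr.io/tmeit"
      - name: Publish OCI images # This is where kubernetes will download the images from
        run: |
          podman push ghcr.io/tmeit/tmeit-app:${{ steps.release_version.outputs.version }}
          podman push ghcr.io/tmeit/tmeit-run-migrations:${{ steps.release_version.outputs.version }}
          podman push ghcr.io/tmeit/tmeit-worker:${{ steps.release_version.outputs.version }}
          podman push ghcr.io/tmeit/db-backup-agent:${{ steps.release_version.outputs.version }}
      - name: 'Push manifests to prod'
        # We delete the job because jobs are immutable, but we also don't want to break our migration-check init-container with an old job
        # NOTE: latest version of kubectl can be found here https://dl.k8s.io/release/stable.txt
        # The checksum file is fetched from the same origin as the binary, so
        # the check catches a corrupted download, not a compromised origin;
        # pinning the expected hash in this file would cover both.
        run: |
          curl -LO "https://dl.k8s.io/release/v1.25.3/bin/linux/amd64/kubectl"
          curl -LO "https://dl.k8s.io/v1.25.3/bin/linux/amd64/kubectl.sha256"
          echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
          chmod +x kubectl
          # Invoke the verified binary explicitly: a bare `kubectl` resolves
          # through PATH and would run whatever the runner image preinstalls
          # rather than the 1.25.3 just downloaded into the working directory.
          # --ignore-not-found keeps the very first deployment (no job yet)
          # from failing on the delete.
          ./kubectl delete --ignore-not-found -f deploy/kubernetes/tmeit-se/run-migrations/job.yaml
          ./kubectl apply --server-side=true --force-conflicts -k deploy/kubernetes/tmeit-se/
        # kubectl 1.25.3 has kustomize 4.5.7 built-in, according to "kubectl version"

  publish-tag:
    name: Publish GH release
    runs-on: ubuntu-latest
    needs: deploy # Run after deploy so that we can get the docker image for publishing
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'  # full history; presumably needed by the tag/changelog steps below
      - uses: actions/setup-python@v3
        with:
          python-version: '3.10'
      - name: Get release version
        run: python release_utils/get_version.py gh-actions
        shell: sh
        id: release_version
      # NOTE(review): kustomize 4.5.4 here versus 4.5.7 built into the kubectl
      # used by the deploy job, so the published manifests may differ from what
      # was actually applied — consider aligning the two versions.
      - name: Build k8s manifests
        uses: stefanprodan/kube-tools@v1
        with:
          kustomize: '4.5.4'
          command: |-
            kustomize build deploy/kubernetes/tmeit-se -o k8s-manifests.yaml
      - name: Receive tmeit-app image from build-push job # https://stackoverflow.com/a/57877438
        uses: actions/download-artifact@v3
        with:
          name: "tmeit-app-image"
      - name: Receive tmeit-run-migrations image from build-push job
        uses: actions/download-artifact@v3
        with:
          name: "tmeit-run-migrations-image"
      - name: Receive tmeit-worker image from build-push job
        uses: actions/download-artifact@v3
        with:
          name: "tmeit-worker-image"
      - name: Receive db-backup-agent image from build-push job
        uses: actions/download-artifact@v3
        with:
          name: "db-backup-agent-image"
      - name: Create git tag
        uses: anothrNick/[email protected]
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CUSTOM_TAG: "${{ steps.release_version.outputs.version }}"
      - name: Generate changelog
        uses: loopwerk/tag-changelog@v1
        id: changelog
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      # k8s-manifests.yaml becomes a public release asset. This job runs on a
      # fresh checkout, so the credential files the deploy job writes into the
      # kustomize tree are not present here — still, confirm the kustomization
      # does not embed any secret material before publishing its output.
      - name: Create GH release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: "${{ steps.release_version.outputs.version }}"
          body: "${{ steps.changelog.outputs.changelog }}"
          files: |
            tmeit-app-docker-container.tar
            tmeit-run-migrations-docker-container.tar
            tmeit-worker-docker-container.tar
            db-backup-agent-docker-container.tar
            k8s-manifests.yaml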