Skip to content

Commit

Permalink
Merge pull request #2129 from fermyon/vdice/ref/docs-oci-deploy
Browse files Browse the repository at this point in the history
ref(docs): update to run/deploy via OCI
  • Loading branch information
vdice authored Dec 4, 2023
2 parents 58d580b + c5cdc9b commit b98eba2
Show file tree
Hide file tree
Showing 5 changed files with 117 additions and 235 deletions.
140 changes: 55 additions & 85 deletions .github/workflows/deploy-website.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,6 @@ on:
default: 'refs/heads/main'
commit:
description: 'Commit SHA to deploy from (optional)'
environment:
type: choice
description: 'Environment to deploy to (Default: canary)'
options:
- canary
- prod

# Construct a concurrency group to be shared across workflow runs.
# The default behavior ensures that only one is running at a time, with
Expand All @@ -30,9 +24,6 @@ permissions:
contents: read
id-token: write # Allow the workflow to create a JWT for AWS auth

env:
JOB: spin-docs

jobs:
echo-inputs:
runs-on: ubuntu-latest
Expand All @@ -42,103 +33,82 @@ jobs:
run: |
echo ref: ${{ github.event.inputs.ref }}
echo commit: ${{ github.event.inputs.commit }}
echo environment: ${{ github.event.inputs.environment }}
deploy:
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'fermyon' }}
env:
OCI_IMAGE_NAME: spin-docs
steps:
- uses: actions/checkout@v3

- name: Install Nomad
env:
NOMAD_VERSION: "1.4.3"
run: |
curl -Os https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip
unzip nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip -d /usr/local/bin
chmod +x /usr/local/bin/nomad
- name: Check out specific ref
if: ${{ github.event_name == 'workflow_dispatch' }} && ${{ inputs.ref != ''}}
run: git checkout ${{ inputs.ref }}

# This action currently generates a warning due to using deprecated features.
# https://github.com/aws-actions/configure-aws-credentials/issues/521 tracks the new behaviour.
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.INFRA_NAMESPACE }}-${{ secrets.AWS_REGION }}-gha-certs
role-session-name: fermyon-developer-deploy
aws-region: ${{ secrets.AWS_REGION }}
- name: Check out specific commit
if: ${{ github.event_name == 'workflow_dispatch' }} && ${{ inputs.commit != ''}}
run: git checkout ${{ inputs.commit }}

- name: Fetch Nomad Certs from S3
- name: Construct OCI image tag
shell: bash
run: |
set -euo pipefail
[[ "${{ github.event_name }}" == "push" ]] && \
echo "IMAGE_TAG=latest" >> $GITHUB_ENV || \
echo "IMAGE_TAG=canary" >> $GITHUB_ENV
for cert in infra_ca \
api_client_cert_private_key \
api_client_cert_public_key; do
- name: Setup Spin
uses: fermyon/actions/spin/setup@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
version: v2.0.1

aws s3api get-object \
--bucket "infra-certs-${{ secrets.INFRA_NAMESPACE }}-${{ secrets.AWS_REGION }}" \
--key "${cert}" \
"/tmp/${cert}"
done
- name: Configure AWS Credentials for publishing
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_IAM_ROLE }}
role-session-name: ${{ env.OCI_IMAGE_NAME }}
aws-region: ${{ secrets.AWS_REGION_WEBSITES }}

- name: Configure Nomad
shell: bash
run: |
echo "NOMAD_CACERT=/tmp/infra_ca" >> $GITHUB_ENV
echo "NOMAD_CLIENT_CERT=/tmp/api_client_cert_public_key" >> $GITHUB_ENV
echo "NOMAD_CLIENT_KEY=/tmp/api_client_cert_private_key" >> $GITHUB_ENV
echo "NOMAD_ADDR=https://nomad.${{ secrets.INFRA_NAMESPACE }}.${{ secrets.AWS_REGION }}.fermyon.link:4646" >> $GITHUB_ENV
- name: Log in to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

- name: Configure manual deploy
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
- name: Publish Spin app
id: push
uses: fermyon/actions/spin/push@v1
with:
registry_reference: ${{ steps.login-ecr.outputs.registry }}/${{ env.OCI_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
manifest_file: docs/spin.toml

- name: Cleanup login
if: ${{ always() }}
run: |
echo "GIT_REF=${{ github.event.inputs.ref }}" >> $GITHUB_ENV
echo "GIT_SHA=${{ github.event.inputs.commit }}" >> $GITHUB_ENV
if [[ "${{ github.event.inputs.environment }}" == "prod" ]]; then
echo "PRODUCTION=true" >> $GITHUB_ENV
echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV
else
echo "PRODUCTION=false" >> $GITHUB_ENV
echo "NOMAD_NAMESPACE=staging" >> $GITHUB_ENV
fi
- name: Configure auto-deploy
if: ${{ github.event_name == 'push' }}
shell: bash
rm -rf /home/runner/fermyon
- name: Install Nomad
env:
NOMAD_VERSION: "1.4.3"
run: |
echo "GIT_REF=${{ github.ref }}" >> $GITHUB_ENV
echo "GIT_SHA=${{ github.sha }}" >> $GITHUB_ENV
curl -Os https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip
unzip nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip -d /usr/local/bin
chmod +x /usr/local/bin/nomad
echo "PRODUCTION=true" >> $GITHUB_ENV
echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV
- name: Tailscale
uses: tailscale/github-action@v2
with:
oauth-client-id: ${{ secrets.TS_CI_OAUTH_CLIENT_ID }}
oauth-secret: ${{ secrets.TS_CI_OAUTH_SECRET }}
tags: tag:ci

- name: Deploy
shell: bash
run: |
set -euox pipefail
# purge any lingering/completed publish jobs
nomad job inspect publish-${{ env.JOB }} &>/dev/null && \
nomad stop -purge -yes publish-${{ env.JOB }}
# run the publish job
nomad run \
-var "region=${{ secrets.AWS_REGION }}" \
-var "git_ref=${{ env.GIT_REF }}" \
-var "commit_sha=${{ env.GIT_SHA }}" \
deploy/publish-${{ env.JOB }}.nomad
# wait for publish job to complete
timeout 300s bash -c 'until [[ "$(nomad job inspect publish-${{ env.JOB }} | jq -j '.Job.Status')" == "dead" ]]; do sleep 2; done'
readonly bindle_id="$(nomad logs -job publish-${{ env.JOB }} | sed -n 's/pushed: //p')"
export NOMAD_ADDR="${{ secrets.NOMAD_ADDR }}"
export NOMAD_NAMESPACE=websites
# run/update the website job
nomad run \
-var "region=${{ secrets.AWS_REGION }}" \
-var "production=${{ env.PRODUCTION }}" \
-var "bindle_id=${bindle_id}" \
deploy/${{ env.JOB }}.nomad
-var "region=${{ secrets.AWS_REGION_WEBSITES }}" \
-var "commit_sha=$(git rev-parse HEAD)" \
-var "ecr_ref=${{ steps.login-ecr.outputs.registry }}/${{ env.OCI_IMAGE_NAME }}@${{ steps.push.outputs.digest }}" \
deploy/spin-docs.nomad
6 changes: 2 additions & 4 deletions deploy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,10 @@ The production version of the website is deployed whenever commits are pushed to

## Manual Deploys

Deployments may also be [triggered manually](https://github.com/fermyon/spin/actions/workflows/deploy-website.yml), providing a choice of `ref`, `sha` and `environment` (eg canary or prod).
Deployments may also be [triggered manually](https://github.com/fermyon/spin/actions/workflows/deploy-website.yml), providing a choice of `ref` and `sha`.

## Nomad jobs

We currently deploy the website via its Nomad job directly. (In the future, we envision running the website as a Fermyon Cloud app.)

The [publish-spin-docs](./publish-spin-docs.nomad) Nomad job checks out this repo's source code and publishes it to Bindle.

The [spin-docs](./spin-docs.nomad) Nomad job contains configuration for the running website, including the bindle ID to run from.
The [spin-docs](./spin-docs.nomad) Nomad job contains configuration for the running website, including the OCI reference to run from.
78 changes: 0 additions & 78 deletions deploy/publish-spin-docs.nomad

This file was deleted.

Loading

0 comments on commit b98eba2

Please sign in to comment.