Central build and deploy Services pipeline (#82)

The PR gives us:

* Images are building and being pushed to artifact registry via Cloud
Build for both the profile and ping-discovery services.
* Ping Discovery is being deployed with Cloud Deploy
* IAM Roles and Service accounts for the Ping Discovery Service.

This should hopefully be a good template for any other services that
need this setup going forward.

Closes #53
Closes #46
Work on #50

README.md

@@ -101,7 +101,19 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=_RELEASE_NAME=rel-
 
 ## Install Game Backend Services
 
-TODO: fill in once we have services.
+To install all the backend services, submit the following Cloud Build command, and replace the` _RELEASE_NAME` 
+substitution with a unique build name.
+
+```shell
+cd $GAME_DEMO_HOME/services
+gcloud builds submit --config=cloudbuild.yaml --substitutions=_RELEASE_NAME=rel-1
+```
+
+This will:
+
+* Build all the images required for all services.
+* Store those image in [Artifact Registry](https://cloud.google.com/artifact-registry)
+* Deploy them via Cloud Build to a Autopilot cluster.
 
 ## Game Client
 

infrastructure/files/services/ping-service-account.yaml.tpl

@@ -0,0 +1,20 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ping-discovery
+  annotations:
+    iam.gke.io/gcp-service-account: ${service_email}

infrastructure/services-gke.tf

@@ -52,7 +52,8 @@ data "google_iam_policy" "workload-id-policy" {
     role = "roles/iam.workloadIdentityUser"
     members = [
       "serviceAccount:${var.project}.svc.id.goog[default/${var.k8s_service_account_id}]",
-      "serviceAccount:${var.project}.svc.id.goog[${var.allocation_endpoint.agones_namespace}/agones-allocator]"
+      "serviceAccount:${var.project}.svc.id.goog[${var.allocation_endpoint.agones_namespace}/agones-allocator]",
+      "serviceAccount:${var.project}.svc.id.goog[default/ping-discovery]"
     ]
   }
 
@@ -65,3 +66,48 @@ resource "google_service_account_iam_policy" "app-service-account-iam" {
 
   depends_on = [google_project_service.project, google_container_cluster.services-gke]
 }
+
+#
+# IAM for Ping Discovery Service
+#
+
+resource "google_project_iam_custom_role" "ping_discovery_role" {
+  role_id     = "globalGame.pingDiscovery"
+  title       = "Global Game: Ping Discovery Service"
+  description = "Allows querying of forwarding rules to dynamically discover ping endpoints"
+  permissions = [
+    "compute.forwardingRules.list",
+  ]
+}
+
+resource "google_service_account_iam_binding" "ping-discovery-workload-identity-binding" {
+  service_account_id = google_service_account.ping_discovery_sa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${var.project}.svc.id.goog[default/ping-discovery]"
+  ]
+
+  depends_on = [google_container_cluster.services-gke]
+}
+
+resource "google_service_account" "ping_discovery_sa" {
+  project      = var.project
+  account_id   = "ping-sa"
+  display_name = "Ping Discovery Service Account"
+}
+
+resource "google_project_iam_member" "ping_discovery_sa" {
+  project = var.project
+  role    = google_project_iam_custom_role.ping_discovery_role.id
+  member  = "serviceAccount:${google_service_account.ping_discovery_sa.email}"
+}
+
+# Make Service Account file for deploy with Cloud Deploy
+resource "local_file" "services-ping-service-account" {
+  content = templatefile(
+    "${path.module}/files/services/ping-service-account.yaml.tpl", {
+      service_email = google_service_account.ping_discovery_sa.email
+  })
+  filename = "${path.module}/${var.services_directory}/ping-discovery/service-account.yaml"
+}

infrastructure/terraform.tfvars.sample

@@ -17,6 +17,7 @@ project = "PROJECT_ID"
 
 # Cloud Deploy Configuration
 platform_directory = "../platform" # Relative to Terraform directory
+services_directory = "../services" # Relative to Terraform directory
 clouddeploy_config = {
   "location" : "us-central1"
 }
@@ -39,7 +40,7 @@ vpc_regions = {
 
 # Game GKE Cluster Config Values
 ### NOTE: If you change the GKE Clusters, please make sure to change `cloudbuild.yaml` in 
-### `agones/install` & `deploy/agones/endpoint-patch/` as they are not dynamically created.  
+### `platform/agones/install` as they are not dynamically created.
 game_gke_clusters = {
   "global-game-us-central1-01" : {
     "short_name" : "us-central1-01",
@@ -106,8 +107,10 @@ services_gke_config = {
 }
 
 # Artifact Registry variables
+### NOTE: If you change the Artifact registry location, please make sure to change `cloudbuild.yaml` in
+### `services/clouddeploy.yaml;` as it is not dynamically created.
 artifact_registry_config = {
-  location = "us-central1"
+  location = "us"
 }
 
 # Agones Application Service Account Name

infrastructure/variables.tf

@@ -113,5 +113,10 @@ variable "allocation_endpoint" {
 
 variable "platform_directory" {
   type        = string
-  description = "Services Directory for outputed Cloud Deploy related files"
+  description = "Platform Directory for output to Cloud Deploy related files"
+}
+
+variable "services_directory" {
+  type        = string
+  description = "Services Directory for output to Cloud Deploy related files"
 }

services/cloudbuild.yaml

@@ -0,0 +1,59 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cloudbuild-cicd@${PROJECT_ID}.iam.gserviceaccount.com
+steps:
+
+#
+# Building of images
+#
+
+  - name: gcr.io/cloud-builders/docker
+    id: ping-discovery
+    args: ["build", ".", "-t", "${_PING_IMAGE}"]
+    dir: ping-discovery
+  - name: gcr.io/cloud-builders/docker
+    id: profile
+    args: ["build", ".", "-t", "${_REGISTRY}/profile:${BUILD_ID}"]
+    dir: profile
+
+#
+# Deployment
+#
+
+  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
+    id: cloud-deploy-release
+    entrypoint: gcloud
+    args:
+      [
+        "deploy", "releases", "create", "${_RELEASE_NAME}",
+        "--delivery-pipeline", "global-game-services",
+        "--skaffold-file", "skaffold.yaml",
+        "--skaffold-version", "1.39",
+        "--images", "ping-discovery=${_PING_IMAGE}",
+        "--region", "us-central1"
+      ]
+
+artifacts:
+  images:
+    - ${_REGISTRY}/ping-discovery
+    - ${_REGISTRY}/profile
+substitutions:
+  _PING_IMAGE: ${_REGISTRY}/ping-discovery:${BUILD_ID}
+  _REGISTRY: us-docker.pkg.dev/${PROJECT_ID}/global-game-images
+  _RELEASE_NAME: rel-01
+options:
+  dynamic_substitutions: true
+  machineType: E2_HIGHCPU_8
+  logging: CLOUD_LOGGING_ONLY

services/ping-discovery/.gitignore

@@ -0,0 +1,15 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+service-account.yaml

services/ping-discovery/Dockerfile

@@ -31,4 +31,5 @@ COPY --from=build /go/bin/ping-discovery /
 
 ENV GIN_MODE=release
 USER nonroot:nonroot
+EXPOSE 8080
 CMD ["/ping-discovery"]

services/ping-discovery/deployment.yaml

@@ -0,0 +1,46 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ping-discovery
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: ping-discovery
+  template:
+    metadata:
+      labels:
+        app: ping-discovery
+    spec:
+      containers:
+      - name: ping-discovery
+        image: ping-discovery
+        ports:
+        - containerPort: 8080
+      serviceAccountName: ping-discovery
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ping-discovery
+spec:
+  type: ClusterIP
+  selector:
+    app: ping-discovery
+  ports:
+  - port: 80
+    targetPort: 8080

services/skaffold.yaml

@@ -0,0 +1,21 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: skaffold/v2beta29
+kind: Config
+deploy:
+  kubectl:
+    manifests:
+      - ping-discovery/service-account.yaml
+      - ping-discovery/deployment.yaml