From 29a85b7d826eeef90dcbb1a60bc30125715de737 Mon Sep 17 00:00:00 2001 From: Mark Mandel Date: Mon, 27 Feb 2023 21:27:49 -0800 Subject: [PATCH] Central build and deploy Services pipeline (#82) The PR gives us: * Images are building and being pushed to artifact registry via Cloud Build for both the profile and ping-discovery services. * Ping Discovery is being deployed with Cloud Deploy * IAM Roles and Service accounts for the Ping Discovery Service. This should hopefully be a good template for any other services that need this setup going forward. Closes #53 Closes #46 Work on #50 --- README.md | 14 ++++- .../services/ping-service-account.yaml.tpl | 20 +++++++ infrastructure/services-gke.tf | 48 ++++++++++++++- infrastructure/terraform.tfvars.sample | 7 ++- infrastructure/variables.tf | 7 ++- services/cloudbuild.yaml | 59 +++++++++++++++++++ services/ping-discovery/.gitignore | 15 +++++ services/ping-discovery/Dockerfile | 1 + services/ping-discovery/deployment.yaml | 46 +++++++++++++++ services/skaffold.yaml | 21 +++++++ 10 files changed, 233 insertions(+), 5 deletions(-) create mode 100644 infrastructure/files/services/ping-service-account.yaml.tpl create mode 100644 services/cloudbuild.yaml create mode 100644 services/ping-discovery/.gitignore create mode 100644 services/ping-discovery/deployment.yaml create mode 100644 services/skaffold.yaml diff --git a/README.md b/README.md index 726af62..8397cdf 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,19 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=_RELEASE_NAME=rel- ## Install Game Backend Services -TODO: fill in once we have services. +To install all the backend services, submit the following Cloud Build command, and replace the` _RELEASE_NAME` +substitution with a unique build name. + +```shell +cd $GAME_DEMO_HOME/services +gcloud builds submit --config=cloudbuild.yaml --substitutions=_RELEASE_NAME=rel-1 +``` + +This will: + +* Build all the images required for all services. +* Store those image in [Artifact Registry](https://cloud.google.com/artifact-registry) +* Deploy them via Cloud Build to a Autopilot cluster. ## Game Client diff --git a/infrastructure/files/services/ping-service-account.yaml.tpl b/infrastructure/files/services/ping-service-account.yaml.tpl new file mode 100644 index 0000000..1e62615 --- /dev/null +++ b/infrastructure/files/services/ping-service-account.yaml.tpl @@ -0,0 +1,20 @@ +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ping-discovery + annotations: + iam.gke.io/gcp-service-account: ${service_email} \ No newline at end of file diff --git a/infrastructure/services-gke.tf b/infrastructure/services-gke.tf index 1b18c3b..026e5b3 100644 --- a/infrastructure/services-gke.tf +++ b/infrastructure/services-gke.tf @@ -52,7 +52,8 @@ data "google_iam_policy" "workload-id-policy" { role = "roles/iam.workloadIdentityUser" members = [ "serviceAccount:${var.project}.svc.id.goog[default/${var.k8s_service_account_id}]", - "serviceAccount:${var.project}.svc.id.goog[${var.allocation_endpoint.agones_namespace}/agones-allocator]" + "serviceAccount:${var.project}.svc.id.goog[${var.allocation_endpoint.agones_namespace}/agones-allocator]", + "serviceAccount:${var.project}.svc.id.goog[default/ping-discovery]" ] } @@ -65,3 +66,48 @@ resource "google_service_account_iam_policy" "app-service-account-iam" { depends_on = [google_project_service.project, google_container_cluster.services-gke] } + +# +# IAM for Ping Discovery Service +# + +resource "google_project_iam_custom_role" "ping_discovery_role" { + role_id = "globalGame.pingDiscovery" + title = "Global Game: Ping Discovery Service" + description = "Allows querying of forwarding rules to dynamically discover ping endpoints" + permissions = [ + "compute.forwardingRules.list", + ] +} + +resource "google_service_account_iam_binding" "ping-discovery-workload-identity-binding" { + service_account_id = google_service_account.ping_discovery_sa.name + role = "roles/iam.workloadIdentityUser" + + members = [ + "serviceAccount:${var.project}.svc.id.goog[default/ping-discovery]" + ] + + depends_on = [google_container_cluster.services-gke] +} + +resource "google_service_account" "ping_discovery_sa" { + project = var.project + account_id = "ping-sa" + display_name = "Ping Discovery Service Account" +} + +resource "google_project_iam_member" "ping_discovery_sa" { + project = var.project + role = google_project_iam_custom_role.ping_discovery_role.id + member = "serviceAccount:${google_service_account.ping_discovery_sa.email}" +} + +# Make Service Account file for deploy with Cloud Deploy +resource "local_file" "services-ping-service-account" { + content = templatefile( + "${path.module}/files/services/ping-service-account.yaml.tpl", { + service_email = google_service_account.ping_discovery_sa.email + }) + filename = "${path.module}/${var.services_directory}/ping-discovery/service-account.yaml" +} diff --git a/infrastructure/terraform.tfvars.sample b/infrastructure/terraform.tfvars.sample index 6d11912..8a48007 100644 --- a/infrastructure/terraform.tfvars.sample +++ b/infrastructure/terraform.tfvars.sample @@ -17,6 +17,7 @@ project = "PROJECT_ID" # Cloud Deploy Configuration platform_directory = "../platform" # Relative to Terraform directory +services_directory = "../services" # Relative to Terraform directory clouddeploy_config = { "location" : "us-central1" } @@ -39,7 +40,7 @@ vpc_regions = { # Game GKE Cluster Config Values ### NOTE: If you change the GKE Clusters, please make sure to change `cloudbuild.yaml` in -### `agones/install` & `deploy/agones/endpoint-patch/` as they are not dynamically created. +### `platform/agones/install` as they are not dynamically created. game_gke_clusters = { "global-game-us-central1-01" : { "short_name" : "us-central1-01", @@ -106,8 +107,10 @@ services_gke_config = { } # Artifact Registry variables +### NOTE: If you change the Artifact registry location, please make sure to change `cloudbuild.yaml` in +### `services/clouddeploy.yaml;` as it is not dynamically created. artifact_registry_config = { - location = "us-central1" + location = "us" } # Agones Application Service Account Name diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf index 69d468d..f00653f 100644 --- a/infrastructure/variables.tf +++ b/infrastructure/variables.tf @@ -113,5 +113,10 @@ variable "allocation_endpoint" { variable "platform_directory" { type = string - description = "Services Directory for outputed Cloud Deploy related files" + description = "Platform Directory for output to Cloud Deploy related files" +} + +variable "services_directory" { + type = string + description = "Services Directory for output to Cloud Deploy related files" } diff --git a/services/cloudbuild.yaml b/services/cloudbuild.yaml new file mode 100644 index 0000000..f90c850 --- /dev/null +++ b/services/cloudbuild.yaml @@ -0,0 +1,59 @@ +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cloudbuild-cicd@${PROJECT_ID}.iam.gserviceaccount.com +steps: + +# +# Building of images +# + + - name: gcr.io/cloud-builders/docker + id: ping-discovery + args: ["build", ".", "-t", "${_PING_IMAGE}"] + dir: ping-discovery + - name: gcr.io/cloud-builders/docker + id: profile + args: ["build", ".", "-t", "${_REGISTRY}/profile:${BUILD_ID}"] + dir: profile + +# +# Deployment +# + + - name: gcr.io/google.com/cloudsdktool/cloud-sdk + id: cloud-deploy-release + entrypoint: gcloud + args: + [ + "deploy", "releases", "create", "${_RELEASE_NAME}", + "--delivery-pipeline", "global-game-services", + "--skaffold-file", "skaffold.yaml", + "--skaffold-version", "1.39", + "--images", "ping-discovery=${_PING_IMAGE}", + "--region", "us-central1" + ] + +artifacts: + images: + - ${_REGISTRY}/ping-discovery + - ${_REGISTRY}/profile +substitutions: + _PING_IMAGE: ${_REGISTRY}/ping-discovery:${BUILD_ID} + _REGISTRY: us-docker.pkg.dev/${PROJECT_ID}/global-game-images + _RELEASE_NAME: rel-01 +options: + dynamic_substitutions: true + machineType: E2_HIGHCPU_8 + logging: CLOUD_LOGGING_ONLY diff --git a/services/ping-discovery/.gitignore b/services/ping-discovery/.gitignore new file mode 100644 index 0000000..82044d6 --- /dev/null +++ b/services/ping-discovery/.gitignore @@ -0,0 +1,15 @@ +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +service-account.yaml \ No newline at end of file diff --git a/services/ping-discovery/Dockerfile b/services/ping-discovery/Dockerfile index 4749bed..644737e 100644 --- a/services/ping-discovery/Dockerfile +++ b/services/ping-discovery/Dockerfile @@ -31,4 +31,5 @@ COPY --from=build /go/bin/ping-discovery / ENV GIN_MODE=release USER nonroot:nonroot +EXPOSE 8080 CMD ["/ping-discovery"] diff --git a/services/ping-discovery/deployment.yaml b/services/ping-discovery/deployment.yaml new file mode 100644 index 0000000..81a7cc3 --- /dev/null +++ b/services/ping-discovery/deployment.yaml @@ -0,0 +1,46 @@ +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ping-discovery +spec: + replicas: 3 + selector: + matchLabels: + app: ping-discovery + template: + metadata: + labels: + app: ping-discovery + spec: + containers: + - name: ping-discovery + image: ping-discovery + ports: + - containerPort: 8080 + serviceAccountName: ping-discovery +--- +apiVersion: v1 +kind: Service +metadata: + name: ping-discovery +spec: + type: ClusterIP + selector: + app: ping-discovery + ports: + - port: 80 + targetPort: 8080 diff --git a/services/skaffold.yaml b/services/skaffold.yaml new file mode 100644 index 0000000..9bda9af --- /dev/null +++ b/services/skaffold.yaml @@ -0,0 +1,21 @@ +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: skaffold/v2beta29 +kind: Config +deploy: + kubectl: + manifests: + - ping-discovery/service-account.yaml + - ping-discovery/deployment.yaml