Merge branch 'main' of https://github.com/trieb-work/eci #983
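---
# Production deployment for the eci monorepo.
#
# Flow on every push to "main":
#   1. build          – one image per service (worker, logdrain, bullboard), pushed to ghcr.io
#                       with the tags computed by docker/metadata-action (incl. "sha-<7 hex>").
#   2. release        – runs semantic-release; if a release tag was produced, re-tags the
#                       "sha-<short>" images built in (1) with that version and pushes them.
#   3. deploy-*       – helm-upgrades each service in the eci-prod namespace using the
#                       "sha-<short>" image from (1).
#
# Security notes for this revision:
#   - GITHUB_TOKEN is restricted to the minimum scopes each job needs (see `permissions`).
#   - No step prints credentials: the former `cat ~/.docker/config.json`, `helm --debug`
#     (renders all --set values, i.e. every secret, into the log) and `kubectl --v=8`
#     (dumps request/response bodies) were removed.
#   - Secrets reach shell scripts through the step `env:` block instead of `${{ }}`
#     interpolation inside `run:`, so a value containing quotes or `$(...)` cannot break
#     or inject the command line.
#   - NOTE(review): all third-party actions are still pinned to major tags (@v2/@v3). Pin them
#     to full commit SHAs (`uses: owner/action@<40-hex-sha>  # vX.Y.Z`) so a moved tag cannot
#     change what runs with production credentials.
name: "Production deployment"

on:
  push:
    branches:
      - "main"

# Least privilege for the automatic GITHUB_TOKEN; jobs elevate individual scopes below.
permissions:
  contents: read

# Never run two production rollouts concurrently: a second push to main queues behind the
# running one instead of racing it on the same Helm releases.
concurrency:
  group: production-deployment
  cancel-in-progress: false

env:
  NAMESPACE: eci-prod
  REGISTRY: ghcr.io

jobs:
  # Build & push one image per service. Tags come from docker/metadata-action; the deploy and
  # release jobs rely on its `type=sha` tag, which by default is "sha-" + first 7 hex chars of
  # the commit SHA.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        service: ["worker", "logdrain", "bullboard"]
    env:
      IMAGE_NAME: ${{ github.repository }}/${{ matrix.service }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha

      - name: Build image
        id: docker-build-push
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          file: ./services/${{ matrix.service }}/Dockerfile
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: commit_sha=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # Run semantic-release, then tag the images built above with the released version.
  release:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write        # semantic-release pushes the release commit/tag and creates the GitHub release
      issues: write          # @semantic-release/github comments on released issues
      pull-requests: write   # ... and on released pull requests
      packages: write        # re-tag and push the service images
    env:
      IMAGE_BASE: ${{ github.repository }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # semantic-release needs the tag history to compute the next version.
          fetch-depth: 0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup pnpm
        uses: pnpm/action-setup@v2

      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 18
          cache: 'pnpm'

      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # NOTE(review): this resolves whatever versions of semantic-release and
          # @semantic-release/git are current at run time (supply-chain exposure). Prefer
          # declaring both as pinned devDependencies so the committed lockfile governs them.
          pnpm i @semantic-release/git semantic-release
          pnpm semantic-release

      # The previous version of this step used `semantic-release --version`, which prints the
      # version of the semantic-release CLI itself, not the version it just released.
      # semantic-release tags the release commit it creates (default tagFormat "v${version}"),
      # so the project version is read from the tag on HEAD. When no release was made
      # (no releasable commits) no tag is on HEAD and CURRENT_VERSION stays unset, so an
      # older version tag is never re-pointed at the new images.
      # NOTE(review): adjust the `${tag#v}` strip if the repo's tagFormat differs.
      - name: Determine released version and image sha tag
        run: |
          set -euo pipefail
          if tag="$(git describe --tags --exact-match HEAD 2>/dev/null)"; then
            echo "CURRENT_VERSION=${tag#v}" >> "$GITHUB_ENV"
          else
            echo "No release tag on HEAD; image version tagging will be skipped"
          fi
          # Matches docker/metadata-action's `type=sha` default (first 7 hex chars).
          echo "DOCKER_TAG_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV"

      # Pull each "sha-<short>" image produced by the build job, add the version tag, push.
      - name: Tag and push images
        if: env.CURRENT_VERSION != ''
        run: |
          set -euo pipefail
          for service in worker bullboard logdrain; do
            image="${REGISTRY}/${IMAGE_BASE}/${service}"
            docker pull "${image}:sha-${DOCKER_TAG_SHA}"
            docker tag "${image}:sha-${DOCKER_TAG_SHA}" "${image}:${CURRENT_VERSION}"
            docker push "${image}:${CURRENT_VERSION}"
          done

  deploy-worker:
    name: Deploy Worker
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    env:
      IMAGE_NAME: ${{ github.repository }}/worker
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: azure/setup-kubectl@v3
        with:
          version: v1.25.2

      - uses: azure/setup-helm@v3
        with:
          version: 'v3.10.0'

      - name: Set Kubernetes Context
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBE_CONFIG }}

      # Only needed if the image-pull-secret step below is re-enabled; the chart currently
      # relies on a pre-existing "regcred" secret in the namespace.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # - name: Create the image-pull-secret in Kubernetes
      #   run: |
      #     kubectl create secret docker-registry regcred \
      #       --save-config --dry-run=client \
      #       --from-file=.dockerconfigjson=$HOME/.docker/config.json \
      #       -o yaml | kubectl apply -f -

      # Secrets are passed via the step environment, never interpolated into the script.
      # Helm `--set` splits values on ","; a secret containing a comma must be escaped as "\,".
      # The image tag is derived from GITHUB_SHA exactly like the build job's `type=sha` tag
      # (`git rev-parse --short` may return more than 7 characters in large repos).
      - name: Run helm deploy
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PORT: ${{ secrets.REDIS_PORT }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
          ELASTIC_LOGGING_SERVER: ${{ secrets.ELASTIC_LOGGING_SERVER }}
          ELASTIC_LOGGING_USERNAME: ${{ secrets.ELASTIC_LOGGING_USERNAME }}
          ELASTIC_LOGGING_PASSWORD: ${{ secrets.ELASTIC_LOGGING_PASSWORD }}
          PROD_KAFKA_BROKER_URL: ${{ secrets.PROD_KAFKA_BROKER_URL }}
          PROD_KAFKA_USERNAME: ${{ secrets.PROD_KAFKA_USERNAME }}
          PROD_KAFKA_PASSWORD: ${{ secrets.PROD_KAFKA_PASSWORD }}
          SENDGRID_API_KEY: ${{ secrets.SENDGRID_API_KEY }}
          SECRET_KEY_PROD: ${{ secrets.SECRET_KEY_PROD }}
        run: >
          helm upgrade eci-worker-v2 ./services/worker/helm-chart
          --install
          --create-namespace
          --namespace="${NAMESPACE}"
          --set=imagePullSecret="regcred"
          --set=image.imageName="${REGISTRY}/${IMAGE_NAME}:sha-${GITHUB_SHA::7}"
          --set=eciEnv="production"
          --set=databaseUrl="${DATABASE_URL}"
          --set=signingKey="${SIGNING_KEY}"
          --set=redis.host="${REDIS_HOST}"
          --set=redis.port="${REDIS_PORT}"
          --set=redis.password="${REDIS_PASSWORD}"
          --set=elasticsearch.host="${ELASTIC_LOGGING_SERVER}"
          --set=elasticsearch.username="${ELASTIC_LOGGING_USERNAME}"
          --set=elasticsearch.password="${ELASTIC_LOGGING_PASSWORD}"
          --set=kafka.brokerUrl="${PROD_KAFKA_BROKER_URL}"
          --set=kafka.saslMechanism="scram-sha-256"
          --set=kafka.username="${PROD_KAFKA_USERNAME}"
          --set=kafka.password="${PROD_KAFKA_PASSWORD}"
          --set=sendgridApiKey="${SENDGRID_API_KEY}"
          --set=secretKey="${SECRET_KEY_PROD}"

  deploy-logdrain:
    name: Deploy Logdrain
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    env:
      IMAGE_NAME: ${{ github.repository }}/logdrain
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: azure/setup-kubectl@v3
        with:
          version: v1.25.2

      - uses: azure/setup-helm@v3
        with:
          version: 'v3.10.0'

      - name: Set Kubernetes Context
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBE_CONFIG }}

      # Only needed if the image-pull-secret step below is re-enabled. The former
      # `cat ~/.docker/config.json` step was removed: it wrote the registry credential
      # (base64-encoded, so not caught by secret masking) into the job log.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # - name: Create the image-pull-secret in Kubernetes
      #   run: |
      #     kubectl create secret docker-registry regcred \
      #       --save-config --dry-run=client \
      #       --from-file=.dockerconfigjson=$HOME/.docker/config.json \
      #       -o yaml | kubectl apply -f -

      # Secrets via step env (see deploy-worker); commas in secrets must be escaped as "\,".
      - name: Run helm deploy
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PORT: ${{ secrets.REDIS_PORT }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
          ELASTIC_LOGGING_SERVER: ${{ secrets.ELASTIC_LOGGING_SERVER }}
          ELASTIC_LOGGING_USERNAME: ${{ secrets.ELASTIC_LOGGING_USERNAME }}
          ELASTIC_LOGGING_PASSWORD: ${{ secrets.ELASTIC_LOGGING_PASSWORD }}
          LOGDRAIN_CLIENT_ID: ${{ secrets.LOGDRAIN_CLIENT_ID }}
          LOGDRAIN_CLIENT_SECRET: ${{ secrets.LOGDRAIN_CLIENT_SECRET }}
          LOGDRAIN_REDIRECT_URI: ${{ secrets.LOGDRAIN_REDIRECT_URI }}
          LOGDRAIN_HOST: ${{ secrets.LOGDRAIN_HOST }}
        run: >
          helm upgrade eci-logdrain ./services/logdrain/helm-chart
          --install
          --create-namespace
          --namespace="${NAMESPACE}"
          --set=imagePullSecret="regcred"
          --set=image.imageName="${REGISTRY}/${IMAGE_NAME}:sha-${GITHUB_SHA::7}"
          --set=eciEnv="production"
          --set=databaseUrl="${DATABASE_URL}"
          --set=redis.host="${REDIS_HOST}"
          --set=redis.port="${REDIS_PORT}"
          --set=redis.password="${REDIS_PASSWORD}"
          --set=elasticsearch.host="${ELASTIC_LOGGING_SERVER}"
          --set=elasticsearch.username="${ELASTIC_LOGGING_USERNAME}"
          --set=elasticsearch.password="${ELASTIC_LOGGING_PASSWORD}"
          --set=logdrain.client.id="${LOGDRAIN_CLIENT_ID}"
          --set=logdrain.client.secret="${LOGDRAIN_CLIENT_SECRET}"
          --set=logdrain.redirectUri="${LOGDRAIN_REDIRECT_URI}"
          --set=ingress.host="${LOGDRAIN_HOST}"

  deploy-bullboard:
    name: Deploy bullboard
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    env:
      IMAGE_NAME: ${{ github.repository }}/bullboard
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: azure/setup-kubectl@v3
        with:
          version: v1.25.2

      - uses: azure/setup-helm@v3
        with:
          version: 'v3.10.0'

      - name: Set Kubernetes Context
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBE_CONFIG }}

      # Only needed if the image-pull-secret step below is re-enabled. The former
      # `cat ~/.docker/config.json` step was removed: it wrote the registry credential
      # (base64-encoded, so not caught by secret masking) into the job log.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # - name: Create the image-pull-secret in Kubernetes
      #   run: |
      #     kubectl create secret docker-registry regcred \
      #       --save-config --dry-run=client \
      #       --from-file=.dockerconfigjson=$HOME/.docker/config.json \
      #       -o yaml | kubectl apply -f -

      # `--validate=false` only disables kubectl's client-side schema check (presumably because
      # the cert-manager Certificate CRD is not in its local schema); the API server still
      # validates the object against the CRD. The former `--v=8` was dropped because it logs
      # full HTTP request/response bodies.
      - name: Create the wildcard certificate for *.eci-prod.eu.fsn1.trwrk.xyz
        run: kubectl -n "${NAMESPACE}" --validate=false apply -f ./wildcard-cert-eci.yml

      # Secrets via step env (see deploy-worker); commas in secrets must be escaped as "\,".
      - name: Run helm deploy
        env:
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PORT: ${{ secrets.REDIS_PORT }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
          GOOGLE_OAUTH_ID: ${{ secrets.GOOGLE_OAUTH_ID }}
          GOOGLE_OAUTH_SECRET: ${{ secrets.GOOGLE_OAUTH_SECRET }}
        run: >
          helm upgrade eci-bullboard ./services/bullboard/helm-chart
          --install
          --create-namespace
          --namespace="${NAMESPACE}"
          --set=imagePullSecret="regcred"
          --set=image.imageName="${REGISTRY}/${IMAGE_NAME}:sha-${GITHUB_SHA::7}"
          --set=nodeEnv="production"
          --set=redis.host="${REDIS_HOST}"
          --set=redis.port="${REDIS_PORT}"
          --set=redis.password="${REDIS_PASSWORD}"
          --set=ingress.host="queue-manager.eci-prod.eu.fsn1.trwrk.xyz"
          --set=ingress.tls.secretName="eci-trwrk-wildcard"
          --set=google.clientId="${GOOGLE_OAUTH_ID}"
          --set=google.clientSecret="${GOOGLE_OAUTH_SECRET}"
          --set=ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt-prod"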