-
Notifications
You must be signed in to change notification settings - Fork 3
110 lines (107 loc) · 4.01 KB
/
gcp.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
---
name: 'GCP'
on:
# push:
# branches:
# - main
# - feature/*
# pull_request:
# branches:
# - main
# - feature/*
workflow_dispatch:
inputs:
runner:
description: 'Runner type'
required: true
default: 'ubuntu-24.04'
type: choice
options:
- ubuntu-24.04
- matihost
env:
description: 'Target environment'
required: true
default: 'dev'
type: choice
options:
- dev
- prod
permissions:
contents: read
id-token: write
concurrency:
group: gcp-${{ github.ref }}
cancel-in-progress: true
env:
IMAGE_TAG: "${{ github.ref == 'refs/heads/main' && 'latest' || github.sha }}"
jobs:
gcp:
name: Run GCP related tasks
runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
environment: ${{ inputs.env || 'dev' }}
timeout-minutes: 30
container:
image: quay.io/matihost/cd
permissions:
contents: 'read'
id-token: 'write'
env:
GCP_PROJECT: "${{ vars.GCP_PROJECT }}"
# Artifact Registry docker repository
GAR_REPOSITORY: "${{ vars.GAR_REPOSITORY }}"
# Region of the Artifact Registry
GAR_LOCATION: "${{ vars.GAR_LOCATION }}"
GKE_CLUSTER: "${{ vars.GKE_CLUSTER }}"
GKE_LOCATION: "${{ vars.GKE_LOCATION }}"
steps:
# The credentials file is exported into $GITHUB_WORKSPACE, which makes it available to all future steps and filesystems (including Docker-based GitHub Actions).
# The file is automatically removed at the end of the job via a post action.
# In order to use exported credentials, the actions/checkout step has be present before calling auth.
# This is due to how GitHub Actions creates $GITHUB_WORKSPACE.
- name: Checkout
uses: actions/checkout@v4
# Configure Workload Identity Federation and generate an access token.
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
token_format: 'access_token'
# Format: 'projects/137505059283/locations/global/workloadIdentityPools/gh-pool/providers/gh-pool-provider'
workload_identity_provider: "${{ secrets.GH_WORKLOAD_IDENTITY_PROVIDER}}"
# Format: '[email protected]'
service_account: "${{ secrets.GH_GSA}}"
# Alternative option - authentication via credentials json
# - id: 'auth'
# uses: 'google-github-actions/auth@v2'
# with:
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
- name: Run gcloud command
run: |-
gcloud storage buckets list --format="json(name)"
- name: Docker configuration
env:
REGISTRY_ADDRESS: "${{ vars.GAR_LOCATION }}-docker.pkg.dev"
REGISTRY_USER: 'oauth2accesstoken'
REGISTRY_PASSWORD: "${{ steps.auth.outputs.access_token }}"
run: |-
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"${{ env.REGISTRY_ADDRESS }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json
- name: Build
working-directory: k8s/images/ansible
run: |-
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --push-retry 5 - --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \
--destination="${GAR_LOCATION}-docker.pkg.dev/${GCP_PROJECT}/${GAR_REPOSITORY}/ansible:${{ env.IMAGE_TAG }}"
- name: Set up GKE credentials
uses: google-github-actions/get-gke-credentials@v2
if: ((inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04')
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_LOCATION }}
use_internal_ip: true
- name: Run kubectl
# when run on self-hosted runner within GCP network, otherwise cluster is not accessible from internet
# TODO consider add https://api.github.com/meta actions servers to authz GKE networks...
if: ((inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04')
run: |-
kubectl get svc -A