gcp_deploy.yml
##############################################################################################
# Copyright Accenture. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
# Deploy DLT network supported by Hyperledger Bevel on GCP environment
# Prerequisites
# - A GKE Cluster accessible from GitHub Runner
# - A Vault instance accessible from GitHub Runner
# - A completed network.yaml file on Github Secrets
# This workflow can be triggered manually
#
# In summary, this pipeline does the following
# 1. Prepare deployment environment files
# 2. Depending on the branch, deploys DLT network
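name: Deploy DLT network
on:
  workflow_dispatch:
  push:
    # Only allow the workflow to run in the following branches on push
    branches:
      - 'substrate'
      - 'vitalam'
    # Ignore the releases and charts as that is deployed by Flux
    paths-ignore:
      - 'docs/**'
      - '**/charts/**'
      - '**/releases/**'
# Nothing here writes back through GITHUB_TOKEN (GitOps pushes use GITOPS_TOKEN),
# so the automatic token only needs read access to the repository.
permissions:
  contents: read
env:
  GCLOUD_PROJECT: ${{ secrets.GCP_PROJECT }} # Add your Google project name here.
  GKE_CLUSTER: ${{ secrets.GKE_CLUSTER }} # Add your GKE cluster name here.
  GKE_REGION: ${{ secrets.GKE_REGION }} # Add your cluster zone here.
  GITOPS_CREDS: ${{ secrets.GITOPS_PRIVATE_KEY }} # If using ssh for Gitops, provide the base64-encoded private key
  VAULT_CREDS: ${{ secrets.VAULT_PRIVATE_KEY }} # Base64-encoded private key for access to Vault via Bastion
  VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} # Vault Token
  VAULT_SERVER: ${{ secrets.VAULT_SERVER }} # Vault Server DNS name
  VAULT_PORT: ${{ secrets.VAULT_PORT }} # Vault Port
  VAULT_BASTION: ${{ secrets.VAULT_BASTION }} # Bastion IP or DNS
  GKE_CONTEXT: ${{ secrets.GKE_CONTEXT }} # GKE Context
  GITOPS_TOKEN: ${{ secrets.GITOPS_TOKEN }} # GitHub token with right access to this repo
  # Keepalive settings written into ~/.ssh/config for the Vault tunnel (env values are strings).
  SSH_SERVER_ALIVE_INTERVAL: "60"
  SSH_SERVER_ALIVE_COUNT_MAX: "20"
jobs:
  deployment:
    runs-on: ubuntu-latest
    environment: gcp_development # Provide environment with environment secrets as defined above
    strategy:
      max-parallel: 1
    steps:
      # checkout git repo
      # NOTE(review): the version tags of the actions below are garbled in this copy of the
      # file ("[email protected]"); restore the real tags, ideally pinned to a full commit SHA.
      - name: Git checkout
        uses: actions/[email protected]
      # Install dependencies
      - name: Set up gcloud Cloud SDK environment
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.GCLOUD_PROJECT }}
      # GCP Authentication
      - name: Authenticate to Google Cloud
        uses: 'google-github-actions/[email protected]'
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
      # Get current branch (the ::set-output workflow command is deprecated; use $GITHUB_OUTPUT)
      - name: Set output
        id: vars
        run: echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
      # Get GKE kubeconfig file
      - uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: ${{ env.GKE_CLUSTER }}
          location: ${{ env.GKE_REGION }}
      # Prepare the build environment and network.yaml
      - name: Prepare build environment
        # The branch name reaches the script through the environment instead of being
        # interpolated with ${{ }} into the script text, so the shell never parses it as code.
        env:
          BRANCH: ${{ steps.vars.outputs.branch }}
        # An explicit `shell: bash` runs with `set -eo pipefail`, so a failing pipe
        # (e.g. `base64 --decode` on a malformed secret) aborts the step instead of
        # silently producing an empty key file.
        shell: bash
        run: |
          mkdir -p build
          mkdir -p ~/.ssh
          LOCAL_BUILD_PATH="$(pwd)/build"
          # Discover the runner's public IPv4 address and fail loudly rather than feeding
          # an HTTP error page or an empty string into the firewall rule below.
          RUNNER_IP="$(curl -fsS https://ipv4.icanhazip.com/ | tr -d '[:space:]')"
          if ! [[ "${RUNNER_IP}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
            echo "Could not determine the runner's public IPv4 address (got '${RUNNER_IP}')" >&2
            exit 1
          fi
          echo "${RUNNER_IP}" > ./build/localip
          # Move Kubeconfig to build dir
          mv "${KUBECONFIG}" ./build/config
          # Add ssh access to Bastion Firewall rule -- `allow-github-ssh` should already be created and service account must have rights to get-update
          gcloud compute firewall-rules update allow-github-ssh --source-ranges="${RUNNER_IP}/32"
          # Decode the base64 encoded private keys from secrets. Command tracing is never
          # enabled in this step: the sed commands further down expand VAULT_TOKEN and
          # GITOPS_TOKEN on the command line, and GitHub's log masking is best-effort.
          echo -n "${GITOPS_CREDS}" | base64 --decode > "${LOCAL_BUILD_PATH}/gitops"
          echo -n "${VAULT_CREDS}" | base64 --decode > ~/.ssh/vault.pem
          chmod 400 "${LOCAL_BUILD_PATH}/gitops"
          chmod 400 ~/.ssh/vault.pem
          # Update ssh configs for access.
          # NOTE(review): ssh-keyscan trusts whatever host key is presented at run time
          # (trust-on-first-use). Pre-pinned known_hosts entries supplied as a secret would
          # let the tunnel detect a substituted bastion instead of silently accepting it.
          ssh-keyscan github.com >> ~/.ssh/known_hosts
          ssh-keyscan "${VAULT_BASTION}" >> ~/.ssh/known_hosts
          # Add vault dns mapping to localhost as we are using an ssh tunnel via bastion
          echo "127.0.0.1 ${VAULT_SERVER}" | sudo tee -a /etc/hosts > /dev/null
          echo "ServerAliveInterval ${SSH_SERVER_ALIVE_INTERVAL}" >> ~/.ssh/config
          echo "ServerAliveCountMax ${SSH_SERVER_ALIVE_COUNT_MAX}" >> ~/.ssh/config
          # Create the ssh tunnel to Vault server via Bastion host
          ssh -i ~/.ssh/vault.pem -f -q -N -L "${VAULT_PORT}:${VAULT_SERVER}:${VAULT_PORT}" "ubuntu@${VAULT_BASTION}"
          # Copy and update the network.yaml with secrets
          cp "platforms/substrate/configuration/samples/network-${BRANCH}.yaml" build/network.yaml
          # NOTE(review): the committer e-mail below is garbled in this copy of the file; restore the real value.
          git config --global user.email "[email protected]"
          git config --global user.name "bevel"
          git config --global push.default matching
          # The sed expressions are quoted so the shell neither globs the '*' delimiters nor
          # word-splits the expanded values. The substituted values must not contain the
          # delimiter ('+' or '*'), '&' or a backslash, or sed will misread the replacement.
          sed -i -e "s+/BUILD_DIR+${LOCAL_BUILD_PATH}+g" build/network.yaml
          sed -i -e "s*VAULT_TOKEN*${VAULT_TOKEN}*g" build/network.yaml
          sed -i -e "s*VAULT_URL*${VAULT_SERVER}*g" build/network.yaml
          sed -i -e "s*VAULT_PORT*${VAULT_PORT}*g" build/network.yaml
          sed -i -e "s*GKE_CONTEXT*${GKE_CONTEXT}*g" build/network.yaml
          sed -i -e "s*GIT_TOKEN*${GITOPS_TOKEN}*g" build/network.yaml
      # Add upterm session when trying to debug ( add 'debug' in the commit message ).
      # At this point the runner holds the decoded ssh keys and a network.yaml containing
      # the Vault and GitOps tokens, so the session is restricted to the triggering actor.
      - name: Setup upterm session
        if: ${{ contains(github.event.head_commit.message, 'debug') }}
        uses: lhotari/action-upterm@v1
        with:
          ## limits ssh access and adds the ssh public key for the user which triggered the workflow
          limit-access-to-actor: true
      # Deploy dlt platform using ansible.
      - name: Deploy DLT platform
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
          ANSIBLE_STDOUT_CALLBACK: "yaml"
        run: |
          mkdir -p ~/bin
          export PATH=$PATH:~/bin
          # Openshift has to be deployed using pip3
          pip3 install openshift=='0.12.0'
          ansible-galaxy collection install -r platforms/shared/configuration/requirements.yaml
          # Required, playbook filepath
          ansible-playbook platforms/shared/configuration/site.yaml \
            -i platforms/shared/inventory/ansible_provisioners \
            -e "@build/network.yaml" \
            -e "no_ansible_log=true"
  post-deployment:
    # Runs even when the deployment failed so the firewall opening is always reverted.
    if: ${{ always() }}
    needs: [deployment]
    runs-on: ubuntu-latest
    # Same environment as `deployment`: the environment-scoped secrets referenced in the
    # top-level `env` (and GOOGLE_CREDENTIALS below) only resolve for jobs that declare it.
    environment: gcp_development
    strategy:
      max-parallel: 1
    steps:
      # Install dependencies
      - name: Set up gcloud Cloud SDK environment
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.GCLOUD_PROJECT }}
      # GCP Authentication
      - name: Authenticate to Google Cloud
        uses: 'google-github-actions/[email protected]'
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
      # Cleanup. This job runs on a fresh runner, so the `build` directory and the decoded
      # ssh key of the deployment job are already gone with that runner; the only state
      # that outlives it is the firewall rule, which is reset here. The step is allowed to
      # fail the job: a silently failed revert would leave the rule open for an address
      # the runner no longer owns.
      - name: Remove github runner in firewall rule and secrets
        run: |
          gcloud compute firewall-rules update allow-github-ssh --source-ranges=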