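---
# Build & Deploy: builds the block-metrics image via a reusable docker-build
# workflow, then deploys it with Helm to an internal cluster and to a public
# EKS cluster. All credentials (DB, image pull, cluster certs, AWS STS) are
# fetched from Vault at run time; nothing is stored in this file.
#
# NOTE(review): every first-party action reference floats on `@main`
# (Chia-Network/actions/...), the third-party actions float on major-version
# tags (actions/checkout@v3, hashicorp/vault-action@v2), and both deploy jobs
# run inside a mutable third-party image
# (registry.gitlab.com/cmmarslender/kubectl-helm:v3). Each of these runs with
# the Vault token, DB credentials, cluster certs and AWS credentials in scope,
# so a change to any of those refs is code execution with production access.
# Pin each `uses:` to a full commit SHA and the container image to a digest
# (`image@sha256:...`). The refs are left untouched here; no SHAs are invented.
#
# NOTE(review): the deploy jobs run on self-hosted runners with production
# credentials. Do not add `pull_request` / `pull_request_target` triggers to
# this workflow: a fork PR would then execute on those runners.
name: Build & Deploy

on:
  push:
    branches:
      - main
  workflow_dispatch:
  schedule:
    # Weekly redeploy of whatever is on the default branch (Sunday 00:10 UTC).
    - cron: '10 0 * * 0'

# Serialize runs of this workflow: a push to main and the weekly cron can
# otherwise overlap and race two `helm upgrade`s of the same release.
# An in-flight deploy is never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Workflow-wide defaults; the deploy jobs narrow these below.
# `packages: write` is needed only by the reusable docker-build workflow to
# push the image. `id-token: write` is presumably what the Vault login action
# uses (OIDC) -- confirm against Chia-Network/actions/vault/login.
permissions:
  id-token: write
  contents: read
  packages: write

jobs:
  # Builds and pushes the image. Inputs/secrets for the reusable workflow are
  # not visible here; see docker-build.yaml in Chia-Network/actions.
  package:
    uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main

  deploy_internal:
    name: Deploy Internal
    needs:
      - package
    runs-on: [k8s-public]
    container:
      image: registry.gitlab.com/cmmarslender/kubectl-helm:v3
    # Least privilege: no step in this job uses GITHUB_TOKEN against packages
    # (the image pull secret is sourced from Vault), so `packages: write` is
    # dropped. `id-token: write` is kept for the Vault login.
    permissions:
      id-token: write
      contents: read
    # NOTE(review): consider a GitHub `environment:` with required reviewers
    # here; as written, any user who can trigger workflow_dispatch can deploy.
    steps:
      - uses: actions/checkout@v3

      # Obtains a Vault token for the github-block-metrics role; later steps
      # read it from env.VAULT_TOKEN (exported by this action, per its usage
      # below).
      - name: Vault Login
        uses: Chia-Network/actions/vault/login@main
        with:
          vault_url: ${{ secrets.VAULT_URL }}
          role_name: github-block-metrics

      # Pulls DB, image-pull and cluster credentials into env vars. These are
      # then visible to every subsequent step in this job, including the
      # third-party container and actions. vault-action presumably masks the
      # values in logs by default -- verify that exportEnv/masking are not
      # overridden in the action version in use.
      - name: Get secrets from vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_URL }}
          token: ${{ env.VAULT_TOKEN }}
          secrets: |
            secret/data/fmt/mysql1/db-info host | DB_HOST;
            secret/data/fmt/mysql1/users/blocks-write-user username | DB_USER;
            secret/data/fmt/mysql1/users/blocks-write-user password | DB_PASSWORD;
            secret/data/fmt/k8s/ghcr_image_pull username | IMAGE_PULL_USERNAME;
            secret/data/fmt/k8s/ghcr_image_pull password | IMAGE_PULL_PASSWORD;
            secret/data/fmt/k8s/fmt-k8s-internal api_server_url | K8S_API_SERVER_URL;
            secret/data/fmt/k8s/fmt-k8s-internal private_crt | PRIVATE_CRT;
            secret/data/fmt/k8s/fmt-k8s-internal private_key | PRIVATE_KEY;
            secret/data/fmt/k8s/fmt-k8s-internal public_crt | PUBLIC_CRT;
            secret/data/fmt/k8s/fmt-k8s-internal public_key | PUBLIC_KEY;

      # Exports k8s/config.yaml as the multi-line env var CONFIG_YAML. The
      # heredoc delimiter is random so that file content cannot terminate the
      # value early and inject further variables into $GITHUB_ENV. The file
      # comes from the checked-out repo (trusted: only pushes to main, cron
      # and manual dispatch reach this job). `-e` is the default for run steps,
      # so a missing file fails the step.
      - name: Get config.yaml
        run: |
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "CONFIG_YAML<<$EOF" >> "$GITHUB_ENV"
          cat k8s/config.yaml >> "$GITHUB_ENV"
          echo "$EOF" >> "$GITHUB_ENV"

      - name: Login to k8s cluster
        uses: Chia-Network/actions/vault/k8s-login@main
        with:
          vault_url: ${{ secrets.VAULT_URL }}
          vault_token: ${{ env.VAULT_TOKEN }}
          backend_name: fmt-k8s-internal
          role_name: github-actions
          cluster_url: ${{ env.K8S_API_SERVER_URL }}

      - uses: Chia-Network/actions/k8s/image-pull-secret@main
        with:
          secret_name: block-metrics-image-pull
          namespace: block-metrics
          username: ${{ env.IMAGE_PULL_USERNAME }}
          password: ${{ env.IMAGE_PULL_PASSWORD }}
          docker_server: "ghcr.io"

      # Deploys by tag `sha-<commit>`. Tags are mutable in the registry; if
      # the package job exposes an image digest output, deploying by digest
      # would be stronger -- TODO confirm what docker-build.yaml outputs.
      - uses: Chia-Network/actions/helm/deploy@main
        env:
          DOCKER_TAG: "sha-${{ github.sha }}"
        with:
          namespace: "block-metrics"
          app_name: "block-metrics"
          helm_chart_repo: "https://chia-network.github.io/helm-charts"
          helm_chart: "generic"
          helm_values: "./k8s/internal.yaml"

  deploy_public:
    name: Deploy Public
    needs:
      - package
    runs-on: [k8s-public]
    container:
      image: registry.gitlab.com/cmmarslender/kubectl-helm:v3
    # Least privilege: as for deploy_internal, this job never touches packages
    # through GITHUB_TOKEN, so `packages: write` is dropped.
    permissions:
      id-token: write
      contents: read
    # NOTE(review): same point as deploy_internal -- a protected
    # `environment:` would gate manual deploys to the public cluster.
    steps:
      - uses: actions/checkout@v3

      - name: Vault Login
        uses: Chia-Network/actions/vault/login@main
        with:
          vault_url: ${{ secrets.VAULT_URL }}
          role_name: github-block-metrics

      # Same caveat as in deploy_internal: these land in the job environment
      # for all later steps.
      - name: Get secrets from vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_URL }}
          token: ${{ env.VAULT_TOKEN }}
          secrets: |
            secret/data/pub-metrics-eks/rds/rds-info db_host | DB_HOST;
            secret/data/pub-metrics-eks/rds/blocks-write-user username | DB_USER;
            secret/data/pub-metrics-eks/rds/blocks-write-user password | DB_PASSWORD;
            secret/data/fmt/k8s/ghcr_image_pull username | IMAGE_PULL_USERNAME;
            secret/data/fmt/k8s/ghcr_image_pull password | IMAGE_PULL_PASSWORD;
            secret/data/pub-metrics-eks/chia-certs private_crt | PRIVATE_CRT;
            secret/data/pub-metrics-eks/chia-certs private_key | PRIVATE_KEY;
            secret/data/pub-metrics-eks/chia-certs public_crt | PUBLIC_CRT;
            secret/data/pub-metrics-eks/chia-certs public_key | PUBLIC_KEY;

      # Same random-delimiter heredoc as in deploy_internal; see the comment
      # there for why the delimiter is random.
      - name: Get config.yaml
        run: |
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "CONFIG_YAML<<$EOF" >> "$GITHUB_ENV"
          cat k8s/config.yaml >> "$GITHUB_ENV"
          echo "$EOF" >> "$GITHUB_ENV"

      # Short-lived AWS credentials from Vault's STS backend for the
      # pub-metrics-deploy role; the aws CLI in the next step is assumed to
      # pick them up from the environment this action exports -- confirm.
      - name: Get ephemeral aws credentials
        uses: Chia-Network/actions/vault/aws-sts@main
        with:
          vault_url: ${{ secrets.VAULT_URL }}
          vault_token: ${{ env.VAULT_TOKEN }}
          role_name: pub-metrics-deploy

      # Writes a kubeconfig for the pub-metrics EKS cluster into the job
      # container; the container is discarded with the job.
      - name: Log in to cluster
        run: aws eks update-kubeconfig --name pub-metrics --region us-west-2

      - uses: Chia-Network/actions/k8s/image-pull-secret@main
        with:
          secret_name: block-metrics-image-pull
          namespace: block-metrics
          username: ${{ env.IMAGE_PULL_USERNAME }}
          password: ${{ env.IMAGE_PULL_PASSWORD }}
          docker_server: "ghcr.io"

      # Deploys by mutable tag; see the digest note on deploy_internal.
      - uses: Chia-Network/actions/helm/deploy@main
        env:
          DOCKER_TAG: "sha-${{ github.sha }}"
        with:
          namespace: "block-metrics"
          app_name: "block-metrics"
          helm_chart_repo: "https://chia-network.github.io/helm-charts"
          helm_chart: "generic"
          helm_values: "./k8s/pub-metrics.yaml"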