From d8cf65e23cbd1cf009ad112ff5571ed23c507e41 Mon Sep 17 00:00:00 2001
From: nspmx
Date: Fri, 31 Mar 2023 00:13:30 -0300
Subject: [PATCH 1/2] update example required env variables

---
 .env | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.env b/.env
index 326d75e..5c6959e 100644
--- a/.env
+++ b/.env
@@ -1,8 +1,9 @@
-CANON_API="https://api.dataafrica.io/"
-
+# canon-cms required variables
+CANON_API=http://localhost:3300
 CANON_LANGUAGE_DEFAULT=en
 CANON_LANGUAGES=en,es
-
-# Env vars prefixed with CANON_CONST_ are later replaced in builds
-# You have to use the __{KEY}__ global variable
-CANON_CONST_TESTCONST=23
+CANON_LOGINS=true
+CANON_CMS_ENABLE=true
+CANON_CMS_LOGGING=true
+CANON_CMS_DB=postgresql://:@:/
+CANON_CMS_CUBES=https://tesseract-url.com/tesseract

From 288dfa2fedddb4fa1d2ac1383cc8f729e31fd29a Mon Sep 17 00:00:00 2001
From: nspmx
Date: Fri, 31 Mar 2023 00:20:45 -0300
Subject: [PATCH 2/2] update workflows

---
 .../google-registry-cloudrun-develop.yml | 148 ------------------
 .../workflows/google-registry-gke-develop.yml | 133 ----------------
 .github/workflows/google-registry-gke.yml | 24 ++-
 3 files changed, 11 insertions(+), 294 deletions(-)
 delete mode 100644 .github/workflows/google-registry-cloudrun-develop.yml
 delete mode 100644 .github/workflows/google-registry-gke-develop.yml

diff --git a/.github/workflows/google-registry-cloudrun-develop.yml b/.github/workflows/google-registry-cloudrun-develop.yml
deleted file mode 100644
index b291f84..0000000
--- a/.github/workflows/google-registry-cloudrun-develop.yml
+++ /dev/null
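Review bot: The new `CANON_CMS_DB=postgresql://:@:/` line puts a database-credential slot into a git-tracked file named `.env`, which is the file dotenv loaders read by default, so the first developer who fills it in locally has a live connection string one `git add` away from the repository. The commit subject calls this an example, and the file name should say so: keep the template as `.env.example`, add `.env` to `.gitignore`, and lead with a header such as `# Template only - copy to a gitignored .env before adding real values`. The removed comment explaining that `CANON_CONST_*` variables are substituted at build time and read through `__{KEY}__` was the only description of that mechanism here; if it still applies, keep the note rather than dropping it together with the example constant.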
@@ -1,148 +0,0 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "develop" branch -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled in the project: -# -# Cloud Build cloudbuild.googleapis.com -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create a service account (if you don't have one) with the following fields: -# -# Service Account Name -github-actions -# Service Account ID -github-actions -# -# 3. Ensure the service account have the required IAM permissions granted: -# -# Cloud Build -# roles/cloudbuild.builds.editor (cloud build editor) -# roles/cloudbuild.builds.builder (cloud build service account) -# -# Cloud Run -# roles/run.admin (cloud run admin) -# -# Artifact Registry -# roles/artifactregistry.repoAdmin (artifact registry repository administrator) -# roles/artifactregistry.admin (artifact registry administrator) -# -# Service Account -# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) -# -# Basic Roles -# roles/viewer (viewer) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Ensure you have the following GitHub Secrets and Variables: -# -# GitHub Secrets -# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets -# -# GitHub Variables -# GCP_PROJECT_ID (Google Cloud Project ID) -# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) -# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) -# -# 5. 
Ensure you have the following GitHub Variables for each environment that you will set up: -# -# GitHub Secrets -# CANON_CMS_DB (Canon CMD DB String) -# -# GitHub Variables -# GCP_CLOUDRUN_SERVICE (CloudRun Service Name of the environment) -# GCP_CLOUDRUN_REGION (CloudRun Service Region of the environment) -# CANON_API (Canon API Endpoint) -# CANON_CMS_CUBES (Canon Tesseract API Cubes Endpoint) -# CANON_CONST_STORAGE_BUCKET (Google Storage Bucket) -# FLICKR_API_KEY (Flickr API Key) -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege -# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun -name: "[Google Cloud] Build to Artifact Registry and Deploy Dev to Cloud Run" - -on: - push: - branches: [ "develop" ] - -env: - GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} - GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} - GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} - GCP_CLOUDRUN_SERVICE: ${{ vars.GCP_CLOUDRUN_SERVICE }} - GCP_CLOUDRUN_REGION: ${{ vars.GCP_CLOUDRUN_REGION }} - CANON_API: ${{ vars.CANON_API }} - CANON_CMS_CUBES: ${{ vars.CANON_CMS_CUBES }} - CANON_CONST_STORAGE_BUCKET: ${{ vars.CANON_CONST_STORAGE_BUCKET }} - FLICKR_API_KEY: ${{ vars.FLICKR_API_KEY }} - -jobs: - build: - runs-on: ubuntu-latest - environment: develop - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' - with: - project_id: '${{ 
env.GCP_PROJECT_ID }}' - credentials_json: '${{ secrets.GCP_SA_KEY }}' - - # Build image on Google Cloud Artifact Registry - - name: Build Docker Image - run: |- - gcloud builds submit \ - --quiet \ - --timeout=20m \ - --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} - - # Uncomment for adding the latest tag to the latest image created - - name: Add 'Latest' Tag to Development Environments - run: |- - gcloud beta artifacts docker tags add \ - --quiet \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:latest - - deploy: - needs: build - runs-on: ubuntu-latest - environment: develop - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' - with: - project_id: '${{ vars.GCP_PROJECT_ID }}' - credentials_json: '${{ secrets.GCP_SA_KEY }}' - - - name: Deploy to Cloud Run - id: 'deploy' - uses: 'google-github-actions/deploy-cloudrun@v1' - with: - service: '${{ env.GCP_CLOUDRUN_SERVICE }}' - image: '${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }}' - region: '${{ env.GCP_CLOUDRUN_REGION }}' - flags: '--port=3300 --min-instances=0 --max-instances=4 --allow-unauthenticated' - env_vars: | - CANON_API=${{ env.CANON_API }} - CANON_CMS_CUBES=${{ env.CANON_CMS_CUBES }} - CANON_CMS_DB=${{ secrets.CANON_CMS_DB }} - CANON_CONST_STORAGE_BUCKET=${{ env.CANON_CONST_STORAGE_BUCKET }} - FLICKR_API_KEY=${{ env.FLICKR_API_KEY }} - - # If required, use the 
Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} diff --git a/.github/workflows/google-registry-gke-develop.yml b/.github/workflows/google-registry-gke-develop.yml deleted file mode 100644 index 98ac801..0000000 --- a/.github/workflows/google-registry-gke-develop.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled in the project: -# -# Cloud Build cloudbuild.googleapis.com -# Kubernetes Engine API container.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create a service account (if you don't have one) with the following fields: -# -# Service Account Name -github-actions -# Service Account ID -github-actions -# -# 3. Ensure the service account have the required IAM permissions granted: -# -# Kubernetes Engine Developer -# roles/container.developer (kubernetes engine developer) -# -# Artifact Registry -# roles/artifactregistry.repoAdmin (artifact registry repository administrator) -# roles/artifactregistry.admin (artifact registry administrator) -# -# Service Account -# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) -# -# Basic Roles -# roles/viewer (viewer) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Ensure you have the following GitHub Secrets and Variables: -# -# GitHub Secrets -# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets -# -# GitHub Variables -# GCP_PROJECT_ID (Google Cloud Project ID) -# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) -# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) -# -# 5. 
Ensure you have the following GitHub Variables for each environment that you will set up: -# -# GitHub Variables -# GCP_CLOUDRUN_SERVICE (CloudRun Service Name of the environment) -# GCP_CLOUDRUN_REGION (CloudRun Service Region of the environment) -# GKE_APP_NAME (Google Kubernetes Engine Deployment Name) -# GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) -# GKE_CLUSTER (Google Kubernetes Engine Cluster Name) -# GKE_ZONE (Google Kubernetes Engine Cluster Zone) -# -# Further reading: -# Kubernetes Developer - https://cloud.google.com/iam/docs/understanding-roles#container.developer -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege -# Deploy CloudRun Github Actions - https://github.com/google-github-actions/deploy-cloudrun -name: "[Google Cloud] Build to Artifact Registry and Deploy Dev to GKE" - -on: - push: - branches: [ "develop" ] - -env: - GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} - GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} - GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} - GCP_CLOUDRUN_SERVICE: ${{ vars.GCP_CLOUDRUN_SERVICE }} - GCP_CLOUDRUN_REGION: ${{ vars.GCP_CLOUDRUN_REGION }} - GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} - GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} - GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} - GKE_ZONE: ${{ vars.GKE_ZONE }} - -jobs: - build: - runs-on: ubuntu-latest - environment: develop - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' - with: - project_id: '${{ env.GCP_PROJECT_ID }}' - 
credentials_json: '${{ secrets.GCP_SA_KEY }}' - - # Build image on Google Cloud Artifact Registry - - name: Build Docker Image - run: |- - gcloud builds submit \ - --quiet \ - --timeout=20m \ - --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} - - # Uncomment for adding the latest tag to the latest image created - - name: Add 'Latest' Tag to Development Environments - run: |- - gcloud beta artifacts docker tags add \ - --quiet \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:latest - - deploy: - needs: build - runs-on: ubuntu-latest - environment: develop - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Authentication via credentials json - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' - with: - project_id: '${{ vars.GCP_PROJECT_ID }}' - credentials_json: '${{ secrets.GCP_SA_KEY }}' - - # Get google kubernetes engine credentials - - name: Get GKE Credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - - # Restart deployment by deleting old pod - - name: Restart Deployment - run: kubectl delete pod -n ${{ env.GKE_APP_NAMESPACE }} -l app=${{ env.GKE_APP_NAME }} diff --git a/.github/workflows/google-registry-gke.yml b/.github/workflows/google-registry-gke.yml index a95dcdf..631b117 100644 --- a/.github/workflows/google-registry-gke.yml +++ b/.github/workflows/google-registry-gke.yml 
@@ -43,8 +43,7 @@ # 5. Ensure you have the following GitHub Variables for each environment that you will set up: # # GitHub Variables -# GCP_CLOUDRUN_SERVICE (CloudRun Service Name of the environment) -# GCP_CLOUDRUN_REGION (CloudRun Service Region of the environment) +# GCP_IMAGE_NAME (Docker Image Name) # GKE_APP_NAME (Google Kubernetes Engine Deployment Name) # GKE_APP_NAMESPACE (Google Kubernetes Engine Deployment Namespace) # GKE_CLUSTER (Google Kubernetes Engine Cluster Name) @@ -66,8 +65,7 @@ env: GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} - GCP_CLOUDRUN_SERVICE: ${{ vars.GCP_CLOUDRUN_SERVICE }} - GCP_CLOUDRUN_REGION: ${{ vars.GCP_CLOUDRUN_REGION }} + GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} @@ -76,7 +74,7 @@ env: jobs: build: runs-on: ubuntu-latest - environment: staging + environment: playground steps: - name: Checkout uses: actions/checkout@v3 
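Review bot: Changing `environment: staging` to `environment: playground` on the `build` job also changes which environment-scoped secrets and deployment protection rules apply, and the `deploy` job that actually reads `secrets.GCP_SA_KEY` gets the same switch in the next hunk, so the `playground` environment must already hold that secret and carry the same required-reviewer and branch rules the `staging` one had, or the next push either fails at auth or deploys ungated. The workflow's `on:` trigger is outside this hunk; if it still fires on the staging branch, the branch-to-environment mapping is now inconsistent and worth re-checking. A short comment above the key would keep the next edit from silently re-pointing credentials: `# GitHub environment: scopes GCP_SA_KEY and the deployment protection rules for this job`.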
@@ -95,20 +93,20 @@ jobs: gcloud builds submit \ --quiet \ --timeout=20m \ - --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} - + --tag ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} + # Uncomment for adding the latest tag to the latest image created - - name: Add 'Latest' Tag to Development Environments + - name: Add 'Latest' Tag to Development Environments run: |- gcloud beta artifacts docker tags add \ --quiet \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:${{ github.sha }} \ - ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_CLOUDRUN_SERVICE }}:latest + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \ + ${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:latest deploy: needs: build runs-on: ubuntu-latest - environment: staging + environment: playground steps: - name: Checkout uses: actions/checkout@v3 @@ -120,7 +118,7 @@ jobs: with: project_id: '${{ vars.GCP_PROJECT_ID }}' credentials_json: '${{ secrets.GCP_SA_KEY }}' - + # Get google kubernetes engine credentials - name: Get GKE Credentials uses: google-github-actions/get-gke-credentials@v0 
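Review bot: The rewritten `--tag` line and the two `gcloud beta artifacts docker tags add` arguments splice `${{ env.GCP_IMAGE_NAME }}` and the other registry variables into the `run:` script text at template time, the pattern GitHub's hardening guidance warns against because any shell metacharacter in a value becomes shell syntax; `vars.*` are admin-set so the exposure is small, but the safer form is free here because the workflow-level `env:` block already exports these names to the step's shell. Read them as shell variables instead, e.g. `--tag "${GCP_ARTIFACT_REGISTRY_LOCATION}-docker.pkg.dev/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${GCP_IMAGE_NAME}:${GITHUB_SHA}"`, and the same substitution in the two tag-add lines. The step comment `# Uncomment for adding the latest tag to the latest image created` describes a step that is active, not commented out; it would read better as `# Also tag this build as :latest (mutable tag; pin the sha-tagged image in the deployment if reproducible rollbacks matter)`, since the `Restart Deployment` step in the following hunk only deletes pods and presumably relies on the cluster re-pulling `:latest`.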
@@ -130,4 +128,4 @@ jobs: # Restart deployment by deleting old pod - name: Restart Deployment - run: kubectl delete pod -n ${{ env.GKE_APP_NAMESPACE }} -l app=${{ env.GKE_APP_NAME }} + run: kubectl delete pod -n ${{ env.GKE_APP_NAMESPACE }} -l app=${{ env.GKE_APP_NAME }} \ No newline at end of file