ci: support deploying to a custom GCP project

The GCP project was hardcoded, but now it's possible to specify a different one using environment variables. #122: Deploy to separate GCP project
akvo · Apr 13, 2022 · 5921147 · 5921147
1 parent 11632ef
commit 5921147
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 10 deletions.
diff --git a/ci/deploy.sh b/ci/deploy.sh
@@ -1,20 +1,31 @@
 #!/usr/bin/env bash
+# Required env vars:
+#   IMAGE_PREFIX - The host (and path if necessary) to push the docker images to
+#   CLOUDSDK_CORE_PROJECT - ID of the GCP project
+#   CLOUDSDK_CONTAINER_CLUSTER - ID of the GKE cluster
+#   CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE -
+#   CLOUDSDK_COMPUTE_ZONE - the zone of the gke cluster
+#   GCP_DOCKER_HOST - Where to push the docker images to
+# Optional env vars:
+#   GCP_SERVICE_ACCOUNT_FILE - path to file containing GCP service account credentials
 set -exuo pipefail
 
 [[ "${CI_BRANCH}" !=  "main" && ! "${CI_TAG:=}" =~ promote.* ]] && { echo "Branch different than main and not a tag. Skip deploy"; exit 0; }
-[[ "${CI_PULL_REQUEST}" ==  "true" ]] && { echo "Pull request. Skip deploy"; exit 0; }
+[[ "${CI_PULL_REQUEST:-}" ==  "true" ]] && { echo "Pull request. Skip deploy"; exit 0; }
+
+test -n "${CLOUDSDK_CORE_PROJECT}"
+test -n "${CLOUDSDK_CONTAINER_CLUSTER}"
+test -n "${CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE}"
+test -n "${CLOUDSDK_COMPUTE_ZONE}"
+test -n "${GCP_DOCKER_HOST}"
 
 auth () {
-    gcloud auth activate-service-account --key-file=/home/semaphore/.secrets/gcp.json
-    gcloud config set project akvo-lumen
-    gcloud config set container/cluster europe-west1-d
-    gcloud config set compute/zone europe-west1-d
-    gcloud config set container/use_client_certificate False
-    gcloud auth configure-docker "eu.gcr.io"
+    gcloud auth activate-service-account --key-file="${GCP_SERVICE_ACCOUNT_FILE:-/home/semaphore/.secrets/gcp.json}"
+    gcloud auth configure-docker "${GCP_DOCKER_HOST}"
 }
 
 push_image () {
-    prefix="eu.gcr.io/akvo-lumen/isco"
+    prefix="${IMAGE_PREFIX}"
     docker push "${prefix}/${1}:${CI_COMMIT}"
 }
 
@@ -29,7 +40,9 @@ prepare_deployment () {
 
     sed "s/\${CI_COMMIT}/${CI_COMMIT}/g;" \
         ci/k8s/deployment.template.yml \
-        | sed "s/\${BUCKET_FOLDER}/${cluster}/g;" > ci/k8s/deployment.yml
+        | sed "s/\${BUCKET_FOLDER}/${cluster}/g;" \
+        | sed "s|\${IMAGE_PREFIX}|${IMAGE_PREFIX}|g;" \
+        > ci/k8s/deployment.yml
 }
 
 apply_deployment () {

diff --git a/ci/k8s/deployment.template.yml b/ci/k8s/deployment.template.yml
@@ -61,7 +61,7 @@ spec:
           volumeMounts:
             - name: isco-secrets
               mountPath: /secrets/credentials.json
-              subPath: isco-service-account.json
+              subPath: backend-service-account.json
               readOnly: true
           readinessProbe:
             httpGet:
@@ -80,6 +80,53 @@ spec:
             limits:
               cpu: "500m"
               memory: "1024Mi"
+
+        - name: cloud-sql-proxy
+          spec:
+          # https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#run_the_as_a_sidecar
+          # It is recommended to use the latest version of the Cloud SQL proxy
+          # Make sure to update on a regular schedule!
+          image: eu.gcr.io/cloudsql-docker/gce-proxy:1.30.0
+          command:
+            - "/cloud_sql_proxy"
+
+            # By default, the proxy will write all logs to stderr. In some
+            # environments, anything printed to stderr is consider an error. To
+            # disable this behavior and write all logs to stdout (except errors
+            # which will still go to stderr), use:
+            - "-log_debug_stdout"
+
+            # Replace DB_PORT with the port the proxy should listen on
+            # Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
+            - "-instances=$(GOOGLE_PROJECT):$(GOOGLE_SQL_COMPUTE_ZONE):$(GOOGLE_SQL_DB_INSTANCE)=tcp:5432"
+            - "-credential_file=/secrets/cloudsql/credentials.json"
+          securityContext:
+            # The default Cloud SQL proxy image runs as the
+            # "nonroot" user and group (uid: 65532) by default.
+            runAsNonRoot: true
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+          env:
+            - name: GOOGLE_SQL_COMPUTE_ZONE
+              valueFrom:
+                configMapKeyRef:
+                  name: isco
+                  key: google-sql-compute-zone
+            - name: GOOGLE_SQL_DB_INSTANCE
+              valueFrom:
+                configMapKeyRef:
+                  name: isco
+                  key: google-sql-db-instance
+            - name: GOOGLE_PROJECT
+              valueFrom:
+                configMapKeyRef:
+                  name: isco
+                  key: google-project
+          volumeMounts:
+            - name: "isco-secrets"
+              mountPath: "/secrets/cloudsql/credentials.json"
+              subPath: "cloudsql-service-account.json"
+              readOnly: true
+
       volumes:
         - name: isco-secrets
           secret: