CIVendor option: Github action

davidcheung · davidcheung · commit cae708e8e265 · 2021-02-19T13:52:01.000-05:00
diff --git a/Makefile b/Makefile
@@ -6,7 +6,19 @@
 GITHUB_ORG := $(shell echo ${REPOSITORY} | cut -d "/" -f 2)
 GITHUB_REPO := $(shell echo ${REPOSITORY} | cut -d "/" -f 3)
 
-run:
+run: ci_setup
+	@echo "\nDone"
+
+ci_setup:
+# Conditionally setup GitHub Action OR CircleCI's environment for CI
+ifeq ($(CIVendor), github-actions)
+ci_setup: github_actions_setup
+endif
+ifeq ($(CIVendor), circleci)
+ci_setup: circle_ci_setup
+endif
+
+circle_ci_setup:
 	@echo "Set CIRCLECI environment variables\n"
 	export AWS_ACCESS_KEY_ID=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .access_key_id)
 	export AWS_SECRET_ACCESS_KEY=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .secret_key)
@@ -15,7 +27,9 @@ run:
 	curl -X POST --header "Content-Type: application/json" -d '{"name":"AWS_SECRET_ACCESS_KEY", "value":"${AWS_SECRET_ACCESS_KEY}"}' https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}
 	@echo "\nFollow CIRCLECI project"
 	curl -X POST https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/follow?circle-token=${CIRCLECI_API_KEY}
-	@echo "\nDone"
+
+github_actions_setup:
+	sh scripts/gha-setup.sh
 
 summary:
 	@echo "zero-deployable-node-backend:"
diff --git a/scripts/gha-setup.sh b/scripts/gha-setup.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# In order to set project env-vars, we must encrypt secrets
+# Using gh client allows us to set the secret without installing another
+# binary just to encrypt the secrets
+
+# Login GH client
+# GITHUB_ACCESS_TOKEN is injected when zero apply runs
+gh auth login --with-token <<EOF
+$GITHUB_ACCESS_TOKEN
+EOF
+
+gh auth status
+
+AWS_KEY_PAIR=$(aws secretsmanager get-secret-value --region ${REGION} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${RANDOM_SEED})
+AWS_ACCESS_KEY_ID=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .access_key_id)
+AWS_SECRET_ACCESS_KEY=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .secret_key)
+
+## IMPORTANT: Set secret operates on the nearest .git repo even if you specify a different repository
+pushd $PROJECT_DIR && \
+gh secret set AWS_ACCESS_KEY_ID --repos="$GITHUB_REPO" --body="$AWS_ACCESS_KEY_ID" && \
+gh secret set AWS_SECRET_ACCESS_KEY --repos="$GITHUB_REPO" --body="$AWS_SECRET_ACCESS_KEY" && \
+popd
+
+## Branch Protect for PRs
+## By default we setup Pull-request checks of [lint, unit-test] in `.github/workflows/pull-request.yml`
+## And we will enforce both the checks pass before PR can be merged into default branch
+DEFAULT_BRANCH=master
+curl -XPUT "https://api.github.com/repos/$GITHUB_ORG/$GITHUB_REPO/branches/$DEFAULT_BRANCH/protection" \
+--header "Authorization: token $GITHUB_ACCESS_TOKEN" \
+--header 'Content-Type: application/json' \
+--data '{
+	"required_status_checks": {
+		"strict": false,
+		"contexts": ["unit-test"]
+	},
+	"enforce_admins": false,
+	"required_pull_request_reviews": null,
+	"restrictions": null
+}'
+
+echo "Github actions environment variables setup successfully."
diff --git a/templates/.github/actions/db-migration/action.yml b/templates/.github/actions/db-migration/action.yml
@@ -0,0 +1,37 @@
+name: db-migration
+description: create kubernetes job to run migration
+inputs:
+  namespace:
+    description: Kubernetes namespace to run migration on
+    required: true
+  repository-name:
+    description: name of repository, used to create migration job name
+    required: true
+runs:
+  using: "composite"
+  steps:
+  - name: Migration
+    shell: bash
+    run: |
+      NAMESPACE=${{ inputs.namespace }}
+      MIGRATION_NAME=${{ inputs.repository-name }}-migration
+      SQL_DIR="${GITHUB_WORKSPACE}/database/migration"
+
+      kubectl -n $NAMESPACE delete configmap $MIGRATION_NAME || echo "no migration configmap existing for deletion"
+      kubectl -n $NAMESPACE delete job $MIGRATION_NAME || echo "no migration job existing for deletion"
+
+      if [ -f ${SQL_DIR}/*.sql ] ; then
+        pushd kubernetes/migration
+        kubectl -n $NAMESPACE delete configmap $MIGRATION_NAME || echo "no migration configmap existing for deletion"
+        kubectl -n $NAMESPACE create configmap $MIGRATION_NAME --from-file ${SQL_DIR}/*.sql
+
+        kubectl -n $NAMESPACE create -f job.yml
+        if ! kubectl -n $NAMESPACE wait --for=condition=complete --timeout=180s job/$MIGRATION_NAME ; then
+            echo "$MIGRATION_NAME run failed:"
+            kubectl -n $NAMESPACE describe job $MIGRATION_NAME
+            exit 1
+        fi
+        popd
+      else
+        kubectl -n $NAMESPACE create configmap $MIGRATION_NAME
+      fi
diff --git a/templates/.github/actions/deploy/action.yml b/templates/.github/actions/deploy/action.yml
@@ -0,0 +1,49 @@
+name: deploy
+description: Deploy docker image by image-tag to kubernetes
+inputs:
+  namespace:
+    description: Kubernetes namespace to deploy
+    required: true
+  repository-name:
+    description: Name of ECR repository containing the image
+    required: true
+  image-tag:
+    description: image-tag to deploy
+    required: true
+  docker-host:
+    description: Docker host consisting of the deploy image
+    required: true
+  region:
+    description: Name of AWS region
+    default: us-west-2
+    required: false
+  environment-overlay:
+    description: Overlay folder to pick from for Kustomize apply
+    default: staging
+    required: false
+runs:
+  using: "composite"
+  steps:
+  - name: Migration
+    shell: bash
+    run: |
+      DEPLOYMENT=${{ inputs.repository-name }}
+      NAMESPACE=${{ inputs.namespace }}
+
+      cd kubernetes/overlays/${{ inputs.environment-overlay }}
+      IMAGE=${{ inputs.docker-host }}/${{ inputs.repository-name }}
+      kustomize edit set image fake-image=${IMAGE}:${{ inputs.image-tag }}
+      kustomize build . | kubectl apply -f - -n $NAMESPACE
+      if ! kubectl -n $NAMESPACE rollout status deployment/$DEPLOYMENT -w --timeout=180s ; then
+        echo "$DEPLOYMENT rollout check failed:"
+        echo "$DEPLOYMENT deployment:"
+        kubectl -n $NAMESPACE describe deployment $DEPLOYMENT
+        echo "$DEPLOYMENT replicaset:"
+        kubectl -n $NAMESPACE describe rs -l app=$DEPLOYMENT
+        echo "$DEPLOYMENT pods:"
+        kubectl -n $NAMESPACE describe pod -l app=$DEPLOYMENT
+        exit 1
+      fi
+      # Update the last-deployed tag to be used in dev environments
+      MANIFEST=$(aws ecr batch-get-image --region ${{ inputs.region }} --repository-name ${{ inputs.repository-name }} --image-ids imageTag=${{ inputs.image-tag }} --query 'images[].imageManifest' --output text)
+      aws ecr put-image --region ${{ inputs.region }} --repository-name ${{ inputs.repository-name }} --image-tag last-deployed --image-manifest "$MANIFEST"
diff --git a/templates/.github/actions/setup-aws-kustomize/action.yml b/templates/.github/actions/setup-aws-kustomize/action.yml
@@ -0,0 +1,36 @@
+name: setup-kustomize
+description: setup kustomize on an image
+inputs:
+  # this step has pre-requisite of AWS-cli and kubectl being installed
+  cluster-name:
+    description: Name of cluster using `aws eks` tool
+    required: true
+  cluster-authentication-role-arn:
+    description: role-arn used with AWS-iam-authenticator for kubernetes cluster
+    required: true
+  region:
+    description: Name of AWS region
+    default: us-west-2
+    required: false
+runs:
+  using: "composite"
+  steps:
+    # Deploy to s3
+    - name: Install aws cli
+      shell: bash
+      run: python -m pip install --upgrade pip awscli
+    - name: Install kustomize
+      shell: bash
+      run: |
+        KUSTOMIZE_VERSION=3.5.4
+        curl -L -o ./kustomize.tar.gz "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz"
+        sudo tar xvzf ./kustomize.tar.gz -C /usr/local/bin/
+        sudo chmod +x /usr/local/bin/kustomize
+        kustomize version
+    - name: Setup kubernetes configuration
+      shell: bash
+      run: |
+        aws eks update-kubeconfig --name ${{ inputs.cluster-name }} \
+        --region ${{ inputs.region }} \
+        --role-arn ${{ inputs.cluster-authentication-role-arn }}
+        cat ~/.kube/config
diff --git a/templates/.github/workflows/ci.yml b/templates/.github/workflows/ci.yml
@@ -0,0 +1,160 @@
+# CI pipeline
+# This runs against all the commits landed on master
+# It will do the following things:
+# - run sanity tests against the checked-out code
+# - build an image and upload the docker image to ECR
+# - deploy to staging environment
+# - run smoke test against staging enviroment
+# - deploy to production
+name: CI Pipeline
+on:
+  push:
+    branches: [master, main]
+env:
+  # Environment variables shared across jobs and doesn't change per environment
+  region: <% index .Params `region` %>
+  accountId: "<% index .Params `accountId` %>"
+  repo: <% .Name %>
+  namespace: <% .Name %>
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+      build_env: production
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: "14"
+    - run: npm install
+    - run: npm test
+
+  build:
+      needs: unit-test
+      runs-on: ubuntu-latest
+      steps:
+        - uses: actions/checkout@v2
+        - name: Set IMAGE_TAG as env
+          run: |
+            IMAGE_TAG=$(git rev-parse --short=7 ${{ github.sha }})
+            echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
+        - name: Configure AWS credentials
+          uses: aws-actions/configure-aws-credentials@v1
+          with:
+            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            aws-region: ${{ env.region }}
+        - name: Login to Amazon ECR
+          id: login-ecr
+          uses: aws-actions/amazon-ecr-login@v1
+        - name: Build and push
+          id: docker_build
+          uses: docker/build-push-action@v2
+          with:
+            push: true
+            tags: ${{ env.accountId }}.dkr.ecr.${{ env.region }}.amazonaws.com/${{ env.repo }}:${{ env.IMAGE_TAG }}
+
+  staging-deploy:
+      needs: build
+      runs-on: ubuntu-latest
+      env:
+        environment-overlay: staging
+        cluster-name: "<% .Name %>-stage-<% index .Params `region` %>"
+        cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-deployer-stage"
+      steps:
+        - uses: actions/checkout@v2
+        - name: Set IMAGE_TAG as env
+          run: |
+            IMAGE_TAG=$(git rev-parse --short=7 ${{ github.sha }})
+            echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
+        - name: Install kubectl
+          uses: azure/setup-kubectl@v1
+        - name: Configure AWS credentials
+          uses: aws-actions/configure-aws-credentials@v1
+          with:
+            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            aws-region: ${{ env.region }}
+        - name: Setup binaries(aws-cli/kustomize/iam-authenticator)
+          uses: ./.github/actions/setup-aws-kustomize
+          with:
+            cluster-authentication-role-arn: ${{ env.cluster-authentication-role-arn }}
+            cluster-name: ${{ env.cluster-name }}
+            region: ${{ env.region }}
+        - name: Check Namespace
+          run: |
+            DEPLOYMENT=${{ env.repo }}
+            NAMESPACE=${{ env.namespace }}
+            kubectl create namespace $NAMESPACE || echo "Namespace already exists"
+        - name: Database migration
+          uses: ./.github/actions/db-migration
+          with:
+            namespace: ${{ env.namespace }}
+            repository-name: ${{ env.repo }}
+        - name: Deploy image
+          uses: ./.github/actions/deploy
+          with:
+            namespace: ${{ env.namespace }}
+            repository-name: ${{ env.repo }}
+            image-tag: ${{ env.IMAGE_TAG }}
+            docker-host: ${{ env.accountId }}.dkr.ecr.${{ env.region }}.amazonaws.com
+            region: ${{ env.region }}
+            environment-overlay: ${{ env.environment-overlay }}
+  integration-test:
+    needs: [staging-deploy]
+    runs-on: ubuntu-latest
+    name: integration-test
+    steps:
+    ## Example of smoke test against staging env before deploying to production
+    ## To be enhanced to more sophisicated checks
+    - run: echo "TEST_RESPONSE_COD=$(curl -o /dev/null -s -w \"%{http_code}\" https://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>)" >> $GITHUB_ENV
+    - if: env.TEST_RESPONSE_COD >= 400
+      run: exit 1
+  production-deploy:
+    needs: [build, integration-test]
+    runs-on: ubuntu-latest
+    name: production-deploy
+    env:
+        environment-overlay: production
+        cluster-name: "<% .Name %>-prod-<% index .Params `region` %>"
+        cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-deployer-prod"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set IMAGE_TAG as env
+        run: |
+          IMAGE_TAG=$(git rev-parse --short=7 ${{ github.sha }})
+          echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v1
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.region }}
+      - name: Setup binaries(aws-cli/kustomize/iam-authenticator)
+        uses: ./.github/actions/setup-aws-kustomize
+        with:
+          cluster-authentication-role-arn: ${{ env.cluster-authentication-role-arn }}
+          cluster-name: ${{ env.cluster-name }}
+          region: ${{ env.region }}
+      - name: Check Namespace
+        run: |
+          DEPLOYMENT=${{ env.repo }}
+          NAMESPACE=${{ env.namespace }}
+          kubectl create namespace $NAMESPACE || echo "Namespace already exists"
+      - name: Database migration
+        uses: ./.github/actions/db-migration
+        with:
+          namespace: ${{ env.namespace }}
+          repository-name: ${{ env.repo }}
+      - name: Deploy image
+        uses: ./.github/actions/deploy
+        with:
+          namespace: ${{ env.namespace }}
+          repository-name: ${{ env.repo }}
+          image-tag: ${{ env.IMAGE_TAG }}
+          docker-host: ${{ env.accountId }}.dkr.ecr.${{ env.region }}.amazonaws.com
+          region: ${{ env.region }}
+          environment-overlay: ${{ env.environment-overlay }}
diff --git a/templates/.github/workflows/pull-request.yml b/templates/.github/workflows/pull-request.yml
@@ -0,0 +1,21 @@
+# Pull request
+# they are sanity checks that runs on every commit in a PR
+# By default your repository setup will require a pre-configured list [`unit-test`] of status for merging,
+# You can modify this behavior in the Github's Branch protection settings
+name: Pull request
+on:
+  pull_request:
+    branches: ['*']
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+      build_env: production
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: "14"
+    - run: npm install
+    - run: npm test
diff --git a/templates/README.md b/templates/README.md
diff --git a/templates/kubernetes/migration/job.yml b/templates/kubernetes/migration/job.yml
diff --git a/zero-module.yml b/zero-module.yml
