From dd346a7ca562a4741b4e1e6a8b6021ea6a509343 Mon Sep 17 00:00:00 2001
From: nspmx <nico.perezmundaca@gmail.com>
Date: Thu, 25 Jan 2024 11:25:14 -0300
Subject: [PATCH] add playground workflow

---
 .../google-registry-gke-playground.yaml       | 201 ++++++++++++++++++
 1 file changed, 201 insertions(+)
 create mode 100644 .github/workflows/google-registry-gke-playground.yaml

diff --git a/.github/workflows/google-registry-gke-playground.yaml b/.github/workflows/google-registry-gke-playground.yaml
new file mode 100644
index 0000000..e50299e
--- /dev/null
+++ b/.github/workflows/google-registry-gke-playground.yaml
@@ -0,0 +1,201 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Google Kubernetes Engine when a commit is pushed to the "develop" branch
+# You can start your commit with `#update` and the workflow will just trigger an update of the Helm installation, without building a new image
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled in the project:
+#
+#    Cloud Build              cloudbuild.googleapis.com
+#    Kubernetes Engine API    container.googleapis.com
+#    Artifact Registry        artifactregistry.googleapis.com
+#
+# 2. Create a service account (if you don't have one) with the following fields:
+#
+#    Service Account Name     <PROJECT-NAME>-github-actions
+#    Service Account ID       <PROJECT-NAME>-github-actions
+#
+# 3. Ensure the service account have the required IAM permissions granted:
+#
+#    Kubernetes Engine Developer
+#      roles/container.developer         (kubernetes engine developer)
+#
+#    Artifact Registry
+#      roles/artifactregistry.repoAdmin  (artifact registry repository administrator)
+#      roles/artifactregistry.admin      (artifact registry administrator)
+#
+#    Service Account
+#      roles/iam.serviceAccountUser      (act as the Cloud Run runtime service account)
+#
+#    Basic Roles
+#      roles/viewer                      (viewer)
+#
+#    NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Ensure you have the following GitHub Secrets and Variables:
+#
+#    GitHub Secrets
+#      GCP_SA_KEY                        (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
+#
+#    GitHub Variables
+#      GCP_PROJECT_ID                    (Google Cloud Project ID)
+#      GCP_ARTIFACT_REGISTRY_NAME        (Google Cloud Articaft Registry Repository Name)
+#      GCP_ARTIFACT_REGISTRY_LOCATION    (Google Cloud Artifact Registry Reposotiry Location)
+#
+# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
+#
+#    GitHub Variables
+#      GCP_IMAGE_NAME                    (Docker Image Name)
+#      GKE_APP_NAME                      (Google Kubernetes Engine Deployment Name)
+#      GKE_APP_NAMESPACE                 (Google Kubernetes Engine Deployment Namespace)
+#      GKE_CLUSTER                       (Google Kubernetes Engine Cluster Name)
+#      GKE_ZONE                          (Google Kubernetes Engine Cluster Zone)
+#
+# Further reading:
+#    Kubernetes Developer                      - https://cloud.google.com/iam/docs/understanding-roles#container.developer
+#    Artifact Registry IAM permissions         - https://cloud.google.com/artifact-registry/docs/access-control#roles
+#    Container Registry vs Artifact Registry   - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+#    Principle of least privilege              - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+#    Deploy CloudRun Github Actions            - https://github.com/google-github-actions/deploy-cloudrun
+name: "[GCP][DEV] Build API to Registry and Deploy via Helm"
+
+on:
+  push:
+    branches: [ "tesseract-python" ]
+    paths:
+      - .github/workflows/google-registry-gke-playground.yaml
+      - helm/development.yaml
+      - schema/**
+
+env:
+  GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
+  GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
+  GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
+  GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
+  GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
+  GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
+  GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
+  GKE_ZONE: ${{ vars.GKE_ZONE }}
+  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+
+jobs:
+  build:
+    environment: playground
+    runs-on: ubuntu-latest
+    # runs-on: self-hosted
+    if: ${{ !contains(github.event.head_commit.message, '#update') }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ env.GCP_PROJECT_ID }}
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+      
+      # Install Cloud SDK
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+        with:
+          install_components: beta
+
+      # Build image on Google Cloud Artifact Registry
+      - name: Build Docker Image
+        run: |-
+          gcloud builds submit \
+            --quiet \
+            --timeout=40m \
+            --config=cloudbuild.yml \
+            --substitutions=_GCP_PROJECT_ID=${{ env.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ env.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_ARTIFACT_REGISTRY_LOCATION=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_IMAGE_NAME=${{ env.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ env.GKE_APP_NAMESPACE }}
+
+  deploy:
+    needs: build
+    environment: playground
+    runs-on: ubuntu-latest
+    # runs-on: self-hosted
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ env.GCP_PROJECT_ID }}
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+      
+      # Get google kubernetes engine credentials
+      - name: Get GKE Credentials
+        uses: google-github-actions/get-gke-credentials@v2
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_ZONE }}
+      
+      # Transform GitHub secrets to base64 encoded
+      - name: Set encoded secret values
+        run: |
+          echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
+
+      # Install Helm chart
+      - name: Helm install
+        uses: WyriHaximus/github-action-helm3@v2
+        with:
+          exec: |
+            helm upgrade --install --create-namespace \
+              --namespace ${{ env.GKE_APP_NAMESPACE }} \
+              --set app.environment=${{ env.GKE_APP_NAMESPACE }} \
+              --set app.release=${{ env.GKE_APP_NAMESPACE }} \
+              --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
+              --set image.tag=${{ github.sha }} \
+              --set nameOverride=${{ env.GKE_APP_NAME }} \
+              --set fullnameOverride=${{ env.GKE_APP_NAME }} \
+              --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
+              ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm
+  
+  update:
+    runs-on: ubuntu-latest
+    environment: playground
+    # runs-on: self-hosted
+    if: ${{ contains(github.event.head_commit.message, '#update') }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Authentication via credentials json
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ env.GCP_PROJECT_ID }}
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+      
+      # Get google kubernetes engine credentials
+      - name: Get GKE Credentials
+        uses: google-github-actions/get-gke-credentials@v2
+        with:
+          cluster_name: ${{ env.GKE_CLUSTER }}
+          location: ${{ env.GKE_ZONE }}
+      
+      # Transform GitHub secrets to base64 encoded
+      - name: Set encoded secret values
+        run: |
+          echo "ENCODED_TESSERACT_BACKEND=$(echo -n "${{ secrets.TESSERACT_BACKEND }}" | base64 | tr -d '\n')" >> $GITHUB_ENV
+
+      # Install Helm chart
+      - name: Helm install
+        uses: WyriHaximus/github-action-helm3@v2
+        with:
+          exec: |
+            helm upgrade --install --create-namespace \
+              --namespace ${{ env.GKE_APP_NAMESPACE }} \
+              --set app.environment=${{ env.GKE_APP_NAMESPACE }} \
+              --set app.release=${{ env.GKE_APP_NAMESPACE }} \
+              --set image.repository=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }} \
+              --set image.tag=${{ github.sha }} \
+              --set nameOverride=${{ env.GKE_APP_NAME }} \
+              --set fullnameOverride=${{ env.GKE_APP_NAME }} \
+              --set secrets.TESSERACT_BACKEND=$ENCODED_TESSERACT_BACKEND \
+              ${{ env.GKE_APP_NAME }} --values=./helm/development.yaml ./helm
\ No newline at end of file