-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #103 from kartverket/add_run_kubectl
add run-kubectl workflow
- Loading branch information
Showing
3 changed files
with
139 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| name: Run kubectl | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| cluster_name: | ||
| required: true | ||
| description: 'Name of the cluster to authenticate with. Example: atgcp1-sandbox' | ||
| type: string | ||
| kubernetes_project_id: | ||
| required: true | ||
| description: 'GCP project id to use for authentication. Example: kubernetes-dev-32432vf' | ||
| type: string | ||
| project_number: | ||
| required: true | ||
| description: 'GCP project number to use for authentication. Example: 10763836584382' | ||
| type: string | ||
| service_account: | ||
| required: true | ||
| description: 'Project service account to use for authentication. Full address is expected. Example: [email protected]' | ||
| type: string | ||
| commands: | ||
| required: true | ||
| description: 'Multiline string of commands to run with kubectl. Example: "get pods\nget services".' | ||
| type: string | ||
| namespace: | ||
| required: true | ||
| description: 'Namespace to run the command in. Example: my-namespace' | ||
| type: string | ||
| kubectl_version: | ||
| required: false | ||
| description: 'Version of kubectl to install. Default is latest stable.' | ||
| type: string | ||
|
|
||
| env: | ||
| AUTH_PROJECT_NUMBER: ${{ inputs.project_number }} | ||
| SERVICE_ACCOUNT: ${{ inputs.service_account }} | ||
| CLUSTER_NAME: ${{ inputs.cluster_name }} | ||
| KUBERNETES_PROJECT_ID: ${{ inputs.kubernetes_project_id }} | ||
| NAMESPACE: ${{ inputs.namespace }} | ||
| KUBECTL_VERSION: ${{ inputs.kubectl_version }} | ||
|
|
||
| jobs: | ||
| deploy: | ||
| name: Run kubectl | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Set gcp project envs based on input environment | ||
| id: set-env | ||
| run: | | ||
| PRODUCT_NAME=$(echo $SERVICE_ACCOUNT | sed 's/-deploy.*//') | ||
| WORKLOAD_IDENTITY_PROVIDER="projects/$AUTH_PROJECT_NUMBER/locations/global/workloadIdentityPools/$PRODUCT_NAME-deploy-pool/providers/github-provider" | ||
| echo "WORKLOAD_IDENTITY_PROVIDER=$WORKLOAD_IDENTITY_PROVIDER" >> $GITHUB_ENV | ||
| if [ -z "$KUBECTL_VERSION" ]; then | ||
| echo "KUBECTL_VERSION=latest" >> $GITHUB_ENV | ||
| fi | ||
| - uses: azure/setup-kubectl@v4 | ||
| with: | ||
| version: ${{ env.KUBECTL_VERSION }} | ||
| id: install | ||
|
|
||
| - name: Authenticate with Google Cloud | ||
| uses: google-github-actions/auth@v2 | ||
| with: | ||
| workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} | ||
| service_account: ${{ env.SERVICE_ACCOUNT }} | ||
|
|
||
| - id: 'get-credentials' | ||
| uses: google-github-actions/get-gke-credentials@v2 | ||
| with: | ||
| cluster_name: ${{ env.CLUSTER_NAME }} | ||
| location: 'europe-north1' | ||
| use_connect_gateway: 'true' | ||
| project_id: ${{ env.KUBERNETES_PROJECT_ID }} | ||
| namespace: ${{ env.NAMESPACE }} | ||
|
|
||
| - name: 'Execute kubectl commands' | ||
| run: | | ||
| echo "${{ inputs.commands }}" | while IFS= read -r cmd; do | ||
| echo "Running command: kubectl $cmd" | ||
| kubectl $cmd | ||
| done | ||
| shell: bash |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| .idea/ | ||
| .vscode/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,14 +21,61 @@ Shared reusable workflows for GitHub Actions. | |
|
|
||
| # Reusable Workflows | ||
|
|
||
| We currently have 2 reusable workflows (i.e. [run-terraform](#run-terraform) and [run-security-scans (DEPRECATED)](#run-security-scans)) available for use. | ||
| We currently have 4 reusable workflows (i.e. [run-terraform](#run-terraform) and [run-security-scans (DEPRECATED)](#run-security-scans)) available for use. | ||
|
|
||
| See [Ideal Use of Workflows](#ideal-use-of-reusable-workflows) for an example of how to optimally use all 3 workflows together. | ||
|
|
||
| See [Tips and Tricks](#tips-and-tricks) for supporting information regarding usage of the reusable workflows. | ||
|
|
||
| <br/> | ||
|
|
||
| ## run-kubectl | ||
|
|
||
| Allows running kubectl commands against a Kubernetes cluster. This is useful for doing restarts of deployments for example. | ||
|
|
||
|
|
||
| ### Features | ||
|
|
||
| - Connects to a google cluster as a deploy service account | ||
| - Will always use connect gateway | ||
| - Runs specified kubectl commands against the cluster | ||
|
|
||
| ### Requirements | ||
|
|
||
| - Your gcp project is set up and given required permissions in skip-core-infrastructure and gcp-service-accounts | ||
|
|
||
|
|
||
| ### Example | ||
|
|
||
| Example usage in `.github/workflows/auto-merge.yml`: | ||
| ```yaml | ||
| name: Restart deployment | ||
| on: pull_request_target | ||
|
|
||
| jobs: | ||
| sandbox: | ||
| name: restart-app | ||
| uses: kartverket/github-workflows/.github/workflows/run-kubectl.yaml@latest | ||
| with: | ||
| cluster_name: atkv1-dev | ||
| service_account: [email protected] | ||
| kubernetes_project_id: kube-dev-4329023 | ||
| kubernetes_project_number: 43290432893 | ||
| command: restart deployment my-deployment | ||
| namespace: default | ||
| ``` | ||
| ### Inputs | ||
| | Key | Type | Required | Description | | ||
| |-----------------------|------------------|----------|-------------------------------------------------------------------------| | ||
| | cluster_name | string | X | Cluster name. Found with `gcloud container fleet memberships list` | | ||
| | service_account | string | X | The projects deploy service account in full format. | | ||
| | kubernetes_project_id | string | X | The kubernetes GCP project id. | | ||
| | project_number | string | X | A 12-digit number used as a unique identifier for the product project. | | ||
| | namespace | string | X | which namespace to execute the command in | | ||
| | kubectl_version | string | X | which kubectl version to use. format: v1.30.0. latest stable is default | | ||
| | commands | multiline string | X | The kubectl commands you want to run, exclude `kubectl`. example: https://skip.kartverket.no/docs/github-actions/kubectl-fra-github | | ||
|
|
||
| ## auto-merge-dependabot | ||
|
|
||
| Allows auto-merging dependabot PRs that match given patterns. Useful when you are drowning in PRs and have built up trust in a set of dependencies that release often and never break. It's recommended to have a sane CI setup so that anything merged to main at least passes CI tests before going into prod | ||
|
|
||