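---
# CI/CD for this repository: every push is built and linted (`main`); pushes to
# master additionally deploy the EKS cluster (CDK) and its manifests (CDK8s)
# and roll out the Argo workflow templates (`deploy-prod`).
on: [push]  # yamllint disable-line rule:truthy

jobs:
  main:
    name: Build, Format and Test
    runs-on: ubuntu-latest
    # NOTE(review): no job-level `permissions` is set, so GITHUB_TOKEN gets the
    # repository default; `permissions: { contents: read }` looks sufficient for
    # a build/lint job — confirm against what linz/action-typescript needs.
    steps:
      - uses: linz/action-typescript@9bf69b0f313b3525d3ba3116f26b1aff7eb7a6c0 # v3.1.0
      - name: Download actionlint
        run: docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
      - name: Run actionlint to check workflow files
        run: docker run --volume="${PWD}:/repo" --workdir=/repo actionlint -color

  deploy-prod:
    runs-on: ubuntu-latest
    # One deploy per ref at a time, so two pushes cannot apply out of order.
    concurrency: deploy-prod-${{ github.ref }}
    needs: [main]
    if: ${{ github.ref == 'refs/heads/master' }}
    environment:
      name: prod
    # Least privilege: `id-token: write` is what OIDC federation to AWS needs;
    # the checkout itself only needs to read the repository.
    permissions:
      id-token: write
      contents: read
    env:
      CLUSTER_NAME: Workflows
    steps:
      - uses: linz/action-typescript@9bf69b0f313b3525d3ba3116f26b1aff7eb7a6c0 # v3.1.0
      # Configure access to AWS / EKS
      - name: Setup kubectl
        uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3
        with:
          # NOTE(review): 'latest' is unpinned, so the kubectl version can change
          # between runs without a commit; consider pinning a specific release.
          version: 'latest'
      - name: AWS Configure
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
        with:
          aws-region: ap-southeast-2
          mask-aws-account-id: true
          role-to-assume: ${{ secrets.AWS_CI_ROLE }}
      - name: Find Changes in Infra
        id: get-infra-changes
        # Event payload values are passed through `env` rather than expanded by
        # `${{ }}` inside the script, so the shell only ever sees them as data.
        env:
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.event.after }}
        run: |
          mapfile -d '' modified_infra_files < <(git diff --name-only -z "$BEFORE_SHA" "$AFTER_SHA" -- "infra/*")
          if [[ "${#modified_infra_files[@]}" -ge 1 ]]; then
            echo "run_infra=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_infra=false" >> "$GITHUB_OUTPUT"
          fi
      - name: (CDK) Deploy
        if: steps.get-infra-changes.outputs.run_infra == 'true'
        # Secrets are bound to env vars and quoted in the command; a value
        # containing shell metacharacters is then an argument, not syntax.
        env:
          MAINTAINER_ARNS: ${{ secrets.AWS_CI_ROLE }},${{ secrets.AWS_ADMIN_ROLE }},${{ secrets.AWS_WFMAINTAINER_ROLE }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        run: |
          npx cdk deploy "$CLUSTER_NAME" \
            -c maintainer-arns="$MAINTAINER_ARNS" \
            -c aws-account-id="$AWS_ACCOUNT_ID" \
            --require-approval never
      - name: Login to EKS
        run: |
          aws eks update-kubeconfig --name "$CLUSTER_NAME" --region ap-southeast-2
      - name: Check EKS connection
        run: |
          kubectl get nodes
      # Configure the Kubernetes cluster with CDK8s
      - name: (CDK8s) Synth
        if: steps.get-infra-changes.outputs.run_infra == 'true'
        run: |
          npx cdk8s synth
      # nb: kubectl diff - is somewhat dangerous as it dumps out secrets in plain text
      # so it should not be used in this pipeline
      # TODO use a --prune and --applyset to remove unused objects
      - name: (CDK8s) Deploy
        if: steps.get-infra-changes.outputs.run_infra == 'true'
        run: |
          kubectl apply -f dist/
          # FIXME since `WATCH_CONTROLLER_SEMAPHORE_CONFIGMAPS=false` we need to restart argo-workflow-controller
          # to make sure ConfigMap changes are taken into account
          kubectl rollout restart deployment argo-workflows-workflow-controller -n argo
      - name: Install Argo
        # NOTE(review): the release asset is downloaded and executed without any
        # integrity check. Record the sha256 published for this release and
        # verify it with `sha256sum --check` before `chmod +x`.
        run: |
          curl -sLO https://github.com/argoproj/argo-workflows/releases/download/v3.4.0-rc2/argo-linux-amd64.gz
          gunzip argo-linux-amd64.gz
          chmod +x argo-linux-amd64
          ./argo-linux-amd64 version
      - name: Lint workflows
        # NOTE(review): the job-level `if` already restricts this job to master,
        # so this step's condition can never be true and the step never runs
        # (and the "Delete Test namespace" step below then only hits the
        # NotFound path). Confirm whether linting was meant to live in a job
        # that runs on non-master refs.
        if: github.ref != 'refs/heads/master'
        run: |
          # Create test namespace
          kubectl create namespace "$GITHUB_SHA"
          # Create copy of Workflows files to change their namespaces
          mkdir test
          cp -r workflows/ test/workflows/
          # Deploy templates in the test namespace
          # Note: the templates have no default namespace so no need to modify them
          kubectl apply -f templates/argo-tasks/ --namespace "$GITHUB_SHA"
          # Find all workflows that have kind "WorkflowTemplate"
          WORKFLOWS=$(grep -R -H '^kind: WorkflowTemplate$' test/workflows/ | cut -d ':' -f1)
          # For each workflow template attempt to deploy it using kubectl
          for wf in $WORKFLOWS; do
            # Change namespace in files
            sed -i "/^\([[:space:]]*namespace: \).*/s//\1$GITHUB_SHA/" "$wf"
            kubectl apply -f "$wf" --namespace "$GITHUB_SHA"
          done
          # Find all cron workflows that have kind "CronWorkflow"
          CRON_WORKFLOWS=$(grep -R -H '^kind: CronWorkflow$' test/workflows/ | cut -d ':' -f1)
          # For each cron workflow attempt to deploy it using kubectl
          for cwf in $CRON_WORKFLOWS; do
            # Change namespace in files
            sed -i "/^\([[:space:]]*namespace: \).*/s//\1$GITHUB_SHA/" "$cwf"
            kubectl apply -f "$cwf" --namespace "$GITHUB_SHA"
          done
          # Finally lint the templates
          ./argo-linux-amd64 lint templates/ -n "$GITHUB_SHA"
          ./argo-linux-amd64 lint test/workflows/ -n "$GITHUB_SHA"
      - name: Delete Test namespace
        if: always()
        # A missing namespace is not a failure: stderr is captured and the step
        # only passes when kubectl's error is the NotFound message.
        run: |
          # Delete the test namespace
          stderr_tmp="$(mktemp --directory)/stderr"
          if ! kubectl delete namespaces "$GITHUB_SHA" 2> >(tee "$stderr_tmp" >&2)
          then
            grep -q 'Error from server (NotFound): namespaces ".*" not found' "$stderr_tmp"
          fi
      - name: Deploy workflows
        # Redundant with the job-level `if`, kept so the intent stays visible
        # next to the step.
        if: github.ref == 'refs/heads/master'
        run: |
          # Deploy templates first
          kubectl apply -f templates/argo-tasks/ --namespace argo
          # Find all workflows that have kind "WorkflowTemplate"
          WORKFLOWS=$(grep '^kind: WorkflowTemplate$' -R workflows/ -H | cut -d ':' -f1)
          # For each workflow template attempt to deploy it using kubectl
          for wf in $WORKFLOWS; do
            kubectl apply -f "$wf" --namespace argo
          done
          # Find all cron workflows that have kind "CronWorkflow"
          CRON_WORKFLOWS=$(grep '^kind: CronWorkflow$' -R workflows/ -H | cut -d ':' -f1)
          # For each cron workflow attempt to deploy it using kubectl
          for cwf in $CRON_WORKFLOWS; do
            kubectl apply -f "$cwf" --namespace argo
          done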