Configure AWS Duchy #50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2023 The Cross-Media Measurement Authors | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| name: "Configure AWS Duchy" | |
| on: | |
| workflow_call: | |
| inputs: | |
| environment: | |
| type: string | |
| required: true | |
| image-tag: | |
| description: "Tag of container images" | |
| type: string | |
| required: true | |
| duchy-name: | |
| description: "Name (external ID) of Duchy" | |
| type: string | |
| required: true | |
| apply: | |
| description: "Apply the new configuration" | |
| type: boolean | |
| required: true | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "GitHub-managed environment" | |
| required: true | |
| type: choice | |
| options: | |
| - dev | |
| - qa | |
| image-tag: | |
| description: "Tag of container images" | |
| type: string | |
| required: true | |
| duchy-name: | |
| description: "Name (external ID) of Duchy" | |
| type: choice | |
| options: | |
| - worker2 | |
| required: true | |
| apply: | |
| description: "Apply the new configuration" | |
| type: boolean | |
| default: false | |
| permissions: | |
| id-token: write | |
| env: | |
| KUSTOMIZATION_PATH: "k8s/cmms" | |
| DUCHY_NAME: ${{ inputs.duchy-name }} | |
| jobs: | |
| update-duchy: | |
| runs-on: ubuntu-22.04 | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Authenticate to AWS Cloud. This will export some environment | |
| # e.g. AWS_REGION, AWS_SESSION_TOKEN ... | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: ${{ vars.AWS_GHA_ROLE }} | |
| role-session-name: GitHubAction | |
| - name: Export DUCHY_CERT_ID | |
| env: | |
| AGGREGATOR_DUCHY_CERT_ID: ${{ vars.AGGREGATOR_DUCHY_CERT_ID }} | |
| WORKER1_DUCHY_CERT_ID: ${{ vars.WORKER1_DUCHY_CERT_ID }} | |
| WORKER2_DUCHY_CERT_ID: ${{ vars.WORKER2_DUCHY_CERT_ID }} | |
| run: ./.github/workflows/export-duchy-cert-id.sh | |
| - name: Write ~/.bazelrc | |
| env: | |
| IMAGE_TAG: ${{ inputs.image-tag }} | |
| POSTGRES_HOST: ${{ vars.AWS_POSTGRES_HOST }} | |
| POSTGRES_CRED_SECRET_NAME: ${{ vars.AWS_POSTGRES_CRED_SECRET_NAME }} | |
| KINGDOM_SYSTEM_API_TARGET: ${{ vars.KINGDOM_SYSTEM_API_TARGET }} | |
| KINGDOM_PUBLIC_API_TARGET: ${{ vars.KINGDOM_PUBLIC_API_TARGET }} | |
| AGGREGATOR_SYSTEM_API_TARGET: ${{ vars.AGGREGATOR_SYSTEM_API_TARGET }} | |
| WORKER1_SYSTEM_API_TARGET: ${{ vars.WORKER1_SYSTEM_API_TARGET }} | |
| WORKER2_SYSTEM_API_TARGET: ${{ vars.WORKER2_SYSTEM_API_TARGET }} | |
| DUCHY_PUBLIC_API_EIP_ALLOCS: ${{ vars.AWS_DUCHY_PUBLIC_API_EIP_ALLOCS }} | |
| DUCHY_SYSTEM_API_EIP_ALLOCS: ${{ vars.AWS_DUCHY_SYSTEM_API_EIP_ALLOCS }} | |
| S3_BUCKET: ${{ vars.AWS_S3_BUCKET }} | |
| run: | | |
| cat << EOF > ~/.bazelrc | |
| common --config=ci | |
| common --config=ghcr | |
| build --define image_tag=$IMAGE_TAG | |
| build --define kingdom_system_api_target=$KINGDOM_SYSTEM_API_TARGET | |
| build --define kingdom_public_api_target=$KINGDOM_PUBLIC_API_TARGET | |
| build --define aggregator_system_api_target=$AGGREGATOR_SYSTEM_API_TARGET | |
| build --define worker1_system_api_target=$WORKER1_SYSTEM_API_TARGET | |
| build --define worker2_system_api_target=$WORKER2_SYSTEM_API_TARGET | |
| build --define s3_bucket=$S3_BUCKET | |
| build --define s3_region=$AWS_REGION | |
| build --define duchy_cert_id=$DUCHY_CERT_ID | |
| build --define postgres_host=$POSTGRES_HOST | |
| build --define postgres_port=5432 | |
| build --define postgres_region=$AWS_REGION | |
| build --define postgres_credential_secret_name=$POSTGRES_CRED_SECRET_NAME | |
| build --define duchy_public_api_eip_allocs=$DUCHY_PUBLIC_API_EIP_ALLOCS | |
| build --define duchy_system_api_eip_allocs=$DUCHY_SYSTEM_API_EIP_ALLOCS | |
| EOF | |
| - name: Get EKS cluster credentials | |
| run: aws eks update-kubeconfig --region $AWS_REGION --name ${DUCHY_NAME}-duchy | |
| - name: Export BAZEL_BIN | |
| run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV | |
| - name: Configure metrics | |
| uses: ./.github/actions/configure-metrics-aws | |
| if: ${{ inputs.apply }} | |
| with: | |
| amp-ingest-endpoint: ${{ vars.AMP_INGEST_ENDPOINT }} | |
| amp-region: ${{ vars.AWS_REGION }} | |
| - name: Generate archives | |
| run: > | |
| bazelisk build | |
| "//src/main/k8s/dev:${DUCHY_NAME}_duchy_aws.tar" | |
| //src/main/k8s/testing/secretfiles:archive | |
| - name: Make Kustomization dir | |
| run: mkdir -p "$KUSTOMIZATION_PATH" | |
| - name: Extract Kustomization archive | |
| run: > | |
| tar -xf "$BAZEL_BIN/src/main/k8s/dev/${DUCHY_NAME}_duchy_aws.tar" | |
| -C "$KUSTOMIZATION_PATH" | |
| - name: Extract secret files archive | |
| run: > | |
| tar -xf "$BAZEL_BIN/src/main/k8s/testing/secretfiles/archive.tar" | |
| -C "$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy_secret" | |
| # Write map from configuration variable. Since it appears that GitHub | |
| # configuration variables use DOS (CRLF) line endings, we convert these to | |
| # Unix (LF) line endings. | |
| - name: Write AKID to principal map | |
| env: | |
| AKID_TO_PRINCIPAL_MAP: ${{ vars.AKID_TO_PRINCIPAL_MAP }} | |
| run: > | |
| echo "$AKID_TO_PRINCIPAL_MAP" | sed $'s/\r$//' > | |
| "$KUSTOMIZATION_PATH/src/main/k8s/dev/config_files/authority_key_identifier_to_principal_map.textproto" | |
| - name: Export KUSTOMIZE_PATH | |
| run: echo "KUSTOMIZE_PATH=$KUSTOMIZATION_PATH/src/main/k8s/dev/${DUCHY_NAME}_duchy_aws" >> $GITHUB_ENV | |
| # Run kubectl diff, treating the command as succeeded even if the exit | |
| # code is 1 as kubectl uses this code to indicate there's a diff. | |
| - name: kubectl diff | |
| id: kubectl-diff | |
| run: kubectl diff -k "$KUSTOMIZE_PATH" || (( $? == 1 )) | |
| - name: kubectl apply | |
| if: ${{ inputs.apply }} | |
| run: kubectl apply -k "$KUSTOMIZE_PATH" | |
| - name: Wait for rollout | |
| if: ${{ inputs.apply }} | |
| run: | | |
| for deployment in $(kubectl get deployments -o name); do | |
| kubectl rollout status "$deployment" --timeout=5m | |
| done |