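name: Deploy to Dev

on:
  # Chained deploy: runs after the Release workflow completes on main.
  # A workflow_run job always executes from the default branch, so the
  # checkout below is main regardless of which trigger fired.
  workflow_run:
    workflows: [Release]
    types: [completed]
    branches: [main]
  workflow_dispatch:

# Least-privilege token: the job only needs to read the repository and to
# mint an OIDC token for Workload Identity Federation. No write scopes.
permissions:
  contents: read
  id-token: write

# Serialize deploys to the dev cluster. A running deploy is never cancelled;
# a queued run is preferable to a half-applied rollout.
concurrency:
  group: deploy-dev-gke
  cancel-in-progress: false

jobs:
  deploy:
    # Manual runs are honored only from main. Chained runs are honored only
    # when the upstream Release run succeeded: a failed or cancelled Release
    # still emits a `completed` event, which this condition filters out.
    if: (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    env:
      # Repository-variable inputs are bound to env here, not interpolated
      # into `run:` bodies, so their values are never re-parsed by the shell
      # as script text.
      KELOS_NAMESPACE: ${{ vars.KELOS_NAMESPACE || 'default' }}
      GCP_PROJECT_ID: gjkim-400213
      GKE_CLUSTER_NAME: gjkim
      GKE_CLUSTER_LOCATION: asia-northeast3
      GCP_SERVICE_ACCOUNT_EMAIL: kelos-gh-action@gjkim-400213.iam.gserviceaccount.com
      GCP_WORKLOAD_IDENTITY_PROVIDER: projects/317215297044/locations/global/workloadIdentityPools/github/providers/kelos
    steps:
      # NOTE(review): third-party actions are pinned to floating major tags
      # (@v4 / @v5 / @v2). A moved tag upstream changes what runs here with
      # the OIDC token and cluster credentials in hand; pinning to full
      # commit SHAs is the usual hardening for a workflow that can deploy.
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Build CLI
        run: make build WHAT=cmd/kelos

      # Keyless auth: exchanges the job's OIDC token for short-lived GCP
      # credentials via the workload identity provider; no long-lived
      # service-account key is stored in the repository.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}

      - name: Configure GKE credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: ${{ env.GKE_CLUSTER_NAME }}
          location: ${{ env.GKE_CLUSTER_LOCATION }}
          project_id: ${{ env.GCP_PROJECT_ID }}

      - name: Apply github-webhook-secret
        # Explicit bash selects `bash --noprofile --norc -eo pipefail`, so a
        # failure in `kubectl create secret` is not masked by the pipe into
        # `kubectl apply` (the default `bash -e` has no pipefail).
        shell: bash
        env:
          KELOS_WEBHOOK_SECRET: ${{ secrets.KELOS_WEBHOOK_SECRET }}
          KELOS_GITHUB_APP_ID: ${{ secrets.KELOS_GITHUB_APP_ID }}
          KELOS_GITHUB_APP_INSTALLATION_ID: ${{ secrets.KELOS_GITHUB_APP_INSTALLATION_ID }}
          KELOS_GITHUB_APP_PRIVATE_KEY: ${{ secrets.KELOS_GITHUB_APP_PRIVATE_KEY }}
        run: |
          # Apply the full github-webhook-secret from repo secrets so the
          # workflow is self-sufficient and the secret state is portable to
          # other clusters. Holds both the HMAC WEBHOOK_SECRET and the
          # GitHub App credentials the webhook server uses to resolve
          # .Branch for issue_comment events on pull requests.
          #
          # Fail fast if any input is unset. An unset repository secret
          # expands to "", and `--from-literal=WEBHOOK_SECRET=` would then
          # install an empty HMAC secret on the webhook endpoint without
          # any error from kubectl.
          for name in KELOS_WEBHOOK_SECRET KELOS_GITHUB_APP_ID \
                      KELOS_GITHUB_APP_INSTALLATION_ID KELOS_GITHUB_APP_PRIVATE_KEY; do
            if [ -z "${!name}" ]; then
              echo "error: repository secret ${name} is not set" >&2
              exit 1
            fi
          done
          # The private key is staged in a mktemp file (created mode 0600)
          # and passed with --from-file; the trap removes it on every exit
          # path, including the failure cases above the pipeline.
          KEY_FILE=$(mktemp)
          trap 'rm -f "$KEY_FILE"' EXIT
          printf '%s' "$KELOS_GITHUB_APP_PRIVATE_KEY" > "$KEY_FILE"
          # --dry-run=client renders the Secret manifest locally; piping it
          # into apply makes the step idempotent (create or update).
          # NOTE(review): client-side apply also records the rendered
          # manifest, data included, in the last-applied-configuration
          # annotation on the Secret. Anyone who can read the Secret can
          # read the data anyway, but `kubectl describe` surfaces the
          # annotation; `--server-side` apply would avoid it (confirm the
          # field-manager transition on the existing object first).
          kubectl create secret generic github-webhook-secret \
            --namespace kelos-system \
            --from-literal=WEBHOOK_SECRET="$KELOS_WEBHOOK_SECRET" \
            --from-literal=appID="$KELOS_GITHUB_APP_ID" \
            --from-literal=installationID="$KELOS_GITHUB_APP_INSTALLATION_ID" \
            --from-file=privateKey="$KEY_FILE" \
            --dry-run=client -o yaml \
            | kubectl apply -f -

      - name: Install kelos
        run: |
          # Quoted heredoc: nothing in the values file is shell-expanded.
          cat > /tmp/kelos-dev-values.yaml <<'EOF'
          image:
            # NOTE(review): `main` is a mutable tag; with pullPolicy Always
            # the cluster runs whatever the registry currently serves under
            # it. Acceptable for dev, but it is not a reproducible or
            # attestable deploy — a digest pin would be.
            tag: main
            pullPolicy: Always
          spawner:
            resources:
              requests: "cpu=100m,memory=128Mi"
          ghproxy:
            cacheTTL: 50s
            resources:
              requests: "cpu=10m,memory=64Mi"
          controller:
            resources:
              requests:
                cpu: 10m
                memory: 64Mi
              limits:
                cpu: 500m
                memory: 128Mi
          # NOTE: webhookServer.gateway is intentionally left at chart default
          # (disabled). The dev cluster already has a Gateway
          # (kelos-webhook-gateway) and HTTPRoute (kelos-webhook-route) applied
          # out of band — they use GKE CertMap via
          # networking.gke.io/certmap annotation, which the chart's gateway
          # template cannot express. Managing them via helm would fight the
          # out-of-band config, so they stay manual.
          webhookServer:
            sources:
              github:
                enabled: true
                secretName: github-webhook-secret
                githubSecretName: github-webhook-secret
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
          EOF
          bin/kelos install -f /tmp/kelos-dev-values.yaml
          # Explicit restarts after install: presumably needed because the
          # mutable `main` tag does not change the pod template, so the
          # install alone would not roll pods onto the new image — confirm.
          # Controller and webhook live in kelos-system; ghproxy and spawner
          # in the configured workload namespace.
          kubectl rollout restart deployment/kelos-controller-manager -n kelos-system
          kubectl rollout status deployment/kelos-controller-manager -n kelos-system --timeout=120s
          kubectl rollout restart deployment -l kelos.dev/component=ghproxy -n "${KELOS_NAMESPACE}"
          kubectl rollout restart deployment -l kelos.dev/component=spawner -n "${KELOS_NAMESPACE}"
          kubectl rollout restart deployment/kelos-webhook-github -n kelos-system
          # A rollout that does not converge within the timeout fails the job.
          kubectl rollout status deployment -l kelos.dev/component=ghproxy -n "${KELOS_NAMESPACE}" --timeout=120s
          kubectl rollout status deployment -l kelos.dev/component=spawner -n "${KELOS_NAMESPACE}" --timeout=120s
          kubectl rollout status deployment/kelos-webhook-github -n kelos-system --timeout=120s

      - name: Apply PodMonitoring
        run: |
          # Unquoted heredoc on purpose: ${KELOS_NAMESPACE} is expanded by
          # the shell into the spawner and ghproxy manifests below.
          kubectl apply -f - <<EOF
          apiVersion: monitoring.googleapis.com/v1
          kind: PodMonitoring
          metadata:
            name: kelos-controller
            namespace: kelos-system
            labels:
              app.kubernetes.io/name: kelos
              app.kubernetes.io/component: manager
          spec:
            selector:
              matchLabels:
                app.kubernetes.io/name: kelos
                app.kubernetes.io/component: manager
            endpoints:
              - port: metrics
                interval: 30s
          ---
          apiVersion: monitoring.googleapis.com/v1
          kind: PodMonitoring
          metadata:
            name: kelos-spawner
            namespace: ${KELOS_NAMESPACE}
            labels:
              kelos.dev/name: kelos
              kelos.dev/component: spawner
          spec:
            selector:
              matchLabels:
                kelos.dev/name: kelos
                kelos.dev/component: spawner
              # Exclude Job-owned pods (they carry a job-name label) so only
              # the long-running spawner deployment is scraped.
              matchExpressions:
                - key: job-name
                  operator: DoesNotExist
            endpoints:
              - port: metrics
                interval: 30s
          ---
          apiVersion: monitoring.googleapis.com/v1
          kind: PodMonitoring
          metadata:
            name: ghproxy
            namespace: ${KELOS_NAMESPACE}
            labels:
              kelos.dev/name: kelos
              kelos.dev/component: ghproxy
          spec:
            selector:
              matchLabels:
                kelos.dev/name: kelos
                kelos.dev/component: ghproxy
            endpoints:
              - port: metrics
                interval: 30s
          ---
          apiVersion: monitoring.googleapis.com/v1
          kind: PodMonitoring
          metadata:
            name: kelos-webhook-github
            namespace: kelos-system
            labels:
              app.kubernetes.io/name: kelos
              app.kubernetes.io/component: webhook-github
          spec:
            selector:
              matchLabels:
                app.kubernetes.io/name: kelos
                app.kubernetes.io/component: webhook-github
            endpoints:
              - port: metrics
                interval: 30s
          EOF

      # Applies the manifests checked out from the default branch (main for
      # both triggers, see `on:` above) into the workload namespace.
      - name: Apply self-development resources
        run: kubectl apply -f self-development/ -n "${KELOS_NAMESPACE}"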