Use new GKE cluster for ci-pr.yaml #2418

Merged (6 commits), Mar 14, 2024
15 changes: 15 additions & 0 deletions .github/terraform/README.md
Collaborator Author: I've put everything inside the `.github/terraform` folder to match https://github.com/GoogleCloudPlatform/kubernetes-engine-samples.

@@ -0,0 +1,15 @@
This folder contains the Terraform for some of the infrastructure used by the CICD (continuous integration and continuous delivery/continuous deployment) of this repository.

## Update this Terraform

To make changes to this Terraform, follow these steps:

1. Make sure you have access to the `online-boutique-ci` Google Cloud project.
1. Move into this folder: `cd .github/terraform`
1. Set the PROJECT_ID environment variable: `export PROJECT_ID=online-boutique-ci`
1. Prepare Terraform and download the necessary Terraform dependencies (such as the "hashicorp/google" Terraform provider): `terraform init`
1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
* Ideally, you would see `Apply complete! Resources: 0 added, 0 changed, 0 destroyed.` in the output.
1. Make your desired changes to the Terraform code.
1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
* This time, Terraform will prompt you confirm your changes before applying them.
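Review bot: step 4 (`terraform init`) can only succeed if the `gcs` backend bucket `cicd-terraform-state` already exists and the operator can read it, yet that same bucket is declared as a managed resource in `main.tf`; document the bootstrap here (the bucket was created once out of band and then brought under management with `terraform import`, or whichever order was actually used), otherwise a fresh maintainer following these steps hits an init failure before reaching step 5. Also, step 5 uses `terraform apply` as the drift check; `terraform plan -var project_id=${PROJECT_ID}` reports `No changes.` without ever offering to apply and is the safer verb for a read-only check.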
Collaborator Author @NimJay, Mar 14, 2024: Future: Ideally, these instructions would be made redundant by a GitHub Action or Cloud Build trigger that `terraform apply`s Terraform merged into the main branch.

Member: Interestingly, I have a similar issue on the GKE samples side: GoogleCloudPlatform/kubernetes-engine-samples#611

116 changes: 116 additions & 0 deletions .github/terraform/main.tf
@@ -0,0 +1,116 @@
/**
Member: This is such a great idea. I know we have an internal doc with what infra we need to recreate the CICD environment for Online Boutique, but it's nice to have it all codified and easily reproducible in a TF script. Thanks!

* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

# Set defaults for the google Terraform provider.
provider "google" {
project = var.project_id
region = "us-central1"
zone = "us-central1-a"
}

terraform {
# Store the state inside a Google Cloud Storage bucket.
backend "gcs" {
bucket = "cicd-terraform-state"
prefix = "terraform-state"
}
}
Collaborator Author @NimJay, Mar 14, 2024: Heads-up: I stored the Terraform state in this Google Cloud Storage (GCS) bucket.

# Enable Google Cloud APIs.
module "enable_google_apis" {
source = "terraform-google-modules/project-factory/google//modules/project_services"
version = "~> 14.0"
disable_services_on_destroy = false
activate_apis = [
"cloudresourcemanager.googleapis.com",
"container.googleapis.com",
"iam.googleapis.com",
"storage.googleapis.com",
]
project_id = var.project_id
}

# Google Cloud Storage for storing Terraform state (.tfstate).
resource "google_storage_bucket" "terraform_state_storage_bucket" {
name = "cicd-terraform-state"
location = "us"
storage_class = "STANDARD"
force_destroy = false
public_access_prevention = "enforced"
uniform_bucket_level_access = true
versioning {
enabled = true
}
}

# Google Cloud IAM service account for GKE clusters.
# We avoid using the Compute Engine default service account because it's too permissive.
resource "google_service_account" "gke_clusters_service_account" {
account_id = "gke-clusters-service-account"
display_name = "My Service Account"
depends_on = [
module.enable_google_apis
]
}

# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
project = var.project_id
role = "roles/monitoring.metricWriter"
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
}

# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
project = var.project_id
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
}

# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
project = var.project_id
role = "roles/monitoring.viewer"
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
}

# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
project = var.project_id
role = "roles/stackdriver.resourceMetadata.writer"
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
}

# The GKE cluster used for pull-request (PR) staging deployments.
resource "google_container_cluster" "prs_gke_cluster" {
name = "prs-gke-cluster"
location = "us-central1"
enable_autopilot = true
project = var.project_id
deletion_protection = true
depends_on = [
module.enable_google_apis
]
cluster_autoscaling {
auto_provisioning_defaults {
service_account = google_service_account.gke_clusters_service_account.email
}
}
# Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
# Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
ip_allocation_policy {
}
}
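Review bot: `display_name = "My Service Account"` on `google_service_account.gke_clusters_service_account` is a leftover placeholder; the display name is what identifies the principal at a glance in the Console and in IAM audit log entries, so give it a descriptive value such as `"GKE cluster nodes (CI)"`. Separately, the `backend "gcs"` block and `google_storage_bucket.terraform_state_storage_bucket` both name `cicd-terraform-state`: the bucket must exist before `terraform init` can load state from it, so the resource only reconciles cleanly if it was imported after the bucket was created; a one-line comment on the resource saying so would spare the next maintainer a confusing plan. With the cluster's full configuration living in that bucket, `public_access_prevention = "enforced"`, `uniform_bucket_level_access = true` and `versioning { enabled = true }` are the right settings to keep.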
23 changes: 23 additions & 0 deletions .github/terraform/variables.tf
@@ -0,0 +1,23 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

# This file lists variables that you can set using the -var flag during "terraform apply".
# Example: terraform apply -var project_id="${PROJECT_ID}"

variable "project_id" {
type = string
description = "The Google Cloud project ID."
}
25 changes: 25 additions & 0 deletions .github/terraform/versions.tf
@@ -0,0 +1,25 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

terraform {
required_version = ">= 0.13"
required_providers {
google = {
source = "hashicorp/google"
version = "~> 5.4"
}
}
}
6 changes: 3 additions & 3 deletions .github/workflows/ci-main.yaml
@@ -70,7 +70,7 @@ jobs:
echo "::set-env name=NAMESPACE::$NAMESPACE"
echo "::set-env name=PR_NUMBER::$PR_NUMBER"

gcloud container clusters get-credentials $PR_CLUSTER --zone $ZONE --project $PROJECT_ID
gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
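Review bot: the `echo "::set-env name=NAMESPACE::$NAMESPACE"` and `echo "::set-env name=PR_NUMBER::$PR_NUMBER"` lines in the context above still use the workflow command GitHub deprecated in 2020 because any step output containing `::set-env` can inject variables into later steps; they only run at all because the job sets `ACTIONS_ALLOW_UNSECURE_COMMANDS: true`. Since this hunk already edits the same `run:` block, switch to the file-based mechanism, `echo "NAMESPACE=$NAMESPACE" >> "$GITHUB_ENV"` and `echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"`, and drop the unsecure-commands opt-in from the job's `env`.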
@@ -83,8 +83,8 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
PROJECT_ID: "online-boutique-ci"
PR_CLUSTER: "online-boutique-prs"
ZONE: "us-central1-c"
PR_CLUSTER: "prs-gke-cluster"
REGION: "us-central1"
Collaborator Author @NimJay, Mar 14, 2024: Rationale for change: Since autopilot = regional and standard = zonal.

- name: Wait For Pods
timeout-minutes: 20
run: |
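Review bot: `PR_CLUSTER: "prs-gke-cluster"` and `REGION: "us-central1"` now duplicate the `name` and `location` of `google_container_cluster.prs_gke_cluster` in `.github/terraform/main.tf`, and the same pair is repeated verbatim in `ci-pr.yaml` and `cleanup.yaml`; a rename or move on the Terraform side would only surface as a `get-credentials` failure in three workflows. At minimum add a comment beside these values naming `.github/terraform/main.tf` as the source of truth so the two are changed together.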
6 changes: 3 additions & 3 deletions .github/workflows/ci-pr.yaml
@@ -71,7 +71,7 @@ jobs:
NAMESPACE="pr${PR_NUMBER}"
echo "::set-env name=NAMESPACE::$NAMESPACE"

gcloud container clusters get-credentials $PR_CLUSTER --zone $ZONE --project $PROJECT_ID
gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
@@ -85,8 +85,8 @@ jobs:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
PR_NUMBER: ${{ github.event.pull_request.number }}
PROJECT_ID: "online-boutique-ci"
PR_CLUSTER: "online-boutique-prs"
ZONE: "us-central1-c"
PR_CLUSTER: "prs-gke-cluster"
REGION: "us-central1"
- name: Wait For Pods
timeout-minutes: 20
run: |
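Review bot: with every pull request deploying into namespace `pr${PR_NUMBER}` on the single shared `prs-gke-cluster`, one PR's workload runs on nodes that use the same `gke-clusters-service-account` identity and the same cluster network as every other open PR's workload; the new README in `.github/terraform` should state who can trigger this deploy (repository members only, or fork PRs as well) so the namespace-only separation is a documented, deliberate choice rather than an implicit one.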
6 changes: 3 additions & 3 deletions .github/workflows/cleanup.yaml
@@ -34,11 +34,11 @@ jobs:
timeout-minutes: 20
run: |
gcloud container clusters get-credentials $PR_CLUSTER \
--zone $ZONE --project $PROJECT_ID
--region $REGION --project $PROJECT_ID
NAMESPACE="pr${PR_NUMBER}"
kubectl delete namespace $NAMESPACE
env:
PROJECT_ID: "online-boutique-ci"
PR_CLUSTER: "online-boutique-prs"
ZONE: "us-central1-c"
PR_CLUSTER: "prs-gke-cluster"
REGION: "us-central1"
PR_NUMBER: ${{ github.event.number }}
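Review bot: `kubectl delete namespace $NAMESPACE` exits non-zero when the namespace is already gone (a PR whose deploy never succeeded, or a re-run of this cleanup), which marks the job failed for no reason; add `--ignore-not-found`. Since the step is capped at `timeout-minutes: 20` and namespace deletion blocks on the finalizers of every object inside it, either pass `--wait=false` or treat a timeout here as a prompt to inspect stuck finalizers rather than as a cleanup failure.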