-
Notifications
You must be signed in to change notification settings - Fork 1
141 lines (125 loc) · 6.01 KB
/
deploy-lts-prow.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: Deploy AKS LTS Prow
on:
workflow_dispatch:
inputs:
deployEnv:
description: 'Environment to run against'
type: environment
required: true
permissions:
id-token: write
contents: read
jobs:
Deploy_AKS_LTS_Prow:
runs-on: ubuntu-latest
environment: ${{ inputs.deployEnv }}
env:
GITHUB_APP_ID: ${{ vars.APP_ID }}
GITHUB_ORG: ${{ vars.ORG }}
GITHUB_REPO: ${{ vars.REPO }}
HMAC_TOKEN: ${{ secrets.HMAC_TOKEN }}
MINIO_CONSOLE_PORT: 8003
K8S_PROW_IMAGE_TAG: v20240723-dbbd2d86b
steps:
- name: Generate fake mount secret
run: |
FAKE_MOUNT_SECRET=$(echo '{"account":"fake","password":"fake"}' | base64)
echo "::add-mask::$FAKE_MOUNT_SECRET"
echo "FAKE_MOUNT_SECRET=$FAKE_MOUNT_SECRET" >> "$GITHUB_ENV"
- name: Check out repo
uses: actions/checkout@v4
- name: Azure login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: create resourceGroups
run: |
if [ $(az group exists --name ${{ secrets.AZURE_RG }}) = false ]; then
az group create --name ${{ secrets.AZURE_RG }} --location ${{ secrets.AZURE_LOCATION }}
fi
if [ $(az group exists --name ${{ secrets.CAPZ_RG }}) = false ]; then
az group create --name ${{ secrets.CAPZ_RG }} --location ${{ secrets.AZURE_LOCATION }}
fi
- name: Deploy Prow cluster Bicep
id: bicep
uses: azure/arm-deploy@v2
with:
subscriptionId: ${{ vars.AZURE_SUBSCRIPTION_ID }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./config/prow/cluster/prow-cluster.bicep
parameters: aks_cluster_region=${{ secrets.AZURE_LOCATION }} aks_cluster_admin_groups="${{ secrets.PROW_ADMIN_GROUPS }}" aks_cluster_admin_users="${{ secrets.PROW_ADMIN_USERS }}"
failOnStdErr: false
- name: Deploy CAPZ Bicep
id: capzbicep
uses: azure/arm-deploy@v2
with:
subscriptionId: ${{ vars.AZURE_SUBSCRIPTION_ID }}
resourceGroupName: ${{ secrets.CAPZ_RG }}
template: ./config/capz/capz.bicep
parameters: location=${{ secrets.AZURE_LOCATION }}
failOnStdErr: false
- name: Fetch config
run: |
echo "PROW_HOST=${{ steps.bicep.outputs.prowHostName }}" >> "$GITHUB_ENV"
echo "AZURE_STORAGE_ACCOUNT_USER=${{ steps.bicep.outputs.storageAccountName }}" >> "$GITHUB_ENV"
echo "PUBLIC_IP_NAME=${{ steps.bicep.outputs.publicIpName }}" >> "$GITHUB_ENV"
echo "CLUSTER_RG=${{ steps.bicep.outputs.resourceGroupName }}" >> "$GITHUB_ENV"
echo "CAPZ_SA"=${{ steps.capzbicep.outputs.capzsastorage_name }}" >> "$GITHUB_ENV"
- name: Install Kubectl
uses: azure/setup-kubectl@v4
- name: Set up kubelogin for non-interactive login
uses: azure/use-kubelogin@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set AKS cluster context
uses: azure/aks-set-context@v4
with:
resource-group: ${{ secrets.AZURE_RG }}
cluster-name: ${{ steps.bicep.outputs.aksClusterName }}
admin: 'false'
use-kubelogin: 'true'
- name: 'Apply Prow base manifests'
run: |
kubectl apply -f config/prow/k8s/base/ns.yaml
envsubst < config/prow/k8s/base/contour.yaml > contour.yaml
kubectl apply -f contour.yaml
envsubst < config/prow/k8s/base/prowdata.storageclass.yaml > prowdata.storageclass.yaml
kubectl apply -f prowdata.storageclass.yaml
env:
AZURE_RG: ${{ secrets.AZURE_RG }}
- name: 'Create GitHub Token secrets'
run: |
echo "${{ secrets.APP_PRIVATE_KEY }}" > cert.pem
kubectl create secret generic github-token -n prow --from-file=cert=cert.pem --from-literal=appid=$GITHUB_APP_ID -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret generic github-token -n test-pods --from-file=cert=cert.pem --from-literal=appid=$GITHUB_APP_ID -o yaml --dry-run=client | kubectl apply -f -
rm cert.pem
- name: Fetch storage key
id: fetch-storage-key
run: |
AZURE_STORAGE_ACCOUNT_PASSWORD=$(az storage account keys list -g ${{ secrets.AZURE_RG }} -n ${{ steps.bicep.outputs.storageAccountName }} | jq -r '.[0].value')
echo "::add-mask::$AZURE_STORAGE_ACCOUNT_PASSWORD"
echo "AZURE_STORAGE_ACCOUNT_PASSWORD=$AZURE_STORAGE_ACCOUNT_PASSWORD" >> "$GITHUB_ENV"
PUBLIC_IP_ADDRESS=$(az network public-ip show -g ${{ secrets.AZURE_RG }} -n ${{ steps.bicep.outputs.publicIpName }} | jq -r '.ipAddress')
echo "::add-mask::$PUBLIC_IP_ADDRESS"
echo "PUBLIC_IP_ADDRESS=$PUBLIC_IP_ADDRESS" >> "$GITHUB_ENV"
CAPZ_CI_REGISTRY=$(az acr show -g ${{ secrets.CAPZ_RG }} -n ${{ steps.capzbicep.outputs.capzci_registry_name }} | jq .loginServer)
echo "::add-mask::$CAPZ_CI_REGISTRY"
echo "CAPZ_CI_REGISTRY=$CAPZ_CI_REGISTRY" >> "$GITHUB_ENV"
- name: 'Create job configs'
run: |
envsubst < config/prow/release-branch-jobs/base.yaml > cm.yaml
envsubst < config/prow/release-branch-jobs/1.27.yaml >> cm.yaml
kubectl create configmap config -n prow --from-file=config.yaml=cm.yaml -o yaml --dry-run=client | kubectl apply -f -
rm cm.yaml
- name: 'Apply Prowjob CRD'
run: for f in config/prow/k8s/prowjob/*.yaml; do kubectl apply --server-side=true -f $f; done
- name: 'Apply Prow app manifests'
run: for f in config/prow/k8s/app/*.yaml; do envsubst < $f | kubectl apply -f -; done
env:
AZURE_RG: ${{ secrets.AZURE_RG }}
- name: 'Apply test pod manifests'
run: for f in config/prow/k8s/test-pods/*.yaml; do envsubst < $f | kubectl apply -f -; done
env:
AZURE_RG: ${{ secrets.AZURE_RG }}