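# CD workflow: tests the agent and chart, then builds a multi-arch image and a Helm chart
# and publishes them to the ECR repos of the selected deployment environment.
# Public (ECR Public) publication only happens for pushed `v*` tags.
name: Build and publish release artifacts
on:
  push:
    branches:
      - main
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      deploy_env:
        # This allows to manually trigger deployment of any branch to staging env
        # or manually trigger build in main branch
        description: "Select staging or production release"
        default: staging
        required: false
        type: choice
        options:
          - staging # build and push artifacts to staging repos
          - release # build and push artifacts to release repos (works only for main branch)

# Workflow-wide token is read-only; the build job widens it to id-token: write below.
permissions:
  contents: read

jobs:
  test:
    name: Test application and helm chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Setup Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
        with:
          go-version-file: go.mod
          cache: true
      - name: Run tests
        run: make test
      - name: Build helm chart
        working-directory: charts/eks-pod-identity-agent
        # Smoke test only: placeholder versions, nothing is pushed from this job.
        run: helm package . --version "1.2.3-dev" --app-version "4.5.6-dev"

  build-and-push:
    strategy:
      matrix:
        # NOTE(review): the `- if:` entries below are plain mapping items in the
        # `environment` list, not conditions. They are never evaluated as expressions
        # and each yields an extra matrix combination whose `matrix.environment` is an
        # object rather than an environment name. The intended shape (presumably one
        # environment on dispatch, release + staging on push) should be confirmed and
        # expressed with fromJSON(); kept as found here.
        environment:
          - ${{ inputs.deploy_env }}
          - if: matrix.environment != inputs.deploy_env
          - release
          - if: matrix.environment != inputs.deploy_env
          - staging
    name: Build and push Docker image and Helm chart
    runs-on: ubuntu-latest
    needs: [test]
    # The deployment environment supplies the per-environment `vars.*` (IAM role and
    # repo names) used below. Restricting `release` to main (see the input comment)
    # is expected to come from environment protection rules — confirm they are set.
    environment: ${{ inputs.deploy_env || matrix.environment }}
    env:
      AWS_REGION_PRIVATE: us-west-2
      AWS_REGION_PUBLIC: us-east-1
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT, see https://github.com/aws-actions/configure-aws-credentials#OIDC
    steps:
      - name: Checkout repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0 # full history so `git describe` in the Helm step can see version tags
      - name: Setup docker buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
      - name: Configure AWS credentials for ECR Private
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
        with:
          aws-region: ${{ env.AWS_REGION_PRIVATE }}
          role-to-assume: ${{ vars.ECR_ROLE }}
      - name: Configure AWS credentials for ECR Public
        # Public credentials are only obtained for version tags. Note the image/helm
        # public-publish gates below additionally require a push event, so a manual
        # dispatch on a tag ref logs in here but publishes nothing publicly.
        if: "startsWith(github.ref, 'refs/tags/v')"
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
        with:
          aws-region: ${{ env.AWS_REGION_PUBLIC }}
          role-to-assume: ${{ vars.ECR_ROLE }}
      - name: Login to Amazon ECR Private
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
      - name: Login to Amazon ECR Public
        if: "startsWith(github.ref, 'refs/tags/v')"
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
        with:
          registry-type: public
      - name: Prepare docker labels and tags
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          # enable public repo only for tags
          images: |
            name=${{ vars.PRIVATE_ECR_REPO }},enable=true
            name=${{ vars.PUBLIC_ECR_REPO }},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
          flavor: |
            latest=false
          # Enable sha tag on branch push events and workflow dispatches.
          # Enable semver tags on tag push events, but don't overwrite major/minor tags for prereleases.
          # NOTE(review): a workflow_dispatch run on a tag ref (not refs/heads/*, not a push)
          # enables none of these tags, leaving `steps.meta.outputs.tags` empty for the
          # push step below — confirm that case is either impossible or handled.
          tags: |
            type=sha,prefix={{branch}}-,suffix=-{{date 'YYYYMMDDTHHmmss'}},format=short,enable=${{ startsWith(github.ref, 'refs/heads/') }}
            type=semver,pattern={{major}},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
            type=semver,pattern={{version}},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
      - name: Build the Docker image and push
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: |
            linux/amd64
            linux/arm64
      - name: Build and publish the Helm chart
        working-directory: charts/eks-pod-identity-agent
        env:
          # 'tag' for pushed v* tags, 'commit' for pushed branches, 'dispatch' for manual runs.
          # && / || return their operand, so this reads as a chained conditional. (The previous
          # form `(... || 'commit') || 'dispatch'` could never yield 'dispatch'.)
          EVENT_TYPE: ${{ github.event_name == 'workflow_dispatch' && 'dispatch' || (startsWith(github.ref, 'refs/tags/v') && 'tag' || 'commit') }}
          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
          # Hand repository variables to the script via the environment rather than
          # interpolating them into the script text, so their values are never parsed as shell.
          HELM_PRIVATE_ECR_REPO: ${{ vars.HELM_PRIVATE_ECR_REPO }}
          HELM_PUBLIC_ECR_REPO: ${{ vars.HELM_PUBLIC_ECR_REPO }}
        run: |
          # Determine chart version to set
          case "${EVENT_TYPE}" in
            tag)
              CHART_VERSION="${GITHUB_REF_NAME}"
              ;;
            commit)
              ;&
            dispatch)
              # Nearest reachable vX.Y.Z tag plus distance/hash; empty if none is found.
              CHART_VERSION="$(git describe --tags --dirty --long --match "v[[:digit:]]*.[[:digit:]]*.[[:digit:]]*" || true)"
              ;;
            *)
              echo "Unknown event type '${EVENT_TYPE}', workflow bug?" >&2
              exit 1
              ;;
          esac
          # Trim `v` prefix if exists
          CHART_VERSION=${CHART_VERSION#v}
          IMAGE_VERSION=${IMAGE_VERSION#v}
          # No describable tag: fall back to a 0.0.0 prerelease derived from the image version.
          CHART_VERSION=${CHART_VERSION:-0.0.0-${IMAGE_VERSION}}
          # Build/package the chart
          echo "Setting chart version to ${CHART_VERSION} and image version to ${IMAGE_VERSION}"
          helm package . --version "${CHART_VERSION}" --app-version "${IMAGE_VERSION}"
          ARTIFACT_NAME=$(find . -name '*.tgz' -exec basename {} \; | head -n 1)
          # Publish the chart
          helm push "$ARTIFACT_NAME" "oci://${HELM_PRIVATE_ECR_REPO}"
          if [[ "$EVENT_TYPE" == "tag" ]]; then
            # Fixed: the public OCI URL previously carried a trailing space inside the quotes.
            helm push "$ARTIFACT_NAME" "oci://${HELM_PUBLIC_ECR_REPO}"
          fi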