diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..b8bd4ca
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,88 @@
+name: Release app
+
+on:
+ workflow_dispatch:
+
+jobs:
+ # docker-build-and-publish:
+ # name: Build and publish docker image
+ # permissions:
+ # contents: read
+ # id-token: write
+ # runs-on: ubuntu-latest
+ # steps:
+ # - uses: actions/checkout@v4
+
+ # - name: Set up QEMU
+ # uses: docker/setup-qemu-action@v3
+
+ # - name: Set up Docker Buildx
+ # uses: docker/setup-buildx-action@v2
+
+ # - name: Login to GHCR
+ # uses: docker/login-action@v2
+ # with:
+ # registry: ghcr.io
+ # username: ${{ github.actor }}
+ # password: ${{ github.token }}
+
+ # - name: Docker meta
+ # id: meta
+ # uses: docker/metadata-action@v4
+ # with:
+ # images: ghcr.io/${{ github.repository }}
+ # tags: |
+ # type=sha
+ # type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+ # type=raw,value={{branch}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+ # type=raw,value=latest,enable={{is_default_branch}}
+
+ # - name: Build and Push Docker Image
+ # uses: docker/build-push-action@v4
+ # with:
+ # context: .
+ # platforms: linux/x86_64
+ # push: true
+ # cache-from: type=gha
+ # cache-to: type=gha,mode=max
+ # tags: ${{ steps.meta.outputs.tags }}
+ # labels: ${{ steps.meta.outputs.labels }}
+
+ # patch-values:
+ # name: Patch values with new tag
+ # needs: docker-build-and-publish
+ # if: github.ref == 'refs/heads/master'
+ # runs-on: ubuntu-latest
+ # steps:
+ # - uses: actions/checkout@v4
+ # - name: Update values.yaml
+ # uses: fjogeleit/yaml-update-action@master
+ # with:
+ # valueFile: 'argocd/test-app/version.yaml'
+ # propertyPath: 'image.tag'
+ # value: ${{ github.sha }}
+ # branch: master
+ # createPR: false
+ # message: 'Update test-app image Version to ${{ github.sha }}'
+
+ test:
+ name: "Test WIF"
+ runs-on: ubuntu-latest
+ timeout-minutes: 90
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: 'google-github-actions/auth@v2'
+ with:
+ project_id: 'earnest-reactor-416012'
+ workload_identity_provider: 'projects/200867752258/locations/global/workloadIdentityPools/github-actions/providers/github-actions'
+ service_account: github-actions@earnest-reactor-416012.iam.gserviceaccount.com
+ - name: Set up Cloud SDK
+ uses: google-github-actions/setup-gcloud@v0.3.0
+ # - name: set crdential_file
+ # run: gcloud auth login --cred-file=${{steps.auth.outputs.credentials_file_path}}
+ - name: Run gcloud
+ run: gcloud compute instances list --zones us-east4-c
\ No newline at end of file
diff --git a/terraform/argocd.tf b/terraform/argocd.tf
index 0b22024..781c69b 100644
--- a/terraform/argocd.tf
+++ b/terraform/argocd.tf
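Review bot: The `Set up Cloud SDK` step pins `google-github-actions/setup-gcloud@v0.3.0`, a v0 release, right after `google-github-actions/auth@v2`; the two should be on the same current major, and the auth step carries no `id:`, so the commented-out `steps.auth.outputs.credentials_file_path` reference beneath it could never resolve if it were re-enabled. Every `uses:` here is a mutable tag; for a job that holds an `id-token: write` token, pinning each action to its full commit SHA with the tag in a trailing comment (`uses: google-github-actions/auth@<commit-sha>  # v2`, placeholder) is the usual supply-chain control. `timeout-minutes: 90` is far more than a single `gcloud compute instances list` needs and should be cut to a few minutes so a hung run does not hold the federated token that long. The roughly sixty commented-out lines for `docker-build-and-publish` and `patch-values` are dead configuration and are better kept on a branch than committed alongside the live `test` job.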
@@ -2,23 +2,23 @@ locals { argocd_values = { # Configure repository connection configs = { - # credentialTemplates = { - # github-ssh = { - # url = var.argocd_repository_url - # sshPrivateKey = var.argocd_private_key - # } - # } - # repositories = { - # github = { - # url = var.argocd_repository_url - # } - # } + credentialTemplates = { + github-ssh = { + url = var.argocd_repository_url + sshPrivateKey = var.argocd_private_key + } + } + repositories = { + github = { + url = var.argocd_repository_url + } + } } # Configure initial applications list - # server = { - # additionalApplications = yamldecode(var.argocd_applications_definition) - # } + server = { + additionalApplications = yamldecode(var.argocd_applications_definition) + } # Configure rbac to enable application CRD sync repoServer = { diff --git a/terraform/artifact-repository.tf b/terraform/artifact-repository.tf new file mode 100644 index 0000000..76fcde1 --- /dev/null +++ b/terraform/artifact-repository.tf @@ -0,0 +1,6 @@ +resource "google_artifact_registry_repository" "docker_repository" { + location = var.region + repository_id = var.docker_repository_name + description = "example docker repository" + format = "DOCKER" +} \ No newline at end of file diff --git a/terraform/github-iam.tf b/terraform/github-iam.tf new file mode 100644 index 0000000..60241b2 --- /dev/null +++ b/terraform/github-iam.tf 
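Review bot: `sshPrivateKey = var.argocd_private_key` puts the repository private key into `local.argocd_values`, which is presumably rendered into the Helm values for the Argo CD release (the `locals` block this hunk edits begins before and continues past the hunk, so how `argocd_values` is consumed is not visible here); anything in Helm values ends up in plaintext in the Terraform state and in the Helm release Secret. Argo CD picks credential templates up from a Kubernetes Secret labelled `argocd.argoproj.io/secret-type: repo-creds`, so creating that Secret separately, or passing the key via `helm_release`'s `set_sensitive`, keeps it out of the rendered values entirely. If it has to stay in values, the variable should at least be declared `sensitive = true` so the key is redacted from plan and apply output.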
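Review bot: `description = "example docker repository"` reads as a placeholder carried over from provider documentation; say what the repository holds, e.g. `description = "Container images built and pushed by the GitHub Actions release workflow"`. Since the commented-out `patch-values` job writes `github.sha` as the deployed image tag, consider `docker_config { immutable_tags = true }` so a tag that Argo CD has already pinned cannot later be repointed at a different image, and, if your provider version supports it, a `cleanup_policies` block so untagged layers do not accumulate indefinitely.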
@@ -0,0 +1,45 @@
+resource "google_iam_workload_identity_pool" "identity-pool" {
+ workload_identity_pool_id = "github-actions"
+}
+
+resource "google_iam_workload_identity_pool_provider" "github-oidc-provider" {
+ workload_identity_pool_id = google_iam_workload_identity_pool.identity-pool.workload_identity_pool_id
+ workload_identity_pool_provider_id = "github-actions"
+ attribute_mapping = {
+ "google.subject" = "assertion.sub",
+ "attribute.actor" = "assertion.actor",
+ "attribute.repository" = "assertion.repository",
+ "attribute.repository_owner" = "assertion.repository_owner"
+ }
+ attribute_condition = "attribute.repository==\"${var.argocd_repository}\""
+ oidc {
+ issuer_uri = "https://token.actions.githubusercontent.com"
+ }
+}
+
+resource "google_service_account" "github-actions" {
+ account_id = "github-actions"
+ display_name = "Github Actions"
+}
+
+resource "google_artifact_registry_repository_iam_member" "github-actions-docker-image-write" {
+ location = var.region
+ repository = google_artifact_registry_repository.docker_repository.id
+ role = "roles/artifactregistry.writer"
+ member = "serviceAccount:${google_service_account.github-actions.email}"
+}
+
+resource "google_service_account_iam_binding" "github-actions" {
+ service_account_id = google_service_account.github-actions.id
+ role = "roles/iam.workloadIdentityUser"
+
+ members = [
+ "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.identity-pool.name}/attribute.repository/${var.argocd_repository}",
+ ]
+}
+
+resource "google_project_iam_member" "test" {
+ project = var.project_id
+ role = "roles/compute.viewer"
+ member = "serviceAccount:${google_service_account.github-actions.email}"
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 7f56f39..5c938ef 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
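Review bot: `google_project_iam_member.test` grants the CI service account `roles/compute.viewer` on the whole project, and its name together with the workflow's `Run gcloud` step suggests it exists only to prove federation works; it should be removed, or replaced by the narrowest role the pipeline really needs, once that check passes, because every workflow run in `var.argocd_repository` inherits it. The provider's `attribute_mapping` does not map `assertion.ref`, so neither `attribute_condition` nor the `principalSet` in `google_service_account_iam_binding.github-actions` can restrict impersonation to the `master` branch that the commented-out `patch-values` job gates on — any workflow in the repository that requests `id-token: write` can obtain credentials for this service account. Adding `"attribute.ref" = "assertion.ref"` to the mapping and extending the condition to `attribute.repository==\"${var.argocd_repository}\" && attribute.ref==\"refs/heads/master\"` narrows that to the release branch. Consider also giving `identity-pool` and the provider a `display_name`/`description` so the console shows what they are for.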
@@ -18,6 +18,10 @@ variable "subnetwork_name" { description = "The network name" } +variable "docker_repository_name" { + description = "The name of artifacts repository containing docker images" +} + variable "project_id" { description = "The project ID to host the cluster in" } @@ -40,4 +44,20 @@ variable "ip_range_nodes" { variable "argocd_version" { description = "Version of Argo CD to install" -} \ No newline at end of file +} + +variable "argocd_repository_url" { + description = "Repository that would be used by ArgoCD as a source in SSH format" +} + +variable "argocd_repository" { + description = "Repository that would be used by ArgoCD in github org/repo_name format, would be used in OIDC claims" +} + +variable "argocd_private_key" { + description = "SSH key that would be used by ArgoCD to access source repository" +} + +variable "argocd_applications_definition" { + description = "ArgoCD applications deffinition" +} diff --git a/terraform/vars.auto.tfvars b/terraform/vars.auto.tfvars index bd3b9fd..5f0bec5 100644 --- a/terraform/vars.auto.tfvars +++ b/terraform/vars.auto.tfvars @@ -7,9 +7,38 @@ region = "europe-west1" cluster_name = "gke-cluster" network_name = "gke-cluster" subnetwork_name = "gke-cluster" +docker_repository_name = "docker-repository" ip_range_pods = "192.168.0.0/16" ip_range_services = "10.96.0.0/12" ip_range_nodes = "10.32.0.0/20" -argocd_version = "6.6.0" \ No newline at end of file +argocd_version = "6.6.0" + +argocd_repository_url = "git@github.com:dm3ch/p2p-devops-test.git" +argocd_repository = "dm3ch/p2p-devops-test" +argocd_private_key = <
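Review bot: `argocd_private_key` is declared without `sensitive = true`, so the key prints unredacted in `terraform plan`/`apply` output and in every attribute it flows into; add `sensitive = true` to that block, and note that the `vars.auto.tfvars` hunk that follows begins assigning it inline in a committed file, where it should instead be supplied via `TF_VAR_argocd_private_key` or a secret-manager data source. None of the new variables in this hunk, nor `docker_repository_name` in the hunk above, declares a `type`; `type = string` on each turns a wrong value into a plan-time error instead of a late provider failure. The description `"ArgoCD applications deffinition"` also misspells `definition`.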