Switch from DO to GCP for kube

.github/workflows/deploy.yml

@@ -39,17 +39,24 @@ jobs:
       url: https://${{ needs.read-env.outputs.hostname }}/
     needs:
       - read-env
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
+      - name: Google Cloud auth
+        uses: google-github-actions/auth@v0
         with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+          service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_ID_PROVIDER }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/[email protected]
 
       - name: Save kubeconfig
-        run: doctl kubernetes cluster kubeconfig save ${{ vars.CLUSTER_NAME }} --expiry-seconds 600
+        run: gcloud container clusters get-credentials ${{ vars.CLUSTER_NAME }} --location ${{ vars.CLUSTER_LOCATION }}
 
       - name: Helm deploy
         # The two TLS secrets have to be put in files because they're multi-line

deploy/README.md

@@ -29,23 +29,21 @@ These are one-time "singleton" resources. Resources include:
 
 - Google Cloud OIDC creds ([see here](https://github.com/google-github-actions/auth#setup))
 - GCS static assets bucket
-- GitHub Actions secrets to auth with DigitalOcean and GCP
+- GitHub Actions secrets to auth with GCP
 
 #### Setup
 
 1. `cd deploy/terraform/core`
 1. Create a new file `secrets.auto.tfvars`
 1. Generate a GitHub Personal Access Token
    1. [Go here](https://github.com/settings/tokens)
-   1. Create a new token with the scopes:
-      - `workflow`
-      - `read:org`
-      - `read:discussion`
+   1. Create a new token for the Beta Spray repo
+   1. Give it these scopes:
+      - Administration: R/W (for branch protection)
+      - Environments: R/W
+      - Secrets: R/W
+      - Variables: R/W
    1. Add `github_token = "<token>"` to the `tfvars` file
-1. Generate a DigitalOcean Personal Access Token
-   1. [Go here](https://cloud.digitalocean.com/account/api/tokens)
-   1. Create a new token with the scopes: `Read`
-   1. Add `digitalocean_token = "<token>"` to the `tfvars` file
 1. Auth to Google with `gcloud auth login`
 1. ` terraform init -backend-config encryption_key="<key>"`
    1. MAKE SURE TO INCLUDE THE SPACE AT THE BEGINNING, so your shell doesn't store the key in command history

deploy/terraform/core/github.tf

@@ -1,12 +1,12 @@
-# Create GH Actions secrets to auth with DigitalOcean and GCP
+# Create GH Actions secrets to auth with GCP
 
 locals {
   # Use a mapping so we don't have to repeat a ton of boilerplate
   variables = {
-    CLUSTER_NAME = var.kubernetes_cluster_name
+    CLUSTER_NAME     = var.kubernetes_cluster_name
+    CLUSTER_LOCATION = var.kubernetes_cluster_location
   }
   secrets = {
-    DIGITALOCEAN_ACCESS_TOKEN   = var.digitalocean_token
     GOOGLE_WORKLOAD_ID_PROVIDER = module.oidc.provider_name
     GOOGLE_SERVICE_ACCOUNT      = google_service_account.service_account.email
   }

deploy/terraform/core/variables.tf

@@ -1,9 +1,3 @@
-variable "digitalocean_token" {
-  description = "DigitalOcean Personal Access Token, to allow CI to auth with doctl"
-  type        = string
-  sensitive   = true
-}
-
 variable "github_owner" {
   description = "GitHub repository owner"
   default     = "LucasPickering"
@@ -37,9 +31,15 @@ variable "gcp_region" {
 }
 
 variable "kubernetes_cluster_name" {
-  description = "Name of the Kubernetes cluster (within DigitalOcean) that we'll deploy to"
+  description = "Name of the Kubernetes cluster (within GCP) that we'll deploy to"
+  type        = string
+  default     = "keskne-gke"
+}
+
+variable "kubernetes_cluster_location" {
+  description = "Location (region or zone ) of the Kubernetes cluster (within GCP) that we'll deploy to"
   type        = string
-  default     = "keskne"
+  default     = "us-east1-c"
 }
 
 variable "static_assets_bucket" {