diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7849f90a..e0faf247 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -39,17 +39,24 @@ jobs:
 url: https://${{ needs.read-env.outputs.hostname }}/ needs: - read-env + permissions: + contents: read + id-token: write steps: - name: Checkout uses: actions/checkout@v3 - - name: Install doctl - uses: digitalocean/action-doctl@v2 + - name: Google Cloud auth + uses: google-github-actions/auth@v0 with: - token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }} + workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_ID_PROVIDER }} + + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v1.1.1 - name: Save kubeconfig - run: doctl kubernetes cluster kubeconfig save ${{ vars.CLUSTER_NAME }} --expiry-seconds 600 + run: gcloud container clusters get-credentials ${{ vars.CLUSTER_NAME }} --location ${{ vars.CLUSTER_LOCATION }} - name: Helm deploy # The two TLS secrets have to be put in files because they're multi-line
diff --git a/deploy/README.md b/deploy/README.md
index 3a89503f..263636c4 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -29,7 +29,7 @@ These are one-time "singleton" resources. Resources include:
 - Google Cloud OIDC creds ([see here](https://github.com/google-github-actions/auth#setup)) - GCS static assets bucket -- GitHub Actions secrets to auth with DigitalOcean and GCP +- GitHub Actions secrets to auth with GCP #### Setup 
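Review bot: All three actions in the new step list are referenced by mutable tags — `google-github-actions/auth@v0`, `google-github-actions/setup-gcloud@v1.1.1` and the retained `actions/checkout@v3` — so a job that now holds `id-token: write` and fetches cluster credentials will run whatever commit those tags resolve to at run time; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: google-github-actions/auth@<full-commit-sha>  # v0`. `auth@v0` is also an older major line than `setup-gcloud@v1.1.1`, which looks worth checking against the current releases of both actions. The removed `doctl ... --expiry-seconds 600` bounded the saved kubeconfig's lifetime; `gcloud container clusters get-credentials` takes no equivalent flag, and whether the written kubeconfig relies on short-lived tokens from the auth step depends on gcloud/plugin configuration that is not visible in this hunk. The job's header and the Helm deploy step are outside the hunk.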
@@ -37,15 +37,13 @@ These are one-time "singleton" resources. Resources include:
 1. Create a new file `secrets.auto.tfvars`
 1. Generate a GitHub Personal Access Token
 1. [Go here](https://github.com/settings/tokens)
- 1. Create a new token with the scopes:
- - `workflow`
- - `read:org`
- - `read:discussion`
+ 1. Create a new token for the Beta Spray repo
+ 1. Give it these scopes:
+ - Administration: R/W (for branch protection)
+ - Environments: R/W
+ - Secrets: R/W
+ - Variables: R/W
 1. Add `github_token = ""` to the `tfvars` file
-1. Generate a DigitalOcean Personal Access Token
- 1. [Go here](https://cloud.digitalocean.com/account/api/tokens)
- 1. Create a new token with the scopes: `Read`
- 1. Add `digitalocean_token = ""` to the `tfvars` file
 1. Auth to Google with `gcloud auth login`
 1. ` terraform init -backend-config encryption_key=""`
 1. MAKE SURE TO INCLUDE THE SPACE AT THE BEGINNING, so your shell doesn't store the key in command history
diff --git a/deploy/terraform/core/github.tf b/deploy/terraform/core/github.tf
index bc366d59..f83a3a7e 100644
--- a/deploy/terraform/core/github.tf
+++ b/deploy/terraform/core/github.tf
@@ -1,12 +1,12 @@
-# Create GH Actions secrets to auth with DigitalOcean and GCP +# Create GH Actions secrets to auth with GCP locals { # Use a mapping so we don't have to repeat a ton of boilerplate variables = { - CLUSTER_NAME = var.kubernetes_cluster_name + CLUSTER_NAME = var.kubernetes_cluster_name + CLUSTER_LOCATION = var.kubernetes_cluster_location } secrets = { - DIGITALOCEAN_ACCESS_TOKEN = var.digitalocean_token GOOGLE_WORKLOAD_ID_PROVIDER = module.oidc.provider_name GOOGLE_SERVICE_ACCOUNT = google_service_account.service_account.email }
diff --git a/deploy/terraform/core/variables.tf b/deploy/terraform/core/variables.tf
index b9cf3794..b677788a 100644
--- a/deploy/terraform/core/variables.tf
+++ b/deploy/terraform/core/variables.tf
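Review bot: Dropping `DIGITALOCEAN_ACCESS_TOKEN` from the `secrets` map deletes the GitHub Actions secret on the next apply but does not revoke the DigitalOcean token itself, which also stays in any existing `secrets.auto.tfvars` and in prior Terraform state until it is revoked on the DigitalOcean side and the stale state copy is purged. A comment on the map would keep that from being overlooked the next time a key is removed, e.g. `# Removing a key here only deletes the GitHub secret; revoke the credential at its issuer too.` The resources that iterate over `local.variables` and `local.secrets` are presumably further down github.tf, outside the hunk, so I could not confirm that `CLUSTER_LOCATION` becomes a repository variable without further changes.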
@@ -1,9 +1,3 @@
-variable "digitalocean_token" {
- description = "DigitalOcean Personal Access Token, to allow CI to auth with doctl"
- type = string
- sensitive = true
-}
-
 variable "github_owner" {
 description = "GitHub repository owner"
 default = "LucasPickering"
@@ -37,9 +31,15 @@ variable "gcp_region" {
 }
 
 variable "kubernetes_cluster_name" {
- description = "Name of the Kubernetes cluster (within DigitalOcean) that we'll deploy to"
+ description = "Name of the Kubernetes cluster (within GCP) that we'll deploy to"
+ type = string
+ default = "keskne-gke"
+}
+
+variable "kubernetes_cluster_location" {
+ description = "Location (region or zone ) of the Kubernetes cluster (within GCP) that we'll deploy to"
 type = string
- default = "keskne"
+ default = "us-east1-c"
 }
 
 variable "static_assets_bucket" {
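Review bot: The description of the new `kubernetes_cluster_location` variable has a stray space before the closing parenthesis, `"Location (region or zone ) ..."`; change the line to `description = "Location (region or zone) of the Kubernetes cluster (within GCP) that we'll deploy to"`. Because this value is interpolated into the `gcloud container clusters get-credentials ... --location` command in deploy.yml, a `validation` block constraining it to a GCP region/zone pattern would surface typos at plan time rather than at deploy time; optional. The first hunk in this file is a pure deletion of `digitalocean_token`, which matches the removal of its only visible use in github.tf.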