Migrate from DO to GKE

.github/workflows/build-deploy.yml

@@ -25,6 +25,9 @@ jobs:
     uses: ./.github/workflows/deploy.yml
     needs:
       - build
+    permissions:
+      contents: read
+      id-token: write
     with:
       # Default to production for master push
       environment: ${{ inputs.environment || 'production' }}

.github/workflows/deploy.yml

@@ -39,17 +39,25 @@ jobs:
       url: https://${{ needs.read-env.outputs.hostname }}/
     needs:
       - read-env
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
+      - name: Google Cloud auth
+        uses: google-github-actions/auth@v0
         with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+          # Auth with the *keskne* project because that's where the cluster is hosted
+          service_account: ${{ secrets.KESKNE_GOOGLE_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.KESKNE_GOOGLE_WORKLOAD_ID_PROVIDER }}
 
       - name: Save kubeconfig
-        run: doctl kubernetes cluster kubeconfig save ${{ vars.CLUSTER_NAME }} --expiry-seconds 600
+        uses: google-github-actions/get-gke-credentials@v1
+        with:
+          cluster_name: ${{ vars.KESKNE_CLUSTER_NAME }}
+          location: ${{ vars.KESKNE_CLUSTER_LOCATION }}
 
       - name: Helm deploy
         # The two TLS secrets have to be put in files because they're multi-line

api/scripts/db.sh

@@ -40,6 +40,10 @@ restore_kube() {
 
     echo "Restoring latest backup to $pod_namespace..."
     # TODO finish this part
+    # Step 1: download files from prod bucket
+    # Step 2: anonymize
+    # Step 3: upload to dev bucket
+    # Step 4: restore
 }
 
 # Download latest backup from production, and restore it to the local DB

deploy/README.md

@@ -29,23 +29,21 @@ These are one-time "singleton" resources. Resources include:
 
 - Google Cloud OIDC creds ([see here](https://github.com/google-github-actions/auth#setup))
 - GCS static assets bucket
-- GitHub Actions secrets to auth with DigitalOcean and GCP
+- GitHub Actions secrets to auth with GCP
 
 #### Setup
 
 1. `cd deploy/terraform/core`
 1. Create a new file `secrets.auto.tfvars`
 1. Generate a GitHub Personal Access Token
    1. [Go here](https://github.com/settings/tokens)
-   1. Create a new token with the scopes:
-      - `workflow`
-      - `read:org`
-      - `read:discussion`
+   1. Create a new token for the Beta Spray repo
+   1. Give it these scopes:
+      - Administration: R/W (for branch protection)
+      - Environments: R/W
+      - Secrets: R/W
+      - Variables: R/W
    1. Add `github_token = "<token>"` to the `tfvars` file
-1. Generate a DigitalOcean Personal Access Token
-   1. [Go here](https://cloud.digitalocean.com/account/api/tokens)
-   1. Create a new token with the scopes: `Read`
-   1. Add `digitalocean_token = "<token>"` to the `tfvars` file
 1. Auth to Google with `gcloud auth login`
 1. ` terraform init -backend-config encryption_key="<key>"`
    1. MAKE SURE TO INCLUDE THE SPACE AT THE BEGINNING, so your shell doesn't store the key in command history

deploy/helm/templates/api.yml

@@ -63,6 +63,9 @@ spec:
                 secretKeyRef:
                   name: google-oauth-client
                   key: secret
+            # Backup is done by a job but we need this for restoring
+            - name: BETA_SPRAY_BACKUP_BUCKET
+              value: "{{ .Values.databaseBackupBucket }}"
             - name: BETA_SPRAY_MEDIA_BUCKET
               value: "{{ .Values.mediaBucket }}"
             # https://django-storages.readthedocs.io/en/latest/backends/gcloud.html#authentication

deploy/terraform/core/github.tf

@@ -1,27 +1,24 @@
-# Create GH Actions secrets to auth with DigitalOcean and GCP
+# Create GH Actions secrets to auth with GCP
 
 locals {
   # Use a mapping so we don't have to repeat a ton of boilerplate
-  variables = {
-    CLUSTER_NAME = var.kubernetes_cluster_name
-  }
   secrets = {
-    DIGITALOCEAN_ACCESS_TOKEN   = var.digitalocean_token
     GOOGLE_WORKLOAD_ID_PROVIDER = module.oidc.provider_name
     GOOGLE_SERVICE_ACCOUNT      = google_service_account.service_account.email
   }
 }
 
-resource "github_actions_variable" "variables" {
-  for_each      = local.variables
-  repository    = var.github_repository
-  variable_name = each.key
-  value         = each.value
-}
-
 resource "github_actions_secret" "secrets" {
   for_each        = local.secrets
   repository      = var.github_repository
   secret_name     = each.key
   plaintext_value = each.value
 }
+
+# Create a service account for the keskne project, to access GKE
+module "keskne" {
+  source                  = "github.com/LucasPickering/keskne//terraform/modules/github-ci"
+  github_repository_owner = "LucasPickering"
+  github_repository       = "beta-spray"
+  service_account_id      = "beta-spray-github-ci-sa"
+}

deploy/terraform/core/iam.tf

@@ -15,3 +15,14 @@ resource "google_project_iam_custom_role" "database_backup" {
     "storage.multipartUploads.listParts",
   ]
 }
+
+resource "google_project_iam_custom_role" "database_restore" {
+  role_id     = "storage.databaseRestore"
+  title       = "Database Restore storage user"
+  description = "Role to download database backup objects from a bucket"
+  permissions = [
+    "storage.buckets.get",
+    "storage.objects.get",
+    "storage.objects.list",
+  ]
+}

deploy/terraform/core/outputs.tf

@@ -1,6 +1,11 @@
 output "database_backup_role" {
   value       = google_project_iam_custom_role.database_backup.name
-  description = "Name of the IAM role used to access database backup buckets"
+  description = "Name of the IAM role used to access database backup buckets for upload"
+}
+
+output "database_restore_role" {
+  value       = google_project_iam_custom_role.database_restore.name
+  description = "Name of the IAM role used to access database backup buckets for download"
 }
 
 output "project_id" {

deploy/terraform/core/variables.tf

@@ -1,9 +1,3 @@
-variable "digitalocean_token" {
-  description = "DigitalOcean Personal Access Token, to allow CI to auth with doctl"
-  type        = string
-  sensitive   = true
-}
-
 variable "github_owner" {
   description = "GitHub repository owner"
   default     = "LucasPickering"
@@ -36,12 +30,6 @@ variable "gcp_region" {
   type        = string
 }
 
-variable "kubernetes_cluster_name" {
-  description = "Name of the Kubernetes cluster (within DigitalOcean) that we'll deploy to"
-  type        = string
-  default     = "keskne"
-}
-
 variable "static_assets_bucket" {
   description = "Name of storage bucket to store static assets"
   default     = "beta-spray-static"

deploy/terraform/env/storage.tf

@@ -47,6 +47,13 @@ resource "google_storage_bucket" "database_backup" {
   uniform_bucket_level_access = true
 }
 
+# API SA can download objects from DB backup bucket
+resource "google_storage_bucket_iam_binding" "database_backup_read" {
+  bucket  = google_storage_bucket.database_backup.name
+  role    = var.database_restore_role
+  members = ["serviceAccount:${google_service_account.api_service_account.email}"]
+}
+
 # Backup SA can upload objects to DB Backup bucket
 resource "google_storage_bucket_iam_binding" "database_backup_write" {
   bucket  = google_storage_bucket.database_backup.name

deploy/terraform/env/variables.tf

@@ -34,6 +34,13 @@ variable "database_backup_role" {
   default     = "projects/beta-spray/roles/storage.databaseBackup"
 }
 
+
+variable "database_restore_role" {
+  description = "GCloud IAM role for database restore"
+  type        = string
+  default     = "projects/beta-spray/roles/storage.databaseRestore"
+}
+
 variable "deployment_branch_policy" {
   description = "Deployment branch policy for GitHub Actions Environment"
   type = object({