Pass secret to environment configs #2202
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Chartpress Publish and Deploy | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'staging' | |
- 'development' | |
- 'fix/tiler_server' | |
jobs: | |
build: | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 120 | |
steps: | |
- uses: actions/checkout@v1 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GHCR_GITHUB_TOKEN }} | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: '3.7' | |
- name: Setup git | |
run: git config --global user.email "[email protected]" && git config --global user.name "Github Action" | |
- name: Install Chartpress | |
run: | | |
pip install chartpress six ruamel.yaml | |
- name: Run Chartpress | |
run: chartpress --push | |
env: | |
GITHUB_TOKEN: ${{ secrets.GHCR_GITHUB_TOKEN }} | |
################ Development secrets ################ | |
- name: Staging - substitute secrets | |
if: github.ref == 'refs/heads/development' | |
uses: bluwy/substitute-string-action@v1 | |
with: | |
_input-file: 'values.development.template.yaml' | |
_format-key: '{{key}}' | |
_output-file: 'values.development.yaml' | |
AWS_SSL_ARN: ${{ secrets.AWS_SSL_ARN }} | |
## web | |
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} | |
MAILER_ADDRESS: ${{ secrets.MAILER_ADDRESS }} | |
MAILER_DOMAIN: ${{ secrets.MAILER_DOMAIN }} | |
MAILER_PASSWORD: ${{ secrets.STAGING_MAILER_PASSWORD }} | |
MAILER_USERNAME: ${{ secrets.STAGING_MAILER_USERNAME }} | |
DEVELOPMENT_DB: ${{ secrets.STAGING_DB }} | |
DEVELOPMENT_DB_EBS: ${{ secrets.STAGING_DB_EBS }} | |
DEVELOPMENT_DB_PASSWORD: ${{ secrets.STAGING_DB_PASSWORD }} | |
DEVELOPMENT_DB_USER: ${{ secrets.STAGING_DB_USER }} | |
DEVELOPMENT_DOMAIN_NAME: staging.openhistoricalmap.org | |
DEVELOPMENT_ID_KEY: ${{ secrets.STAGING_ID_KEY }} | |
DEVELOPMENT_ID_APPLICATION: ${{ secrets.STAGING_ID_APPLICATION }} | |
DEVELOPMENT_OAUTH_CLIENT_ID: ${{ secrets.STAGING_OAUTH_CLIENT_ID }} | |
DEVELOPMENT_OAUTH_KEY: ${{ secrets.STAGING_OAUTH_KEY }} | |
DEVELOPMENT_S3_BUCKET: osmseed-dev | |
## tiler | |
DEVELOPMENT_TILER_DB_HOST: ${{ secrets.STAGING_TILER_DB_HOST }} | |
DEVELOPMENT_TILER_DB_PASSWORD: ${{ secrets.STAGING_TILER_DB_PASSWORD }} | |
DEVELOPMENT_TILER_CACHE_AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_TILER_CACHE_AWS_ACCESS_KEY_ID }} | |
DEVELOPMENT_TILER_CACHE_AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_TILER_CACHE_AWS_SECRET_ACCESS_KEY }} | |
DEVELOPMENT_SQS_QUEUE_URL: ${{ secrets.STAGING_SQS_QUEUE_URL }} | |
## tm | |
DEVELOPMENT_TM_DB_PASSWORD: ${{ secrets.STAGING_TM_DB_PASSWORD }} | |
DEVELOPMENT_TM_API_SECRET: ${{ secrets.STAGING_TM_API_SECRET }} | |
DEVELOPMENT_TM_CLIENT_ID: ${{secrets.STAGING_TM_CLIENT_ID}} | |
DEVELOPMENT_TM_CLIENT_SECRET: ${{secrets.STAGING_TM_CLIENT_SECRET}} | |
## nominatim | |
DEVELOPMENT_NOMINATIM_PG_PASSWORD: ${{ secrets.STAGING_NOMINATIM_PG_PASSWORD }} | |
## osmcha | |
DEVELOPMENT_OSMCHA_PG_PASSWORD: ${{ secrets.STAGING_OSMCHA_PG_PASSWORD }} | |
DEVELOPMENT_OSMCHA_API_CONSUMER_KEY: ${{ secrets.STAGING_OSMCHA_API_CONSUMER_KEY }} | |
DEVELOPMENT_OSMCHA_API_CONSUMER_SECRET: ${{ secrets.STAGING_OSMCHA_API_CONSUMER_SECRET }} | |
DEVELOPMENT_OSMCHA_DJANGO_SECRET_KEY: ${{ secrets.STAGING_OSMCHA_DJANGO_SECRET_KEY }} | |
DEVELOPMENT_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN: ${{ secrets.STAGING_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN }} | |
OHM_SLACK_WEBHOOK_URL: ${{ secrets.OHM_SLACK_WEBHOOK_URL }} | |
################ Staging secrets ################ | |
- name: Staging - substitute secrets | |
if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' | |
uses: bluwy/substitute-string-action@v1 | |
with: | |
_input-file: 'values.staging.template.yaml' | |
_format-key: '{{key}}' | |
_output-file: 'values.staging.yaml' | |
AWS_SSL_ARN: ${{ secrets.AWS_SSL_ARN }} | |
## web | |
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} | |
MAILER_ADDRESS: ${{ secrets.MAILER_ADDRESS }} | |
MAILER_DOMAIN: ${{ secrets.MAILER_DOMAIN }} | |
MAILER_PASSWORD: ${{ secrets.STAGING_MAILER_PASSWORD }} | |
MAILER_USERNAME: ${{ secrets.STAGING_MAILER_USERNAME }} | |
STAGING_DB: ${{ secrets.STAGING_DB }} | |
STAGING_DB_EBS: ${{ secrets.STAGING_DB_EBS }} | |
STAGING_DB_PASSWORD: ${{ secrets.STAGING_DB_PASSWORD }} | |
STAGING_DB_USER: ${{ secrets.STAGING_DB_USER }} | |
STAGING_DOMAIN_NAME: staging.openhistoricalmap.org | |
STAGING_ID_KEY: ${{ secrets.STAGING_ID_KEY }} | |
STAGING_ID_APPLICATION: ${{ secrets.STAGING_ID_APPLICATION }} | |
STAGING_OAUTH_CLIENT_ID: ${{ secrets.STAGING_OAUTH_CLIENT_ID }} | |
STAGING_OAUTH_KEY: ${{ secrets.STAGING_OAUTH_KEY }} | |
STAGING_S3_BUCKET: ${{ secrets.STAGING_S3_BUCKET }} | |
## tiler | |
STAGING_TILER_DB_HOST: ${{ secrets.STAGING_TILER_DB_HOST }} | |
STAGING_TILER_DB_PASSWORD: ${{ secrets.STAGING_TILER_DB_PASSWORD }} | |
STAGING_TILER_CACHE_AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_TILER_CACHE_AWS_ACCESS_KEY_ID }} | |
STAGING_TILER_CACHE_AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_TILER_CACHE_AWS_SECRET_ACCESS_KEY }} | |
STAGING_SQS_QUEUE_URL: ${{ secrets.STAGING_SQS_QUEUE_URL }} | |
## tm | |
STAGING_TM_API_CONSUMER_KEY: ${{ secrets.STAGING_TM_API_CONSUMER_KEY }} | |
STAGING_TM_API_CONSUMER_SECRET: ${{ secrets.STAGING_TM_API_CONSUMER_SECRET }} | |
STAGING_TM_DB_PASSWORD: ${{ secrets.STAGING_TM_DB_PASSWORD }} | |
STAGING_TM_API_SECRET: ${{ secrets.STAGING_TM_API_SECRET }} | |
STAGING_TM_CLIENT_ID: ${{secrets.STAGING_TM_CLIENT_ID}} | |
STAGING_TM_CLIENT_SECRET: ${{secrets.STAGING_TM_CLIENT_SECRET}} | |
## nominatim | |
STAGING_NOMINATIM_PG_PASSWORD: ${{ secrets.STAGING_NOMINATIM_PG_PASSWORD }} | |
## osmcha | |
STAGING_OSMCHA_PG_PASSWORD: ${{ secrets.STAGING_OSMCHA_PG_PASSWORD }} | |
STAGING_OSMCHA_API_CONSUMER_KEY: ${{ secrets.STAGING_OSMCHA_API_CONSUMER_KEY }} | |
STAGING_OSMCHA_API_CONSUMER_SECRET: ${{ secrets.STAGING_OSMCHA_API_CONSUMER_SECRET }} | |
STAGING_OSMCHA_DJANGO_SECRET_KEY: ${{ secrets.STAGING_OSMCHA_DJANGO_SECRET_KEY }} | |
STAGING_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN: ${{ secrets.STAGING_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN }} | |
OHM_SLACK_WEBHOOK_URL: ${{ secrets.OHM_SLACK_WEBHOOK_URL }} | |
################ Production secrets ################ | |
- name: Production - substitute secrets | |
if: github.ref == 'refs/heads/main' | |
uses: bluwy/substitute-string-action@v1 | |
with: | |
_input-file: 'values.production.template.yaml' | |
_format-key: '{{key}}' | |
_output-file: 'values.production.yaml' | |
AWS_SSL_ARN: ${{ secrets.AWS_SSL_ARN }} | |
## web | |
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} | |
MAILER_ADDRESS: ${{ secrets.MAILER_ADDRESS }} | |
MAILER_DOMAIN: ${{ secrets.MAILER_DOMAIN }} | |
MAILER_PASSWORD: ${{ secrets.MAILER_PASSWORD }} | |
MAILER_USERNAME: ${{ secrets.MAILER_USERNAME }} | |
PRODUCTION_DB: ${{ secrets.PRODUCTION_DB }} | |
PRODUCTION_DB_EBS: ${{ secrets.PRODUCTION_DB_EBS }} | |
PRODUCTION_DB_PASSWORD: ${{ secrets.PRODUCTION_DB_PASSWORD }} | |
PRODUCTION_DB_USER: ${{ secrets.PRODUCTION_DB_USER }} | |
PRODUCTION_DOMAIN_NAME: ${{ secrets.PRODUCTION_DOMAIN_NAME }} | |
PRODUCTION_ID_KEY: ${{ secrets.PRODUCTION_ID_KEY }} | |
PRODUCTION_ID_APPLICATION: ${{ secrets.PRODUCTION_ID_APPLICATION }} | |
PRODUCTION_OAUTH_CLIENT_ID: ${{ secrets.PRODUCTION_OAUTH_CLIENT_ID }} | |
PRODUCTION_OAUTH_KEY: ${{ secrets.PRODUCTION_OAUTH_KEY }} | |
PRODUCTION_S3_BUCKET: ${{ secrets.PRODUCTION_S3_BUCKET }} | |
PRODUCTION_DB_BACKUP_S3_BUCKET: ${{ secrets.PRODUCTION_DB_BACKUP_S3_BUCKET }} | |
## tiler | |
PRODUCTION_TILER_DB_HOST: ${{ secrets.PRODUCTION_TILER_DB_HOST }} | |
PRODUCTION_TILER_DB_PASSWORD: ${{ secrets.PRODUCTION_TILER_DB_PASSWORD }} | |
PRODUCTION_TILER_CACHE_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_TILER_CACHE_AWS_ACCESS_KEY_ID }} | |
PRODUCTION_SQS_QUEUE_URL: ${{ secrets.PRODUCTION_SQS_QUEUE_URL }} | |
## tm | |
PRODUCTION_TILER_CACHE_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_TILER_CACHE_AWS_SECRET_ACCESS_KEY }} | |
PRODUCTION_TM_API_CONSUMER_KEY: ${{ secrets.PRODUCTION_TM_API_CONSUMER_KEY }} | |
PRODUCTION_TM_API_CONSUMER_SECRET: ${{ secrets.PRODUCTION_TM_API_CONSUMER_SECRET }} | |
PRODUCTION_TM_DB_PASSWORD: ${{ secrets.PRODUCTION_TM_DB_PASSWORD }} | |
PRODUCTION_TM_API_SECRET: ${{ secrets.PRODUCTION_TM_API_SECRET }} | |
PRODUCTION_TM_CLIENT_ID: ${{secrets.PRODUCTION_TM_CLIENT_ID}} | |
PRODUCTION_TM_CLIENT_SECRET: ${{secrets.PRODUCTION_TM_CLIENT_SECRET}} | |
## nominatim | |
PRODUCTION_NOMINATIM_PG_PASSWORD: ${{ secrets.PRODUCTION_NOMINATIM_PG_PASSWORD }} | |
## osmcha | |
PRODUCTION_OSMCHA_PG_PASSWORD: ${{ secrets.PRODUCTION_OSMCHA_PG_PASSWORD }} | |
PRODUCTION_OSMCHA_API_CONSUMER_KEY: ${{ secrets.PRODUCTION_OSMCHA_API_CONSUMER_KEY }} | |
PRODUCTION_OSMCHA_API_CONSUMER_SECRET: ${{ secrets.PRODUCTION_OSMCHA_API_CONSUMER_SECRET }} | |
PRODUCTION_OSMCHA_DJANGO_SECRET_KEY: ${{ secrets.PRODUCTION_OSMCHA_DJANGO_SECRET_KEY }} | |
PRODUCTION_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN: ${{ secrets.PRODUCTION_OSMCHA_REACT_APP_MAPBOX_ACCESS_TOKEN }} | |
OHM_SLACK_WEBHOOK_URL: ${{ secrets.OHM_SLACK_WEBHOOK_URL }} | |
- name: AWS Credentials | |
if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development' | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-east-1 | |
- name: Setup Kubectl and Helm Dependencies | |
if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development' | |
run: "sudo pip install awscli --ignore-installed six\nsudo curl -L -o /usr/bin/kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/kubectl\nsudo chmod +x /usr/bin/kubectl\nsudo curl -o /usr/bin/aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/aws-iam-authenticator\nsudo chmod +x /usr/bin/aws-iam-authenticator\nwget https://get.helm.sh/helm-v3.5.0-linux-amd64.tar.gz -O helm.tar.gz\ntar -xvzf helm.tar.gz\nsudo mv linux-amd64/helm /usr/local/bin/ \nsudo chmod +x /usr/local/bin/helm\n #magic___^_^___line\n" | |
- name: Update kube-config staging | |
if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' | |
run: aws eks --region us-east-1 update-kubeconfig --name osmseed-staging | |
- name: Update kube-config prod | |
if: github.ref == 'refs/heads/main' | |
run: aws eks --region us-east-1 update-kubeconfig --name osmseed-production-v2 | |
- name: Install helm dependencies for | |
if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development' | |
run: cd ohm && helm dep up | |
- name: Staging - helm deploy | |
if: github.ref == 'refs/heads/staging' | |
run: helm upgrade --install staging --wait ohm/ -f values.staging.yaml -f ohm/values.yaml | |
# - name: development - helm deploy | |
# if: github.ref == 'refs/heads/development' | |
# run: helm upgrade --install development --wait ohm/ -f values.staging.yaml -f ohm/values.yaml | |
- name: Production - helm deploy | |
if: github.ref == 'refs/heads/main' | |
run: helm upgrade --install production --wait ohm/ -f values.production.yaml -f ohm/values.yaml |