-
Notifications
You must be signed in to change notification settings - Fork 12
80 lines (77 loc) · 3.47 KB
/
aks.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
on:
workflow_dispatch:
push:
branches: [ main ]
pull_request:
branches: [ main ]
name: AKS - Build, Scan and Deploy
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
# checkout the repo
- name: 'Checkout GitHub Action'
uses: actions/checkout@main
- name: 'Login via Azure CLI'
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: 'Log in Docker'
uses: azure/docker-login@v1
with:
login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: 'Build Image'
run: |
docker build . -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}
- name: Prisma Cloud image scan
id: scan
uses: PaloAltoNetworks/prisma-cloud-scan@v1
with:
pcc_console_url: ${{ secrets.PCC_CONSOLE_URL }}
pcc_user: ${{ secrets.PCC_USER }}
pcc_pass: ${{ secrets.PCC_PASS }}
image_name: ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}
- name: 'Push image'
run: |
docker push ${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}
- name: Set up kubelogin for non-interactive login
run: |
curl -LO https://github.com/Azure/kubelogin/releases/download/v0.0.20/kubelogin-linux-amd64.zip
sudo unzip -j kubelogin-linux-amd64.zip -d /usr/local/bin
rm -f kubelogin-linux-amd64.zip
kubelogin --version
- name: Set AKS context
id: set-context
uses: azure/aks-set-context@v3
with:
resource-group: '${{ secrets.resource_group }}'
cluster-name: '${{ secrets.cluster_name }}'
admin: 'false'
use-kubelogin: 'true'
- name: Setup kubectl
id: install-kubectl
uses: azure/setup-kubectl@v3
- name: Update Registry URL
run: |
sed -i.bak 's/pcgithub.azurecr.io/${{ secrets.REGISTRY_LOGIN_SERVER }}/' aks-deployment.yml
- name: Set up deployment environment variables
run: |
kustomize create --resources aks-deployment.yml,aks-serviceaccount.yaml
kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env","value":[{"name":"BLOB_ENDPOINT","value":"'"${{secrets.BLOB_ENDPOINT}}"'"},{"name":"CONTAINER_NAME","value":"'"${{secrets.CONTAINER_NAME}}"'"}]}]' --group apps
if [ -n "${{ secrets.AWI_CLIENTID }}" ]
then
kustomize edit add patch --kind ServiceAccount --patch '[{"op":"add","path":"/metadata/annotations","value":{"azure.workload.identity/client-id":"'"${{secrets.AWI_CLIENTID}}"'"}}]'
kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/serviceAccountName","value":"workload-identity-sa"}]' --group apps
fi
kustomize build . -o aks-deployment-kustomized.yml
- name: Deploy to AKS
id: deploy-aks
uses: Azure/k8s-deploy@v4
with:
namespace: 'default'
manifests: |
aks-deployment-kustomized.yml
images: '${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}'
annotate-namespace: 'false'