-
Notifications
You must be signed in to change notification settings - Fork 1
118 lines (98 loc) · 5.26 KB
/
deploy_production.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Deploy production
on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
jobs:
run-reusable-lint-and-test:
uses: ./.github/workflows/reusable_lint_and_test.yaml
secrets: inherit
deploy-production:
needs: run-reusable-lint-and-test
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
env:
DEPLOYMENT_NAME: "production"
ECR_REGISTRY: ${{ secrets.PROD_EC2_ECR_REGISTRY }}
ECR_REGISTRY_IMAGE: ${{ secrets.PROD_EC2_ECR_REGISTRY_IMAGE }}
PRIVATE_KEY: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
HOSTNAME: ${{ secrets.PROD_SSH_HOST }}
USER_NAME: ${{ secrets.PROD_USER_NAME }}
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.9'
- name: configure aws access credentials
run: |
mkdir -p ~/.aws
echo -e "[default]\nregion=eu-central-1" > ~/.aws/config
echo -e "[default]\naws_access_key_id=${{ secrets.PRODDATA_AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.PRODDATA_AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
- name: install pipenv and aws
run: |
pip install pipenv==2021.5.29
pip install awscli --no-build-isolation
- name: download process definitions
run: |
chmod +x download-process-definitions.sh
./download-process-definitions.sh
- name: install dependencies needed for deployment
working-directory: ./rest
run: pipenv install --dev
- name: create env file
working-directory: ./rest/
run: |
echo "AWS_ACCESS_KEY_ID=${{ secrets.PRODDATA_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY=${{ secrets.PRODDATA_AWS_SECRET_ACCESS_KEY }}
SH_CLIENT_ID=${{ secrets.PRODUCTION_SH_CLIENT_ID }}
SH_CLIENT_SECRET=${{ secrets.PRODUCTION_SH_CLIENT_SECRET }}
BACKEND_VERSION=$GITHUB_REF_NAME
RESULTS_S3_BUCKET_NAME_MAIN=${{ secrets.RESULTS_S3_BUCKET_NAME_MAIN_PRODUCTION }}
RESULTS_S3_BUCKET_NAME_CREODIAS=${{ secrets.RESULTS_S3_BUCKET_NAME_CREODIAS_PRODUCTION }}
RESULTS_S3_BUCKET_NAME_USWEST=${{ secrets.RESULTS_S3_BUCKET_NAME_USWEST_PRODUCTION }}
RESULTS_S3_BUCKET_ACCESS_KEY_ID_MAIN=${{ secrets.RESULTS_S3_BUCKET_ACCESS_KEY_ID_MAIN_PRODUCTION }}
RESULTS_S3_BUCKET_ACCESS_KEY_ID_CREODIAS=${{ secrets.RESULTS_S3_BUCKET_ACCESS_KEY_ID_CREODIAS_PRODUCTION }}
RESULTS_S3_BUCKET_ACCESS_KEY_ID_USWEST=${{ secrets.RESULTS_S3_BUCKET_ACCESS_KEY_ID_USWEST_PRODUCTION }}
RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_MAIN=${{ secrets.RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_MAIN_PRODUCTION }}
RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_CREODIAS=${{ secrets.RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_CREODIAS_PRODUCTION }}
RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_USWEST=${{ secrets.RESULTS_S3_BUCKET_SECRET_ACCESS_KEY_USWEST_PRODUCTION }}
USAGE_REPORTING_BASE_URL=${{ secrets.USAGE_REPORTING_BASE_URL_PRODUCTION }}
USAGE_REPORTING_AUTH_URL=${{ secrets.USAGE_REPORTING_AUTH_URL_PRODUCTION }}
USAGE_REPORTING_AUTH_CLIENT_ID=${{ secrets.USAGE_REPORTING_AUTH_CLIENT_ID_PRODUCTION }}
USAGE_REPORTING_AUTH_CLIENT_SECRET=${{ secrets.USAGE_REPORTING_AUTH_CLIENT_SECRET_PRODUCTION }}
LOGGING_LEVEL=${{ secrets.LOGGING_LEVEL_PRODUCTION }}
DEPLOYMENT_TYPE=production
" > .env
- name: build docker image with correct tags
working-directory: ./rest
run: docker build -t "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:$GITHUB_REF_NAME" -t "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:latest" --build-arg VERSION=$GITHUB_REF_NAME --build-arg VCS_REF=$GITHUB_SHA --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') .
- name: login for AWS ECR docker
working-directory: ./rest
run: aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin "$ECR_REGISTRY"
- name: push docker images (versioned with CI tag and "latest") to AWS ECR with docker
working-directory: ./rest
run: |
docker push "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:$GITHUB_REF_NAME"
docker push "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:latest"
- name: copy env file
working-directory: ./rest
run: |
echo "${PRIVATE_KEY}" > private_key && chmod 600 private_key
scp -o StrictHostKeyChecking=no -i private_key ./.env ${USER_NAME}@${HOSTNAME}:openEO/.env
- name: pull docker image and run
uses: appleboy/[email protected]
with:
key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
host: ${{ secrets.PROD_SSH_HOST }}
username: ${{ secrets.PROD_USER_NAME }}
envs: ECR_REGISTRY, ECR_REGISTRY_IMAGE
script: |
aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE"
docker pull "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:latest"
# stop and remove all containers
docker ps -aq | xargs docker stop | xargs docker rm
cd openEO
docker run -p 8000:8000 -d --env-file .env "$ECR_REGISTRY/$ECR_REGISTRY_IMAGE:latest"
# remove all dangling images
docker image prune --force