forked from RocketChat/Rocket.Chat
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #22 from seekingalpha/ar_3271_noach_sa_devops_cleanup
Clean up the "Deploy to EC2" script and its GitHub Workflow
Showing 8 changed files with 150 additions and 230 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,34 +1,20 @@ | ||
name: Deploy to EC2 | ||
run-name: Deploy to ${{ inputs.environment }} (${{ inputs.version }}) | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
version: | ||
description: Tarball (either the full filename or just its {rc_version}.{commit_hash} substring) | ||
type: string | ||
description: | | ||
version: | ||
RC version + git commit number. | ||
For a list of available versions, look in | ||
s3://seekingalpha-rocketchat-builds/ | ||
for rocket.chat-VERSION.tgz | ||
Special versions: | ||
latest = version last built | ||
staging = version last deployed to staging | ||
production = version last deployed to production | ||
required: true | ||
|
||
environment: | ||
description: Deploy to | ||
type: choice | ||
description: chose the AWS environment | ||
options: | ||
- staging | ||
- production | ||
required: true | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.environment }} | ||
|
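Review bot: the `concurrency` group at the end of this hunk is keyed on `${{ github.ref }}` as well as the environment, so two dispatches to the same environment from different branches fall into different groups and can deploy at the same time. Keying it on the environment alone, `group: ${{ github.workflow }}-${{ inputs.environment }}`, would serialize them. Separately, `version` is a free-form `type: string`: the one-line description names the accepted forms, but nothing in these lines enforces them, so the deploy script should check the value against the expected pattern before it is used in an S3 key or a remote command.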
@@ -39,35 +25,43 @@ defaults: | |
|
||
jobs: | ||
deploy: | ||
name: deploy | ||
name: Deploy to EC2 | ||
environment: ${{ inputs.environment }} | ||
runs-on: [rocketchat] | ||
runs-on: rocketchat # https://github.com/seekingalpha/Rocket.Chat/settings/actions/runners | ||
steps: | ||
- name: Checkout code | ||
- name: CONFIG VARS # Log our configuration inputs right here at the top, so they are easy to find | ||
env: | ||
environment: ${{ inputs.environment }} | ||
version: ${{ inputs.version }} | ||
run: | | ||
echo | ||
echo 'Running the "Deploy to EC2" workflow with the following config vars:' | ||
echo " - version: $version" | ||
echo " - environment: $environment" | ||
- name: Checkout deploy script branch | ||
uses: actions/checkout@v4 | ||
|
||
- name: install dependencies. | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get update -y | ||
sudo apt-get install -y cloud-utils | ||
sudo apt-get install -y pssh | ||
sudo apt-get install -y gettext | ||
sudo apt-get install -y gettext # provides envsubst(1) template renderer | ||
- name: Configure AWS Credentials | ||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }} | ||
aws-region: ${{ vars.AWS_REGION }} | ||
|
||
#this is the private key for ci user, used by jenkins slave, can be found in ssm parameter staging jenkins slave. that allows ssh to airflow. | ||
- name: install the ci private key | ||
- name: Obtain the SSH private key for logging in to RC EC2 instances | ||
uses: webfactory/[email protected] | ||
with: | ||
ssh-private-key: '${{ secrets.CI_SSH_PRIVATE_KEY }}' | ||
|
||
- name: Run deployment | ||
run: "$GITHUB_WORKSPACE/github.sh" | ||
shell: bash | ||
- name: Run deploy script | ||
run: ./github.sh | ||
env: | ||
ENVIRONMENT_NAME: ${{ inputs.environment }} | ||
environment: ${{ inputs.environment }} | ||
version: ${{ inputs.version }} |
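Review bot: every `uses:` in this hunk is referenced by a movable tag or version (`actions/checkout@v4`, `aws-actions/configure-aws-credentials@v4`, and the `webfactory/ssh-agent` step that is handed `secrets.CI_SSH_PRIVATE_KEY`). Pin each one to a full commit SHA so that a retagged release cannot change what runs with the deploy key and the assumed AWS role on the self-hosted `rocketchat` runner. On the comment above the SSH key step: if it is being dropped, keep a one-line pointer to where the key is managed for whoever rotates it next; if it stays, its references to Jenkins and airflow no longer match this workflow.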
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
name: Rotate AWS secrets | ||
|
||
on: | ||
workflow_dispatch: | ||
schedule: | ||
- cron: '0 0 1 * *' # monthly | ||
|
||
|
||
jobs: | ||
rotate-aws-secrets: | ||
name: Rotate AWS secrets | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Rotate AWS secrets | ||
uses: kneemaa/[email protected] | ||
env: | ||
OWNER_REPOSITORY: ${{ github.repository }} | ||
PERSONAL_ACCESS_TOKEN: ${{ secrets.ROCKETCHAT_GITHUB_TOKEN }} | ||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_ACCESS_KEY_ID }} | ||
GITHUB_ACCESS_KEY_NAME: AWS_USER_GITHUB_ROCKETCHAT_ACCESS_KEY_ID | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_SECRET_ACCESS_KEY }} | ||
GITHUB_SECRET_KEY_NAME: AWS_USER_GITHUB_ROCKETCHAT_SECRET_ACCESS_KEY |
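Review bot: the single step in this new workflow hands a personal access token and a long-lived AWS access key pair to the third-party `kneemaa` rotation action, which is referenced by version rather than by commit; pin it to a full commit SHA, since whatever that reference resolves to receives all three secrets. The file also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default; the step authenticates with `PERSONAL_ACCESS_TOKEN`, so a top-level `permissions: {}` would cost nothing. A comment in the file should also say what still consumes the `AWS_USER_GITHUB_ROCKETCHAT_*` keys, given that the deploy workflow authenticates with `role-to-assume`.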
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,29 @@ | ||
# RC deploy scripts | ||
This repo contains Seeking Alpha's customized version | ||
of the Rocket.Chat server and web client. That code | ||
may be found in any of the `sa_patches_1.2.3` branches, | ||
which are forks of the `1.2.3` release tags, with our | ||
custom patches re-cherry-picked onto each new release. | ||
|
||
Overview of the deploy process: | ||
- The Jenkins job is configured to run a Groovy script named `Jenkinsfile`, | ||
passing it the job parameters (currently, just `version`) | ||
- The `Jenkinsfile` script invokes `Jenkinsfile.sh`, passing on all job parameters as environment variables | ||
- `Jenkinsfile.sh` uses the `*.sh.tpl` template files to prepare `*.sh` files which are executed on | ||
the rocketchat nodes via ssh: | ||
- `pre_install.sh` installs the RC bundle tarball and its dependencies into a temporary folder | ||
- `rotate_version.sh` swaps out the old installation folder with the new one | ||
This branch (`sa_devops`), however, is a mostly empty | ||
branch which serves two purposes: | ||
- The "Deploy to EC2" workflow, which copies a tarball | ||
from S3 onto the various RC EC2 instances and relaunches | ||
the RocketChat servers from it. | ||
- The "Rotate AWS secrets" monthly cronjob | ||
|
||
GitHub requires a branch to be marked as the "default" branch, | ||
which is used for three purposes: | ||
- Default target for new PRs | ||
- Definition of the scheduled cronjob workflows | ||
- Adds a "Run workflow" button to the Workflow run-history page | ||
if a `on: workflow_dispatch:` is defined for this workflow. | ||
(You may choose another branch to actually *run* workflow code, | ||
but the button only appears if the default branch defines it.) | ||
|
||
# The Deployment Process | ||
- The Deploy job (defined in .github/workflows/deploy.yml) | ||
obtains credentials and runs `./github.sh` | ||
- `github.sh` uses the `*.sh.tpl` template files to prepare `*.sh` files | ||
which are executed on the rocketchat EC2 nodes via ssh: | ||
- `install_tarball.sh` installs the RC bundle tarball and its dependencies into a temporary folder | ||
- `activate_new_build.sh` swaps out the old installation folder with the new one and HUPs the daemon |
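Review bot: the parenthetical under the "Run workflow" bullet says any branch can be chosen to run the workflow code, which means that branch's `github.sh` and templates run with the deploy credentials; the README should state whether the `staging` and `production` environments restrict which branches may deploy, and recommend that they do. In "The Deployment Process", "obtains credentials" is also too terse: list what the job needs (`vars.AWS_ROLE_TO_ASSUME`, `vars.AWS_REGION`, `secrets.CI_SSH_PRIVATE_KEY`, and the self-hosted `rocketchat` runner) so the setup can be reproduced and audited.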
2 changes: 1 addition & 1 deletion
rotate_version.sh.tpl → activate_new_build.sh.tpl
100755 → 100644
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
#!/bin/bash | ||
RC_DIR=$RC_DIR_ENVSUBST | ||
RC_DIR='$RC_DIR_ENVSUBST' | ||
|
||
set -e | ||
|
||
|
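Review bot: on the `RC_DIR='$RC_DIR_ENVSUBST'` line, single-quoting the rendered value stops word splitting and expansion on the remote host, but a value containing a `'` would end the quote early, and an empty render yields `RC_DIR=''` without any error. Since this script swaps installation folders, have `github.sh` validate the value before rendering the template, and add a guard such as `: "${RC_DIR:?}"` right after the assignment. `set -e` would also be better placed above the assignment so it covers the whole script.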