feat: deploy networks via github actions (#10381)

just-mitch · web-flow · commit 7e19b3991ca3 · 2024-12-03T12:00:06.000-05:00
I used locally with [act](https://github.com/nektos/act) to deploy a smoke network in the new aztec-gke cluster.
diff --git a/.github/.gitignore b/.github/.gitignore
@@ -0,0 +1 @@
+.secrets
diff --git a/.github/workflows/network-deploy.yml b/.github/workflows/network-deploy.yml
@@ -1,18 +1,17 @@
-name: Aztec Network EKS Deployment
-
-# Manual trigerring of this workflow is intentionally disabled
-# Helm deployments do not support lock files
-# Without a lockfile, manual trigerring can lead to corrupted or partial deployments
+name: Aztec Network Deployment
 
 on:
-  push:
-    branches:
-      - staging
-      - production
-  pull_request:
-    branches:
-      - staging
-      - production
+  workflow_dispatch:
+    inputs:
+      namespace:
+        description: The namespace to deploy to, e.g. smoke
+        required: true
+      values_file:
+        description: The values file to use, e.g. 1-validators.yaml
+        required: true
+      aztec_docker_image:
+        description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:da809c58290f9590836f45ec59376cbf04d3c4ce-x86_64
+        required: true
 
 jobs:
   network_deployment:
@@ -24,34 +23,67 @@ jobs:
 
     # Set up a variable based on the branch name
     env:
-      NAMESPACE: ${{ github.ref == 'refs/heads/production' && 'production' || 'staging' }}
+      AZTEC_DOCKER_IMAGE: ${{ inputs.aztec_docker_image }}
+      NAMESPACE: ${{ inputs.namespace }}
+      VALUES_FILE: ${{ inputs.values_file }}
       CHART_PATH: ./spartan/aztec-network
+      CLUSTER_NAME: aztec-gke
+      REGION: us-west1-a
+      TF_STATE_BUCKET: aztec-terraform
+      GKE_CLUSTER_CONTEXT: gke_testnet-440309_us-west1-a_aztec-gke
 
     steps:
-      # Step 1: Check out the repository's code
       - name: Checkout code
         uses: actions/checkout@v3
 
-      # Step 2: Configure AWS credentials using GitHub Secrets
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
 
-      # Step 3: Set up Kubernetes context for AWS EKS
-      - name: Configure kubectl with EKS cluster
+      - name: Install GKE Auth Plugin
         run: |
-          aws eks update-kubeconfig --region us-east-1 --name spartan
+          gcloud components install gke-gcloud-auth-plugin --quiet
 
-      # Step 4: Install Helm
-      - name: Install Helm
+      - name: Configure kubectl with GKE cluster
         run: |
-          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+          gcloud container clusters get-credentials ${{ env.CLUSTER_NAME }} --region ${{ env.REGION }}
 
-      # Step 5: Apply Helm Chart
-      - name: Deploy Helm chart
+      - name: Ensure Terraform state bucket exists
         run: |
-          helm dependency update ${{ env.CHART_PATH }}
-          helm upgrade --install ${{ env.NAMESPACE }} ${{ env.CHART_PATH }} --namespace ${{ env.NAMESPACE }} --set network.public=true --atomic --create-namespace --timeout 20m
+          if ! gsutil ls gs://${{ env.TF_STATE_BUCKET }} >/dev/null 2>&1; then
+            echo "Creating GCS bucket for Terraform state..."
+            gsutil mb -l us-east4 gs://${{ env.TF_STATE_BUCKET }}
+            gsutil versioning set on gs://${{ env.TF_STATE_BUCKET }}
+          else
+            echo "Terraform state bucket already exists"
+          fi
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: "1.5.0" # Specify your desired version
+
+      - name: Terraform Init
+        working-directory: ./spartan/terraform/deploy-release
+        run: |
+          terraform init \
+            -backend-config="bucket=${{ env.TF_STATE_BUCKET }}" \
+            -backend-config="prefix=network-deploy/${{ env.REGION }}/${{ env.CLUSTER_NAME }}/${{ env.NAMESPACE }}/terraform.tfstate" \
+
+      - name: Terraform Plan
+        working-directory: ./spartan/terraform/deploy-release
+        run: |
+          terraform plan \
+            -var="release_name=${{ env.NAMESPACE }}" \
+            -var="values_file=${{ env.VALUES_FILE }}" \
+            -var="gke_cluster_context=${{ env.GKE_CLUSTER_CONTEXT }}" \
+            -var="aztec_docker_image=${{ env.AZTEC_DOCKER_IMAGE }}" \
+            -out=tfplan
+
+      - name: Terraform Apply
+        working-directory: ./spartan/terraform/deploy-release
+        run: terraform apply -auto-approve tfplan
diff --git a/spartan/terraform/deploy-release/main.tf b/spartan/terraform/deploy-release/main.tf
@@ -1,7 +1,7 @@
 terraform {
-  backend "s3" {
+  backend "gcs" {
     bucket = "aztec-terraform"
-    region = "eu-west-2"
+    prefix = "terraform/state"
   }
   required_providers {
     helm = {
diff --git a/spartan/terraform/gke-cluster/main.tf b/spartan/terraform/gke-cluster/main.tf
@@ -38,6 +38,24 @@ resource "google_project_iam_member" "gke_sa_roles" {
   member  = "serviceAccount:${google_service_account.gke_sa.email}"
 }
 
+# Create a new service account for Helm
+resource "google_service_account" "helm_sa" {
+  account_id   = "helm-sa"
+  display_name = "Helm Service Account"
+  description  = "Service account for Helm operations"
+}
+
+# Add IAM roles to the Helm service account
+resource "google_project_iam_member" "helm_sa_roles" {
+  for_each = toset([
+    "roles/container.admin",
+    "roles/storage.admin"
+  ])
+  project = var.project
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.helm_sa.email}"
+}
+
 # Create a GKE cluster
 resource "google_container_cluster" "primary" {
   name     = "spartan-gke"
