Deploying to EKS with GitHub Actions CI/CD
【Create an IAM User】
Reference article: https://www.pangzai.win/aws-%E5%85%81%E8%AE%B8-iam-%E7%94%A8%E6%88%B7%E8%AE%BF%E9%97%AE-eks-cluster/
1. An IAM user is needed so that the GitHub Action can use this account to push images to ECR.
2. Attach the following policy to that user. The key permissions are uploading images to ECR and updating the image version of a deployment in the EKS cluster.
Note: eks:DescribeCluster is included so that the user can log in to EKS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRPermissions",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "*"
    }
  ]
}
3. Create a ClusterRole, then bind that ClusterRole to a group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-updater
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-updater-binding
subjects:
  - kind: Group
    name: deployment-updater-group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deployment-updater
  apiGroup: rbac.authorization.k8s.io
4. Map your IAM user to that group so it receives these permissions.
eksctl create iamidentitymapping --cluster <YourClusterName> --region <YourRegion> --arn <IAM USER ARN> --group deployment-updater-group --username <IAM USERNAME>
【GitHub Workflow File】
name: Production
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
env:
  IMAGE_VERSION: ${{ vars.env }}-${{ github.run_number }}
  IMAGE_REPO: "soundbox/backend"
jobs:
  build:
    environment: production
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Set IMAGE_FULL_REPO_URL environment variable
        run: echo "IMAGE_FULL_REPO_URL=${IMAGE_REPO}:${IMAGE_VERSION}" >> $GITHUB_ENV
      - name: Build Docker Image with GitHub Build Number
        run: |
          docker build \
            --file dockerfile \
            --tag ${{ steps.ecr.outputs.registry }}/${IMAGE_FULL_REPO_URL} \
            --build-arg redisConfig=${{ secrets.REDIS_CONFIG }} \
            --build-arg mysqlConfig=${{ secrets.MYSQL_CONFIG }} \
            .
      - name: Push Docker Image to ECR
        run: docker push ${{ steps.ecr.outputs.registry }}/${IMAGE_FULL_REPO_URL}
      - name: Update kubeconfig
        run: aws eks update-kubeconfig --name ${{ vars.EKS_CLUSTER_NAME }} --region ${{ secrets.AWS_REGION }}
      - name: Set new image in Kubernetes
        run: |
          kubectl set image deployment/soundbox-api-live-deployment soundbox-api-live-container=${{ steps.ecr.outputs.registry }}/${IMAGE_FULL_REPO_URL} -n soundbox
          kubectl rollout status deployment/soundbox-api-live-deployment -n soundbox
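An added check, not part of the original post, that cross-references the workflow above with the IAM policy from the first section: it lists any IAM action a workflow step needs that the policy does not grant, and it flags --build-arg values fed from a GitHub secret, since build-arg values are recorded in the image's layer metadata and show up in docker history. The step-to-action mapping and the workflow excerpt are constructed assumptions, not anything from the post.

```python
import json
import re
# Constructed sample: the IAM policy from this post, minus the "#" comment (JSON has no comments).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ECRPermissions", "Effect": "Allow", "Resource": "*",
    "Action": ["eks:DescribeCluster", "ecr:GetAuthorizationToken",
               "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
               "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
               "ecr:GetDownloadUrlForLayer"]
  }]
}"""

# IAM actions each workflow step relies on (hand-maintained mapping; an assumption of this check).
STEP_ACTIONS = {
    "aws-actions/amazon-ecr-login": {"ecr:GetAuthorizationToken"},
    "docker push": {"ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"},
    "aws eks update-kubeconfig": {"eks:DescribeCluster"},
}

# Constructed excerpt of the workflow's uses/run lines.
WORKFLOW = """
uses: aws-actions/amazon-ecr-login@v2
docker build --file dockerfile --build-arg redisConfig=${{ secrets.REDIS_CONFIG }} \\
  --build-arg mysqlConfig=${{ secrets.MYSQL_CONFIG }} .
docker push $REGISTRY/${IMAGE_FULL_REPO_URL}
aws eks update-kubeconfig --name ${{ vars.EKS_CLUSTER_NAME }}
"""

def allowed_actions(policy):
    """Flatten the policy's Allow statements into a set of action names (no wildcard expansion)."""
    actions = set()
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow":
            actions.update([s["Action"]] if isinstance(s["Action"], str) else s["Action"])
    return actions

def missing_actions(policy_json, workflow):
    """Sorted list of actions the workflow's steps need that the policy does not grant."""
    needed = set()
    for marker, actions in STEP_ACTIONS.items():
        if marker in workflow:
            needed |= actions
    return sorted(needed - allowed_actions(json.loads(policy_json)))

def secret_build_args(workflow):
    """Names of --build-arg values fed from a GitHub secret; build args are kept in `docker history`."""
    return re.findall(r"--build-arg\s+(\w+)=\$\{\{\s*secrets\.\w+\s*\}\}", workflow)
```

Moving such values into a runtime Secret or ConfigMap mounted by the deployment keeps them out of the pushed image.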