Add some examples and a GitHub integration test (#24)
Showing 13 changed files with 291 additions and 3 deletions.
@@ -2,3 +2,4 @@ | |
*.json | ||
*.json5 | ||
*.md | ||
examples |
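Review bot: the `examples` entry needs checking against which ignore file this is. In a `.dockerignore` it is harmless, because the workflow bind-mounts `./examples/github/rollout.sh` into the container at run time instead of copying it into the image; in a `.gitignore` it would untrack the example files this same commit adds.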
@@ -0,0 +1,61 @@ | ||
name: github-integration-test | ||
on: | ||
push: | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
rollout: | ||
runs-on: ubuntu-latest | ||
timeout-minutes: 15 | ||
permissions: | ||
contents: read | ||
id-token: write | ||
steps: | ||
- uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # v4 | ||
|
||
# if you're copying this into your repo | ||
# you would just need the run step | ||
# the build/start/cleanup are just used so we can run smoke tests in this repo | ||
- name: build | ||
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6 | ||
with: | ||
context: . | ||
tags: | | ||
rollout:latest | ||
- name: start | ||
run: | | ||
docker run \ | ||
-d \ | ||
-p 8080:8080 \ | ||
--rm \ | ||
--name=rollout \ | ||
-v ./examples/github/rollout.sh:/rollout.sh \ | ||
--env JWKS_URI="https://token.actions.githubusercontent.com/.well-known/jwks" \ | ||
--env JWT_AUD=https://github.com/lehigh-university-libraries \ | ||
rollout:latest | ||
for i in {1..5}; do | ||
if curl -s http://localhost:8080/healthcheck | grep "ok"; then | ||
echo "container ready" | ||
exit 0 | ||
fi | ||
echo "Waiting for container to be ready..." | ||
sleep 2 | ||
done | ||
echo "🚨 Container did not start in time" && exit 1 | ||
- name: run | ||
env: | ||
# TODO - replace with your rollout URL | ||
# and not the docker service we're running here in GitHub Action | ||
ROLLOUT_URL: http://localhost:8080/ | ||
run: ./examples/github/trigger-rollout.sh | ||
|
||
- name: cleanup | ||
if: ${{ always() }} | ||
run: | | ||
docker logs rollout | ||
docker stop rollout |
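Review bot: the `cleanup` step at the end of the hunk runs `docker logs rollout` before `docker stop rollout` under `if: always()`, so if the `start` step fails before the container exists, `docker logs` errors, the step aborts, and a container that did come up is never stopped; use `docker logs rollout || true` so `docker stop` still runs. A smaller point in the `start` step: quote `JWT_AUD=...` the same way `JWKS_URI` is quoted, so the two lines are consistent and safe if the value ever contains shell metacharacters. The SHA-pinned actions, top-level `contents: read` and job-scoped `id-token: write` are the right least-privilege shape and are worth calling out in the comment that tells readers to copy the `run` step.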
@@ -0,0 +1,11 @@ | ||
# Example CI/CD | ||
|
||
In this directory is [a docker-compose template](./docker-compose.yml) that would be deployed into your environment(s) to allow the CI/CD system to send requests to the rollout service. | ||
|
||
## GitHub | ||
|
||
In the [github](../.github/workflows/github-integration-test.yml) you will find a sample GitHub Action you could add to your GitHub repo to trigger deployments. | ||
|
||
## GitLab | ||
|
||
In the [gitlab](./gitlab) directory, you will find a sample `.gitlab-ci.yml` you could add to your GitLab repo to trigger deployments from self-hosted or gitlab.com |
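Review bot: the GitHub section's link text `github` points at the workflow file under `../.github/workflows/`, while the GitLab section points at the `./gitlab` example directory; for parity, link the `./github` directory (which gets its own README and `rollout.sh` in this commit) and let that README point at the workflow. The last sentence is also missing its period after `gitlab.com`.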
@@ -0,0 +1,56 @@ | ||
--- | ||
networks: | ||
default: | ||
services: | ||
# use traefik as a reverse proxy for rollout | ||
# swap it with your favorite (i.e. haproxy/nginx/etc) | ||
traefik: | ||
command: >- | ||
--api.insecure=true | ||
--api.dashboard=true | ||
--api.debug=true | ||
--ping=true | ||
--entryPoints.http.address=:80 | ||
--entryPoints.https.address=:443 | ||
--entryPoints.http.forwardedHeaders.trustedIPs=${FRONTEND_IP_1},${FRONTEND_IP_2},${FRONTEND_IP_3} | ||
--entryPoints.https.forwardedHeaders.trustedIPs=${FRONTEND_IP_1},${FRONTEND_IP_2},${FRONTEND_IP_3} | ||
--entryPoints.https.transport.respondingTimeouts.readTimeout=3600 | ||
--providers.file.filename=/etc/traefik/tls.yml | ||
--providers.docker=true | ||
--providers.docker.network=default | ||
--providers.docker.exposedByDefault=false | ||
labels: | ||
traefik.enable: false | ||
volumes: | ||
- ./certs:/etc/ssl/traefik:Z,ro | ||
- ./tls.yml:/etc/traefik/tls.yml:Z,ro | ||
- /var/run/docker.sock:/var/run/docker.sock:z | ||
healthcheck: | ||
test: traefik healthcheck --ping | ||
rollout: | ||
image: lehighlts/rollout:main | ||
labels: | ||
traefik.enable: true | ||
traefik.http.routers.rollout.entrypoints: https | ||
traefik.http.routers.rollout.rule: PathPrefix(`/path/to/rollout`) | ||
traefik.http.routers.rollout.tls.certresolver: *traefik-certresolver | ||
traefik.http.routers.rollout.tls: true | ||
traefik.http.services.rollout.loadbalancer.server.port: 8080 | ||
traefik.http.routers.rollout.middlewares: rollout-ip | ||
# add all your trusted domains | ||
traefik.http.middlewares.rollout-ip.ipwhitelist.sourcerange: 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/32 | ||
# would increment to 1 if traefik (which is proxying this service) | ||
# was also behind a reverse proxy | ||
traefik.http.middlewares.rollout-ip.ipwhitelist.ipstrategy.depth: 0 | ||
volumes: | ||
- /optionally/your/code/base:/code | ||
- /optionally/other/files/to/help/with/git/docker/etc/auth:/some/other/path | ||
- ./rollout.sh:/rollout.sh | ||
# if you need to run docker commands in rollout.sh | ||
- /var/run/docker.sock:/var/run/docker.sock | ||
environment: | ||
JWKS_URI: ${JWKS_URI} | ||
JWT_AUD: $HOST | ||
CUSTOM_CLAIMS: ${CUSTOM_CLAIMS} | ||
GIT_BRANCH: ${GIT_BRANCH} | ||
ROLLOUT_LOCK_FILE: /tmp/rollout.lock |
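Review bot: `traefik.http.routers.rollout.tls.certresolver: *traefik-certresolver` is a YAML alias with no matching `&traefik-certresolver` anchor anywhere in the file, so `docker compose` will fail to parse the template; since the file provider (`--providers.file.filename=/etc/traefik/tls.yml`) already supplies a default certificate, drop the line or replace it with a real resolver name. Also, `--api.insecure=true`, `--api.dashboard=true` and `--api.debug=true` in a template meant to be deployed into real environments expose the unauthenticated dashboard on the traefik container's port 8080 to anything on the compose network; remove them or put the dashboard behind authentication. Lastly, the comment `add all your trusted domains` above `ipwhitelist.sourcerange` should say IP ranges, which is what that option takes, and `ipwhitelist` is deprecated in Traefik v3 in favor of `ipallowlist`.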
@@ -0,0 +1,5 @@ | ||
# GitHub rollout example | ||
|
||
In this example, you can see the GitHub Action YML in [.github/workflows/github-integration-test.yml](../.github/workflows/github-integration-test.yml) that you could add to your GitHub repo to trigger deployments. | ||
|
||
The GitHub YML creates an OIDC token and uses that to authenticate to the rollout service. |
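Review bot: the README should say what the rollout service must be configured with to accept the token: `JWT_AUD` must equal the token's `aud` claim, which the workflow sets to `https://github.com/lehigh-university-libraries` (GitHub's default of the repository owner URL when no `audience` is requested), and `JWKS_URI` must be GitHub's `https://token.actions.githubusercontent.com/.well-known/jwks`; both values are currently only visible inside the workflow's `docker run` step.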
@@ -0,0 +1,6 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eou pipefail | ||
|
||
echo "Rolling out $GIT_BRANCH" | ||
echo "I might git pull or docker compose up -d here." |
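Review bot: worth a comment on where `GIT_BRANCH` comes from, since the CI scripts in this commit send a caller-supplied `git-branch` value in the request body; a real script that does `git pull` or `docker compose up -d` here should act only on an allow-listed branch name rather than interpolating the value into commands.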
@@ -0,0 +1,39 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eou pipefail | ||
|
||
echo "Fetching GitHub OIDC token" | ||
TOKEN=$(curl -s \ | ||
-H "Accept: application/json; api-version=2.0" \ | ||
-H "Content-Type: application/json" -d "{}" \ | ||
-H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | ||
"$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -er '.value') | ||
|
||
# add some buffer to avoid iat issues | ||
sleep 5 | ||
|
||
echo "Triggering rollout via $ROLLOUT_URL" | ||
echo "${TOKEN}" | jq -rR 'split(".") | .[1] | @base64d | fromjson | .aud' | ||
|
||
for i in {1..3}; do | ||
STATUS=$(curl -s \ | ||
--max-time 900 \ | ||
-w '%{http_code}' \ | ||
-o /dev/null \ | ||
-d '{"git-branch": "'"${GITHUB_REF_NAME}"'"}' \ | ||
-H "Authorization: Bearer ${TOKEN}" \ | ||
"${ROLLOUT_URL}") | ||
|
||
echo "Received $STATUS" | ||
if [ "${STATUS}" = 200 ]; then | ||
echo "Rollout complete" | ||
exit 0 | ||
fi | ||
|
||
SLEEP_INTERVAL=$(( 60 * i )) | ||
echo "trying again in ${SLEEP_INTERVAL}s" | ||
sleep "${SLEEP_INTERVAL}" | ||
done | ||
|
||
echo "Rollout failed. Check logs" | ||
exit 1 |
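Review bot: the `jq -rR 'split(".") | .[1] | @base64d | fromjson | .aud'` line decodes the JWT payload as plain base64, but JWT segments are base64url (`-` and `_` instead of `+` and `/`, no padding), so `@base64d` produces garbage or fails on payloads containing those characters, and under `set -e` the whole script then exits before any rollout attempt; pipe through `tr '_-' '/+'` first and, since this is a debug print, append `|| true` so a decode hiccup cannot block the deploy. Two further points: the token is minted once before a loop that can wait 60 s then 120 s plus up to 900 s per request, so a retry may present a token that is already past its `exp`, which fetching it inside the loop avoids; and retrying on any non-200 also retries 401/403 responses that the same token will never fix, so print the response body on failure (it is currently discarded with `-o /dev/null`) to make those distinguishable in the job log.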
@@ -0,0 +1,68 @@ | ||
workflow: | ||
auto_cancel: | ||
on_new_commit: interruptible | ||
|
||
stages: | ||
- build-lint-test-push | ||
- deploy | ||
|
||
build-lint-test-push: | ||
interruptible: true | ||
stage: build-lint-test | ||
id_tokens: | ||
ID_TOKEN_1: | ||
aud: your-dev-server-claim | ||
variables: | ||
ROLLOUT_URL: https://dev.example.com/proxied/path/to/rollout | ||
script: | ||
- YOUR LINT/BUILD SCRIPT(s) | ||
- ./trigger-rollout.sh # deploy to dev | ||
- YOUR TEST SCRIPT(S) | ||
- YOUR PUSH SCRIPT(s) | ||
tags: | ||
- your | ||
- runner | ||
- tags | ||
- dev | ||
- maybe they're all the same | ||
|
||
deploy_stage: | ||
stage: deploy | ||
dependencies: | ||
- push | ||
id_tokens: | ||
ID_TOKEN_1: | ||
aud: your-stage-server-claim | ||
variables: | ||
ROLLOUT_URL: https://stage.example.com/proxied/path/to/rollout | ||
script: | ||
- ./trigger-rollout.sh | ||
rules: | ||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH | ||
tags: | ||
- your | ||
- runner | ||
- tags | ||
- stage | ||
- maybe they're all the same | ||
|
||
deploy_prod: | ||
stage: deploy | ||
dependencies: | ||
- deploy_stage | ||
id_tokens: | ||
ID_TOKEN_1: | ||
aud: your-prod-server-claim | ||
variables: | ||
ROLLOUT_URL: https://prod.example.com/proxied/path/to/rollout | ||
script: | ||
- ./trigger-rollout.sh | ||
when: manual | ||
rules: | ||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH | ||
tags: | ||
- your | ||
- runner | ||
- tags | ||
- prod | ||
- maybe they're all the same |
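Review bot: the job `build-lint-test-push` declares `stage: build-lint-test`, but the `stages:` list only defines `build-lint-test-push` and `deploy`, so GitLab rejects the pipeline with an undefined-stage error; likewise `deploy_stage` lists `dependencies: - push`, but no job named `push` exists (its artifacts would come from `build-lint-test-push`). Also, `deploy_prod` sets a job-level `when: manual` next to `rules:`; moving it into the rule (`- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` followed by `when: manual`) is unambiguous across GitLab versions. The per-environment `aud:` values are the right pattern, since each rollout service's `JWT_AUD` then accepts only the token minted for it.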
@@ -0,0 +1,7 @@ | ||
# GitLab rollout example | ||
|
||
In this example, you can find the [.gitlab-ci.yml](./.gitlab-ci.yml) you could add to your repo, along with [a bash script](./trigger-rollout.sh) that calls the rollout service deployed in your environment(s). | ||
|
||
The GitLab CI deploys to a dev/stage/prod environment, and has exponential backoff on the deploy. | ||
|
||
See https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html for more information on the `id_tokens` YML spec. |
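Review bot: `has exponential backoff on the deploy` does not match the script, whose `SLEEP_INTERVAL=$(( 60 * i ))` waits 60 s and then 120 s between three attempts, which is linear backoff; either change the wording or make the script double the interval.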
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eou pipefail | ||
|
||
echo "Triggering rollout via $ROLLOUT_URL" | ||
echo "${ID_TOKEN_1}" | jq -rR 'split(".") | .[1] | @base64d | fromjson | .project_path + " " + .user_email + " " + .aud' | ||
|
||
for i in {1..3}; do | ||
STATUS=$(curl -s \ | ||
--max-time 900 \ | ||
-w '%{http_code}' \ | ||
-o /dev/null \ | ||
-d '{"git-branch": "'"${CI_COMMIT_BRANCH}"'"}' \ | ||
-H "Authorization: bearer ${ID_TOKEN_1}" \ | ||
"${ROLLOUT_URL}") | ||
|
||
echo "Received $STATUS" | ||
if [ "${STATUS}" = 200 ]; then | ||
echo "Rollout complete" | ||
exit 0 | ||
fi | ||
|
||
SLEEP_INTERVAL=$(( 60 * i )) | ||
echo "trying again in ${SLEEP_INTERVAL}s" | ||
sleep "${SLEEP_INTERVAL}" | ||
done | ||
|
||
echo "Rollout failed. Check logs" | ||
exit 1 |
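Review bot: same JWT-decoding caveat as the GitHub script: `@base64d` is not base64url-aware, so the debug line can abort the script under `set -e` before the first `curl`; pipe through `tr '_-' '/+'` and tolerate a decode failure. The debug line also writes `.user_email` to the job log, which is shared and retained; printing `project_path` and `aud` is enough to confirm the token is the expected one.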
@@ -0,0 +1,7 @@ | ||
# traefik TLS config | ||
tls: | ||
stores: | ||
default: | ||
defaultCertificate: | ||
certFile: /etc/ssl/traefik/cert.pem | ||
keyFile: /etc/ssl/traefik/privkey.pem |
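Review bot: this file-provider config already defines the default certificate for every TLS router, which makes the `tls.certresolver` label on the `rollout` service in `docker-compose.yml` unnecessary (and that label currently references an undefined YAML anchor); a comment here stating that `cert.pem` and `privkey.pem` are expected in `./certs` on the host, matching the `./certs:/etc/ssl/traefik` mount, would save readers a round trip.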