CI/CD with GitHub Actions
Overview
This setup uses GitHub Actions and Kyma to create a CI/CD pipeline that builds, releases and deploys a Docker image containing XSK packaged with your application content.
Prerequisites
Create a Service Account in Kyma for the CI/CD pipeline, as described below:
- Navigate to your Kyma cluster.
- Select your namespace (e.g. default).
- Go to Configuration → Service Accounts.
- Click the Create Service Account button.
- Enter the service account name (e.g. xsk).
Create a Cluster Role in Kyma for the CI/CD pipeline, as described below:
- Navigate to your Kyma cluster.
- Go to Configuration → Cluster Roles.
- Click the Create Cluster Role button.
- Enter the cluster role name (e.g. xsk).
- Add the following API Groups:
  - (core)
  - apps
  - servicecatalog.k8s.io
  - networking.istio.io
  - servicecatalog.kyma-project.io
  - gateway.kyma-project.io
- Select * in the Resources dropdown, to match all resources.
- Select * in the Verbs dropdown, to match all verbs.
- Click the Create button.
Create a Cluster Role Binding of the Cluster Role to the Service Account:
- Navigate to your Kyma cluster.
- Go to Cluster Role Bindings → Cluster Roles.
- Enter the cluster role binding name (e.g. xsk-default; note that the name is not namespace specific and should be unique for the whole cluster).
- Select the Cluster Role (e.g. xsk).
- Switch the Kind to ServiceAccount.
- Select the desired namespace (e.g. default).
- Select the service account (e.g. xsk).
Copy the Service Account token; it is needed later for the KYMA_TOKEN secret:
- Navigate to your Kyma cluster.
- Go to Configuration → Service Accounts.
- Select the Service Account (e.g. xsk).
- Select the secret for more details (e.g. xsk-token-wf6jk).
- Click the Decode button to decode the secret.
- Copy the token value (e.g. eyJhbGciOiJS...).
Copy the Service Account certificate; it is needed later for the KYMA_CERTIFICATE secret:
- Navigate to your Kyma cluster.
- Go to Configuration → Service Accounts.
- Select the Service Account (e.g. xsk).
- Select the secret for more details (e.g. xsk-token-wf6jk).
- Click the Expand All button to see all content.
- Copy the ca.crt value (e.g. LS0tLS1CRUdJ...).
Setup
- Navigate to your GitHub repository.
- Create a .github/workflows/<pipeline-name>.yaml file with the following content:
Info
The following GitHub Action builds an XSK-based Docker image for your application and pushes it to your Docker registry.
Note: Replace the <your-organization>/<your-repository> placeholder with a default organization and repository where the Docker image will be pushed (can be changed when triggering the GitHub Action).
- Application Repository must be in lower case.
- If you set the publishPackageInRepository environment variable to true, a LABEL is added to your image and the new image is published to your GitHub repository packages; if it is false, the image is published to your GitHub organization.
```yaml
name: Build Application Image

on:
  workflow_dispatch:
    inputs:
      xskRepository:
        description: XSK Repository
        required: true
        type: choice
        options:
          - 'dirigiblelabs/xsk-kyma'
          - 'dirigiblelabs/xsk-kyma-runtime-distro'
          - 'dirigiblelabs/xsk-cf'
          - 'dirigiblelabs/xsk'
      xskVersion:
        description: XSK Version
        required: true
        default: 'latest'
      applicationRepository:
        description: Application Repository
        required: true
        default: '<your-organization>/<your-repository>'
      applicationReleaseVersion:
        description: Application Release Version
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      publishPackageInRepository: false
    steps:
      - name: Release Input Parameters
        run: |
          echo "XSK Repository: ${{ github.event.inputs.xskRepository }}"
          echo "XSK Version: ${{ github.event.inputs.xskVersion }}"
          echo "Application Repository: ${{ github.event.inputs.applicationRepository }}"
          echo "Application Release Version: ${{ github.event.inputs.applicationReleaseVersion }}"
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build Dockerfile
        run: |
          # Add the source LABEL only when publishing to the repository's packages.
          if [ "$publishPackageInRepository" = 'true' ]; then
            LABEL='LABEL org.opencontainers.image.source https://github.com/${{ github.event.inputs.applicationRepository }}'
          else
            LABEL=''
          fi
          PUBLIC='/usr/local/tomcat/target/dirigible/repository/root/registry/public'
          # Stage the repository content, then copy it into the XSK base image.
          DOCKERFILE_CONTENT=$(cat << EOF
          FROM scratch as build
          COPY . "$PUBLIC/"
          FROM ${{ github.event.inputs.xskRepository }}:${{ github.event.inputs.xskVersion }}
          COPY --from=build --chown=nonroot:nonroot "$PUBLIC/" "$PUBLIC/"
          $LABEL
          EOF
          )
          echo "$DOCKERFILE_CONTENT" >> Dockerfile
          echo "$DOCKERFILE_CONTENT"
      - name: Docker Login
        env:
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        # Read the password from stdin instead of passing it as a command-line argument.
        run: echo "$DOCKER_PASSWORD" | docker login ${{ secrets.DOCKER_REGISTRY }} -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
      - name: Build Application Image
        run: |
          docker build . -t ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
          docker tag ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }} ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:latest
          docker push ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
          docker push ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:latest
```
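The build workflow places the applicationRepository and applicationReleaseVersion inputs directly into the docker commands, and the note above requires the repository to be lower case. The following added example (not part of the original workflow or the XSK project) shows one way to check both inputs before an image reference is built from them; the function names and sample values are assumptions, and the repository pattern is deliberately stricter than what registries accept.

```sh
#!/bin/sh
# Added example (not the project's workflow code): validate the
# workflow_dispatch inputs before they are used to build an image reference.
# The function names are assumptions; sample values below are constructed.

LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lower case only

# Conservative repository check: lower-case alphanumerics, with single
# '.', '_', '-' or '/' separators only between alphanumerics.
valid_repository() {
  case "$1" in
    ''|*[!a-z0-9._/-]*) return 1 ;;   # empty, upper case, spaces, metacharacters
    [._/-]*|*[._/-])    return 1 ;;   # leading or trailing separator
    *[._/-][._/-]*)     return 1 ;;   # two separators in a row
  esac
  [ "${#1}" -le 255 ]
}

# Tag check: at most 128 characters, not starting with '.' or '-'.
valid_tag() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    [.-]*)                return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# Print registry/repository:tag only when both inputs pass validation.
image_reference() {
  valid_repository "$2" || { echo "invalid repository: must be lower case" >&2; return 1; }
  valid_tag "$3" || { echo "invalid release version" >&2; return 1; }
  printf '%s/%s:%s\n' "$1" "$2" "$3"
}

# Constructed sample inputs: only the first one is accepted.
for repo in 'acme/shop-app' 'Acme/Shop-App' 'acme/shop app' 'acme//shop'; do
  if image_reference 'ghcr.io' "$repo" '1.4.0' >/dev/null 2>&1; then
    echo "accept: $repo"
  else
    echo "reject: $repo"
  fi
done
```

In a workflow step, pass the inputs through the step's `env:` block, call `image_reference` once, and reuse its output for `docker build`, `docker tag` and `docker push`.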
Info
The following GitHub Action deploys your XSK-based Docker image to your Kyma cluster via Helm.
Note: Replace the <your-organization>/<your-repository> placeholder with a default organization and repository where the Docker image will be pushed (can be changed when triggering the GitHub Action).
```yaml
name: Deploy Application Image

on:
  workflow_dispatch:
    inputs:
      applicationRepository:
        description: Application Repository
        required: true
        default: '<your-organization>/<your-repository>'
      applicationReleaseVersion:
        description: Application Release Version
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Kube Config File
        env:
          KYMA_CERTIFICATE: ${{ secrets.KYMA_CERTIFICATE }}
          KYMA_SERVER: ${{ secrets.KYMA_SERVER }}
          KYMA_TOKEN: ${{ secrets.KYMA_TOKEN }}
        run: |
          mkdir -p "$HOME/.kube"
          echo "
          apiVersion: v1
          kind: Config
          current-context: xsk
          clusters:
          - name: xsk
            cluster:
              certificate-authority-data: $KYMA_CERTIFICATE
              server: $KYMA_SERVER
          contexts:
          - name: xsk
            context:
              cluster: xsk
              user: xsk
          users:
          - name: xsk
            user:
              token: $KYMA_TOKEN" > "$HOME/.kube/config"
      - name: Export Kyma Host
        run: |
          export KYMA_API_SERVER=${{ secrets.KYMA_SERVER }}
          # Drop the leading "https://api." (12 characters) to get the cluster host.
          echo "KYMA_HOST=${KYMA_API_SERVER:12}" >> $GITHUB_ENV
      - name: Helm Upgrade Application Instance
        run: |
          chmod go-r $HOME/.kube/config
          helm repo add xsk https://www.xsk.io
          helm repo update
          # hana.url uses encrypt=true with validateCertificate=false
          # (TLS without validation of the server certificate).
          helm upgrade --install xsk xsk/xsk \
            --set kyma.enabled=true \
            --set kyma.host=$KYMA_HOST \
            --set hana.enabled=true \
            --set hana.url='jdbc:sap://${{ secrets.HANA_URL }}/?encrypt=true&validateCertificate=false' \
            --set hana.username=${{ secrets.HANA_USERNAME }} \
            --set hana.password='${{ secrets.HANA_PASSWORD }}' \
            --set persistentVolumeClaim.enabled=false \
            --set deployment.strategyType=RollingUpdate \
            --set application.privateDockerRegistry=true \
            --set application.dockerServer=${{ secrets.DOCKER_REGISTRY }} \
            --set application.dockerUsername=${{ secrets.DOCKER_USERNAME }} \
            --set application.dockerPassword=${{ secrets.DOCKER_PASSWORD }} \
            --set application.dockerEmail=${{ secrets.DOCKER_EMAIL }} \
            --set application.image=${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
```
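The deploy workflow writes the service account token to the kubeconfig first and restricts the file's permissions in a later step, and it derives the Kyma host by cutting a fixed 12 characters from KYMA_SERVER. The following added example (not part of the original workflow or the XSK project) creates the file with owner-only permissions from the start and checks the URL shape before stripping the prefix; the function names and the KUBECONFIG_PATH override are assumptions.

```sh
#!/bin/sh
# Added example (not the project's workflow code): write the kubeconfig with
# owner-only permissions at creation time. KYMA_SERVER, KYMA_CERTIFICATE and
# KYMA_TOKEN are the secrets from this page; the function names and the
# KUBECONFIG_PATH override are assumptions.

# Derive the cluster host from the API server URL, failing when the URL
# does not have the https://api.<host> shape the workflow relies on.
kyma_host() {
  case "$1" in
    https://api.?*) printf '%s\n' "${1#https://api.}" ;;
    *) echo "KYMA_SERVER must look like https://api.<host>" >&2; return 1 ;;
  esac
}

write_kubeconfig() {
  path="${KUBECONFIG_PATH:-$HOME/.kube/config}"
  kyma_host "${KYMA_SERVER:-}" >/dev/null || return 1
  if [ -z "${KYMA_CERTIFICATE:-}" ] || [ -z "${KYMA_TOKEN:-}" ]; then
    echo "KYMA_CERTIFICATE and KYMA_TOKEN must be set" >&2; return 1
  fi
  (
    umask 077                        # new directory 0700, new file 0600
    mkdir -p "$(dirname "$path")" || exit 1
    cat > "$path" <<EOF || exit 1
apiVersion: v1
kind: Config
current-context: xsk
clusters:
- name: xsk
  cluster:
    certificate-authority-data: $KYMA_CERTIFICATE
    server: $KYMA_SERVER
contexts:
- name: xsk
  context:
    cluster: xsk
    user: xsk
users:
- name: xsk
  user:
    token: $KYMA_TOKEN
EOF
    chmod 600 "$path"                # also tightens a pre-existing file
  )
}
```

The `umask` runs in a subshell, so it does not change the permissions of files created by later commands in the same step.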
GitHub Secrets
The following GitHub Secrets are required to run the GitHub Actions created above. To create a GitHub secret:
- Navigate to your GitHub repository.
- Open the Settings tab.
- Go to Secrets → Actions.
- Click the New Repository Secret button.
| Name | Description | Required for |
|---|---|---|
| DOCKER_REGISTRY | The Docker Registry (e.g. docker.io, ghcr.io, etc.) | Build |
| DOCKER_USERNAME | The Docker Username (<your-docker-username>) | Build |
| DOCKER_PASSWORD | The Docker Password (<your-docker-password>) | Build |
| DOCKER_EMAIL | The Docker Email (<your-docker-email>) | Deploy |
| HANA_URL | The HANA Cloud URL (e.g. 7512c2q1-...:443) | Deploy |
| HANA_USERNAME | The HANA Cloud Username (<your-hana-cloud-username>) | Deploy |
| HANA_PASSWORD | The HANA Cloud Password (<your-hana-cloud-password>) | Deploy |
| KYMA_CERTIFICATE | The Kyma Certificate (e.g. LS0tLS1CRUdJTiBDRVJUS...) | Deploy |
| KYMA_SERVER | The Kyma Server (e.g. https://api.c-a7b1c6...ondemand.com) | Deploy |
| KYMA_TOKEN | The Kyma Token (e.g. eyJhbGciOiJSUzI1NiIsImtpZCI6In...) | Deploy |