CI/CD with GitHub Actions
Overview
This setup uses GitHub Actions and Kyma to create a CI/CD pipeline that builds, releases and deploys a Docker image with XSK packaged together with your application content.
Prerequisites
Create Service Account in Kyma for the CI/CD pipeline, as described below:
- Navigate to your Kyma cluster.
- Select your namespace (e.g. `default`).
- Go to Configuration → Service Accounts.
- Click the Create Service Account button.
- Enter the service account name (e.g. `xsk`).
Create Cluster Role in Kyma for the CI/CD pipeline, as described below:
- Navigate to your Kyma cluster.
- Go to Configuration → Cluster Roles.
- Click the Create Cluster Role button.
- Enter the cluster role name (e.g. `xsk`).
- Add the following API Groups:
  - (core)
  - apps
  - servicecatalog.k8s.io
  - networking.istio.io
  - servicecatalog.kyma-project.io
  - gateway.kyma-project.io
- Select `*` in the Resources dropdown, to match all resources.
- Select `*` in the Verbs dropdown, to match all verbs.
- Click the Create button.
Create Cluster Role Binding of the Cluster Role to the Service Account:
- Navigate to your Kyma cluster.
- Go to Cluster Role Bindings → Cluster Roles.
- Enter the cluster role binding name (e.g. `xsk-default`; note that the name is not namespace specific and should be unique for the whole cluster).
- Select the Cluster Role (e.g. `xsk`).
- Switch the Kind to ServiceAccount.
- Select the desired namespace (e.g. `default`).
- Select the service account (e.g. `xsk`).
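The three objects created through the Kyma console above, written as Kubernetes manifests. This is an added example, not part of the original page; the names `xsk`, `default` and `xsk-default` are the page's own examples. The last document is an assumed alternative: it fits only if the pipeline deploys into the `default` namespace and needs no cluster-scoped resources, which the page does not state.

```yaml
# Added example (not from the original page): manifests for the console steps.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: xsk
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: xsk
rules:
  - apiGroups:
      - ""                              # (core): includes Secrets and ConfigMaps
      - apps
      - servicecatalog.k8s.io
      - networking.istio.io
      - servicecatalog.kyma-project.io
      - gateway.kyma-project.io
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding               # as on the page: the rules apply in every namespace
metadata:
  name: xsk-default
subjects:
  - kind: ServiceAccount
    name: xsk
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: xsk
---
# Assumed alternative to the ClusterRoleBinding: same rules, namespace "default" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: xsk
  namespace: default
subjects:
  - kind: ServiceAccount
    name: xsk
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: xsk
```

After applying either binding, `kubectl auth can-i --list --as=system:serviceaccount:default:xsk -n default` lists what the pipeline token is allowed to do in that namespace.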
Copy the Service Account token, which is needed later for the `KYMA_TOKEN` secret:
- Navigate to your Kyma cluster.
- Go to Configuration → Service Accounts.
- Select the Service Account (e.g. `xsk`).
- Select the secret for more details (e.g. `xsk-token-wf6jk`).
- Click the Decode button to decode the secret.
- Copy the token value (e.g. `eyJhbGciOiJS...`).
Setup
- Navigate to your GitHub repository.
- Create a `.github/workflows/<pipeline-name>.yaml` file with the following content:
Info
The following GitHub Action builds an XSK-based Docker image for your application and pushes it to your Docker registry.
Note: Replace the `<your-organization>/<your-repository>` placeholder with a default organization and repository where the Docker image will be pushed (can be changed when triggering the GitHub Action).
```yaml
name: Build Application Image
on:
  workflow_dispatch:
    inputs:
      xskRepository:
        description: XSK Repository
        required: true
        type: choice
        options:
          - 'dirigiblelabs/xsk-kyma'
          - 'dirigiblelabs/xsk-kyma-runtime-distro'
          - 'dirigiblelabs/xsk-cf'
          - 'dirigiblelabs/xsk'
      xskVersion:
        description: XSK Version
        required: true
        default: 'latest'
      applicationRepository:
        description: Application Repository
        required: true
        default: '<your-organization>/<your-repository>'
      applicationReleaseVersion:
        description: Application Release Version
        required: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Print the inputs the workflow was triggered with.
      - name: Release Input Parameters
        run: |
          echo "XSK Repository: ${{ github.event.inputs.xskRepository }}"
          echo "XSK Version: ${{ github.event.inputs.xskVersion }}"
          echo "Application Repository: ${{ github.event.inputs.applicationRepository }}"
          echo "Application Release Version: ${{ github.event.inputs.applicationReleaseVersion }}"
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      # Generate a Dockerfile that copies the repository content into the XSK public registry folder.
      - name: Build Dockerfile
        run: |
          [ ${{github.event.inputs.xskRepository}} != 'dirigiblelabs/xsk-kyma-runtime-distro' ] &&
          PUBLIC=('
          RUN mkdir -p "/usr/local/tomcat/target/dirigible/repository/root/registry/public/"
          COPY . "/usr/local/tomcat/target/dirigible/repository/root/registry/public/"
          RUN rm -rf "/usr/local/tomcat/target/dirigible/repository/root/registry/public/Dockerfile"
          RUN rm -rf "/usr/local/tomcat/target/dirigible/repository/root/registry/public/.github/"
          ') ||
          PUBLIC=('COPY . "/usr/local/tomcat/target/dirigible/repository/root/registry/public/"')
          DOCKERFILE_CONTENT=$(cat << EOF
          FROM ${{ github.event.inputs.xskRepository }}:${{ github.event.inputs.xskVersion }}
          $PUBLIC
          EOF
          )
          echo "$DOCKERFILE_CONTENT" >> Dockerfile
          echo "$DOCKERFILE_CONTENT"
      - name: Docker Login
        run: docker login ${{secrets.DOCKER_REGISTRY}} -u ${{secrets.DOCKER_USERNAME}} -p ${{secrets.DOCKER_PASSWORD}}
      # Build the image, tag it with the release version and "latest", then push both tags.
      - name: Build Application Image
        run: |
          docker build . -t ${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
          docker tag ${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }} ${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:latest
          docker push ${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
          docker push ${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:latest
```
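A variant of the build job's steps that passes the dispatch inputs and secrets to the shell through `env:` rather than expanding `${{ }}` expressions inside the script text, where a value is substituted into the script before the shell parses it. This is an added example, not part of the original page; the step name Validate Inputs, the environment variable names and both regular expressions are assumptions.

```yaml
# Added example (not from the original page): steps for jobs.build.steps.
steps:
  # Run first, before "Build Dockerfile": the job stops here if an input is
  # not a plain image name or tag, so later steps only see validated values.
  - name: Validate Inputs               # hypothetical step name
    env:
      XSK_VERSION: ${{ github.event.inputs.xskVersion }}
      APP_REPOSITORY: ${{ github.event.inputs.applicationRepository }}
      APP_VERSION: ${{ github.event.inputs.applicationReleaseVersion }}
    run: |
      # Assumed, deliberately strict patterns for a tag and a repository path.
      tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
      repo_re='^[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*$'
      fail() { echo "::error::$1 is not a valid image name or tag"; exit 1; }
      [[ "$XSK_VERSION" =~ $tag_re ]] || fail xskVersion
      [[ "$APP_VERSION" =~ $tag_re ]] || fail applicationReleaseVersion
      [[ "$APP_REPOSITORY" =~ $repo_re ]] || fail applicationRepository
  - name: Docker Login
    env:
      DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    run: |
      # --password-stdin keeps the password out of the process argument list.
      printf '%s' "$DOCKER_PASSWORD" | docker login "$DOCKER_REGISTRY" -u "$DOCKER_USERNAME" --password-stdin
  - name: Build Application Image
    env:
      IMAGE: ${{ secrets.DOCKER_REGISTRY }}/${{ github.event.inputs.applicationRepository }}
      APP_VERSION: ${{ github.event.inputs.applicationReleaseVersion }}
    run: |
      # Quoted shell variables are passed as data, never re-parsed as script.
      docker build . -t "$IMAGE:$APP_VERSION" -t "$IMAGE:latest"
      docker push "$IMAGE:$APP_VERSION"
      docker push "$IMAGE:latest"
```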
Info
The following GitHub Action deploys your XSK-based Docker image to your Kyma cluster via Helm.
Note: Replace the `<your-organization>/<your-repository>` placeholder with a default organization and repository where the Docker image will be pushed (can be changed when triggering the GitHub Action).
```yaml
name: Deploy Application Image
on:
  workflow_dispatch:
    inputs:
      applicationRepository:
        description: Application Repository
        required: true
        default: '<your-organization>/<your-repository>'
      applicationReleaseVersion:
        description: Application Release Version
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # Write a kubeconfig that authenticates with the service account token.
      - name: Setup Kube Config File
        env:
          KYMA_CERTIFICATE: ${{ secrets.KYMA_CERTIFICATE }}
          KYMA_SERVER: ${{ secrets.KYMA_SERVER }}
          KYMA_TOKEN: ${{ secrets.KYMA_TOKEN }}
        run: |
          mkdir -p "$HOME/.kube"
          echo "
          apiVersion: v1
          kind: Config
          current-context: xsk
          clusters:
          - name: xsk
            cluster:
              certificate-authority-data: $KYMA_CERTIFICATE
              server: $KYMA_SERVER
          contexts:
          - name: xsk
            context:
              cluster: xsk
              user: xsk
          users:
          - name: xsk
            user:
              token: $KYMA_TOKEN" > "$HOME/.kube/config"
          # The file holds the token, so keep it readable by the runner user only.
          chmod 600 "$HOME/.kube/config"
      - name: Export Kyma Host
        run: |
          export KYMA_API_SERVER=${{ secrets.KYMA_SERVER }}
          # Drop the leading "https://api." (12 characters) to get the cluster host.
          echo "KYMA_HOST=${KYMA_API_SERVER:12}" >> $GITHUB_ENV
      - name: Helm Upgrade Application Instance
        run: |
          helm repo add xsk https://www.xsk.io
          helm repo update
          # validateCertificate=false in hana.url turns off validation of the HANA server certificate.
          helm upgrade --install xsk xsk/xsk \
          --set kyma.enabled=true \
          --set kyma.host=$KYMA_HOST \
          --set hana.enabled=true \
          --set hana.url='jdbc:sap://${{ secrets.HANA_URL }}/?encrypt=true&validateCertificate=false' \
          --set hana.username=${{ secrets.HANA_USERNAME }} \
          --set hana.password='${{ secrets.HANA_PASSWORD }}' \
          --set persistentVolumeClaim.enabled=false \
          --set deployment.strategyType=RollingUpdate \
          --set application.privateDockerRegistry=true \
          --set application.dockerServer=${{secrets.DOCKER_REGISTRY}} \
          --set application.dockerUsername=${{secrets.DOCKER_USERNAME}} \
          --set application.dockerPassword=${{secrets.DOCKER_PASSWORD}} \
          --set application.dockerEmail=${{secrets.DOCKER_EMAIL}} \
          --set application.image=${{secrets.DOCKER_REGISTRY}}/${{ github.event.inputs.applicationRepository }}:${{ github.event.inputs.applicationReleaseVersion }}
```
GitHub Secrets
The following GitHub Secrets are required to run the previously created GitHub Actions. To create a GitHub secret:
- Navigate to your GitHub repository.
- Open the Settings tab.
- Go to Secrets → Actions.
- Click the New Repository Secret button.
Name | Description | Required for |
---|---|---|
DOCKER_REGISTRY | The Docker Registry (e.g. docker.io, ghcr.io, etc.) | Build |
DOCKER_USERNAME | The Docker Username (<your-docker-username>) | Build |
DOCKER_PASSWORD | The Docker Password (<your-docker-password>) | Build |
DOCKER_EMAIL | The Docker Email (<your-docker-email>) | Deploy |
HANA_URL | The HANA Cloud URL (e.g. 7512c2q1-...:443) | Deploy |
HANA_USERNAME | The HANA Cloud Username (<your-hana-cloud-username>) | Deploy |
HANA_PASSWORD | The HANA Cloud Password (<your-hana-cloud-password>) | Deploy |
KYMA_CERTIFICATE | The Kyma Certificate (e.g. LS0tLS1CRUdJTiBDRVJUS...) | Deploy |
KYMA_SERVER | The Kyma Server (e.g. https://api.c-a7b1c6...ondemand.com) | Deploy |
KYMA_TOKEN | The Kyma Token (e.g. eyJhbGciOiJSUzI1NiIsImtpZCI6In...) | Deploy |