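# Deploy EKS Production
#
# Triggered after CI completes on the main branch; the deploy job only runs
# when that CI run concluded successfully (see the job-level `if` below).
# Uses GitHub Environment "eks-production" with strict protection rules:
# - Required reviewers: enabled (must approve before deployment proceeds)
# - Wait timer: 5 minutes
# - Separate environment secrets
#
# APPROVAL EMAIL NOTIFICATION:
# GitHub automatically sends email notifications to all designated environment
# reviewers when a deployment is pending approval. Configure reviewers in:
# Settings > Environments > eks-production > Required reviewers
#
# ROLLBACK:
# To rollback, run manually:
#   helm rollback telemetryflow [REVISION] -n telemetryflow
# Or re-run this workflow from a previous CI run on main (the checkout step
# pins to that run's head commit, so the re-run deploys what CI tested).
#
# NOTE: the third-party actions below are pinned by major-version tag. Pinning
# each to a full commit SHA is the stronger supply-chain posture for a
# production deploy workflow.
---
name: Deploy EKS Production

on:
  workflow_run:
    workflows: [CI]
    types: [completed]
    branches: [main]

concurrency:
  group: deploy_eks_production
  cancel-in-progress: false

permissions:
  contents: read
  # Only required for OIDC federation (configure-aws-credentials with
  # role-to-assume). The credentials step below uses static access keys from
  # secrets, so this grant is unused until that step is migrated to OIDC.
  id-token: write

env:
  HELM_CHART: helm/telemetryflow
  RELEASE_NAME: telemetryflow
  NAMESPACE: telemetryflow

jobs:
  deploy:
    name: Deploy to EKS Production
    runs-on: ubuntu-latest
    # `types: [completed]` also fires when the CI run failed or was cancelled;
    # gate the deploy on a successful conclusion so a broken build never ships.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    environment:
      name: eks-production
      # Protection rules configured in GitHub Settings > Environments:
      # - Required reviewers: enabled
      # - Wait timer: 5 minutes
    steps:
      - uses: actions/checkout@v4
        with:
          # For workflow_run events the default checkout is the current tip of
          # the default branch, not the commit CI validated; pin to that SHA.
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v2

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.14.0

      - name: Set up kubectl
        uses: azure/setup-kubectl@v3

      - name: Update kubeconfig for EKS
        run: |
          aws eks update-kubeconfig --name ${{ secrets.EKS_CLUSTER_NAME }} --region ${{ secrets.AWS_REGION }}

      # Existence check only: each key must be present in the
      # telemetryflow-secrets Secret in the target namespace. Values are never
      # printed.
      - name: Verify Required Secrets in Namespace
        run: |
          REQUIRED_SECRETS=(
            "JWT_SECRET"
            "SESSION_SECRET"
            "ENCRYPTION_KEY"
            "POSTGRES_PASSWORD"
            "CLICKHOUSE_PASSWORD"
            "REDIS_PASSWORD"
          )
          MISSING=0
          for secret in "${REQUIRED_SECRETS[@]}"; do
            if ! kubectl get secret telemetryflow-secrets -n "$NAMESPACE" -o jsonpath="{.data.$secret}" &>/dev/null; then
              echo "::warning::Secret '$secret' not found in telemetryflow-secrets"
              MISSING=1
            fi
          done
          if [ "$MISSING" -eq 1 ]; then
            echo "::error::Required secrets are missing. Run scripts/generate-secrets.sh first."
            exit 1
          fi

      - name: Install CRDs
        run: bash scripts/install-crds.sh

      - name: Deploy via Helm
        run: |
          helm upgrade "$RELEASE_NAME" "$HELM_CHART" \
            --install \
            --namespace "$NAMESPACE" \
            --create-namespace \
            -f helm/telemetryflow/values.yaml \
            -f manifest/tfo-eks-production.yaml \
            --timeout 10m \
            --wait \
            --history-max 5

      - name: Smoke Test
        run: |
          BACKEND_URL="$(kubectl get svc "$RELEASE_NAME"-tfo-backend -n "$NAMESPACE" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "")"
          if [ -z "$BACKEND_URL" ]; then
            echo "No external hostname found, skipping smoke test"
            exit 0
          fi
          # curl still emits the -w "%{http_code}" value ("000") when the request
          # fails, so a trailing `|| echo "000"` yields a two-line value that makes
          # the `[ -ne ]` test error out and fall into the success branch. Swallow
          # the exit status instead and default an empty result to "000".
          HTTP_CODE="$(curl -s -o /dev/null -w "%{http_code}" "http://${BACKEND_URL}:8080/health/live" --max-time 10 || true)"
          HTTP_CODE="${HTTP_CODE:-000}"
          if [ "$HTTP_CODE" != "200" ]; then
            echo "::warning::Smoke test returned HTTP $HTTP_CODE"
          else
            echo "Smoke test passed (HTTP 200)"
          fi

      - name: Print Pod Status
        if: always()
        run: kubectl get pods -n "$NAMESPACE" -l app.kubernetes.io/instance="$RELEASE_NAME"

      - name: Print HPA Status
        if: always()
        run: kubectl get hpa -n "$NAMESPACE" || echo "No HPA resources found"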