name: Build & Deploy stripe-to-invoice (with DB secrets) on: push: branches: - main - feature/** - release/** tags: - "*" workflow_dispatch: jobs: # -------------------------------------------------- # BUILD IMAGE # -------------------------------------------------- build: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Inject slug variables uses: rlespinasse/github-slug-action@v4 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build & push image uses: docker/build-push-action@v6 with: context: . file: stripe_to_invoice/deployment/Dockerfile push: true tags: docker.io/kimjunte/stripe_to_invoice:${{ env.GITHUB_REF_SLUG }} # -------------------------------------------------- # APPLY DB SECRETS # -------------------------------------------------- secrets: name: Apply runtime DB secret runs-on: mealcraft-runners needs: build steps: - uses: actions/checkout@v4 - name: Install kubectl run: | sudo apt-get update sudo apt-get install -y curl ca-certificates gettext curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" sudo install -m 0755 kubectl /usr/local/bin/kubectl - name: Configure kubeconfig (in-cluster) run: | KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt kubectl config set-cluster microk8s \ --server="$KUBE_HOST" \ --certificate-authority="$CA_CERT" kubectl config set-credentials runner --token="$SA_TOKEN" kubectl config set-context runner-context \ --cluster=microk8s \ --user=runner kubectl config use-context runner-context - name: Decide environment run: | if [[ "$GITHUB_REF" == refs/heads/main || "$GITHUB_REF" == refs/tags/* || "$GITHUB_REF" == refs/heads/release/* ]]; then echo "ENV=prod" >> $GITHUB_ENV echo "NAMESPACE=default" >> $GITHUB_ENV echo "RUNTIME_SECRET=postgres-prod" >> $GITHUB_ENV echo "POSTGRES_HOST=postgres-prod.default.svc.cluster.local" >> $GITHUB_ENV echo "POSTGRES_DB=stripe_invoice" >> $GITHUB_ENV else echo "ENV=dev" >> $GITHUB_ENV echo "NAMESPACE=dev" >> $GITHUB_ENV echo "RUNTIME_SECRET=postgres-dev" >> $GITHUB_ENV echo "POSTGRES_HOST=postgres-dev.dev.svc.cluster.local" >> $GITHUB_ENV echo "POSTGRES_DB=stripe_invoice" >> $GITHUB_ENV fi - name: Load DB creds from db/.env and apply secret run: | set -a source db/.env set +a if [[ "$ENV" == "prod" ]]; then USER="$PROD_POSTGRES_USER" PASS="$PROD_POSTGRES_PASSWORD" else USER="$DEV_POSTGRES_USER" PASS="$DEV_POSTGRES_PASSWORD" fi DATABASE_URL="postgres://${USER}:${PASS}@${POSTGRES_HOST}:5432/${POSTGRES_DB}?sslmode=disable" kubectl create secret generic $RUNTIME_SECRET \ --namespace $NAMESPACE \ --from-literal=DATABASE_URL="$DATABASE_URL" \ --dry-run=client -o yaml | kubectl apply -f - - name: Apply Next env/secrets run: | set -e set -a source stripe_to_invoice/deployment/secrets/.env set +a if [[ "$ENV" == "prod" ]]; then STRIPE_SECRET_KEY="$PROD_STRIPE_SECRET_KEY" STRIPE_CLIENT_ID="$PROD_STRIPE_CLIENT_ID" APP_URL=$PROD_APP_URL AWS_REGION=$PROD_AWS_REGION AWS_ACCESS_KEY_ID=$PROD_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$PROD_AWS_SECRET_ACCESS_KEY SES_FROM_EMAIL=$PROD_SES_FROM_EMAIL else STRIPE_SECRET_KEY="$DEV_STRIPE_SECRET_KEY" STRIPE_CLIENT_ID="$DEV_STRIPE_CLIENT_ID" APP_URL=$DEV_APP_URL AWS_REGION=$DEV_AWS_REGION AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY SES_FROM_EMAIL=$DEV_SES_FROM_EMAIL fi : "${STRIPE_SECRET_KEY:?missing STRIPE_SECRET_KEY}" : "${STRIPE_CLIENT_ID:?missing STRIPE_CLIENT_ID}" : "${NAMESPACE:?missing NAMESPACE}" : "${APP_URL:?missing APP_URL}" : "${AWS_REGION:?missing AWS_REGION}" : "${AWS_ACCESS_KEY_ID:?missing AWS_ACCESS_KEY_ID}" : "${AWS_SECRET_ACCESS_KEY:?missing AWS_SECRET_ACCESS_KEY}" : "${SES_FROM_EMAIL:?missing SES_FROM_EMAIL}" export STRIPE_SECRET_KEY STRIPE_CLIENT_ID NAMESPACE APP_URL AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY SES_FROM_EMAIL envsubst < stripe_to_invoice/deployment/secrets/stripe-secrets.yaml \ | kubectl apply -f - # -------------------------------------------------- # DEPLOY APP # -------------------------------------------------- deploy: runs-on: mealcraft-runners needs: - build - secrets steps: - uses: actions/checkout@v4 - name: Install kubectl run: | sudo apt-get update sudo apt-get install -y curl ca-certificates gettext curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" sudo install -m 0755 kubectl /usr/local/bin/kubectl - name: Configure kubeconfig (in-cluster) run: | KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) kubectl config set-cluster microk8s --server="$KUBE_HOST" --certificate-authority="$CA_CERT" kubectl config set-credentials runner --token="$SA_TOKEN" kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context - name: Inject slug variables uses: rlespinasse/github-slug-action@v4 - name: Decide environment run: | if [[ "$GITHUB_REF" == refs/heads/release/* || "$GITHUB_REF" == refs/tags/* ]]; then echo "NAMESPACE=default" >> $GITHUB_ENV echo "DB_ENV=prod" >> $GITHUB_ENV echo "HOSTNAME=stripe-to-invoice.juntekim.com" >> $GITHUB_ENV else echo "NAMESPACE=dev" >> $GITHUB_ENV echo "DB_ENV=dev" >> $GITHUB_ENV echo "HOSTNAME=stripe-to-invoice.dev.juntekim.com" >> $GITHUB_ENV fi - name: Deploy application run: | export IMAGE="docker.io/kimjunte/stripe_to_invoice:$GITHUB_REF_SLUG" export NAMESPACE DB_ENV HOSTNAME envsubst < stripe_to_invoice/deployment/deployment.yaml | kubectl apply -f -