Sample for using GitHub Actions for Azure Kubernetes Service (AKS) in an enterprise environment
This repository is a sample of how GitHub Actions can be used for Azure Kubernetes Service (AKS) in an enterprise environment.
It also leverages the following new features from Universe 2020:
Often the enterprise requirements are simply based on the requirements of a professional software development and deployment practice.
We focus in this sample on the following
This repository implements the following for fulfilling the requirements above.
As always it is just a sample, a little simplified (only one app, no database, …), and needs to be adjusted to product/project specific requirements.
But it is definitely a good place to start.
Deployment triggers:
- `Deploy to Test` label in a PR: dynamic DEV environment (one per PR)
- `main` / merge of a pull request: QA and PROD
For the dynamic DEV environments (per PR) the manual way of using the GitHub deployments API is used.
For the QA and PROD environments the new built-in way of GitHub environments & environment protection rules is used.
Walkthrough (files, workflows and settings in this repository to look at):
- `CODEOWNERS` file and the owner of `application/pom.xml`
- `infrastructure/` including the wrapper `tf.ps1`
- `.github/workflows/other_deploy_infra_environment.yaml`
- `application/src/main/webapp/books.html`: change something on a branch (e.g. `RicardoNiepel-patch-1`) and create a PR for it
- `Branch - Build & Test App` was triggered and executed as required checks
- Branch protection rules: see the required status checks to pass before merging
- `.github/workflows/branch_build_test_app.yaml`: see the last two steps, GHCR and Status
- `Deploy to Test` label: see how the bot starts the workflow
- `.github/workflows/branch_create_app_deployment_by_label.yaml` and the `.github/workflows/scripts/` folder
- `Branch - Deploy App to PR Environment`, `.github/workflows/branch_deploy_app_dev_pr_env.yaml`
- `aks-cicd-enterprise/deployments` to see that a dynamic Environment was created
- `Branch - Cleanup PR Environments` and `Prod - Build, Test & Deploy App`
- `Branch - Undeploy App` and how it deletes the PR environment
- `Prod - Build, Test & Deploy App`, `.github/workflows/prod_build_test_deploy_app.yaml`
- `prod` environment: Required reviewers added to it, `main` as the allowed branch
- `qa` environment: `main` as the allowed branch

The `GITHUB_TOKEN` has protections around the events it creates: with the exception of `workflow_dispatch` and `repository_dispatch`, events created with the `GITHUB_TOKEN` do not trigger downstream GitHub Actions workflows (this is what prevents accidental recursive runs).
For that reason you need to create a GitHub App, so that your workflows can request short-lived installation tokens on behalf of the application and use those to create the deployment events.
Please follow the instructions of the GitHub Action used for this, peter-murray/workflow-application-token-action.
Store the App ID and the App private key as the GitHub Secrets `REPO_AUTOMATION_APPLICATION_ID` and `REPO_AUTOMATION_APPLICATION_KEY`.
You also need to create a (classic) personal access token with the `read:packages`, `write:packages` and `delete:packages` scopes to communicate with ghcr.io. This is a long-lived, user-bound credential, so create it on an automation account and rotate it.
Store it as the GitHub Secret `CR_PAT`.
You need a service principal with the Owner role on the target Azure subscription (Owner is a broad role; scope it down if your infrastructure deployment allows it). Create it with:

```bash
SubscriptionID="<GUID>"
# Creates the service principal and a client secret (password).
# Output fields: appId -> clientId, password -> clientSecret, tenant -> tenantId
az ad sp create-for-rbac -n "GitHub workflow aks-cicd-enterprise" --role Owner --scopes /subscriptions/$SubscriptionID
```

Store the result as the GitHub Secret `AZURE_SUBSCRIPTION` with the following template (replace `<GUID>` accordingly; `clientSecret` is the `password` from the output):
```json
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>"
}
```
After you have deployed the infrastructure into DEV, QA and PROD, you need to configure a bunch of secrets, used here as environment specific variables.
Please store the following for the DEV environment as Repository secrets, and for the QA and PROD environments as Environment secrets (so that the environment protection rules apply before a job can read them).
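Added example (not a workflow from this repository): a minimal workflow showing how the secrets above are consumed together. The step ids, the environment secret names `AKS_RESOURCE_GROUP` and `AKS_CLUSTER_NAME`, and creating the deployment with `gh api` are assumptions for illustration; the action inputs are the ones documented by the respective actions.

```yaml
name: Example - consume the repository and environment secrets
on:
  workflow_dispatch:

jobs:
  example:
    runs-on: ubuntu-latest
    environment: qa   # makes the QA environment secrets available and enforces its protection rules
    steps:
      - uses: actions/checkout@v2

      # 1) Mint a short-lived GitHub App installation token. Events created with
      #    this token (unlike GITHUB_TOKEN) do trigger downstream workflows.
      - name: Get GitHub App token
        id: app_token
        uses: peter-murray/workflow-application-token-action@v1
        with:
          application_id: ${{ secrets.REPO_AUTOMATION_APPLICATION_ID }}
          application_private_key: ${{ secrets.REPO_AUTOMATION_APPLICATION_KEY }}

      # Assumption: creating the deployment via gh; the deployment/deployment_status
      # events it produces start the deploy workflows because the App token is used.
      - name: Create a deployment with the App token
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          gh api "repos/${{ github.repository }}/deployments" \
            -f ref="${{ github.sha }}" -f environment=qa -F auto_merge=false

      # 2) Log in to GHCR with the PAT (read/write/delete:packages).
      - name: Login to ghcr.io
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.CR_PAT }}

      # 3) Log in to Azure with the service principal JSON stored as AZURE_SUBSCRIPTION.
      - name: Login to Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_SUBSCRIPTION }}

      # Environment secrets used as environment specific variables (names are assumptions).
      - name: Get AKS credentials
        env:
          RG: ${{ secrets.AKS_RESOURCE_GROUP }}
          CLUSTER: ${{ secrets.AKS_CLUSTER_NAME }}
        run: az aks get-credentials --resource-group "$RG" --name "$CLUSTER"
```

The App token only has to be used for the step that creates the event (the deployment); all other steps can keep using the default `GITHUB_TOKEN`, which limits the blast radius of the more privileged credential.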
Following are some possible improvements for a more advanced workflow.
Implement a proper versioning strategy, for example based on release tags.
Take a look at https://github.com/jonico/auto-scaling-github-runners-kubernetes-issueops to see how IssueOps can be implemented with GitHub Actions. This could be used to implement a workflow for the infrastructure deployment and have a pipeline like
Terraform Plan (DEV) > Manual Approval > Terraform Apply (DEV) > Terraform Plan (QA) > Manual Approval > Terraform Apply (QA) > Terraform Plan (PROD) > Manual Approval > Terraform Apply (PROD)
A lot of the manual deployment workflows (DEV environment) are based on https://github.com/octodemo-containers/bookstore-advanced.
For the Terraform deployment https://github.com/olohmann/terraform-azure-runner is used to ease the Terraform pipeline deployments with an Azure state backend.