csye7125-fall2023-group05/webapp

🟢 CD pipeline for webapp: helm release install/upgrade on GKE cluster

sydrawat01 opened this issue · 3 comments

  • Code changes are committed to GitHub. Jenkins can either monitor GitHub for changes or it can be configured to be notified by GitHub about the new commit.
  • Clone the repository with the latest code and build the container. Tag containers with git commit hash.
  • Push the container to your container registry.
  • Download the latest release of your Helm Chart from the repository.
  • Check if a (helm) release for the application exists on the cluster.
  • If a release does not exist, use the helm install command to install a release.
  • If a release exists, use the helm upgrade command to upgrade the release.
  • Helm release must use the new container built as part of this pipeline.

NOTE: The scripts below should run inside the Jenkinsfile pipeline.

Download latest release tarball

```bash
#!/bin/bash

# usage: ./download-latest-tarball.sh <repo-name>
# ex: ./download-latest-tarball.sh webapp-helm-chart

# stop on the first failed command, so a failed download is never unpacked
set -euo pipefail

# download the latest tarball and untar it
# <github-pat-token> is a placeholder: supply the token at run time, never commit it
VERSION="$(curl --silent --fail -H "Authorization: token <github-pat-token>" \
  "https://api.github.com/repos/csye7125-fall2023-group05/$1/releases/latest" |
  grep '"tag_name":' |
  sed -E 's/.*"([^"]+)".*/\1/')"

echo "Downloading $1:$VERSION..."

# -O saves the file under the last URL segment, i.e. the tag name
curl --fail -LO -H "Authorization: token <github-pat-token>" \
  "https://api.github.com/repos/csye7125-fall2023-group05/$1/tarball/$VERSION"
mv "$VERSION" "$1".tar.gz

echo "opening up the tarball..."
tar -xzvf "$1".tar.gz
```

Tunnel into the GKE cluster using Service Account

```bash
#!/bin/bash

# running on AWS EC2 Jenkins instance

# install kubectl
sudo apt-get update
# the keyring directory does not exist on every image
sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update && sudo apt-get install kubectl -y
kubectl version --client
kubectl version

# install helm
sudo apt-get update
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg >/dev/null
sudo apt-get install apt-transport-https -y
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update && sudo apt-get install helm -y
helm version

# install gcloud and the GKE auth plugin that kubectl calls
# (assumes the Google Cloud apt repository is already configured)
sudo apt-get install google-cloud-cli google-cloud-cli-gke-gcloud-auth-plugin -y
gcloud version
gke-gcloud-auth-plugin --version

# activate service account after creating keys on gcloud console for the default
# service account created when creating the GKE cluster
# 897169510677-compute@developer.gserviceaccount.com
# scp the service account keys to jenkins server and then run the below command:
# eg: gcloud auth activate-service-account --key-file=gke-0021-default.json
gcloud auth activate-service-account --key-file=<service-account-keys>.json

gcloud config configurations list

# get cluster credentials into ~/.kube/config
# gcloud container clusters get-credentials pwncorp-primary-cluster --region us-east1 --project prod-gke-001
gcloud container clusters get-credentials <cluster-name> --region us-east1 --project <project-name>

kubectl config view

# open tunnel to bastion host with k8s cluster admin credentials
# ssh -i gcp-compute k8s_cluster_adm_serviceaccount_iam_com@35.211.240.218 -L 8888:127.0.0.1:8888 -N -q -f

# opening tunnel as root user works successfully
ssh -i <private-key> <k8s_adm_service_account>@<bastion-host-ip> -L 8888:127.0.0.1:8888 -N -q -f

# set HTTPS_PROXY for tunnel
export HTTPS_PROXY=localhost:8888
echo "$HTTPS_PROXY"

# below commands will time out and show errors if we are not connected to the cluster via bastion host tunneling
kubectl version
kubectl get ns
```

Initial installation of helm charts and operators can be done by tunneling to the GKE cluster manually from the local machine.

❗ Tunneling to the bastion does not work inside the Jenkins pipeline. We would need to make the cluster public in order to access the cluster inside the Jenkins pipeline to upgrade our helm charts.
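
The release check and install/upgrade steps from the list at the top of this issue, as an added example that is not part of the original issue or the project's code. It assumes the chart reads `image.repository` and `image.tag` from its values; the function names and the 5-minute timeout are illustrative choices.

```shell
#!/bin/bash
# Added example: install-or-upgrade step for the CD pipeline.
# Assumption: the chart takes the image from image.repository / image.tag.

# Succeeds only for a full 40-character lowercase hex git SHA, so a floating
# tag such as "latest" or a malformed value never reaches helm --set.
valid_commit() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Prints "upgrade" if the release exists in the namespace, otherwise "install".
# helm status exits non-zero when the release is not found.
release_action() {
  if helm status "$1" --namespace "$2" >/dev/null 2>&1; then
    echo upgrade
  else
    echo install
  fi
}

# usage: deploy_release <release> <chart-dir> <namespace> <image-repo> <commit>
deploy_release() {
  local release="$1" chart="$2" namespace="$3" repo="$4" commit="$5"
  local action
  if ! valid_commit "$commit"; then
    echo "refusing to deploy: '$commit' is not a git commit hash" >&2
    return 2
  fi
  action="$(release_action "$release" "$namespace")"
  # --atomic rolls the release back if the new image never becomes ready.
  set -- "$action" "$release" "$chart" --namespace "$namespace" \
    --set "image.repository=$repo" --set "image.tag=$commit" \
    --atomic --wait --timeout 5m
  if [ "$action" = install ]; then
    set -- "$@" --create-namespace
  fi
  helm "$@"
}

# In a Jenkins stage (GIT_COMMIT is set by the Jenkins git plugin):
#   deploy_release webapp ./webapp-helm-chart webapp <registry>/webapp "$GIT_COMMIT"
```

Pinning the release to the commit hash keeps each deployment traceable to the exact build that produced the image.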