ci with workload identity
aarushik93 committed Oct 20, 2024
1 parent 30376a8 commit f860cbe
Showing 11 changed files with 268 additions and 12 deletions.
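--- /dev/null
+++ b/.github/workflows/platform-autogpt-deploy.yaml
@@ -0,0 +1,151 @@
+name: AutoGPT Platform - Build, Push, and Deploy Dev
+
+on:
+workflow_dispatch:
+push:
+branches: [ dev ]
+paths:
+- 'autogpt_platform/backend/**'
+- 'autogpt_platform/frontend/**'
+- 'autogpt_platform/market/**'
+
+permissions:
+contents: 'read'
+id-token: 'write'
+
+env:
+PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+GKE_CLUSTER: dev-gke-cluster
+GKE_ZONE: us-central1-a
+NAMESPACE: dev-agpt
+
+jobs:
+build-push-deploy:
+name: Build, Push, and Deploy
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v2
+with:
+fetch-depth: 0
+
+- id: 'auth'
+uses: 'google-github-actions/auth@v1'
+with:
+workload_identity_provider: 'projects/agpt-dev/locations/global/workloadIdentityPools/dev-pool/providers/github'
+service_account: '[email protected]'
+
+- name: 'Set up Cloud SDK'
+uses: 'google-github-actions/setup-gcloud@v1'
+
+- name: 'Configure Docker'
+run: |
+gcloud auth configure-docker gcr.io
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v1
+
+- name: Cache Docker layers
+uses: actions/cache@v2
+with:
+path: /tmp/.buildx-cache
+key: ${{ runner.os }}-buildx-${{ github.sha }}
+restore-keys: |
+${{ runner.os }}-buildx-
+- name: Check for changes
+id: check_changes
+run: |
+git fetch origin dev
+BACKEND_CHANGED=$(git diff --name-only origin/dev HEAD | grep "^autogpt_platform/backend/" && echo "true" || echo "false")
+FRONTEND_CHANGED=$(git diff --name-only origin/dev HEAD | grep "^autogpt_platform/frontend/" && echo "true" || echo "false")
+MARKET_CHANGED=$(git diff --name-only origin/dev HEAD | grep "^autogpt_platform/market/" && echo "true" || echo "false")
+echo "backend_changed=$BACKEND_CHANGED" >> $GITHUB_OUTPUT
+echo "frontend_changed=$FRONTEND_CHANGED" >> $GITHUB_OUTPUT
+echo "market_changed=$MARKET_CHANGED" >> $GITHUB_OUTPUT
+- name: Get GKE credentials
+uses: 'google-github-actions/get-gke-credentials@v1'
+with:
+cluster_name: ${{ env.GKE_CLUSTER }}
+location: ${{ env.GKE_ZONE }}
+
+- name: Build and Push Backend
+if: steps.check_changes.outputs.backend_changed == 'true'
+uses: docker/build-push-action@v2
+with:
+context: ./autogpt_platform
+file: ./autogpt_platform/backend/Dockerfile
+push: true
+tags: gcr.io/${{ env.PROJECT_ID }}/autogpt-backend:${{ github.sha }}
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+- name: Build and Push Frontend
+if: steps.check_changes.outputs.frontend_changed == 'true'
+uses: docker/build-push-action@v2
+with:
+context: ./autogpt_platform
+file: ./autogpt_platform/frontend/Dockerfile
+push: true
+tags: gcr.io/${{ env.PROJECT_ID }}/autogpt-frontend:${{ github.sha }}
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+- name: Build and Push Market
+if: steps.check_changes.outputs.market_changed == 'true'
+uses: docker/build-push-action@v2
+with:
+context: ./autogpt_platform
+file: ./autogpt_platform/market/Dockerfile
+push: true
+tags: gcr.io/${{ env.PROJECT_ID }}/autogpt-market:${{ github.sha }}
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+- name: Move cache
+run: |
+rm -rf /tmp/.buildx-cache
+mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+- name: Set up Helm
+uses: azure/setup-helm@v1
+with:
+version: v3.4.0
+
+- name: Deploy Backend
+if: steps.check_changes.outputs.backend_changed == 'true'
+run: |
+helm upgrade autogpt-server ./autogpt-server \
+--namespace ${{ env.NAMESPACE }} \
+-f autogpt-server/values.yaml \
+-f autogpt-server/values.dev.yaml \
+--set image.tag=${{ github.sha }}
+- name: Deploy Websocket
+if: steps.check_changes.outputs.backend_changed == 'true'
+run: |
+helm upgrade autogpt-websocket-server ./autogpt-websocket-server \
+--namespace ${{ env.NAMESPACE }} \
+-f autogpt-websocket-server/values.yaml \
+-f autogpt-websocket-server/values.dev.yaml \
+--set image.tag=${{ github.sha }}
+- name: Deploy Market
+if: steps.check_changes.outputs.market_changed == 'true'
+run: |
+helm upgrade autogpt-market ./autogpt-market \
+--namespace ${{ env.NAMESPACE }} \
+-f autogpt-market/values.yaml \
+-f autogpt-market/values.dev.yaml \
+--set image.tag=${{ github.sha }}
+- name: Deploy Frontend
+if: steps.check_changes.outputs.frontend_changed == 'true'
+run: |
+helm upgrade autogpt-builder ./autogpt-builder \
+--namespace ${{ env.NAMESPACE }} \
+-f autogpt-builder/values.yaml \
+-f autogpt-builder/values.dev.yaml \
+--set image.tag=${{ github.sha }}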
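Review bot: The `Check for changes` step can never emit `true`: on a `push` to `dev`, `git fetch origin dev` makes `origin/dev` the same commit as `HEAD`, so `git diff --name-only origin/dev HEAD` is empty, and when it is not, `$(… | grep "^autogpt_platform/backend/" && echo "true" …)` captures the matched paths together with `true`, a multi-line value that `echo "backend_changed=$BACKEND_CHANGED" >> $GITHUB_OUTPUT` cannot carry — so every build and deploy step is skipped. Compare against `github.event.before` (falling back to "everything changed" on `workflow_dispatch` or an unknown base) and test with `grep -q`, as below. Separately, images are pushed to `gcr.io/${{ env.PROJECT_ID }}/autogpt-backend:${{ github.sha }}` while the Helm values changed in this same commit pull `us-east1-docker.pkg.dev/agpt-dev/agpt-backend-dev/agpt-backend-dev`, so `--set image.tag=${{ github.sha }}` references a tag that was never pushed, and the `./autogpt-server` chart paths appear to be relative to the repo root rather than `autogpt_platform/infra/helm/` unless a copy exists at the root. `workload_identity_provider` is written with the project ID (`projects/agpt-dev/...`); the auth action documents this path with the numeric project number, so verify it against the `workload_identity_providers` Terraform output. Because this job mints a federated GCP identity, pin `actions/checkout`, `actions/cache`, `docker/*`, `azure/setup-helm` and `google-github-actions/*` to commit SHAs instead of floating tags (`actions/checkout@v2` and `actions/cache@v2` are also deprecated releases).
```yaml
      - name: Check for changes
        id: check_changes
        run: |
          # Diff against the previous tip of the branch on push; on workflow_dispatch
          # or when that base is unknown/unreachable, treat every service as changed.
          BASE="${{ github.event.before }}"
          if [ -n "$BASE" ] && git cat-file -e "$BASE" 2>/dev/null; then
            CHANGED=$(git diff --name-only "$BASE" "${{ github.sha }}")
          else
            CHANGED=$(git ls-files autogpt_platform)
          fi
          for svc in backend frontend market; do
            if printf '%s\n' "$CHANGED" | grep -q "^autogpt_platform/${svc}/"; then
              echo "${svc}_changed=true" >> "$GITHUB_OUTPUT"
            else
              echo "${svc}_changed=false" >> "$GITHUB_OUTPUT"
            fi
          done
      # … unchanged: Get GKE credentials, build/push and deploy steps …
```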
4 changes: 2 additions & 2 deletions autogpt_platform/infra/helm/autogpt-builder/values.dev.yaml
@@ -1,9 +1,9 @@
# dev values, overwrite base values as needed.

image:
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-builder-dev/agpt-builder-dev
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-frontend-dev/agpt-frontend-dev
pullPolicy: Always
tag: "fe3d2a9"
tag: "latest"

serviceAccount:
annotations:
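Review bot: `tag: "latest"` replaces a pinned build (`"fe3d2a9"`) as the dev default, and with `pullPolicy: Always` a pod restart silently picks up whatever `latest` points at that moment, so re-applying these values is not a reproducible rollback; keep an immutable default (a SHA tag) and let the pipeline override it with `--set image.tag=…`, which the new workflow already does. The new `image.repository` (`us-east1-docker.pkg.dev/agpt-dev/agpt-frontend-dev/agpt-frontend-dev`) also does not match where that workflow pushes the frontend image (`gcr.io/${PROJECT_ID}/autogpt-frontend`), so one of the two needs to change before the `--set` override can resolve.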
4 changes: 2 additions & 2 deletions autogpt_platform/infra/helm/autogpt-server/values.dev.yaml
@@ -1,7 +1,7 @@
# dev values, overwrite base values as needed.

image:
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-server-dev/agpt-server-dev
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-backend-dev/agpt-backend-dev
pullPolicy: Always
tag: "latest"

Expand Down Expand Up @@ -58,7 +58,7 @@ resources:

livenessProbe:
httpGet:
path: /heath
path: /health
port: 8006
initialDelaySeconds: 30
periodSeconds: 10
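Review bot: `image.repository` is renamed to `us-east1-docker.pkg.dev/agpt-dev/agpt-backend-dev/agpt-backend-dev`, but the workflow added in this commit pushes the backend image to `gcr.io/${PROJECT_ID}/autogpt-backend:${{ github.sha }}`, so the `--set image.tag` override will point at a tag that does not exist in this repository; align the push target with this value or vice versa. Combined with `tag: "latest"` and `pullPolicy: Always`, a pod restart outside the pipeline pulls a mutable tag — prefer a SHA default. The `/heath` → `/health` liveness fix is correct; if this file also has a `readinessProbe` below the hunk, check it for the same typo as was done in `values.prod.yaml`.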
4 changes: 2 additions & 2 deletions autogpt_platform/infra/helm/autogpt-server/values.prod.yaml
Expand Up @@ -72,15 +72,15 @@ cors:

livenessProbe:
httpGet:
path: /heath
path: /health
port: 8006
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
httpGet:
path: /heath
path: /health
port: 8006
initialDelaySeconds: 30
periodSeconds: 10
@@ -1,7 +1,7 @@
replicaCount: 1 # not scaling websocket server for now

image:
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-server-dev/agpt-server-dev
repository: us-east1-docker.pkg.dev/agpt-dev/agpt-backend-dev/agpt-backend-dev
tag: latest
pullPolicy: Always

46 changes: 42 additions & 4 deletions autogpt_platform/infra/terraform/environments/dev.tfvars
Expand Up @@ -28,6 +28,10 @@ service_accounts = {
"dev-agpt-market-sa" = {
display_name = "AutoGPT Dev Market Server Account"
description = "Service account for agpt dev market server"
},
"dev-github-actions-sa" = {
display_name = "GitHub Actions Dev Service Account"
description = "Service account for GitHub Actions deployments to dev"
}
}

Expand All @@ -51,6 +55,11 @@ workload_identity_bindings = {
service_account_name = "dev-agpt-market-sa"
namespace = "dev-agpt"
ksa_name = "dev-agpt-market-sa"
},
"dev-github-actions-workload-identity" = {
service_account_name = "dev-github-actions-sa"
namespace = "dev-agpt"
ksa_name = "dev-github-actions-sa"
}
}

Expand All @@ -59,7 +68,8 @@ role_bindings = {
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
],
"roles/cloudsql.client" = [
"serviceAccount:[email protected]",
Expand All @@ -80,7 +90,8 @@ role_bindings = {
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
]
"roles/compute.networkUser" = [
"serviceAccount:[email protected]",
Expand All @@ -93,12 +104,39 @@ role_bindings = {
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
]
],
"roles/artifactregistry.writer" = [
"serviceAccount:[email protected]"
],
"roles/container.viewer" = [
"serviceAccount:[email protected]"
],
}

pods_ip_cidr_range = "10.1.0.0/16"
services_ip_cidr_range = "10.2.0.0/20"

public_bucket_names = ["website-artifacts"]
standard_bucket_names = []
bucket_admins = ["[email protected]", "[email protected]"]
bucket_admins = ["[email protected]", "[email protected]"]

workload_identity_pools = {
"dev-pool" = {
display_name = "Development Identity Pool"
providers = {
"github" = {
issuer_uri = "https://token.actions.githubusercontent.com"
attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.repository" = "assertion.repository"
"attribute.repository_owner" = "assertion.repository_owner"
}
}
}
service_accounts = {
"dev-github-actions-sa" = [
"Significant-Gravitas/AutoGPT"
]
}
}
}
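Review bot: The new `dev-github-actions-workload-identity` entry under `workload_identity_bindings` binds the GitHub Actions service account to a GKE Kubernetes service account (`dev-agpt/dev-github-actions-sa`); that is GKE Workload Identity, not the GitHub OIDC federation the new pool provides, so it is not needed by the workflow and lets any pod that can run as that KSA in `dev-agpt` act as the deploy SA — remove it. `roles/container.viewer` grants read-only cluster access, and `helm upgrade` additionally needs a namespaced Kubernetes `RoleBinding` in `dev-agpt` for this SA (not visible here); prefer that over widening to `roles/container.developer`. The SA is also appended to two role lists whose role names start above the visible hunks, so I cannot tell what those grant; confirm each is required for build/deploy. The `service_accounts = { "dev-github-actions-sa" = ["Significant-Gravitas/AutoGPT"] }` allow-list is the right shape, provided the iam module actually turns it into a `roles/iam.workloadIdentityUser` binding.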
1 change: 1 addition & 0 deletions autogpt_platform/infra/terraform/main.tf
Expand Up @@ -61,6 +61,7 @@ module "iam" {
service_accounts = var.service_accounts
workload_identity_bindings = var.workload_identity_bindings
role_bindings = var.role_bindings
workload_identity_pools = var.workload_identity_pools
}

module "storage" {
27 changes: 27 additions & 0 deletions autogpt_platform/infra/terraform/modules/iam/main.tf
Expand Up @@ -23,4 +23,31 @@ resource "google_project_iam_binding" "role_bindings" {
role = each.key

members = each.value
}

resource "google_iam_workload_identity_pool" "pools" {
for_each = var.workload_identity_pools
workload_identity_pool_id = each.key
display_name = each.value.display_name
}

resource "google_iam_workload_identity_pool_provider" "providers" {
for_each = merge([
for pool_id, pool in var.workload_identity_pools : {
for provider_id, provider in pool.providers :
"${pool_id}/${provider_id}" => merge(provider, {
pool_id = pool_id
})
}
]...)

workload_identity_pool_id = split("/", each.key)[0]
workload_identity_pool_provider_id = split("/", each.key)[1]

attribute_mapping = each.value.attribute_mapping
oidc {
issuer_uri = each.value.issuer_uri
allowed_audiences = each.value.allowed_audiences
}
attribute_condition = "assertion.repository_owner==\"Significant-Gravitas\""
}
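Review bot: Nothing in the new resources consumes `pool.service_accounts`, so no `roles/iam.workloadIdentityUser` binding is created from the `{ sa => [repositories] }` allow-list; unless that binding is granted out of band, `google-github-actions/auth` cannot impersonate `dev-github-actions-sa`, and if it is granted out of band the per-repository restriction lives outside Terraform. Add a `google_service_account_iam_member` per (pool, SA, repo) with a `principalSet://…/attribute.repository/<repo>` member, as below. `attribute_condition` also hard-codes `assertion.repository_owner=="Significant-Gravitas"` inside an otherwise generic module: any repository in that org can exchange a token against this pool and the module cannot be reused for another owner, so make the condition a per-provider variable and, for a deploy pool, consider `assertion.repository == "Significant-Gravitas/AutoGPT" && assertion.ref == "refs/heads/dev"`. The `role_bindings` resource at the top of the hunk starts above it.
```hcl
locals {
  # Flatten {pool => {sa => [repos]}} into one entry per (pool, sa, repo).
  wif_sa_bindings = merge([
    for pool_id, pool in var.workload_identity_pools : {
      for pair in flatten([
        for sa_name, repos in pool.service_accounts : [
          for repo in repos : { sa = sa_name, repo = repo }
        ]
      ]) : "${pool_id}/${pair.sa}/${pair.repo}" => merge(pair, { pool_id = pool_id })
    }
  ]...)
}

resource "google_service_account_iam_member" "workload_identity_users" {
  for_each = local.wif_sa_bindings

  service_account_id = google_service_account.service_accounts[each.value.sa].name
  role               = "roles/iam.workloadIdentityUser"
  # Only the listed repository may impersonate this SA through the pool.
  member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.pools[each.value.pool_id].name}/attribute.repository/${each.value.repo}"
}
```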
12 changes: 11 additions & 1 deletion autogpt_platform/infra/terraform/modules/iam/outputs.tf
@@ -1,4 +1,14 @@
output "service_account_emails" {
description = "The emails of the created service accounts"
value = { for k, v in google_service_account.service_accounts : k => v.email }
}
}

output "workload_identity_pools" {
value = google_iam_workload_identity_pool.pools
}

output "workload_identity_providers" {
value = {
for k, v in google_iam_workload_identity_pool_provider.providers : k => v.name
}
}
13 changes: 13 additions & 0 deletions autogpt_platform/infra/terraform/modules/iam/variables.tf
Expand Up @@ -26,4 +26,17 @@ variable "role_bindings" {
description = "Map of roles to list of members"
type = map(list(string))
default = {}
}

variable "workload_identity_pools" {
type = map(object({
display_name = string
providers = map(object({
issuer_uri = string
attribute_mapping = map(string)
allowed_audiences = optional(list(string))
}))
service_accounts = map(list(string)) # Map of SA to list of allowed principals
}))
default = {}
}
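Review bot: `workload_identity_pools` has no `description`, unlike `role_bindings` directly above it and the root-level copy of the same variable; add `description = "Workload identity pools, their OIDC providers, and the repositories allowed to impersonate each service account"`. The inline `# Map of SA to list of allowed principals` comment should say what a principal is here — a GitHub `owner/repo` string matched against `attribute.repository` — since that is what the tfvars supply and what the module has to turn into an IAM binding. `optional()` inside object types requires Terraform ≥ 1.3; the `required_version` constraint is not visible in this commit.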
16 changes: 16 additions & 0 deletions autogpt_platform/infra/terraform/variables.tf
Expand Up @@ -130,3 +130,19 @@ variable "bucket_admins" {
default = ["[email protected]", "[email protected]"]
}

variable "workload_identity_pools" {
type = map(object({
display_name = string
providers = map(object({
issuer_uri = string
attribute_mapping = map(string)
allowed_audiences = optional(list(string))
}))
service_accounts = map(list(string))
}))
default = {}
description = "Configuration for workload identity pools and their providers"
}


