This project is about GCP deployment with GitHub Actions, WIF authentication, Docker... Not about the Rails code itself. The code is mostly based on Templatus; for further information refer to that repository.
This is a basic implementation of the new GitHub Actions Cloud Run deployment. It uses WIF (Workload Identity Federation) for authentication, as Google recommends, so no service account keys are needed.
Feel free to fork and modify this repository to satisfy your needs.
Documentation is currently a work in progress.
- Coming soon *
First of all, we need to create a service account.
IAM -> Service Accounts -> Create service account.
IAM main page -> Edit the service account.
A newly created account has no permissions, so we need to grant the following roles:
- Artifact Registry Writer
- Cloud Run Admin
- Cloud Run Service Agent
- Secret Manager Accessor
1. Provider -> OIDC
2. Provider name -> Github-Actions
3. Issuer URL -> https://token.actions.githubusercontent.com
--
In the next step we need to provide the attributes; this is the way to "authorize" API calls.
I am making requests with these parameters, however you can use whatever you want. Keep in mind that you will need to update some things in the coming steps in order to make it work correctly.
You should select the service account created previously.
For the identities that can access the service account, select "only matching the filter". As mentioned previously, this is how the calls are authorized: only tokens whose attributes match the filter can impersonate the service account. For further information you can refer to the GitHub docs.
Replace username/repository with your data.
Rails applications use several secrets, such as DB_HOST, SECRET_KEY_BASE...
GitHub Actions needs to authenticate to GCP in order to access the API. For that, I am using GitHub environments, in order not to mix secrets, etc. In my CI configuration I use the deployment environment.
First of all we need to create that environment, in Settings -> Environments. Once it's created we need to add our OIDC identification parameters, WIF_PROVIDER and WIF_SERVICE_ACCOUNT:
- WIF_PROVIDER: Go to the GCP Cloud Console, Workload Identity Federation, select your pool, "edit" and there you should see it.
In order to make the Rails app work, we need some secrets, such as DB_HOST or SECRET_KEY_BASE. This is the way I structure secrets, as you can see in the CI file:
```yaml
secrets: |
  DB_HOST=${{ secrets.SERVICE_NAME }}-dbhost:latest
  DB_USERNAME=${{ secrets.SERVICE_NAME }}-dbusername:latest
  DB_PASSWORD=${{ secrets.SERVICE_NAME }}-dbpassword:latest
  SECRET_KEY_BASE=${{ secrets.SERVICE_NAME }}-secret-key:latest
```
You should AT LEAST create those secrets in GCP Secret Manager with your data.
I want to deploy my updated image once I create a new release, however you can change this in the release.yml file, where all the CI configuration lives.
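The following is an added example of a complete release-triggered workflow, not the repository's own release.yml. It ties together the `deployment` environment with its WIF_PROVIDER and WIF_SERVICE_ACCOUNT secrets, the Secret Manager mapping shown above, and the release trigger. The environment name, the secret names and the SERVICE_NAME secret come from this README; `PROJECT_ID`, `REGION` and `REPOSITORY` (the Artifact Registry repository) are placeholders you must replace. The `id-token: write` permission is required, since it is what allows the job to request the GitHub OIDC token that WIF exchanges for a Google credential.

```yaml
# Added example workflow (not the project's own release.yml).
# Assumed placeholders: PROJECT_ID, REGION, REPOSITORY.
name: Deploy to Cloud Run

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # needed so the job can request the OIDC token that WIF exchanges

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: deployment   # WIF_PROVIDER, WIF_SERVICE_ACCOUNT and SERVICE_NAME live here

    steps:
      - uses: actions/checkout@v4

      # Keyless authentication: the GitHub OIDC token is exchanged for a short-lived
      # credential for the service account. The provider's attribute condition
      # (assertion.repository == 'username/repository') is what limits which repo
      # can perform this exchange.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}

      - uses: google-github-actions/setup-gcloud@v2

      # Build and push the image, tagged with the release tag so each deploy is traceable.
      - id: build
        name: Build and push image
        run: |
          gcloud auth configure-docker REGION-docker.pkg.dev --quiet
          IMAGE="REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/${{ secrets.SERVICE_NAME }}:${{ github.event.release.tag_name }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
          echo "image=$IMAGE" >> "$GITHUB_OUTPUT"

      # Each entry is ENV_VAR=secret-name:version; the values are Secret Manager
      # references, so no secret material is stored in GitHub.
      - uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ secrets.SERVICE_NAME }}
          region: REGION
          image: ${{ steps.build.outputs.image }}
          secrets: |
            DB_HOST=${{ secrets.SERVICE_NAME }}-dbhost:latest
            DB_USERNAME=${{ secrets.SERVICE_NAME }}-dbusername:latest
            DB_PASSWORD=${{ secrets.SERVICE_NAME }}-dbpassword:latest
            SECRET_KEY_BASE=${{ secrets.SERVICE_NAME }}-secret-key:latest
```

The WIF_PROVIDER value is the provider's full resource name, of the form `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER`, and WIF_SERVICE_ACCOUNT is the service account's email address. Because the credential is minted per job run and scoped by the provider's attribute condition, a leaked workflow log exposes nothing reusable, which is the practical reason to prefer this over a downloaded JSON key.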