Deploy prod #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy prod | |
| on: | |
| push: | |
| branches: | |
| - master | |
| paths: | |
| - '.github/workflows/deploy-prod.yml' | |
| - Dockerfile | |
| workflow_dispatch: | |
| env: | |
| CHART_NAME: 'ghost' | |
| INGRESS_HOST: 'www.funkypenguin.co.nz' | |
| KUBECONFIG_FILE: '${{ secrets.KUBECONFIG }}' | |
| CHART_REPO: 'https://charts.bitnami.com/bitnami' | |
| jobs: | |
| cr-build-image: | |
| name: Build image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout master | |
| uses: actions/checkout@master | |
| - name: Build container image | |
| run: docker build -t ghcr.io/${{ github.repository }}/${{ env.CHART_NAME }}:${{ github.sha }} . | |
| - name: Docker login to GitHub Packages | |
| env: | |
| DOCKER_USERNAME: ${{ github.actor }} | |
| DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| run: docker login ghcr.io -u $DOCKER_USERNAME -p $DOCKER_PASSWORD | |
| # - name: Log in to the Container registry | |
| # uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 | |
| # with: | |
| # registry: ${{ env.REGISTRY }} | |
| # username: ${{ github.actor }} | |
| # password: ${{ secrets.GITHUB_TOKEN }} | |
| # - name: Extract metadata (tags, labels) for Docker | |
| # id: meta | |
| # uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 | |
| # with: | |
| # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # - name: Build and push Docker image | |
| # uses: docker/build-push-action@v3 | |
| # with: | |
| # context: . | |
| # push: true | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| - name: Push image to GitHub Packages | |
| run: docker push ghcr.io/${{ github.repository }}/${{ env.CHART_NAME }}:${{ github.sha }} | |
| cr-deploy-chart: | |
| needs: | |
| - cr-build-image # No point proceeding if we don't have an image | |
| name: Deploy chart | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: 'Install chart' | |
| uses: 'glopezep/[email protected]' # See https://github.com/deliverybot/helm/issues/66 | |
| with: | |
| release: '${{env.CHART_NAME}}' | |
| namespace: '${{env.CHART_NAME}}' | |
| helm: 'helm3' | |
| chart: '${{env.CHART_NAME}}' | |
| repository: '${{env.CHART_REPO}}' | |
| # Insert values.yaml overrides here, indented as you would in a regular YAML file | |
| values: | | |
| image: | |
| registry: ghcr.io | |
| repository: ${{ github.repository }}/${{ env.CHART_NAME }} | |
| tag: ${{ github.sha }} | |
| pullSecrets: | |
| - ghost-pullsecret | |
| extraEnvVars: | |
| - name: AWS_ACCESS_KEY_ID | |
| value: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| - name: AWS_ACCESS_SECRET_KEY | |
| value: ${{ secrets.AWS_ACCESS_SECRET_KEY }} | |
| - name: AWS_REGION | |
| value: ${{ secrets.AWS_REGION }} | |
| - name: AWS_BUCKET | |
| value: ${{ secrets.AWS_BUCKET }} | |
| resources: | |
| requests: | |
| memory: 150Mi | |
| cpu: 100m | |
| ghostProtocol: https | |
| ghostPort: 443 | |
| ghostHost: ${{ env.INGRESS_HOST }} | |
| ghostUsername: ${{ secrets.GHOST_USERNAME }} | |
| ghostEmail: ${{ secrets.GHOST_EMAIL }} | |
| ghostPassword: ${{ secrets.GHOST_PASSWORD }} | |
| ghostBlogTitle: Funky Penguin | |
| ghostEnableHttps: false | |
| updateStrategy: | |
| type: Recreate | |
| smtpHost: ${{ secrets.GHOST_SMTP_HOST }} | |
| smtpPort: ${{ secrets.GHOST_SMTP_PORT }} | |
| smtpUser: ${{ secrets.GHOST_SMTP_USER }} | |
| smtpPassword: ${{ secrets.GHOST_SMTP_PASSWORD }} | |
| smtpService: mailgun | |
| smtpFromAddress: [email protected] | |
| mysql: | |
| # Why not just let the chart give us a random password? | |
| # Because the data is going to persist in a PVC, even if we delete the helm | |
| # release, and when we re-create the helm release, we might actually _want_ our data ;) | |
| auth: | |
| password: ${{ secrets.GHOST_DB_PASSWORD }} | |
| rootPassword: ${{ secrets.GHOST_DB_ROOT_PASSWORD }} | |
| password: ${{ secrets.GHOST_DB_ROOT_PASSWORD }} | |
| primary: | |
| persistence: | |
| size: 1Gi | |
| service: | |
| type: ClusterIP # We'll access it via nginx-ingress-controller | |
| ingress: | |
| ## Set to true to enable ingress record generation | |
| ingressClassName: traefik | |
| enabled: true | |
| hostname: '${{ env.INGRESS_HOST }}' | |
| tls: true | |
| extraTls: | |
| - hosts: | |
| - '${{ env.INGRESS_HOST }}' | |
| secretName: letsencrypt-wildcard-cert | |
| annotations: | |
| cert-manager.io/cluster-issuer: "letsencrypt-prod" | |
| persistence: | |
| enabled: true | |
| size: 1Gi |