Setup GitOps with GitHub Actions
Quick Start
| Steps | Command |
|---|---|
| 1. Verify identity requirements | |
| 2. Expand GitHub OIDC | task workflow deploy/github-oidc-provider -f gitops |
| 3. Vendor | task workflow vendor -f gitops |
| 4. Deploy | task workflow deploy/gitops -f gitops |
Requirements
1 Self-Hosted Runners
Although not required, we recommend first deploying self-hosted GitHub runners if you need to manage any resources inside a VPC (e.g. RDS users). For more information on setting up runners, see the Philips Labs GitHub Runners or the GitHub Action Runner Controller (EKS) setup documentation.
If you do not wish to use self-hosted runners, simply change the runs-on option for all included workflows in .github/workflows.
2 Set Up GitHub Variables
The gitops stack config depends on the following GitHub variables:
- TASK_VERSION - the version of Semaphore to use
- TASK_CONFIG_PATH - the path to the Semaphore config file
Please set the following GitHub variables in the repository settings:
- Open the repository settings
- Set variable TASK_VERSION to the value 1.63.0
- Set variable TASK_CONFIG_PATH to the value ./rootfs/usr/local/etc/task/
3 Authentication Prerequisites
The GitHub Action workflows expect the gitops AWS Team to be properly set up and connected to GitHub OIDC. Both of
these components should already be deployed with aws-teams/aws-team-roles and github-oidc-provider respectively,
but github-oidc-provider will likely need to be deployed to several additional accounts. Verify the following to complete
the authentication prerequisites.
- The gitops Team is defined and deployed by aws-teams.
- The gitops team adds a trusted relationship with the given infrastructure repo, via trusted_github_repos. Capitalization matters!
  trusted_github_repos:
    gitops:
      - "acme/infra-acme"
- The aws-team-roles default catalog allows the gitops team to assume the terraform role, including anywhere aws-team-roles is overwritten (plat-dev and plat-sandbox).
- tfstate-backend allows gitops to assume the default access role from the core-identity account.
- github-oidc-provider is deployed to every account that GitHub will be able to access. This should be every account except root.
- The workflows have adequate permissions.
In order to assume GitHub OIDC roles, a workflow needs the following:
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
In order to assume GitHub OIDC roles and manage GitHub Issues, a workflow needs these permissions:
permissions:
  id-token: write # This is required for requesting the JWT
  contents: write # This is required for actions/checkout and updating Issues
  issues: write # This is required for creating and updating Issues
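As an added example (not code from the original page, from aws-teams or from the gitops component), the following pre-flight check covers two of the prerequisites above: that a workflow's permissions block is sufficient, and that a trusted_github_repos entry matches the repository in a GitHub OIDC token exactly, case included. It assumes the token's sub claim has the documented form repo:<org>/<repo>:<ref-or-environment>; all inputs are constructed.

```python
# Added example, not part of the page or the referenced components.
# Assumes the GitHub OIDC `sub` claim looks like "repo:<org>/<repo>:<rest>".

REQUIRED_BASE = {"id-token": "write", "contents": "read"}
REQUIRED_ISSUES = {"id-token": "write", "contents": "write", "issues": "write"}

# Permission levels ordered by privilege, so "write" satisfies a "read" need.
LEVELS = {"none": 0, "read": 1, "write": 2}


def missing_permissions(permissions, manages_issues=False):
    """Return the {scope: level} entries a workflow still lacks."""
    required = REQUIRED_ISSUES if manages_issues else REQUIRED_BASE
    missing = {}
    for scope, level in required.items():
        have = permissions.get(scope, "none")
        if LEVELS.get(have, 0) < LEVELS[level]:
            missing[scope] = level
    return missing


def trusted_repo_for_sub(trusted_github_repos, team, sub):
    """Return the trusted repo matching the token `sub`, or None.

    The comparison is deliberately case-sensitive: capitalization in
    trusted_github_repos matters, so "ACME/infra-acme" does not match a
    token issued for "acme/infra-acme".
    """
    parts = sub.split(":", 2)  # ["repo", "<org>/<repo>", "<rest>"]
    if len(parts) != 3 or parts[0] != "repo":
        return None
    for repo in trusted_github_repos.get(team, []):
        if repo == parts[1]:
            return repo
    return None


# Constructed sample inputs mirroring the snippets in this section.
TRUSTED = {"gitops": ["acme/infra-acme"]}
DEPLOY_PERMS = {"id-token": "write", "contents": "read"}
ISSUE_PERMS = {"id-token": "write", "contents": "read"}  # lacks issues: write

if __name__ == "__main__":
    print(missing_permissions(DEPLOY_PERMS))  # {}
    print(missing_permissions(ISSUE_PERMS, manages_issues=True))
    print(trusted_repo_for_sub(TRUSTED, "gitops", "repo:acme/infra-acme:ref:refs/heads/main"))
    print(trusted_repo_for_sub(TRUSTED, "gitops", "repo:ACME/infra-acme:ref:refs/heads/main"))
```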
How To Setup
1 Vendor Components
The gitops stack config depends on two components that may already exist in your component library (s3-bucket and
dynamodb) and adds one new component (gitops) to manage the GitHub OIDC access. Vendor these components either with
the included Semaphore Workflows or using Semaphore Vendoring.
Commands:
task workflow vendor -f gitops
Taskfile Workflow: the vendor workflow in the examples/snippets/stacks/workflows/gitops.yaml file.
2 Deploy
Deploy three components, gitops/s3-bucket, gitops/dynamodb, and gitops, with the following workflow:
Commands:
task workflow deploy -f gitops
Taskfile Workflow: the deploy workflow in the examples/snippets/stacks/workflows/gitops.yaml file.
And that's it!
Tips
- Enable GitHub Actions support for any component by setting settings.github.actions_enabled: true and let the workflow handle the rest. Keep in mind this setting is likely enabled by default in your organization stack configuration, stacks/catalog/acme/_defaults.yaml.
- The roles created by aws-teams or gitops should already be included in your workflows. Verify these roles match the env settings in .github/workflows/task-terraform-*.
- You do not need to create a GitHub App or complete additional steps to trigger these workflows.