注意:GitHub Enterprise Server 目前不支持 GitHub 托管的运行器。 可以在 GitHub public roadmap 上查看有关未来支持计划的更多信息。
Introduction
This guide explains how to use GitHub Actions to build a containerized application, push it to Google Container Registry (GCR), and deploy it to Google Kubernetes Engine (GKE) when there is a push to the main branch.
GKE is a managed Kubernetes cluster service from Google Cloud that can host your containerized workloads in the cloud or in your own datacenter. For more information, see Google Kubernetes Engine.
Prerequisites
Before you proceed with creating the workflow, you will need to complete the following steps for your Kubernetes project. This guide assumes the root of your project already has a Dockerfile and a Kubernetes Deployment configuration file. For an example, see google-github-actions.
Creating a GKE cluster
To create the GKE cluster, you will first need to authenticate using the gcloud CLI. For more information on this step, see the following articles:
For example:
$ gcloud container clusters create $GKE_CLUSTER \ --project=$GKE_PROJECT \ --zone=$GKE_ZONEEnabling the APIs
Enable the Kubernetes Engine and Container Registry APIs. For example:
$ gcloud services enable \ containerregistry.googleapis.com \ container.googleapis.comConfiguring a service account and storing its credentials
This procedure demonstrates how to create the service account for your GKE integration. It explains how to create the account, add roles to it, retrieve its keys, and store them as a base64-encoded encrypted repository secret named GKE_SA_KEY.
-
Create a new service account:
$ gcloud iam service-accounts create $SA_NAME -
Retrieve the email address of the service account you just created:
$ gcloud iam service-accounts list -
Add roles to the service account. Note: Apply more restrictive roles to suit your requirements.
$ gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.admin $ gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/storage.admin $ gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.clusterViewer -
Download the JSON keyfile for the service account:
$ gcloud iam service-accounts keys create key.json --iam-account=$SA_EMAIL -
Store the service account key as a secret named
GKE_SA_KEY:$ export GKE_SA_KEY=$(cat key.json | base64)For more information about how to store a secret, see "Encrypted secrets."
Storing your project name
Store the name of your project as a secret named GKE_PROJECT. For more information about how to store a secret, see "Encrypted secrets."
(Optional) Configuring kustomize
Kustomize is an optional tool used for managing YAML specs. After creating a kustomization file, the workflow below can be used to dynamically set fields of the image and pipe in the result to kubectl. For more information, see kustomize usage.
(Optional) Configure a deployment environment
环境用于描述常规部署目� �,例如 production、staging 或 development。 当 GitHub Actions 工作流部署到某个环境时,该环境将显示在存储库的主页上。 � 可以使用环境来要求批准才能继续作业,限制哪些分支可以触发工作流,或限制对机密的访问。 有关创建环境的详细信息,请参阅“使用环境进行部署”。
Creating the workflow
Once you've completed the prerequisites, you can proceed with creating the workflow.
The following example workflow demonstrates how to build a container image and push it to GCR. It then uses the Kubernetes tools (such as kubectl and kustomize) to pull the image into the cluster deployment.
Under the env key, change the value of GKE_CLUSTER to the name of your cluster, GKE_ZONE to your cluster zone, DEPLOYMENT_NAME to the name of your deployment, and IMAGE to the name of your image.
如果配置了部署环境,请将 environment 的值更改为环境的名称。 如果未配置环境 ,请� 除 environment 密钥。
# 此工作流使用未经 GitHub 认证的操作。 # 它们由第三方提供,并受 # 单独的服务条款、隐私政策和支持 # 文档。 # GitHub 建议将操作固定到提交 SHA。 # 若要获取较新版本,需要更新 SHA。 # 还可以引用� �记或分支,但该操作可能会更改而不发出警告。 name: Build and Deploy to GKE on: push: branches: - main env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} GKE_CLUSTER: cluster-1 # Add your cluster name here. GKE_ZONE: us-central1-c # Add your cluster zone here. DEPLOYMENT_NAME: gke-test # Add your deployment name here. IMAGE: static-site jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest environment: production steps: - name: Checkout uses: actions/checkout@v2 # Setup gcloud CLI - uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7 with: service_account_key: ${{ secrets.GKE_SA_KEY }} project_id: ${{ secrets.GKE_PROJECT }} # Configure Docker to use the gcloud command-line tool as a credential # helper for authentication - run: |- gcloud --quiet auth configure-docker # Get the GKE credentials so we can deploy to the cluster - uses: google-github-actions/get-gke-credentials@fb08709ba27618c31c09e014e1d8364b02e5042e with: cluster_name: ${{ env.GKE_CLUSTER }} location: ${{ env.GKE_ZONE }} credentials: ${{ secrets.GKE_SA_KEY }} # Build the Docker image - name: Build run: |- docker build \ --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ --build-arg GITHUB_SHA="$GITHUB_SHA" \ --build-arg GITHUB_REF="$GITHUB_REF" \ . # Push the Docker image to Google Container Registry - name: Publish run: |- docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" # Set up kustomize - name: Set up Kustomize run: |- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 chmod u+x ./kustomize # Deploy the Docker image to the GKE cluster - name: Deploy run: |- ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME kubectl get services -o wideAdditional resources
For more information on the tools used in these examples, see the following documentation:
- For the full starter workflow, see the "Build and Deploy to GKE" workflow.
- For more starter workflows and accompanying code, see Google's GitHub Actions example workflows.
- The Kubernetes YAML customization engine: Kustomize.
- "Deploying a containerized web application" in the Google Kubernetes Engine documentation.