Deploy App Definition

Author: jfaltermeier

.github/workflows/publish-theia-ide-preview-comment.yml

@@ -0,0 +1,24 @@
+name: Comment on new PR
+
+permissions:
+  pull-requests: write
+
+on:
+  pull_request:
+    branches: [master]
+    types:
+      - opened
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    steps:
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #7.0.1
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Thank you for opening the PR!\n\nThis comment will be replaced with a link to a Preview deployment as soon as it is ready.'
+            })

.github/workflows/publish-theia-ide-preview-deployment.yml

@@ -87,4 +87,76 @@ jobs:
           file: browser.Dockerfile
           push: true
           tags: |
-            europe-west3-docker.pkg.dev/kubernetes-238012/theia-ide-preview/theia-ide-preview:${{ env.IMAGE_TAG }}
+            europe-west3-docker.pkg.dev/kubernetes-238012/theia-ide-preview/theia-ide-preview:${{ env.IMAGE_TAG }}
+            
+      - name: Get GKE Credentials
+        uses: google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
+        with:
+          cluster_name: github-theia-ide-preview
+          location: europe-west3-c
+      
+      - name: List sessions in theia-cloud namespace
+        run: kubectl get sessions -n theia-cloud
+      
+      - name: List apps in theia-cloud namespace
+        run: kubectl get appdefinitions -n theia-cloud
+
+      - name: Delete app definition if existent
+        run: kubectl delete appdefinitions theia-ide-${{ env.IMAGE_TAG }} -n theia-cloud || true
+
+      - name: Delete existing sessions
+        run: kubectl get sessions -n theia-cloud -o json | jq -r '.items[] | select(.spec.appDefinition == "theia-ide-${{ env.IMAGE_TAG }}") | .metadata.name' | xargs -r kubectl delete sessions -n theia-cloud
+
+      - name: Create app definition
+        run: |
+          cat <<EOF | kubectl apply -f -
+            apiVersion: theia.cloud/v1beta10
+            kind: AppDefinition
+            metadata:
+              name: theia-ide-${{ env.IMAGE_TAG }}
+              namespace: theia-cloud
+            spec:
+              downlinkLimit: 30000
+              image: europe-west3-docker.pkg.dev/kubernetes-238012/theia-ide-preview/theia-ide-preview:${{ env.IMAGE_TAG }}
+              imagePullPolicy: Always
+              ingressname: theia-cloud-demo-ws-ingress
+              limitsCpu: "2"
+              limitsMemory: 500M
+              maxInstances: 3
+              minInstances: 0
+              mountPath: /home/project/persisted
+              name: theia-ide-${{ env.IMAGE_TAG }}
+              port: 3000
+              requestsCpu: "100m"
+              requestsMemory: 300M
+              timeout: 15
+              uid: 101
+              uplinkLimit: 30000
+          EOF
+
+      - name: Update bot comment with  URL
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #7.0.1
+        with:
+          script: |
+            const {data: comments} = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.number,
+            })
+            const botComment = comments.find(comment => comment.user.id === 41898282)
+            const commentBody = "Preview deployment created at https://launch.theia-ide-preview.eclipsesource-munich.com/?appDef=theia-ide-${{ env.IMAGE_TAG }}\n\nWhen the deployment is cleaned up, this link will be removed again."
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: commentBody
+              })
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.number,
+                body: commentBody
+              })
+            }

.terraform/main.tf

@@ -67,6 +67,9 @@ resource "google_container_cluster" "primary" {
   remove_default_node_pool = true
   initial_node_count       = 1
   project                  = "kubernetes-238012"
+  workload_identity_config {
+    workload_pool = "kubernetes-238012.svc.id.goog"
+  }
 }
 
 # Node Pool
@@ -119,13 +122,21 @@ provider "helm" {
     host                   = "https://${google_container_cluster.primary.endpoint}"
     token                  = data.google_client_config.default.access_token
     cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "gke-gcloud-auth-plugin"
+    }
   }
 }
 provider "kubectl" {
   load_config_file       = false
   host                   = "https://${google_container_cluster.primary.endpoint}"
   token                  = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "gke-gcloud-auth-plugin"
+  }
 }
 
 # Install cert-manager
@@ -400,3 +411,54 @@ resource "helm_release" "theia-cloud" {
     value = var.cookiesecret
   }
 }
+
+# Configure service account
+#
+resource "kubectl_manifest" "cluster-role" {
+  depends_on = [helm_release.theia-cloud-crds]
+  yaml_body  = <<-EOF
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: custom-resource-manager
+  rules:
+    - apiGroups: ["theia.cloud"]
+      resources: ["appdefinitions", "sessions"]
+      verbs: ["get", "list", "create", "delete"]
+  EOF
+}
+resource "kubectl_manifest" "cluster-role-binding" {
+  depends_on = [kubectl_manifest.cluster-role]
+  yaml_body  = <<-EOF
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: custom-resource-binding
+  subjects:
+    - kind: User
+      name: "github-theia-preview-deployer@kubernetes-238012.iam.gserviceaccount.com"
+      apiGroup: rbac.authorization.k8s.io
+  roleRef:
+    kind: ClusterRole
+    name: custom-resource-manager
+    apiGroup: rbac.authorization.k8s.io
+  EOF
+}
+resource "kubectl_manifest" "github-deployer-sa" {
+  yaml_body = <<-EOF
+  apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: github-deployer
+    namespace: theia-cloud
+    annotations:
+      iam.gke.io/gcp-service-account: github-theia-preview-deployer@kubernetes-238012.iam.gserviceaccount.com
+  EOF
+}
+resource "google_service_account_iam_binding" "workload-identity-binding" {
+  service_account_id = "projects/kubernetes-238012/serviceAccounts/github-theia-preview-deployer@kubernetes-238012.iam.gserviceaccount.com"
+  role               = "roles/iam.workloadIdentityUser"
+  members = [
+    "serviceAccount:kubernetes-238012.svc.id.goog[theia-cloud/github-deployer]"
+  ]
+}

.terraform/theia-cloud.yaml

@@ -3,7 +3,7 @@ app:
   name: Theia IDE Preview
 
 demoApplication:
-  install: false
+  install: true # at the moment we will lose the ingress if we delete the last app def
 
 hosts:
   usePaths: false
@@ -20,7 +20,7 @@ keycloak:
   enable: true
   realm: "TheiaCloud"
   clientId: "theia-cloud"
-  authUrl: "https://theia-ide-preview.eclipsesource-munich.com/keycloak"
+  authUrl: "https://theia-ide-preview.eclipsesource-munich.com/keycloak/"
 
 operator:
   eagerStart: false