Added github pipeline to build image

.github/workflows/release.yaml

@@ -0,0 +1,88 @@
+name: Release app
+
+on:
+  workflow_dispatch:
+
+jobs:
+  # docker-build-and-publish:
+  #   name: Build and publish docker image
+  #   permissions:
+  #     contents: read
+  #     id-token: write
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #   - uses: actions/checkout@v4
+
+  #   - name: Set up QEMU
+  #     uses: docker/setup-qemu-action@v3
+
+  #   - name: Set up Docker Buildx
+  #     uses: docker/setup-buildx-action@v2
+
+  #   - name: Login to GHCR
+  #     uses: docker/login-action@v2
+  #     with:
+  #       registry: ghcr.io
+  #       username: ${{ github.actor }}
+  #       password: ${{ github.token }}
+
+  #   - name: Docker meta
+  #     id: meta
+  #     uses: docker/metadata-action@v4
+  #     with:
+  #       images: ghcr.io/${{ github.repository }}
+  #       tags: |
+  #         type=sha
+  #         type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+  #         type=raw,value={{branch}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+  #         type=raw,value=latest,enable={{is_default_branch}}
+
+  #   - name: Build and Push Docker Image
+  #     uses: docker/build-push-action@v4
+  #     with:
+  #       context: .
+  #       platforms: linux/x86_64
+  #       push: true
+  #       cache-from: type=gha
+  #       cache-to: type=gha,mode=max
+  #       tags: ${{ steps.meta.outputs.tags }}
+  #       labels: ${{ steps.meta.outputs.labels }}
+
+  # patch-values:
+  #   name: Patch values with new tag
+  #   needs: docker-build-and-publish
+  #   if: github.ref == 'refs/heads/master'
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - name: Update values.yaml
+  #       uses: fjogeleit/yaml-update-action@master
+  #       with:
+  #         valueFile: 'argocd/test-app/version.yaml'
+  #         propertyPath: 'image.tag'
+  #         value: ${{ github.sha }}
+  #         branch: master
+  #         createPR: false
+  #         message: 'Update test-app image Version to ${{ github.sha }}'
+
+  test:
+    name: "Test WIF"
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: 'earnest-reactor-416012'
+          workload_identity_provider: 'projects/200867752258/locations/global/workloadIdentityPools/github-actions/providers/github-actions'
+          service_account: [email protected]
+      - name: Set up Cloud SDK
+        uses: google-github-actions/[email protected]
+      # - name: set crdential_file
+      #   run: gcloud auth login --cred-file=${{steps.auth.outputs.credentials_file_path}}
+      - name: Run gcloud
+        run: gcloud compute instances list --zones europe-west1-c

terraform/argocd.tf

@@ -2,23 +2,23 @@ locals {
   argocd_values = {
     # Configure repository connection
     configs = {
-    #   credentialTemplates = {
-    #     github-ssh = {
-    #       url           = var.argocd_repository_url
-    #       sshPrivateKey = var.argocd_private_key
-    #     }
-    #   }
-    #   repositories = {
-    #     github = {
-    #       url = var.argocd_repository_url
-    #     }
-    #   }
+      credentialTemplates = {
+        github-ssh = {
+          url           = var.argocd_repository_url
+          sshPrivateKey = var.argocd_private_key
+        }
+      }
+      repositories = {
+        github = {
+          url = var.argocd_repository_url
+        }
+      }
     }
 
     # Configure initial applications list
-    # server = {
-    #   additionalApplications = yamldecode(var.argocd_applications_definition)
-    # }
+    server = {
+      additionalApplications = yamldecode(var.argocd_applications_definition)
+    }
 
     # Configure rbac to enable application CRD sync
     repoServer = {

terraform/artifact-repository.tf

@@ -0,0 +1,6 @@
+resource "google_artifact_registry_repository" "docker_repository" {
+  location      = var.region
+  repository_id = var.docker_repository_name
+  description   = "example docker repository"
+  format        = "DOCKER"
+}

terraform/github-iam.tf

@@ -0,0 +1,45 @@
+resource "google_iam_workload_identity_pool" "identity-pool" {
+  workload_identity_pool_id = "github-actions"
+}
+
+resource "google_iam_workload_identity_pool_provider" "github-oidc-provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.identity-pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "github-actions"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub",
+    "attribute.actor" = "assertion.actor",
+    "attribute.repository" = "assertion.repository",
+    "attribute.repository_owner" = "assertion.repository_owner"
+  }
+  attribute_condition = "attribute.repository==\"${var.argocd_repository}\""
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+}
+
+resource "google_service_account" "github-actions" {
+  account_id   = "github-actions"
+  display_name = "Github Actions"
+}
+
+resource "google_artifact_registry_repository_iam_member" "github-actions-docker-image-write" {
+  location      = var.region
+  repository = google_artifact_registry_repository.docker_repository.id
+  role = "roles/artifactregistry.writer"
+  member = "serviceAccount:${google_service_account.github-actions.email}"
+}
+
+resource "google_service_account_iam_binding" "github-actions" {
+  service_account_id = google_service_account.github-actions.id
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.identity-pool.name}/attribute.repository/${var.argocd_repository}",
+  ]
+}
+
+resource "google_project_iam_member" "test" {
+  project = var.project_id
+  role    = "roles/compute.viewer"
+  member  = "serviceAccount:${google_service_account.github-actions.email}"
+}

terraform/variables.tf

@@ -18,6 +18,10 @@ variable "subnetwork_name" {
   description = "The network name"
 }
 
+variable "docker_repository_name" {
+  description = "The name of artifacts repository containing docker images"
+}
+
 variable "project_id" {
   description = "The project ID to host the cluster in"
 }
@@ -40,4 +44,20 @@ variable "ip_range_nodes" {
 
 variable "argocd_version" {
     description = "Version of Argo CD to install"
-}
+}
+
+variable "argocd_repository_url" {
+    description = "Repository that would be used by ArgoCD as a source in SSH format"
+}
+
+variable "argocd_repository" {
+    description = "Repository that would be used by ArgoCD in github org/repo_name format, would be used in OIDC claims"
+}
+
+variable "argocd_private_key" {
+    description = "SSH key that would be used by ArgoCD to access source repository"
+}
+
+variable "argocd_applications_definition" {
+    description = "ArgoCD applications deffinition"
+}

terraform/vars.auto.tfvars

@@ -7,9 +7,38 @@ region = "europe-west1"
 cluster_name = "gke-cluster"
 network_name = "gke-cluster"
 subnetwork_name = "gke-cluster"
+docker_repository_name = "docker-repository"
 
 ip_range_pods = "192.168.0.0/16"
 ip_range_services = "10.96.0.0/12"
 ip_range_nodes = "10.32.0.0/20"
 
-argocd_version = "6.6.0"
+argocd_version = "6.6.0"
+
+argocd_repository_url = "[email protected]:dm3ch/p2p-devops-test.git"
+argocd_repository = "dm3ch/p2p-devops-test"
+argocd_private_key = <<EOF
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBaJt/inREf9/KHHY1g64NsklfQjEnomlRU7/HQOgSY/AAAAKAnR4flJ0eH
+5QAAAAtzc2gtZWQyNTUxOQAAACBaJt/inREf9/KHHY1g64NsklfQjEnomlRU7/HQOgSY/A
+AAAECci6H8KM4yIE2Xtdn0SqzHeOFfOSk7NrKbUpgGnadOd1om3+KdER/38ocdjWDrg2yS
+V9CMSeiaVFTv8dA6BJj8AAAAHWRtM2NoQERtM0NoLU1hY0Jvb2stUHJvLmxvY2Fs
+-----END OPENSSH PRIVATE KEY-----
+EOF
+argocd_applications_definition = <<EOF
+- name: apps
+  namespace: argocd
+  project: default
+  source:
+    repoURL: '[email protected]:dm3ch/p2p-devops-test.git'
+    path: argocd/apps
+    targetRevision: main
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+EOF