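How do you try writing a container application with GitHub Actions?

Some time ago GitHub released the GitHub Actions project. Developers can store and search code through GitHub Actions, and some of that code can be run directly. This article tries using AWS Lambda and API Gateway as a basic API, writing an application prototype and running functions in a container called gourmet. This may not make the code easy to manage, but at least there is no need to write an API or a web application.

Just as Lambda functions run in AWS, GitHub Actions is a powerful way to manage and directly extend an application. With AWS Lambda you can hook code onto almost any event, such as EC2 creation, termination or a DNS record change. You do not need to run a server; you just load the code and it works.

The author made some attempts at this, but they needed a CI server. To have a testable kubernetes cluster, the author set up a private repository, which is not going to be open-sourced for now because its internals are somewhat messy.

In any case, here is the project folder: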

    ├── .github
    │   ├── actions
    │   │   ├── deploy
    │   │   │   ├── deploy
    │   │   │   └── Dockerfile
    │   │   └── dryrun
    │   │       ├── Dockerfile
    │   │       └── dryrun
    │   └── main.workflow
    └── kubernetes
        ├── digitalocean.yaml
        ├── external-dns.yaml
        ├── micro.yaml
        ├── namespaces.yaml
        ├── nginx.yaml
        └── openvpn.yaml

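The kubernetes directory contains everything that is installed in the cluster. For every new push to this repository, we need to check whether it can be applied to the kubernetes cluster with the command kubectl apply -f ./kubernetes --dry-run, and when a PR is merged, the changes are applied.

So the author created the workflows in .github/main.workflow: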

    ## Workflow defines what we want to call a set of actions.

    ## For every new push check if the changes can be applied to kubernetes
    ## using the action called: kubectl dryrun
    workflow "after a push check if they apply to kubernetes" {
      on = "push"
      resolves = ["kubectl dryrun"]
    }

    ## When a PR is merged trigger the action: kubectl deploy. To apply the new code to master.
    workflow "on merge to master deploy on kubernetes" {
      on = "pull_request"
      resolves = ["kubectl deploy"]
    }

    ## This is the action that checks if the push can be applied to kubernetes
    action "kubectl dryrun" {
      uses = "./.github/actions/dryrun"
      secrets = ["KUBECONFIG"]
    }

    ## This is the action that applies the change to kubernetes
    action "kubectl deploy" {
      uses = "./.github/actions/deploy"
      secrets = ["KUBECONFIG"]
    }

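secrets is a set of environment variables whose values can be set from outside. If GitHub Actions is enabled for the account, the Settings page of every repository has a new tab called secrets.

In this example the author set KUBECONFIG to the base64 encoding of the kubeconfig file, which lets the GitHub Action authenticate to the Kubernetes cluster.

The two actions are similar. The first one lives in the .github/actions/dryrun directory: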

    ├── .github
        ├── actions
            └── dryrun
                ├── Dockerfile
                └── dryrun

It contains a Dockerfile:

    FROM alpine:latest

    ## The action name displayed by GitHub
    LABEL "com.github.actions.name"="kubectl dryrun"
    ## The description for the action
    LABEL "com.github.actions.description"="Check the kubernetes change to apply."
    ## https://developer.github.com/actions/creating-github-actions/creating-a-docker-container/#supported-feather-icons
    LABEL "com.github.actions.icon"="check"
    ## The color of the action icon
    LABEL "com.github.actions.color"="blue"

    RUN     apk add --no-cache \
            bash \
            ca-certificates \
            curl \
            git \
            jq

    RUN curl -L -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubectl && \
      chmod +x /usr/bin/kubectl && \
      kubectl version --client

    COPY dryrun /usr/bin/dryrun
    CMD ["dryrun"]

As shown above, all you need is a Dockerfile, and it works the same way as docker. The CMD dryrun here is the bash script that was copied into the image:

    #!/bin/bash

    main(){
        echo ">>>> Action started"
        # Decode the secret passed by the action and paste the config in a file.
        echo "$KUBECONFIG" | base64 -d > ./kubeconfig.yaml
        echo ">>>> kubeconfig created"
        # Check if the kubernetes directory has changed
        diff=$(git diff --exit-code HEAD~1 HEAD ./kubernetes)
        if [ $? -eq 1 ]; then
            echo ">>>> Detected a change inside the kubernetes directory"
            # Apply the changes with --dry-run just to validate them
            kubectl apply --kubeconfig ./kubeconfig.yaml --dry-run -f ./kubernetes
        else
            echo ">>>> No change detected inside the ./kubernetes folder. Nothing to do."
        fi
    }

    main "$@"

The second action is almost the same. The Dockerfile is identical, but the CMD looks like this:

    #!/bin/bash

    main(){
        # Decode the secret passed by the action and paste the config in a file.
        echo "$KUBECONFIG" | base64 -d > ./kubeconfig.yaml
        # Check whether the event generated by the PR is a merge
        merged=$(jq --raw-output .pull_request.merged "$GITHUB_EVENT_PATH")
        # Retrieve the base branch for the PR because I would like to apply only PR merged to master
        baseRef=$(jq --raw-output .pull_request.base.ref "$GITHUB_EVENT_PATH")
        if [[ "$merged" == "true" ]] && [[ "$baseRef" == "master" ]]; then
            echo ">>>> PR merged into master. Shipping to k8s!"
            kubectl apply --kubeconfig ./kubeconfig.yaml -f ./kubernetes
        else
            echo ">>>> Nothing to do here!"
        fi
    }

    main "$@"
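
Both scripts above decode the KUBECONFIG secret into ./kubeconfig.yaml in the working directory and carry on even if decoding fails. The following is an added example, not part of the original post: the function names write_kubeconfig and with_kubeconfig are hypothetical, and it shows one way to decode the secret into a private temporary file, stop when the secret is missing or malformed, and delete the credentials afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): safer handling of the
# base64-encoded KUBECONFIG secret used by the dryrun and deploy scripts.

# write_kubeconfig: decode $KUBECONFIG into a private temp file and print
# the file's path. Returns non-zero and leaves no file behind when the
# secret is unset, empty, or not valid base64.
write_kubeconfig() {
    if [ -z "${KUBECONFIG:-}" ]; then
        echo ">>>> KUBECONFIG secret is empty or not set" >&2
        return 1
    fi
    # Subshell: the umask change and local names do not leak to the caller.
    (
        umask 077
        file=$(mktemp "${TMPDIR:-/tmp}/kubeconfig.XXXXXX") || exit 1
        if ! printf '%s' "$KUBECONFIG" | base64 -d > "$file" 2>/dev/null \
            || [ ! -s "$file" ]; then
            rm -f "$file"
            echo ">>>> KUBECONFIG secret is not valid base64" >&2
            exit 1
        fi
        printf '%s\n' "$file"
    )
}

# with_kubeconfig CMD...: run CMD with "--kubeconfig <file>" appended,
# then delete the decoded credentials whatever the command's outcome.
with_kubeconfig() {
    cfg=$(write_kubeconfig) || return 1
    "$@" --kubeconfig "$cfg" && status=0 || status=$?
    rm -f "$cfg"
    return "$status"
}

# Usage inside the dryrun script (kept as a comment so this file has no
# side effects when sourced):
#   with_kubeconfig kubectl apply --dry-run -f ./kubernetes
```

Because the file is created outside the checked-out repository and removed after kubectl returns, the decoded credentials are not left behind in the working directory.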

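Beyond that, there is also a generator for workflow files, and it seems to work well. secrets work out of the box and integrate with third-party services, and you can do anything you want with bash!

Reference link: https://gianarb.it/blog/kubernetes-github-action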
