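---
# Build → scan → push → deploy pipeline for the nginx image on EKS.
# Order matters: the Trivy scan (step 4) runs before the push (step 5), so an
# image with unfixed CRITICAL/HIGH findings never reaches the registry.
name: EKS CI/CD Pipeline

on:
  push:
    branches:
      - main  # Trigger the pipeline on every push to the 'main' branch

# Least-privilege token: id-token is needed for the OIDC exchange with AWS,
# contents:read is enough for checkout; nothing here writes back to the repo.
permissions:
  id-token: write  # This is required for requesting the JWT
  contents: read

env:
  AWS_REGION: us-east-1
  EKS_CLUSTER_NAME: eks-git-cicd
  # Use the full ECR URI
  ECR_URI: 779310096771.dkr.ecr.us-east-1.amazonaws.com/meu-repo-nginx

jobs:
  build_scan_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      # 1. AWS Authentication (OIDC) — short-lived credentials, no stored keys
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::779310096771:role/GithubActionsCI-CD-Role
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: github-actions-cicd-session

      # 2. ECR Login (for Push/Pull)
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      # 3. Build Docker Image
      - name: Build Docker Image
        id: build-image
        env:
          IMAGE_TAG: ${{ github.sha }}  # Use the commit SHA as a unique tag
        run: |
          docker build -t "$ECR_URI:latest" .
          docker tag "$ECR_URI:latest" "$ECR_URI:$IMAGE_TAG"
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      # 4. Security Scan (Trivy)
      # NOTE(review): @master is a mutable ref — pin this action to a release
      # tag or commit SHA so the scanner cannot change underneath the pipeline.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.ECR_URI }}:${{ steps.build-image.outputs.image_tag }}
          format: 'table'
          exit-code: '1'  # Fail the pipeline
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

      # 5. Push to ECR (only reached when the scan above passed)
      - name: Push Docker Image to ECR
        env:
          IMAGE_TAG: ${{ steps.build-image.outputs.image_tag }}
        run: |
          docker push "$ECR_URI:$IMAGE_TAG"
          docker push "$ECR_URI:latest"

      # 6. Deploy to EKS
      # Ensures the kubectl binary is available in the PATH
      - name: Install kubectl
        uses: azure/setup-kubectl@v4

      # ESSENTIAL: Authenticates with EKS using AWS/OIDC credentials.
      # This command creates the necessary kubeconfig file for kubectl.
      # Workflow-level env vars are read from the shell environment rather than
      # interpolated with ${{ }} so no expression text is spliced into the script.
      - name: Get Kubeconfig for EKS Authentication
        run: |
          aws eks update-kubeconfig \
            --name "$EKS_CLUSTER_NAME" \
            --region "$AWS_REGION" \
            --alias eks-cicd-context

      - name: Deploy to Kubernetes
        env:
          K8S_IMAGE: ${{ env.ECR_URI }}:${{ steps.build-image.outputs.image_tag }}
        run: |
          echo "Starting EKS Deployment with image: $K8S_IMAGE"
          kubectl apply -f configmap.yaml
          kubectl apply -f service.yaml
          kubectl apply -f deployment.yaml
          kubectl set image deployment/nginx-githubactions "meu-nginx-container=$K8S_IMAGE"
          kubectl apply -f hpa.yaml
          # Block until the new ReplicaSet is rolled out; without this the job
          # reports success even when the new pods never become Ready
          # (e.g. image pull or crash loop). Timeout is a constructed default.
          kubectl rollout status deployment/nginx-githubactions --timeout=300s

      # 7. Display LoadBalancer Endpoint
      - name: Display LoadBalancer Endpoint
        id: get-lb-endpoint
        env:
          SERVICE_NAME: nginx-web-service  # Name of the Service in your service.yaml
        run: |
          echo "Waiting for Load Balancer DNS to be provisioned..."
          MAX_RETRIES=12 # Tentar por 12 vezes
          SLEEP_TIME=10 # Esperar 10 segundos entre as tentativas (Total: 120 segundos)
          LOAD_BALANCER_DNS=""
          RETRY_COUNT=0
          while [ "$RETRY_COUNT" -lt "$MAX_RETRIES" ]; do
            LOAD_BALANCER_DNS=$(kubectl get svc "$SERVICE_NAME" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null)
            if [ -n "$LOAD_BALANCER_DNS" ]; then
              # ::set-output is deprecated; write the step output through
              # $GITHUB_OUTPUT, the same mechanism the build step already uses.
              echo "load_balancer_url=http://$LOAD_BALANCER_DNS" >> "$GITHUB_OUTPUT"
              echo "Load Balancer DNS encontrado após $RETRY_COUNT tentativas."
              break
            fi
            echo "Tentativa $((RETRY_COUNT + 1)) de $MAX_RETRIES: DNS ainda não disponível. Esperando $SLEEP_TIME segundos..."
            sleep "$SLEEP_TIME"
            RETRY_COUNT=$((RETRY_COUNT + 1))
          done
          if [ -z "$LOAD_BALANCER_DNS" ]; then
            echo "::error::Tempo limite excedido. O Load Balancer DNS não foi provisionado após $(($MAX_RETRIES * $SLEEP_TIME)) segundos."
            exit 1
          fi
          echo "--------------------------------------------------------"
          echo "🎉 Your application is accessible at: http://$LOAD_BALANCER_DNS"
          echo "--------------------------------------------------------"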