Hi All, I have written a workflow to deploy GKE i...
Hi All, I have written a workflow that deploys GKE infrastructure in GCP and then installs a Helm chart on the cluster. Please review it and help me make it production-ready.
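---
# Provisions a GKE cluster with Pulumi and installs the application Helm
# chart on it. Runs on a self-hosted runner, so every /home/itadmin/... path
# below is a location on that machine chosen by the author.
name: Deploy GKE and Chart

# NOTE(review): a push to ANY branch runs the deploy (or the destroy, when
# vars.ACTION is 'destroy') against the dev environment, and pull requests
# from those same branches trigger a second run. "*" also does not match
# branch names containing "/" — use "**" if that is intended. Before calling
# this production-ready, restrict push.branches to the branches that may
# reach dev, or move to workflow_dispatch with an explicit action input.
on:
  push:
    branches: ["*"]
  pull_request:
    # Exclude release-version branches and main
    branches-ignore:
      - main
      - "v*.*"

jobs:
  pulumi-up:
    name: pulumi-up
    # Self-hosted runner: files written to the runner's home directory
    # persist between jobs unless the final cleanup step removes them.
    runs-on: gcp-pulumi-runner-label-1
    # Protection rules configured on the "dev" environment (required
    # reviewers, deployment branches) are the only gate in front of
    # `pulumi up` / `pulumi destroy`.
    environment: dev

    env:
      # 'up' provisions and deploys, 'destroy' tears the stack down; any
      # other value only prepares the stack configuration.
      ACTION: ${{ vars.ACTION }}
      GCP_PROJECT: ${{ vars.GCP_PROJECT }}
      GCP_ZONE: ${{ vars.GCP_ZONE }}
      GCP_SERVICE_ACCOUNT: ${{ vars.GCP_SERVICE_ACCOUNT }}
      GKE_CLUSTER_NAME: ${{ vars.GKE_CLUSTER_NAME }}
      MACHINE_TYPE: ${{ vars.MACHINE_TYPE }}
      NETWORK: ${{ vars.NETWORK }}
      NODE_COUNT: ${{ vars.NODE_COUNT }}
      PULUMI_STACK: ${{ vars.PULUMI_STACK }}
      SUB_NETWORK: ${{ vars.SUB_NETWORK }}
      NAMESPACE: ${{ vars.NAMESPACE }}
      # Secrets: never echoed; written to disk only with 0600 permissions
      # and removed again in the cleanup step.
      PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
      GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
      GCR_BLACKJACK_SA: ${{ secrets.GCR_BLACKJACK_SECRET }}

    # `bash -eo pipefail` for every run step, matching the explicit
    # `shell: bash` the stack check already used.
    defaults:
      run:
        shell: bash

    steps:
      - name: Write GCP service-account key
        # printf instead of echo: the JSON key contains "\n" escape
        # sequences that some echo implementations would interpret.
        run: |
          mkdir -p /home/itadmin/sa
          (umask 077; printf '%s\n' "$GCP_CREDENTIALS" > /home/itadmin/sa/service-account-key.json)
          chmod 600 /home/itadmin/sa/service-account-key.json

      - name: Write GCR pull service-account key
        run: |
          mkdir -p /home/itadmin/sa
          (umask 077; printf '%s\n' "$GCR_BLACKJACK_SA" > /home/itadmin/sa/blackjack-account-key.json)
          chmod 600 /home/itadmin/sa/blackjack-account-key.json

      - name: Print non-secret configuration
        # Secret values are deliberately not printed: GitHub's log masking
        # is best-effort and does not cover every transformation of a value.
        # Only their presence is reported.
        run: |
          echo "GCP_PROJECT...$GCP_PROJECT"
          echo "GCP_ZONE...$GCP_ZONE"
          echo "GCP_SERVICE_ACCOUNT...$GCP_SERVICE_ACCOUNT"
          echo "GKE_CLUSTER_NAME...$GKE_CLUSTER_NAME"
          echo "MACHINE_TYPE...$MACHINE_TYPE"
          echo "NETWORK...$NETWORK"
          echo "NODE_COUNT...$NODE_COUNT"
          echo "PULUMI_STACK...$PULUMI_STACK"
          echo "SUB_NETWORK...$SUB_NETWORK"
          echo "NAMESPACE...$NAMESPACE"
          echo "PULUMI_ACCESS_TOKEN set: $([ -n "$PULUMI_ACCESS_TOKEN" ] && echo yes || echo no)"
          echo "GCP_CREDENTIALS set: $([ -n "$GCP_CREDENTIALS" ] && echo yes || echo no)"
          echo "GCR_BLACKJACK_SA set: $([ -n "$GCR_BLACKJACK_SA" ] && echo yes || echo no)"

      - name: Checkout repository
        # Consider pinning the action to a full commit SHA instead of a
        # moving tag so the checked-out code cannot change underneath you.
        uses: actions/checkout@v3

      - name: Print current working directory
        run: pwd

      - name: Check Pulumi version
        run: pulumi version

      - name: Check gcloud version
        run: gcloud --version

      - name: Check if stack exists
        id: check_stack
        # The list is captured first so that grep -q closing the pipe early
        # cannot fail the pipeline under pipefail. The pattern anchors on the
        # NAME column ("dev", or "dev*" for the selected stack) so that "dev"
        # no longer matches "dev2" or "dev-old" — assumes the default
        # `pulumi stack ls` table layout; confirm for your backend.
        run: |
          stacks="$(pulumi stack ls)"
          if grep -qE "^${PULUMI_STACK}\*?[[:space:]]" <<< "$stacks"; then
            echo "result=STACK_DOES_EXIST" >> "$GITHUB_OUTPUT"
          else
            echo "result=STACK_DOES_NOT_EXIST" >> "$GITHUB_OUTPUT"
          fi

      - name: Print stack existence check result
        run: |
          echo "Stack existence check result: ${{ steps.check_stack.outputs.result }}"

      - name: Initialize Pulumi stack if it doesn't exist
        if: steps.check_stack.outputs.result == 'STACK_DOES_NOT_EXIST'
        run: |
          echo "Initializing Pulumi stack since it doesn't exist..."
          pulumi stack init "$PULUMI_STACK"

      - name: Create pulumi configuration
        run: |
          pulumi stack select --stack "$PULUMI_STACK" --non-interactive
          pulumi config set gcp:project "$GCP_PROJECT"
          pulumi config set gcp:zone "$GCP_ZONE"
          pulumi config set gcp:credentials /home/itadmin/sa/service-account-key.json
          gcloud auth activate-service-account "$GCP_SERVICE_ACCOUNT" --key-file=/home/itadmin/sa/service-account-key.json

      - name: Deploy GKE resources
        if: env.ACTION == 'up'
        run: |
          pulumi up --yes --logtostderr --non-interactive

      - name: Destroy GKE resources
        if: env.ACTION == 'destroy'
        run: |
          pulumi destroy --yes --logtostderr --non-interactive

      - name: Configure kubeconfig and get nodes
        if: env.ACTION == 'up'
        # The kubeconfig contains cluster credentials, so it is written
        # straight to ~/.kube/config with 0600 permissions instead of going
        # through a copy (cluster.conf) left behind in the checked-out
        # workspace.
        run: |
          mkdir -p /home/itadmin/.kube /home/itadmin/ws
          (umask 077; pulumi stack output kubeconfig --show-secrets > /home/itadmin/.kube/config)
          chmod 600 /home/itadmin/.kube/config
          gcloud auth activate-service-account "$GCP_SERVICE_ACCOUNT" --key-file=/home/itadmin/sa/service-account-key.json
          kubectl get nodes > /home/itadmin/ws/node-info.html

      - name: Ensure application namespace exists
        if: env.ACTION == 'up'
        run: |
          if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
            echo "Namespace $NAMESPACE does not exist. Creating..."
            kubectl create namespace "$NAMESPACE"
          else
            echo "Namespace $NAMESPACE already exists. Skipping creation..."
          fi

      - name: Install cert-manager
        if: env.ACTION == 'up'
        # NOTE(review): cert-manager-setup.sh is downloaded at run time and
        # executed against the cluster without any integrity check, and the
        # sed edits that strip its interactive prompts silently stop working
        # if the upstream script changes. Vendor a reviewed copy into the repo
        # (or verify a known checksum) before running it. Also confirm that
        # the pinned CRD version matches the cert-manager version the script
        # installs.
        run: |
          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.5.5/cert-manager.crds.yaml
          echo "Applied cert-manager CRDs..."
          helm repo add jetstack https://charts.jetstack.io
          echo "Helm repo jetstack added ..."
          helm repo update
          echo "helm repo updated..."
          if ! kubectl get namespace cert-manager &> /dev/null; then
            echo "Namespace cert-manager does not exist. Creating..."
            kubectl create namespace cert-manager
          else
            echo "Namespace cert-manager already exists. Skipping creation..."
          fi
          # -O overwrites a leftover copy from a previous run on the same
          # runner instead of creating cert-manager-setup.sh.1.
          wget -q -O cert-manager-setup.sh https://hclcr.io/files/sofy/scripts/cert-manager-setup.sh
          sed -i "/read/d" cert-manager-setup.sh
          sed -i "s/DELETION=.*/DELETION=Y/" cert-manager-setup.sh
          sed -i "s/DELETION^^/DELETION/g" cert-manager-setup.sh
          chmod +x cert-manager-setup.sh
          # helm status exits non-zero when the release is absent; unlike
          # `helm ls | grep -q` it is an exact name match and pipefail-safe.
          if helm status cert-manager -n cert-manager &> /dev/null; then
            echo "Chart cert-manager exists."
          else
            echo "Chart cert-manager does not exist. Deploying cert manager..."
            # tee keeps the log file and still shows the output in the job
            # log when the script fails (the old redirect hid it under -e).
            ./cert-manager-setup.sh 2>&1 | tee cert-manager-setup.log
          fi
          echo "Cert manager installed..."

      - name: Apply Emissary CRDs
        if: env.ACTION == 'up'
        run: |
          kubectl apply -f https://app.getambassador.io/yaml/emissary/2.2.2/emissary-crds.yaml
          echo "Emissary CRDS applied..."

      - name: Create GCR image-pull secret
        if: env.ACTION == 'up'
        # The existence check looks in $NAMESPACE, the namespace the secret is
        # created in; the original checked a hard-coded "hxbf-1" and would try
        # to recreate the secret whenever the two differed.
        # NOTE(review): passing the key via --docker-password exposes it in the
        # runner's process list for the duration of the call.
        run: |
          if kubectl get secret gcr-secret -n "$NAMESPACE" &> /dev/null; then
            echo "gcr-secret already exists. Skipping installation..."
          else
            echo "gcr-secret does not exist. Creating..."
            kubectl create secret docker-registry gcr-secret \
              --docker-server=gcr.io \
              --docker-username=_json_key \
              --docker-password="$(cat /home/itadmin/sa/blackjack-account-key.json)" \
              -n "$NAMESPACE"
          fi
          echo "Created GCP secret..."

      - name: Install NFS server provisioner
        if: env.ACTION == 'up'
        # Same fix as the secret step: the release check and the install now
        # use the same namespace. NOTE(review): the "stable" chart repository
        # is archived, so this chart receives no further updates.
        run: |
          helm repo add stable https://charts.helm.sh/stable
          echo "Helm repo stable added..."
          helm repo update
          echo "helm repo updated..."
          if helm status nfs-server -n "$NAMESPACE" &> /dev/null; then
            echo "nfs-server already exists. Skipping installation..."
          else
            echo "nfs-server does not exist. Installing..."
            helm install nfs-server stable/nfs-server-provisioner \
              --set persistence.enabled=true,persistence.storageClass=standard,persistence.size=200Gi \
              -n "$NAMESPACE"
          fi
          echo "NFS configured..."

      - name: Deploy application Helm chart
        if: env.ACTION == 'up'
        # `upgrade --install` makes reruns idempotent (plain `helm install`
        # fails once the release exists); tee keeps the log file and still
        # shows the output in the job log when the install fails.
        run: |
          helm upgrade --install bf-mcm /home/itadmin/sofy/chart.tgz -n "$NAMESPACE" 2>&1 | tee helm_install.log
          echo "Installed helm chart..."

      - name: Remove service-account keys from the runner
        # Self-hosted runner: the key files must not outlive the job.
        # gcloud's own credential store (~/.config/gcloud) and ~/.kube/config
        # are left in place because later manual work on the runner may rely
        # on them; revisit that if the runner is shared.
        if: always()
        run: |
          rm -f /home/itadmin/sa/service-account-key.json /home/itadmin/sa/blackjack-account-key.json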