- pull the repository
  `git clone git@github.com:Revolgy-Business-Solutions/circle-eks-helpers.git`
- update the orb yaml file
- create the development version
  `circleci orb publish k8s.yml revolgy-business-solutions/eks-helpers@dev:0.0.2(3,4,...)`
- promote development version to the production release
  `circleci orb publish promote revolgy-business-solutions/eks-helpers@dev:0.0.2 patch`
- push the changes back to the repository
Creates an AWS configuration in `~/aws/` with two entries:

- `main` with the actual AWS credentials (supplied by parameters `aws_access_key_id` and `aws_secret_access_key`) and AWS region (supplied by parameter `aws_region`)
- `current` inherits from `main` and it also contains role arn (if supplied by `aws_assume_role_arn`)
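The two-profile layout described above, sketched as an added shell example (not the orb's own code). The function name `write_aws_profiles`, the target directory argument and the use of the AWS CLI shared `config`/`credentials` file format are assumptions.

```shell
#!/bin/sh
# Added example (not the orb's code): write the "main" and "current" profiles
# in the AWS CLI shared config/credentials format. Layout is an assumption.

# write_aws_profiles DIR REGION [ROLE_ARN]
# The key pair is read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the
# environment, so it never shows up in a process argument list.
write_aws_profiles() {
    dir=$1; region=$2; role_arn=${3:-}
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS credentials missing from environment" >&2
        return 1
    fi
    # An optional role ARN must look like an IAM role ARN (standard partition).
    case $role_arn in
        ''|arn:aws:iam::[0-9]*:role/?*) ;;
        *) echo "unexpected role ARN: $role_arn" >&2; return 1 ;;
    esac
    (
        umask 077    # newly created files are readable by the owner only
        mkdir -p "$dir" || exit 1
        keys=$(printf 'aws_access_key_id = %s\naws_secret_access_key = %s' \
            "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY")
        {
            printf '[main]\n%s\n' "$keys"
            # Without role_arn the CLI ignores source_profile, so "current"
            # gets its own copy of the key pair in that case.
            [ -n "$role_arn" ] || printf '\n[current]\n%s\n' "$keys"
        } > "$dir/credentials"
        {
            printf '[profile main]\nregion = %s\n\n' "$region"
            printf '[profile current]\nregion = %s\n' "$region"
            [ -z "$role_arn" ] ||
                printf 'source_profile = main\nrole_arn = %s\n' "$role_arn"
        } > "$dir/config"
    )
}
```

Region is written to both profiles because it is not inherited through `source_profile`.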
Decrypts encrypted YAML or JSON with SOPS.

It requires an AWS configuration since the encryption is done via AWS Key Management Service. Creation of the AWS config file is handled by the `configure_aws` command.

The command automatically uses the `current` profile with assume role. Specify `aws_profile: main` if you don't need this functionality.
Example with `current` profile:

```yaml
steps:
  - aws_decrypt:
      input_file_path: << parameters.values_prefix >>/secret.enc.yaml
      output_file_path: << parameters.values_prefix >>/secret.yaml
```

Example with `main` profile:

```yaml
steps:
  - aws_decrypt:
      input_file_path: << parameters.values_prefix >>/secret.enc.yaml
      output_file_path: << parameters.values_prefix >>/secret.yaml
      aws_profile: main
```
If you're not happy with the default SOPS version (3.3.0), you can specify a custom release URL with the parameter `sops_release_url`.
Builds a Docker image from the specified Dockerfile (supplied by parameter `docker_dockerfile`) and puts the packed Docker image into the Circle CI workspace.
The built image is named and tagged with the supplied parameters `docker_image_name` and `docker_image_tag`.

```yaml
steps:
  - eks-helpers/build_docker:
      docker_dockerfile: Dockerfile
      docker_image_name: *docker_image_name
      docker_image_tag: $CIRCLE_SHA1
```

Pushes the Docker image previously persisted to the Circle CI workspace to AWS ECR.
The name of the repository is derived from the `aws_account_id`, `aws_region` and the image's name.

```yaml
steps:
  - eks-helpers/push_ecr:
      aws_assume_role_arn: *role_arn_staging_asia
      aws_access_key_id: ${AWS_ACCESS_KEY_ID}
      aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
      aws_account_id: *account_id_staging_asia
      aws_region: *region_staging_asia
      docker_image_name: *docker_image_name
      docker_image_tag: $CIRCLE_SHA1
```

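
How a repository address can be derived from the account id, region and image name that `push_ecr` takes, as an added shell example (not the orb's own code). The function names `matches` and `ecr_image_ref` are hypothetical, the sample values are constructed, and the standard `amazonaws.com` registry host format is assumed.

```shell
#!/bin/sh
# Added example (not the orb's code): derive the ECR image reference from
# account id, region, image name and tag, validating each part first.

# Whole-string ERE match. Values containing a newline are rejected up front,
# because grep matches line by line and would accept "123456789012\n<junk>".
matches() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^($2)\$"
}

# ecr_image_ref ACCOUNT_ID REGION IMAGE_NAME IMAGE_TAG
# Prints <account>.dkr.ecr.<region>.amazonaws.com/<name>:<tag>
# (standard AWS partition assumed) or returns 1 on an invalid part.
ecr_image_ref() {
    name_part='[a-z0-9]+([._-][a-z0-9]+)*'
    matches "$1" '[0-9]{12}' ||
        { echo "account id must be 12 digits" >&2; return 1; }
    matches "$2" '[a-z]{2}(-[a-z]+)+-[0-9]+' ||
        { echo "unexpected region: $2" >&2; return 1; }
    matches "$3" "$name_part(/$name_part)*" ||
        { echo "invalid repository name: $3" >&2; return 1; }
    matches "$4" '[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}' ||
        { echo "invalid image tag" >&2; return 1; }
    printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample values, shown when the file is run directly.
ecr_image_ref 123456789012 ap-southeast-1 my-app 0123abc
```

Validating each part before building the reference keeps a malformed parameter from redirecting the push to a different registry host or repository.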
Obtains the Helm chart from the s3 repository. Once the chart is obtained, it's persisted to the Circle CI workspace so downstream jobs can use it to install or upgrade Helm releases.

Please note that we have only two Helm repositories:

s3 bucket | AWS account | AWS region |
---|---|---|
`s3://purple-tech-helm-prod-fr` | purple-trading | eu-central-1 |
`s3://purple-tech-helm-prod-sg` | axiory | ap-southeast-1 |

```yaml
steps:
  - eks-helpers/obtain_helm_chart:
      aws_assume_role_arn: *role_arn_production_asia
      aws_access_key_id: ${AWS_ACCESS_KEY_ID}
      aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
      aws_region: *region_production_asia
      helm_chart_version: *helm_chart_version
      helm_chart_name: *helm_chart_name
      helm_s3_bucket: *repository_bucket_asia
```

Decrypts SOPS secrets files with the command `aws_decrypt` and persists them to the Circle CI workspace. Output secrets always have the same path: `/tmp/out/secret.yaml`

```yaml
steps:
  - eks-helpers/decrypt_secrets:
      input_file_path: Helm/values/production-asia/secret.enc.yaml
      aws_assume_role_arn: *role_arn_production_asia
      aws_access_key_id: ${AWS_ACCESS_KEY_ID}
      aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
      aws_region: *region_production_asia
```

Deploys `chart-php` to the EKS cluster. It always requires a workspace with a persisted Helm chart (please see `obtain_helm_chart`) and optionally decrypted secrets (please see `decrypt_secrets`).
If you don't need secrets, just skip the `secrets_path` parameter.

Additional configuration parameters:

parameter | type | description |
---|---|---|
`kubernetes_namespace_override` | string | useful when you want to deploy the Helm release to the namespace of your choice |
`helm_additional_params` | string | useful for supplying additional Helm params e.g. `--recreate-pods` |
`helm_release_suffix` | string | use this parameter when you want to distinguish releases from the same git branch e.g. `eu` or `asia` |
`force_upgrade` | boolean | appends `--force` to the upgrade command if set to `true`, default value is `false` |
`preview` | boolean | passes value `preview.enabled=true` to the Helm chart, default value is `false` |
`dry_run` | boolean | when set to `true`, it appends `--dry-run` to the upgrade command so no changes are made by executing the deploy step, default value is `false` |

```yaml
steps:
  - eks-helpers/helm_deploy_php_simple:
      aws_region: *region_production_eu
      aws_access_key_id: ${AWS_ACCESS_KEY_ID}
      aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
      aws_assume_role_arn: *role_arn_production_eu
      aws_account_id: *account_id_production_eu
      app_name: *app_name
      values_path: Helm/values/production-eu/main.yaml
      secrets_path: /tmp/out/secret.yaml
      docker_image_nginx_name: *docker_image_nginx_name
      docker_image_nginx_tag: $CIRCLE_SHA1
      docker_image_fpm_name: *docker_image_fpm_name
      docker_image_fpm_tag: $CIRCLE_SHA1
      cluster_name: *cluster_name_production
      helm_chart_name: *helm_chart_name
      helm_chart_version: *helm_chart_version
      dry_run: false
      preview: false
```

Deploys `chart-nodejs` to the EKS cluster. It always requires a workspace with a persisted Helm chart (please see `obtain_helm_chart`) and optionally decrypted secrets (please see `decrypt_secrets`).
If you don't need secrets, just skip the `secrets_path` parameter.

Additional configuration parameters:

parameter | type | description |
---|---|---|
`kubernetes_namespace_override` | string | useful when you want to deploy the Helm release to the namespace of your choice |
`helm_additional_params` | string | useful for supplying additional Helm params e.g. `--recreate-pods` |
`helm_release_suffix` | string | use this parameter when you want to distinguish releases from the same git branch e.g. `eu` or `asia` |
`force_upgrade` | boolean | appends `--force` to the upgrade command if set to `true`, default value is `false` |
`preview` | boolean | passes value `preview.enabled=true` to the Helm chart, default value is `false` |
`dry_run` | boolean | when set to `true`, it appends `--dry-run` to the upgrade command so no changes are made by executing the deploy step, default value is `false` |
`helm_release_name_override` | string | set when you don't want to use the deterministic naming convention for the Helm release name |
`branch_name_override` | string | set when you don't want to use the actual branch name in the application hostname e.g. `staging` |

```yaml
steps:
  - eks-helpers/helm_deploy_node_simple:
      requires: ["approve_production"]
      name: deploy_production
      aws_region: *region_production_asia
      aws_access_key_id: ${AWS_ACCESS_KEY_ID}
      aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
      aws_assume_role_arn: *role_arn_production_asia
      aws_account_id: *account_id_production_asia
      app_name: *app_name
      values_path: Helm/values/production-asia/main.yaml
      secrets_path: /tmp/out/secret.yaml
      docker_image_name: *docker_image_name
      docker_image_tag: $CIRCLE_SHA1
      cluster_name: *cluster_name_production_asia
      helm_chart_name: *helm_chart_name
      helm_chart_version: *helm_chart_version
      dry_run: false
      preview: false
```