Add K8S pipeline (#4)

create1st · web-flow · commit f81b04d34fbe · 2021-03-20T20:18:00.000+11:00
K8S pipeline
diff --git a/.buildkite/pipeline-aws-ops.yaml b/.buildkite/pipeline-aws-ops.yaml
@@ -1,36 +1,38 @@
 env:
-  ACTION_AWS_ROTATE_SECRETS: 'rotate-secrets'
+  BUILDKITE_CLEAN_CHECKOUT: true
 
-  PROFILE_DEV: 'dev'
+  AWS_ACTION_ROTATE_SECRETS: 'rotate-secrets'
 
-  AGENT_DEVOPS: 'dev-ops'
+  AWS_IAM_ACCOUNT_DEV: 'AWS_IAM_ACCOUNT_DEV'
+
+  BK_AGENT_DEVOPS: 'dev-aws-ops'
 steps:
-  - block: 'DevOps'
+  - block: ':aws: DevOps'
     fields:
       - select: 'Select operation'
         options:
           - label: 'Rotate secrets'
             value: ${ACTION_AWS_ROTATE_SECRETS}
-        key: DEVOPS_ACTION
+        key: AWS_ACTION
         requires: true
       - select: 'Select environment'
         options:
           - label: 'Development'
-            value: ${PROFILE_DEV}
-        key: DEVOPS_PROFILE
+            value: ${AWS_IAM_ACCOUNT_DEV}
+        key: AWS_IAM_ACCOUNT
         requires: true
       - text: 'Reason?'
-        key: DEVOPS_ACTION_REASON
+        key: BK_ACTION_REASON
         required: true
   
-  - label: 'DevOps Apply'
+  - label: ':aws: DevOps Apply'
     branches: 'main'
     command: '.buildkite/scripts/aws-ops.sh'
     agents:
-      queue: ${AGENT_DEVOPS}
+      queue: ${BK_AGENT_DEVOPS}
       
-  - label: 'Annotate build'
+  - label: ':buildkite: Annotate build'
     branches: 'main'
     command: '.buildkite/scripts/bk-annotate.sh'
     agents:
-      queue: ${AGENT_DEVOPS}
+      queue: ${BK_AGENT_DEVOPS}
diff --git a/.buildkite/pipeline-k8s-ops.yaml b/.buildkite/pipeline-k8s-ops.yaml
@@ -0,0 +1,41 @@
+env:
+  BUILDKITE_CLEAN_CHECKOUT: true
+  
+  K8S_ACTION_START: 'start'
+  K8S_ACTION_STOP: 'stop'
+
+  AWS_IAM_ACCOUNT_DEV: 'AWS_IAM_ACCOUNT_DEV'
+
+  BK_AGENT_DEVOPS: 'dev-k8s-ops'
+steps:
+  - block: ':k8s: DevOps'
+#    branches: "main"
+    fields:
+      - select: 'Select operation'
+        options:
+          - label: 'Start'
+            value: ${K8S_ACTION_START}
+          - label: 'Stop'
+            value: ${K8S_ACTION_STOP}
+        key: K8S_ACTION
+        requires: true
+      - select: 'Select environment'
+        options:
+          - label: 'Development'
+            value: ${AWS_IAM_ACCOUNT_DEV}
+        key: AWS_IAM_ACCOUNT
+        requires: true
+      - text: 'Reason?'
+        key: BK_ACTION_REASON
+        required: true
+
+  - label: ':k8s: Starting action'
+    command: '.buildkite/scripts/k8s-ops.sh'
+    agents:
+      queue: ${BK_AGENT_DEVOPS}
+
+  - label: ':buildkite: Annotate build'
+    #    branches: 'main'
+    command: '.buildkite/scripts/bk-annotate.sh'
+    agents:
+      queue: ${BK_AGENT_DEVOPS}
diff --git a/.buildkite/pipeline.yaml b/.buildkite/pipeline.yaml
@@ -1,20 +1,23 @@
 env:
+  BUILDKITE_CLEAN_CHECKOUT: true
+
   INFRA_PATH: 'infrastructure'
-  AGENT_GLOBAL: 'global'
+
+  BK_AGENT_GLOBAL: 'global'
 steps:
-  - label: "Triggering pipelines"
+  - label: ":buildkite: Triggering pipelines"
     plugins:
       - chronotc/monorepo-diff#1.3.2:
           diff: "git diff --name-only HEAD~1" # ".buildkite/scripts/diff-against-last-successful-build.sh"
           watch:
             - path: infrastructure/terraform/
               config:
                 command: "buildkite-agent pipeline upload ${INFRA_PATH}/.buildkite/pipeline.yaml"
-                label: "Triggered infrastructure update"
+                label: ":terraform: Triggered infrastructure update"
                 env:
                   - INFRA_PATH
     agents:
-      queue: ${AGENT_GLOBAL}
+      queue: ${BK_AGENT_GLOBAL}
 
 #          wait: ~
 
diff --git a/.buildkite/scripts/aws-assume-role.sh b/.buildkite/scripts/aws-assume-role.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -uexo pipefail
+
+AWS_SECRET_ID="docker-localstack-aws-secret"
+AWS_IAM_ROLE_NAME="docker-localstack-aws-role"
+
+AWS_IAM_ACCOUNT=$(buildkite-agent meta-data get "AWS_IAM_ACCOUNT")
+
+echo "Assuming role: '${AWS_IAM_ACCOUNT}'"
+echo "Build: ${BUILDKITE_BUILD_NUMBER}"
+
+AWS_IAM_ROLE="arn:aws:iam::${AWS_IAM_ACCOUNT}:role/${AWS_IAM_ROLE_NAME}"
+AWS_IAM_ROLE_JSON=$(aws sts assume-role --role-arn ${AWS_IAM_ROLE} --role-session-name "buildkite-pipeline-devops-build-${BUILDKITE_BUILD_NUMBER}" --query Credentials)
+export AWS_SESSION_TOKEN=$(echo ${AWS_IAM_ROLE_JSON} | jq -r .Credentials.SessionToken)
+export AWS_ACCESS_KEY_ID=$(echo ${AWS_IAM_ROLE_JSON} | jq -r .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo ${AWS_IAM_ROLE_JSON} | jq -r .Credentials.SecretAccessKey)
+
+echo "Using AWS credentials:"
+echo "  AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}"
+echo "  AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
+echo "  AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
diff --git a/.buildkite/scripts/aws-ops.sh b/.buildkite/scripts/aws-ops.sh
@@ -2,53 +2,24 @@
 
 set -uexo pipefail
 
-AWS_SECRET_ID="docker-localstack-secret"
-AWS_ROLE_NAME="docker-localstack-role"
-AWS_IAM_ACCOUNT_DEV="AWS_IAM_ACCOUNT_DEV"
+AWS_ACTION_ROTATE_SECRETS="rotate-secrets"
 
-PROFILE_DEV="dev"
+AWS_ACTION=$(buildkite-agent meta-data get "AWS_ACTION")
 
-ACTION_AWS_ROTATE_SECRETS="rotate-secrets"
+echo "Executing '${AWS_ACTION}'"
 
-PROFILE=$(buildkite-agent meta-data get "DEVOPS_PROFILE")
-ACTION=$(buildkite-agent meta-data get "DEVOPS_ACTION")
+.buildkite/scripts/aws-assume-role.sh
 
-echo "Executing '${ACTION}' on '${PROFILE}'"
-
-case ${PROFILE} in
-${PROFILE_DEV})
-  AWS_IAM_ACCOUNT=${AWS_IAM_ACCOUNT_DEV}
-  ;;
-
-*)
-  echo "Unknown profile: '${PROFILE}'"
-  exit 1
-  ;;
-esac
-
-echo "Build: ${BUILDKITE_BUILD_NUMBER}"
-
-AWS_IAM_ROLE="arn:aws:iam::${AWS_IAM_ACCOUNT}:role/${AWS_ROLE_NAME}"
-AWS_ROLE_JSON=$(aws sts assume-role --role-arn ${AWS_IAM_ROLE} --role-session-name "buildkite-pipeline-devops-build-${BUILDKITE_BUILD_NUMBER}" --query Credentials)
-export AWS_SESSION_TOKEN=$(echo ${AWS_ROLE_JSON} | jq -r .Credentials.SessionToken)
-export AWS_ACCESS_KEY_ID=$(echo ${AWS_ROLE_JSON} | jq -r .Credentials.AccessKeyId)
-export AWS_SECRET_ACCESS_KEY=$(echo ${AWS_ROLE_JSON} | jq -r .Credentials.SecretAccessKey)
-
-echo "Using AWS credentials:"
-echo "  AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}"
-echo "  AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
-echo "  AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
-
-case ${ACTION} in
-${ACTION_AWS_ROTATE_SECRETS})
+case ${AWS_ACTION} in
+${AWS_ACTION_ROTATE_SECRETS})
   AWS_SECRET_VALUE_JSON=$(aws secretsmanager get-secret-value --secret-id ${AWS_SECRET_ID})
   AWS_SECRET_VALUE=$(echo ${AWS_SECRET_VALUE_JSON} | jq -r ".SecretString | fromjson | .password")
   # modify resources using ${AWS_SECRET_VALUE}
   aws secretsmanager rotate-secret --secret-id ${AWS_SECRET_ID}
   ;;
 
 *)
-  echo "Unsupported operation: '${ACTION}'"
+  echo "Unsupported operation: '${AWS_ACTION}'"
   exit 1
   ;;
 esac
diff --git a/.buildkite/scripts/bk-annotate.sh b/.buildkite/scripts/bk-annotate.sh
@@ -2,6 +2,6 @@
 
 set -uexo pipefail
 
-REASON=$(buildkite-agent meta-data get "DEVOPS_ACTION_REASON")
+REASON=$(buildkite-agent meta-data get "BK_ACTION_REASON")
 
 echo ${REASON} | buildkite-agent annotate --append
diff --git a/.buildkite/scripts/k8s-ops.sh b/.buildkite/scripts/k8s-ops.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -uexo pipefail
+
+K8S_CLUSTER_NAME="docker-localstack-k8s-cluster"
+K8S_NODE_GROUP_NAME="docker-localstack-k8s-node-group"
+K8S_NODE_GROUP_SIZE="docker-localstack-k8s-node-group"
+
+K8S_ACTION_START="start"
+K8S_ACTION_STOP="stop"
+
+K8S_ACTION=$(buildkite-agent meta-data get "K8S_ACTION")
+
+echo "Executing '${K8S_ACTION}'"
+
+.buildkite/scripts/aws-assume-role.sh
+
+case ${K8S_ACTION} in
+${K8S_ACTION_STOP})
+  eksctl get cluster
+  eksctl get nodegroup --cluster ${K8S_CLUSTER_NAME}
+  eksctl scale nodegroup --cluster ${K8S_CLUSTER_NAME} --name ${K8S_NODE_GROUP_NAME} --nodes 0
+  ;;
+
+${K8S_ACTION_START})
+  eksctl get cluster
+  eksctl get nodegroup --cluster ${K8S_CLUSTER_NAME}
+  eksctl scale nodegroup --cluster ${K8S_CLUSTER_NAME} --name ${K8S_NODE_GROUP_NAME} --nodes ${K8S_NODE_GROUP_SIZE}
+  ;;
+
+*)
+  echo "Unsupported operation: '${K8S_ACTION}'"
+  exit 1
+  ;;
+esac
diff --git a/README.md b/README.md
@@ -10,12 +10,15 @@ export TF_CLI_ARGS_apply="-no-color"
 export TF_CLI_ARGS_plan="-no-color"
 bk run -E SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
 bk run .buildkite/pipeline-aws-ops.yaml
+bk run .buildkite/pipeline-k8s-ops.yaml
 ```
 
 ### Buildkite
 * https://github.com/chronotc/monorepo-diff-buildkite-plugin
 * https://github.com/buildkite-plugins/docker-compose-buildkite-plugin
 * https://github.com/buildkite-plugins/artifacts-buildkite-plugin
+* https://github.com/cultureamp/aws-assume-role-buildkite-plugin
+  https://github.com/buildkite-plugins/ecr-buildkite-plugin
 
 ### Docker
 
diff --git a/infrastructure/.buildkite/pipeline.yaml b/infrastructure/.buildkite/pipeline.yaml
@@ -3,7 +3,7 @@ env:
 
   PROFILE_DEV: 'dev'
 
-  AGENT_DEV: 'dev'
+  BK_AGENT_INFRA: 'infra'
 steps:
   - label: ':terraform: Validate'
     plugins:
@@ -12,7 +12,7 @@ steps:
         pull: validate
         run: validate
     agents:
-      queue: ${AGENT_DEV}
+      queue: ${BK_AGENT_INFRA}
     env:
       INFRA_PATH: ${INFRA_PATH:-.}
 
@@ -23,7 +23,7 @@ steps:
         pull: fmt
         run: fmt
     agents:
-      queue: ${AGENT_DEV}
+      queue: ${BK_AGENT_INFRA}
     env:
       INFRA_PATH: ${INFRA_PATH:-.}
 
@@ -38,7 +38,7 @@ steps:
           from: ${INFRA_PATH:-.}/tf-plan-dev
           to: tf-plan-dev
     agents:
-      queue: ${AGENT_DEV}
+      queue: ${BK_AGENT_INFRA}
     env:
       PROFILE: ${PROFILE_DEV}
       INFRA_PATH: ${INFRA_PATH:-.}
@@ -58,7 +58,7 @@ steps:
           from: tf-plan-dev
           to: ${INFRA_PATH:-.}/tf-plan-dev
     agents:
-      queue: ${AGENT_DEV}
+      queue: ${BK_AGENT_INFRA}
     env:
       PROFILE: ${PROFILE_DEV}
       INFRA_PATH: ${INFRA_PATH:-.}
