Set up automatic deployment to k8s

Author: pimterry

.github/workflows/build-and-deploy.yml

@@ -1,10 +1,11 @@
 name: CI
 on: [push]
 jobs:
-  publish-hidora:
-    name: Deploy to Docker Hub & Scaleway
-    if: github.event_name != 'pull_request'
+  deploy:
+    name: Publish container and deploy
+    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    environment: production
     permissions:
       contents: read
       packages: write
@@ -47,7 +48,26 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: VERSION=${{ github.sha }}
 
-      - name: Redeploy container
+      - name: Configure Kubectl
+        run: |
+          kubectl config set-cluster scw-cluster \
+            --server="${{ vars.K8S_SERVER_ADDRESS }}" \
+            --certificate-authority=<(echo "${{ vars.K8S_CA_CERT }}" | base64 -d) \
+            --embed-certs=true
+
+          kubectl config set-credentials deployer --token="${{ secrets.K8S_DEPLOY_TOKEN }}"
+
+          kubectl config set-context default --cluster=scw-cluster --user=deployer
+          kubectl config use-context default
+
+      - name: Deploy to Kubernetes
+        run: |
+          sed "s|/anonymizing-reverse-proxy:latest|/anonymizing-reverse-proxy:sha-${GITHUB_SHA::7}|g" deploy/deployment.yaml | \
+            kubectl apply -f - \
+              -f deploy/service.yaml \
+              -f deploy/routes.yaml
+
+      - name: Redeploy SCW container
         uses: httptoolkit/scaleway-serverless-container-deploy-action@v1
         with:
           container_id: ${{ vars.SCW_API_CONTAINER_ID }}

deploy/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: anonymizing-reverse-proxy
+  namespace: anonymizing-reverse-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: anonymizing-reverse-proxy
+  template:
+    metadata:
+      labels:
+        app: anonymizing-reverse-proxy
+    spec:
+      containers:
+        - name: server
+          image: ghcr.io/httptoolkit/anonymizing-reverse-proxy:latest # GHA replaces :latest on build
+          ports:
+            - containerPort: 4000
+          env:
+            - name: ports
+              value: "4000"
+            - name: ERRORS_DOMAIN
+              value: "http://errors.httptoolkit.tech"
+            - name: EVENTS_DOMAIN
+              value: "http://events.httptoolkit.tech"
+            - name: TRUSTED_PROXIES
+              value: "172.16.4.0/22"

deploy/routes.yaml

@@ -0,0 +1,23 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: anonymizing-reverse-proxy-route
+  namespace: anonymizing-reverse-proxy
+spec:
+  parentRefs:
+    - name: primary-gateway
+      namespace: gateway
+      sectionName: https-httptoolkit-tech
+    - name: secondary-gateway
+      namespace: gateway
+      sectionName: https-httptoolkit-tech
+  hostnames:
+    - "anonymizing-reverse-proxy.httptoolkit.tech"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: anonymizing-reverse-proxy
+          port: 4000

deploy/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: anonymizing-reverse-proxy
+  namespace: anonymizing-reverse-proxy
+spec:
+  selector:
+    app: anonymizing-reverse-proxy
+  ports:
+    - name: http-port
+      protocol: TCP
+      port: 4000
+      targetPort: 4000