简介
本指南介绍如何使用 GitHub Actions 构建容器化应用程序,将其推送到 Google Container Registry (GCR),并在将代码推送到 main 分支时将其部署到 Google Kubernetes Engine (GKE)。
GKE 是 Google Cloud 提供的托管 Kubernetes 集群服务,可以在云端或您自己的数据中心托管您的容器化工作负载。有关更多信息,请参阅 Google Kubernetes Engine。
注意:如果您的 GitHub Actions 工作流程需要访问支持 OpenID Connect (OIDC) 的云提供商的资源,您可以配置您的工作流程以直接向云提供商进行身份验证。这将使您不再需要将这些凭据存储为长期密钥,并提供其他安全优势。有关更多信息,请参阅 "关于使用 OpenID Connect 加固安全性的信息"
先决条件
在继续创建工作流程之前,您需要为您的 Kubernetes 项目完成以下步骤。本指南假设您的项目根目录中已存在 Dockerfile 和 Kubernetes 部署配置文件。
创建 GKE 集群
要创建 GKE 集群,您首先需要使用 gcloud CLI 进行身份验证。有关此步骤的更多信息,请参阅以下文章
例如
$ gcloud container clusters create $GKE_CLUSTER \ --project=$GKE_PROJECT \ --zone=$GKE_ZONE
$ gcloud container clusters create $GKE_CLUSTER \
--project=$GKE_PROJECT \
--zone=$GKE_ZONE
启用 API
启用 Kubernetes Engine 和 Container Registry API。例如
$ gcloud services enable \ containerregistry.googleapis.com \ container.googleapis.com
$ gcloud services enable \
containerregistry.googleapis.com \
container.googleapis.com
配置服务帐户并存储其凭据
此过程演示了如何为您的 GKE 集成创建服务帐户。它解释了如何创建帐户、向其添加角色、检索其密钥以及将它们存储为名为 GKE_SA_KEY 的 base64 编码加密存储库密钥。
-
创建一个新的服务帐户
Shell gcloud iam service-accounts create $SA_NAME
gcloud iam service-accounts create $SA_NAME -
检索您刚刚创建的服务帐户的电子邮件地址
Shell gcloud iam service-accounts list
gcloud iam service-accounts list -
向服务帐户添加角色。
注意:应用更严格的角色以满足您的要求。
Shell gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.admin gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/storage.admin gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.clusterViewer
gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.admin gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/storage.admin gcloud projects add-iam-policy-binding $GKE_PROJECT \ --member=serviceAccount:$SA_EMAIL \ --role=roles/container.clusterViewer -
下载服务帐户的 JSON 密钥文件
Shell gcloud iam service-accounts keys create key.json --iam-account=$SA_EMAIL
gcloud iam service-accounts keys create key.json --iam-account=$SA_EMAIL -
将服务帐户密钥存储为名为
GKE_SA_KEY的密钥Shell export GKE_SA_KEY=$(cat key.json | base64)
export GKE_SA_KEY=$(cat key.json | base64)有关如何存储密钥的更多信息,请参阅“在 GitHub Actions 中使用密钥”。
存储您的项目名称
将您的项目名称存储为名为 GKE_PROJECT 的密钥。有关如何存储密钥的更多信息,请参阅“在 GitHub Actions 中使用密钥”。
(可选) 配置 kustomize
Kustomize 是一种用于管理 YAML 规范的可选工具。在创建 kustomization 文件后,可以使用以下工作流动态设置映像的字段并将结果传递给 kubectl。有关更多信息,请参阅 kustomize 使用。
(可选) 配置部署环境
环境用于描述一般的部署目标,例如 production、staging 或 development。当 GitHub Actions 工作流部署到环境时,环境将显示在存储库的主页上。您可以使用环境来要求批准才能继续执行作业,限制哪些分支可以触发工作流,使用自定义部署保护规则来控制部署,或限制对密钥的访问。有关创建环境的更多信息,请参阅“使用环境进行部署”。
创建工作流
完成先决条件后,您可以继续创建工作流。
以下示例工作流演示了如何构建容器映像并将其推送到 GCR。然后,它使用 Kubernetes 工具(例如 kubectl 和 kustomize)将映像拉入集群部署。
在 env 密钥下,将 GKE_CLUSTER 的值更改为您的集群名称,将 GKE_ZONE 更改为您的集群区域,将 DEPLOYMENT_NAME 更改为您的部署名称,将 IMAGE 更改为您的映像名称。
如果您配置了部署环境,请将 environment 的值更改为您的环境名称。如果您没有配置环境,或者您的工作流位于私有存储库中,并且您没有使用 GitHub Enterprise Cloud,请删除 environment 密钥。
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
name: Build and Deploy to GKE
on:
push:
branches:
- main
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
GKE_CLUSTER: cluster-1 # Add your cluster name here.
GKE_ZONE: us-central1-c # Add your cluster zone here.
DEPLOYMENT_NAME: gke-test # Add your deployment name here.
IMAGE: static-site
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
environment: production
steps:
- name: Checkout
uses: actions/checkout@v4
# Setup gcloud CLI
- uses: google-github-actions/setup-gcloud@1bee7de035d65ec5da40a31f8589e240eba8fde5
with:
service_account_key: ${{ secrets.GKE_SA_KEY }}
project_id: ${{ secrets.GKE_PROJECT }}
# Configure Docker to use the gcloud command-line tool as a credential
# helper for authentication
- run: |-
gcloud --quiet auth configure-docker
# Get the GKE credentials so we can deploy to the cluster
- uses: google-github-actions/get-gke-credentials@db150f2cc60d1716e61922b832eae71d2a45938f
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}
credentials: ${{ secrets.GKE_SA_KEY }}
# Build the Docker image
- name: Build
run: |-
docker build \
--tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
--build-arg GITHUB_SHA="$GITHUB_SHA" \
--build-arg GITHUB_REF="$GITHUB_REF" \
.
# Push the Docker image to Google Container Registry
- name: Publish
run: |-
docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
# Set up kustomize
- name: Set up Kustomize
run: |-
curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
chmod u+x ./kustomize
# Deploy the Docker image to the GKE cluster
- name: Deploy
run: |-
./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
./kustomize build . | kubectl apply -f -
kubectl rollout status deployment/$DEPLOYMENT_NAME
kubectl get services -o wide
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
name: Build and Deploy to GKE
on:
push:
branches:
- main
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
GKE_CLUSTER: cluster-1 # Add your cluster name here.
GKE_ZONE: us-central1-c # Add your cluster zone here.
DEPLOYMENT_NAME: gke-test # Add your deployment name here.
IMAGE: static-site
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
environment: production
steps:
- name: Checkout
uses: actions/checkout@v4
# Setup gcloud CLI
- uses: google-github-actions/setup-gcloud@1bee7de035d65ec5da40a31f8589e240eba8fde5
with:
service_account_key: ${{ secrets.GKE_SA_KEY }}
project_id: ${{ secrets.GKE_PROJECT }}
# Configure Docker to use the gcloud command-line tool as a credential
# helper for authentication
- run: |-
gcloud --quiet auth configure-docker
# Get the GKE credentials so we can deploy to the cluster
- uses: google-github-actions/get-gke-credentials@db150f2cc60d1716e61922b832eae71d2a45938f
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}
credentials: ${{ secrets.GKE_SA_KEY }}
# Build the Docker image
- name: Build
run: |-
docker build \
--tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
--build-arg GITHUB_SHA="$GITHUB_SHA" \
--build-arg GITHUB_REF="$GITHUB_REF" \
.
# Push the Docker image to Google Container Registry
- name: Publish
run: |-
docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
# Set up kustomize
- name: Set up Kustomize
run: |-
curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
chmod u+x ./kustomize
# Deploy the Docker image to the GKE cluster
- name: Deploy
run: |-
./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
./kustomize build . | kubectl apply -f -
kubectl rollout status deployment/$DEPLOYMENT_NAME
kubectl get services -o wide
其他资源
有关这些示例中使用的工具的更多信息,请参阅以下文档
- 有关完整的入门工作流程,请参阅 "构建并部署到 GKE" 工作流程。
- Kubernetes YAML 自定义引擎:Kustomize。
- Google Kubernetes Engine 文档中的 "部署容器化 Web 应用程序"。