Update release workflow

Signed-off-by: Heba Elayoty <[email protected]>
Azure · Mar 26, 2024 · 69aa3e2 · 69aa3e2
1 parent 8eddac3
commit 69aa3e2
Show file tree

Hide file tree

Showing 11 changed files with 349 additions and 217 deletions.
diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml
@@ -1,10 +1,9 @@
 name: Create, Scan and Publish KAITO image
 on:
-  pull_request:
-    branches:
-      - main
-      - release-**
-    types: [ closed ]
+  workflow_run:
+    workflows: [ "Push image to ACR" ]
+    types: [ completed ]
+    branches: [ release-** ]
 
 permissions:
   contents: write
@@ -16,51 +15,42 @@ env:
   IMAGE_NAME: 'workspace'
 
 jobs:
-  export-registry:
-    if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
-    runs-on: ubuntu-20.04
+  publish-images:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
     environment: preset-env
-    outputs:
-      registry: ${{ steps.export.outputs.registry }}
     steps:
-      - id: export
+      - id: get-registry
         run: |
           # registry must be in lowercase
-          echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT
-
-  publish-images:
-    if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
-    needs:
-      - export-registry
-    env:
-      REGISTRY: ${{ needs.export-registry.outputs.registry }}
-    runs-on: ubuntu-20.04
-    environment: preset-env
-    steps:
+          echo " b=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_ENV
       - id: get-tag
         name: Get tag
-        run: echo "IMG_TAG=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_ENV
+        run: echo "RELEASE_VERSION=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_ENV
+
       - uses: actions/checkout@v4
         with:
           submodules: true
           fetch-depth: 0
-          ref: ${{ env.IMG_TAG }}
+          ref: ${{ env.RELEASE_VERSION }}
 
       - name: Login to ${{ env.REGISTRY }}
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set Image tag
         run: |
-          ver=${{ env.IMG_TAG }}
+          ver=${{ env.RELEASE_VERSION }}
           echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV
+
       - name: Build image
         run: |
           OUTPUT_TYPE=type=registry make docker-build-kaito
         env:
-          VERSION: ${{ env.IMG_TAG }}
+          VERSION: ${{ env.RELEASE_VERSION }}
 
       - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
         uses: aquasecurity/trivy-action@master
@@ -76,9 +66,23 @@ jobs:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: ./.github/workflows/e2e-workflow.yaml
+        with:
+          git_sha: {{ github.event.pull_request.head.ref }}
+          isRelease: true
+          registry: ${{ env.REGISTRY }}
+          tag: ${{ env.RELEASE_VERSION }}
+        secrets:
+          E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }}
+          E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }}
+          E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }}
+
       - name: 'Dispatch release tag'
         uses: peter-evans/repository-dispatch@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          event-type: release-tag
-          client-payload: '{"isRelease": true,"registry": "$${{ env.REGISTRY }}","tag": "v${{ env.IMG_TAG }}"}'
+          event-type: create-release
+          client-payload: '{"tag": "v${{ env.IMG_TAG }}"}'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           submodules: true
           fetch-depth: 0

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -1,8 +1,7 @@
 name: Create release
 on:
   repository_dispatch:
-    types: [ release-tag ]
-    branches: [ release-** ]
+    types: [ create-release ]
 
 permissions:
   id-token: write
@@ -14,18 +13,20 @@ env:
 
 jobs:
   create-release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
+
       - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION  }}
+
       - name: Checkout the repository at the given SHA from the artifact
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           submodules: true
           fetch-depth: 0
@@ -38,3 +39,4 @@ jobs:
           args: release --rm-dist --timeout 60m --debug
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_CURRENT_TAG: ${{ github.event.client_payload.tag }}
diff --git a/.github/workflows/e2e-workflow.yaml b/.github/workflows/e2e-workflow.yaml
@@ -0,0 +1,205 @@
+name: kaito-e2e-workflow
+
+on:
+  workflow_call:
+    inputs:
+      git_sha:
+        type: string
+        required: true
+      tag:
+        type: string
+      isRelease:
+        type: boolean
+        default: false
+      registry:
+        type: string
+      region:
+        type: string
+        description: "the azure location to run the e2e test in"
+        default: "eastus"
+      k8s_version:
+        type: string
+        default: "1.27"
+    secrets:
+      E2E_CLIENT_ID:
+        required: true
+      E2E_TENANT_ID:
+        required: true
+      E2E_SUBSCRIPTION_ID:
+        required: true
+      E2E_AMRT_SECRET_NAME:
+        required: true
+      E2E_ACR_AMRT_USERNAME:
+        required: true
+      E2E_ACR_AMRT_PASSWORD:
+        required: true
+
+permissions:
+  contents: read # This is required for actions/checkout
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # This is required for requesting the JWT
+    environment: e2e-test
+    env:
+      GO_VERSION: "1.20"
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ inputs.git_sha }}
+
+      - name: Set e2e Resource and Cluster Name
+        run: |
+          rand=$(git rev-parse --short ${{ inputs.git_sha }})
+
+          if [ "$rand" = "" ]; then
+             rand=$RANDOM
+          fi
+
+          echo "VERSION=${rand}" >> $GITHUB_ENV
+          echo "CLUSTER_NAME=kaito${rand}" >> $GITHUB_ENV
+          echo "RUN_LLAMA_13B=false" >> $GITHUB_ENV
+          echo "REGISTRY=kaito${rand}.azurecr.io" >> $GITHUB_ENV
+
+      - name: Set Registry
+        if: ${{ inputs.isRelease }}
+        run: |
+              echo "REGISTRY=${{ inputs.registry }}" >> $GITHUB_ENV
+              echo "VERSION=$(echo ${{ inputs.tag }} | tr -d v)" >> $GITHUB_ENV
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION  }}
+
+      - name: Az login
+        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        with:
+          client-id: ${{ secrets.E2E_CLIENT_ID }}
+          tenant-id: ${{ secrets.E2E_TENANT_ID }}
+          subscription-id: ${{ secrets.E2E_SUBSCRIPTION_ID }}
+
+      - uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
+
+      - name: Create Resource Group
+        shell: bash
+        run: |
+          make create-rg
+        env:
+          AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }}
+
+      - name: Create ACR
+        shell: bash
+        run: |
+          make create-acr
+        env:
+          AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }}
+          AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }}
+
+      - name: Create Azure Identity
+        uses: azure/[email protected]
+        with:
+          inlineScript: |
+            az identity create --name gpuIdentity --resource-group  ${{ env.CLUSTER_NAME }}
+
+      - name: build KAITO image
+        if: ${{ !inputs.isRelease }}
+        shell: bash
+        run: |
+          make docker-build-kaito
+        env:
+          REGISTRY: ${{ env.REGISTRY }}
+          VERSION: ${{ env.VERSION }}
+
+      - name: create cluster
+        shell: bash
+        run: |
+          make create-aks-cluster
+        env:
+          AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }}
+          AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }}
+          AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }}
+          AZURE_LOCATION: ${{ inputs.region }}
+          AKS_K8S_VERSION: ${{ inputs.k8s_version }}
+
+      - name: Install gpu-provisioner helm chart
+        shell: bash
+        run: |
+          make gpu-provisioner-helm
+          kubectl wait --for=condition=available deploy "kaito-gpu-provisioner" -n gpu-provisioner --timeout=300s
+        env:
+          AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }}
+          AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }}
+
+      - uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        with:
+          client-id: ${{ secrets.E2E_CLIENT_ID }}
+          tenant-id: ${{ secrets.E2E_TENANT_ID }}
+          subscription-id: ${{ secrets.E2E_SUBSCRIPTION_ID }}
+
+      - name: Create Role Assignment
+        uses: azure/[email protected]
+        with:
+          inlineScript: |
+            IDENTITY_PRINCIPAL_ID="$(az identity show --name gpuIdentity --resource-group ${{ env.CLUSTER_NAME }} --query 'principalId' -otsv)"
+            az role assignment create --assignee ${IDENTITY_PRINCIPAL_ID} --scope "/subscriptions/${{ secrets.E2E_SUBSCRIPTION_ID }}/resourceGroups/${{ env.CLUSTER_NAME }}"  --role "Contributor"
+
+      - name: Create Azure Federated Identity
+        uses: azure/[email protected]
+        with:
+          inlineScript: |
+            AKS_OIDC_ISSUER="$(az aks show -n "${{ env.CLUSTER_NAME }}" -g "${{ env.CLUSTER_NAME }}" --query 'oidcIssuerProfile.issuerUrl' -otsv)"
+            az identity federated-credential create --name gpu-fed-credential --identity-name gpuIdentity --resource-group "${{ env.CLUSTER_NAME }}" \
+            --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"gpu-provisioner:gpu-provisioner" --audience api://AzureADTokenExchange
+
+      - name: Install KAITO Workspace helm chart
+        shell: bash
+        run: |
+          make az-patch-install-helm
+          kubectl wait --for=condition=available deploy "kaito-workspace" -n kaito-workspace --timeout=300s
+        env:
+          AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }}
+          AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }}
+          REGISTRY: ${{ env.REGISTRY }}
+          VERSION: ${{ env.VERSION }}
+
+      - name: Add Secret Credentials
+        run: |
+          kubectl create secret docker-registry ${{ secrets.E2E_AMRT_SECRET_NAME }} \
+          --docker-server=${{ secrets.E2E_ACR_AMRT_USERNAME }}.azurecr.io \
+          --docker-username=${{ secrets.E2E_ACR_AMRT_USERNAME }} \
+          --docker-password=${{ secrets.E2E_ACR_AMRT_PASSWORD }}
+            
+      - name: Log kaito-workspace
+        run: |
+          kubectl get pods -n kaito-workspace -o name | grep "^pod/kaito-workspace" | sed 's/^pod\///' | xargs -I {} kubectl logs -n kaito-workspace {}
+
+      - name: Run e2e test
+        run: |
+          make kaito-workspace-e2e-test
+        env:
+          AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }}
+          RUN_LLAMA_13B: ${{ env.RUN_LLAMA_13B }}
+          AI_MODELS_REGISTRY: ${{ secrets.E2E_ACR_AMRT_USERNAME }}.azurecr.io
+          AI_MODELS_REGISTRY_SECRET: ${{ secrets.E2E_AMRT_SECRET_NAME }}
+
+      - name: Cleanup e2e resources
+        if: ${{ always() }}
+        uses: azure/[email protected]
+        with:
+          inlineScript: |
+            set +e
+            az group delete --name "${{ env.CLUSTER_NAME }}" --yes --no-wait || true
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -1,10 +1,8 @@
 name: publish_helm_chart
 
 on:
-  workflow_run:
-    workflows: [ "Create, Scan and Publish KAITO image" ]
-    types: [ completed ]
-    branches: [ release-** ]
+  repository_dispatch:
+    types: [ create-release ]
 
 permissions:
   id-token: write # This is required for requesting the JWT
@@ -17,13 +15,13 @@ permissions:
 jobs:
   release:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           submodules: true
           fetch-depth: 0
+          ref: ${{ github.event.client_payload.tag }}
 
       - name: Publish Workspace Helm chart
         uses: stefanprodan/[email protected]