Closed dario-vega closed 2 years ago
What value are you providing for `OCI_CLI_REGION`? I want to make sure I can reproduce this accurately. Note that this should be set to `eu-paris-1`, not your home region, for this workflow.
Yes, the value for `OCI_CLI_REGION` is `eu-paris-1`. I am using the same values used to set up access to my Kubernetes cluster in Cloud Shell:

```shell
oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.eu-paris-1.aaaaa....a --file $HOME/.kube/config --region eu-paris-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT
```
Can you share your GitHub Actions YAML file, perhaps? Just so I can confirm all the right things are configured to enable this to work. Once that's confirmed, we can look at your GitHub Secrets and how they're formatted.
Here is the full script. I have 2 clusters in 2 different regions. It is working in `us-ashburn-1`.
```yaml
name: Deploy Demo VoD in OCI
on:
  push:
    branches:
      - main
    paths:
      - 'demo-vod/*'
      - '.github/workflows/deploy-oke-oci-cli-demo-vod.yml'
  workflow_dispatch:
env:
  IMAGE_NAME: demo-vod-streaming-app
jobs:
  deploy-oci:
    name: Deploy VoD Demo in OCI
    #needs: push-build-image
    runs-on: ubuntu-latest
    environment: OCI
    env:
      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
      OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }}
    steps:
      - uses: actions/checkout@v2
      - name: Retrieve the OCID of a named compartment in tenancy
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: find-compartment-id
        with:
          command: 'iam compartment list --compartment-id-in-subtree=true'
          query: "data[?name=='davega'].id"
      - name: Set the ddl-table-name
        id: ddl-table-name
        run: |
          DDL_TABLE=$(cat demo-vod/demo-stream-acct.ddl)
          DDL_TABLE="${DDL_TABLE//$'\n'/' '}"
          DDL_TABLE="${DDL_TABLE//$'\r'/' '}"
          echo $DDL_TABLE
          echo "::set-output name=ddl-table-name::${DDL_TABLE,,}"
      - name: Set the ddl-limits
        id: table-limits
        run: |
          TABLE_LIMITS='{\"maxReadUnits\":50,\"maxStorageInGBs\":25,\"maxWriteUnits\": 50}'
          echo $TABLE_LIMITS
          echo "::set-output name=table-limits::${TABLE_LIMITS,,}"
      - name: Create NoSQL Table
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: create-table
        with:
          command: 'nosql table create --compartment-id ${{ steps.find-compartment-id.outputs.raw_output }} --name stream_acct --ddl-statement "${{ steps.ddl-table-name.outputs.ddl-table-name }}" --table-limits "${{ steps.table-limits.outputs.table-limits }}" --wait-for-state SUCCEEDED --wait-for-state FAILED'
      - name: Retrieve the display name and table limits of the NoSQL tables in my compartment
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: find-tables
        with:
          command: 'nosql table list --compartment-id ${{ steps.find-compartment-id.outputs.raw_output }}'
          query: 'data.items[*].{name:name,tlimits:\"table-limits\"}'
      - name: List the display name and table limits of the NoSQL tables in my compartment
        run: |
          echo ${{ steps.find-tables.outputs.output }} | jq .
      - name: Configure Kubectl for Oracle Container Engine for Kubernetes (OKE)
        uses: oracle-actions/configure-kubectl-oke@v1.0
        id: configure-kubectl-oke-action
        with:
          cluster: ${{ secrets.OKE_CLUSTER_OCID }}
      - name: Deploy oracle-app-ndcs-deployment and Get all resources
        run: |
          kubectl apply -f ./oracle-app-ndcs-deployment.yaml
          sleep 120
          kubectl get all
```
Does your cluster in Paris have a public endpoint? If not, GitHub won't be able to configure `kubectl` to connect to it.
Yes, and I tested using Cloud Shell. I opened port 6443 too.

```shell
oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.eu-paris-1.aaaaa....a \
  --file $HOME/.kube/config --region eu-paris-1 --token-version 2.0.0 \
  --kube-endpoint PUBLIC_ENDPOINT
```
Interesting. That command is essentially exactly what the action is running under the hood, so this is intriguing. Could you perhaps set the repo private and run the action with debug logging enabled? That would give us more insight, but may expose OCIDs if the repo is public.
Note that Cloud Shell can access clusters via their private IP and you shouldn't need to open any ports for the Kubernetes API if you have a public endpoint. It connects to the control plane which is managed by OCI, not you.
Can you please check `oci ce cluster list --compartment-id <compartment_ocid>` or `oci ce cluster get --cluster-id <cluster_ocid>` and check the `endpoints` stanza to make sure the public endpoint actually has a public IP address?
```json
"endpoint-config": {
  "is-public-ip-enabled": true,
  "nsg-ids": [],
  "subnet-id": "ocid1.subnet.oc1.eu-paris-1.aaaaaaaaq7....eb6lu6t6watspa"
},
"endpoints": {
  "kubernetes": null,
  "private-endpoint": "10.0.0.111:6443",
  "public-endpoint": "141.xxx.xxx.255:6443",
  "vcn-hostname-endpoint": "cu......4a.sub09161125410.demoevents.oraclevcn.com:6443"
},
```
My current repository is public. I don't have the [Environments] option in private repositories. When trying to run my current workflow in a private repository I get the following, but it is normal:

```text
Error: The process '/home/runner/.local/bin/oci' failed with exit code 1
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Retrieve the OCID of a named compartment in tenancy
```
Do I need to change to use secrets instead of Environments?
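The two things being checked by hand in this thread, that `OCI_CLI_REGION` matches the region encoded in the cluster OCID and that the `endpoints` stanza of `oci ce cluster get` actually carries a public IP, can be turned into a preflight check that runs before `configure-kubectl-oke`. The script below is an added example for this thread, not code from `oracle-actions` or the OCI CLI; it parses the JSON that `oci ce cluster get --cluster-id ...` prints to stdout (the sample documents embedded in it are constructed, with placeholder OCIDs and IPs) and reports every reason the runner would be unable to reach the cluster. The region regex assumes the standard OCI region-identifier shape (`eu-paris-1`, `us-ashburn-1`).

```python
import json
import os
import re
import sys

# Constructed sample of `oci ce cluster get` output, trimmed to the fields used here.
# OCIDs and addresses are placeholders, not real values.
SAMPLE_PUBLIC_JSON = """
{
  "data": {
    "id": "ocid1.cluster.oc1.eu-paris-1.aaaaaaaaexample",
    "endpoint-config": {
      "is-public-ip-enabled": true,
      "nsg-ids": [],
      "subnet-id": "ocid1.subnet.oc1.eu-paris-1.aaaaaaaaexample"
    },
    "endpoints": {
      "kubernetes": null,
      "private-endpoint": "10.0.0.111:6443",
      "public-endpoint": "203.0.113.255:6443",
      "vcn-hostname-endpoint": "example.sub0000.demo.oraclevcn.com:6443"
    }
  }
}
"""

# Constructed sample of a cluster whose Kubernetes API is private-only.
SAMPLE_PRIVATE_ONLY_JSON = """
{
  "data": {
    "id": "ocid1.cluster.oc1.eu-paris-1.aaaaaaaaexample",
    "endpoint-config": {"is-public-ip-enabled": false, "nsg-ids": [], "subnet-id": "ocid1.subnet.oc1.eu-paris-1.aaaaaaaaexample"},
    "endpoints": {"kubernetes": null, "private-endpoint": "10.0.0.111:6443", "public-endpoint": null, "vcn-hostname-endpoint": null}
  }
}
"""

# Assumed OCID layout: ocid1.<type>.<realm>.<region>.<unique>; the region is the 4th field.
CLUSTER_OCID_RE = re.compile(r"^ocid1\.cluster\.oc\d+\.(?P<region>[a-z]+-[a-z]+-\d+)\.")


def region_from_cluster_ocid(ocid: str) -> str:
    """Return the region identifier embedded in an OKE cluster OCID."""
    m = CLUSTER_OCID_RE.match(ocid)
    if not m:
        raise ValueError(f"not an OKE cluster OCID: {ocid!r}")
    return m.group("region")


def preflight(cluster_json: str, cli_region: str) -> list:
    """Return the list of reasons kubectl cannot be configured from a GitHub runner.

    An empty list means the region matches the cluster and a public API endpoint exists.
    """
    data = json.loads(cluster_json)["data"]
    problems = []

    ocid_region = region_from_cluster_ocid(data["id"])
    if ocid_region != cli_region:
        problems.append(
            f"OCI_CLI_REGION is {cli_region!r} but the cluster OCID is in {ocid_region!r}"
        )

    endpoint_cfg = data.get("endpoint-config") or {}
    if not endpoint_cfg.get("is-public-ip-enabled"):
        problems.append("endpoint-config.is-public-ip-enabled is false: no public API endpoint")

    public = (data.get("endpoints") or {}).get("public-endpoint")
    if not public:
        problems.append("endpoints.public-endpoint is null: only the private endpoint exists")
    elif public.startswith("10."):
        # A 10.x address here is a private endpoint mislabelled; the runner cannot reach it.
        problems.append(f"endpoints.public-endpoint {public!r} is an RFC 1918 address")
    return problems


def main() -> int:
    # Usage: oci ce cluster get --cluster-id "$OKE_CLUSTER_OCID" | python3 preflight.py
    # With no piped input the constructed sample is checked instead.
    cli_region = os.environ.get("OCI_CLI_REGION", "eu-paris-1")
    raw = SAMPLE_PUBLIC_JSON if sys.stdin.isatty() else sys.stdin.read()
    problems = preflight(raw, cli_region)
    for p in problems:
        print("PREFLIGHT:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running this as a `run:` step before `configure-kubectl-oke`, with the same `OCI_CLI_REGION` secret in scope, turns "exit code 1 from oci" into a message naming the region mismatch or the missing public endpoint.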
You should be using Secrets regardless of whether you use environments or not. If you're using environments, you need to make sure you're retrieving the correct secrets for the workflow to complete successfully.
I am setting the variables; the workflow runs successfully if I use Ashburn. I will test with another non-home region.
Let me spin up some OKE clusters in a non-home region and see if I can reproduce the issue.
I am executing the following step in my workflow:
It is working when running in `us-ashburn-1`. Unfortunately, when running the same workflow using `eu-paris-1` as the target region, I have the following error:
Can you help me with it?
Note: to validate that I have access from the public endpoint, I am testing the deployment using Cloud Shell.