Configure a GitHub action to create a container instance

GitHub Actions is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.

Use the Deploy to Azure Container Instances GitHub action to automate deployment of a container to Azure Container Instances. The action allows you to set properties for a container instance similar to those in the az container create command.

This article shows how to set up a workflow in a GitHub repo that performs the following actions:

  • Build an image from a Dockerfile
  • Push the image to an Azure container registry
  • Deploy the container image to an Azure container instance

This article shows two ways to set up the workflow:

  • Configure a workflow yourself in a GitHub repo using the Deploy to Azure Container Instances action and other actions.
  • Use the az container app up command in the Deploy to Azure extension in the Azure CLI. This command streamlines creation of the GitHub workflow and deployment steps.

Important

The GitHub action for Azure Container Instances is currently in preview. Previews are made available to you on the condition that you agree to the supplemental terms of use. Some aspects of this feature may change prior to general availability (GA).

Prerequisites

  • GitHub account - Create an account on https://github.com if you don't already have one.

  • Azure CLI - You can use a local installation of the Azure CLI to complete the Azure CLI steps. If you need to install or upgrade, see Install Azure CLI.

  • Azure container registry - If you don't have one, create an Azure container registry in the Basic tier using the Azure CLI, Azure portal, or other methods. Take note of the resource group used for the deployment, which is used for the GitHub workflow.

Set up repo

  • For the examples in this article, use GitHub to fork the following repository: https://github.com/Azure-Samples/acr-build-helloworld-node

    This repo contains a Dockerfile and source files to create a container image of a small web app.

  • Ensure Actions is enabled for your repository. Navigate to your forked repository and select Settings > Actions. In Actions permissions, ensure that Enable local and third party Actions for this repository is selected.

Configure GitHub workflow

Create service principal for Azure authentication

In the GitHub workflow, you need to supply Azure credentials to authenticate to the Azure CLI. The following example creates a service principal with the Contributor role scoped to the resource group for your container registry.

First, get the resource ID of your resource group. Substitute the name of your group in the following az group show command:

groupId=$(az group show \
  --name <resource-group-name> \
  --query id --output tsv)

Use az ad sp create-for-rbac to create the service principal:

az ad sp create-for-rbac \
  --scope $groupId \
  --role Contributor \
  --sdk-auth

Output is similar to:

{
  "clientId": "xxxx6ddc-xxxx-xxxx-xxx-ef78a99dxxxx",
  "clientSecret": "xxxx79dc-xxxx-xxxx-xxxx-aaaaaec5xxxx",
  "subscriptionId": "xxxx251c-xxxx-xxxx-xxxx-bf99a306xxxx",
  "tenantId": "xxxx88bf-xxxx-xxxx-xxxx-2d7cd011xxxx",
  "activeDirectoryEndpointUrl": "https://login.chinacloudapi.cn",
  "resourceManagerEndpointUrl": "https://management.chinacloudapi.cn/",
  "activeDirectoryGraphResourceId": "https://graph.chinacloudapi.cn/",
  "sqlManagementEndpointUrl": "https://management.core.chinacloudapi.cn:8443/",
  "galleryEndpointUrl": "https://gallery.chinacloudapi.cn/",
  "managementEndpointUrl": "https://management.core.chinacloudapi.cn/"
}

Save the JSON output because it is used in a later step. Also, take note of the clientId, which you need to update the service principal in the next section.

Update service principal for registry authentication

Update the Azure service principal credentials to allow push and pull permissions on your container registry. This step allows the GitHub workflow to use the service principal to authenticate with your container registry.

Get the resource ID of your container registry. Substitute the name of your registry in the following az acr show command:

registryId=$(az acr show \
  --name <registry-name> \
  --query id --output tsv)

Use az role assignment create to assign the AcrPush role, which gives push and pull access to the registry. Substitute the client ID of your service principal:

az role assignment create \
  --assignee <ClientId> \
  --scope $registryId \
  --role AcrPush
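
After these two steps the service principal should hold exactly two role assignments: Contributor on the resource group and AcrPush on the registry. The following added example (not part of the original article) checks that and flags anything broader. The function names and sample IDs are constructed for illustration; the input is the output of the az role assignment list command shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original article). Sample values are constructed.
# Feed it the service principal's role assignments as "role<TAB>scope" lines:
#   az role assignment list --assignee <ClientId> --all \
#     --query "[].[roleDefinitionName, scope]" --output tsv

# Constructed placeholder IDs; replace with $groupId and $registryId.
GROUP_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg'
REGISTRY_ID="$GROUP_ID/providers/Microsoft.ContainerRegistry/registries/demoregistry"

# Azure resource IDs are case-insensitive, so compare them in lowercase.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_assignments <resource-group-id> <registry-id>
# Reads "role<TAB>scope" lines on stdin, prints a FINDING line for every
# assignment other than the two this article creates, and returns non-zero
# if there is at least one. The body runs in a subshell to keep variables local.
audit_assignments() (
  group=$(lc "$1"); registry=$(lc "$2"); findings=0
  tab=$(printf '\t')
  while IFS="$tab" read -r role scope; do
    [ -n "$role" ] || continue
    s=$(lc "$scope")
    if [ "$role" = "Contributor" ] && [ "$s" = "$group" ]; then
      continue   # from: az ad sp create-for-rbac --scope $groupId
    elif [ "$role" = "AcrPush" ] && [ "$s" = "$registry" ]; then
      continue   # from: az role assignment create --role AcrPush
    fi
    printf 'FINDING role=%s scope=%s\n' "$role" "$scope"
    findings=$((findings + 1))
  done
  [ "$findings" -eq 0 ]
)

# Constructed sample: the two expected rows plus two that are too broad.
sample_assignments() {
  printf 'Contributor\t%s\n' "$GROUP_ID"
  printf 'AcrPush\t%s\n' "$(lc "$REGISTRY_ID")"
  printf 'Contributor\t%s\n' '/subscriptions/00000000-0000-0000-0000-000000000000'
  printf 'User Access Administrator\t%s\n' "$GROUP_ID"
}

sample_assignments | audit_assignments "$GROUP_ID" "$REGISTRY_ID" ||
  echo "service principal has assignments beyond the expected scopes"
```

Because the clientSecret for this principal is stored as a GitHub secret, any assignment reported here widens what a leaked secret or a modified workflow can reach.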

Save credentials to GitHub repo

  1. In the GitHub UI, navigate to your forked repository and select Settings > Secrets.

  2. Select Add a new secret to add the following secrets:

    Secret                  Value
    AZURE_CREDENTIALS       The entire JSON output from the service principal creation
    REGISTRY_LOGIN_SERVER   The login server name of your registry (all lowercase). Example: myregistry.azurecr.cn
    REGISTRY_USERNAME       The clientId from the JSON output from the service principal creation
    REGISTRY_PASSWORD       The clientSecret from the JSON output from the service principal creation
    RESOURCE_GROUP          The name of the resource group you used to scope the service principal

Create workflow file

  1. In the GitHub UI, select Actions > New workflow.

  2. Select Set up a workflow yourself.

  3. In Edit new file, paste the following YAML contents to overwrite the sample code. Accept the default filename main.yml, or provide a filename you choose.

  4. Select Start commit, optionally provide short and extended descriptions of your commit, and select Commit new file.

    on: [push]
    name: Linux_Container_Workflow
    
    jobs:
        build-and-deploy:
            runs-on: ubuntu-latest
            steps:
            # checkout the repo
            - name: 'Checkout GitHub Action'
              uses: actions/checkout@master
    
            - name: 'Login via Azure CLI'
              uses: azure/login@v1
              with:
                creds: ${{ secrets.AZURE_CREDENTIALS }}
    
            - name: 'Build and push image'
              uses: azure/docker-login@v1
              with:
                login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
                username: ${{ secrets.REGISTRY_USERNAME }}
                password: ${{ secrets.REGISTRY_PASSWORD }}
            - run: |
                docker build . -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/sampleapp:${{ github.sha }}
                docker push ${{ secrets.REGISTRY_LOGIN_SERVER }}/sampleapp:${{ github.sha }}
    
            - name: 'Deploy to Azure Container Instances'
              uses: 'azure/aci-deploy@v1'
              with:
                resource-group: ${{ secrets.RESOURCE_GROUP }}
                dns-name-label: ${{ secrets.RESOURCE_GROUP }}${{ github.run_number }}
                image: ${{ secrets.REGISTRY_LOGIN_SERVER }}/sampleapp:${{ github.sha }}
                registry-login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
                registry-username: ${{ secrets.REGISTRY_USERNAME }}
                registry-password: ${{ secrets.REGISTRY_PASSWORD }}
                name: aci-sampleapp
                location: 'chinaeast2'
    

Validate workflow

After you commit the workflow file, the workflow is triggered. To review workflow progress, navigate to Actions > Workflows.

See Managing a workflow run for information about viewing the status and results of each step in your workflow.

When the workflow completes, get information about the container instance named aci-sampleapp by running the az container show command. Substitute the name of your resource group:

az container show \
  --resource-group <resource-group-name> \
  --name aci-sampleapp \
  --query "{FQDN:ipAddress.fqdn,ProvisioningState:provisioningState}" \
  --output table

Output is similar to:

FQDN                                   ProvisioningState
--------------------------------- -------------------
aci-action01.chinaeast2.azurecontainer.console.azure.cn  Succeeded

After the instance is provisioned, navigate to the container's FQDN in your browser to view the running web app.

Use Deploy to Azure extension

Alternatively, use the Deploy to Azure extension in the Azure CLI to configure the workflow. The az container app up command in the extension takes input parameters from you to set up a workflow to deploy to Azure Container Instances.

The workflow created by the Azure CLI is similar to the workflow you can create manually using GitHub.

Additional prerequisite

In addition to the prerequisites and repo setup for this scenario, you need to install the Deploy to Azure extension for the Azure CLI.

Run the az extension add command to install the extension:

az extension add \
  --name deploy-to-azure

For information about finding, installing, and managing extensions, see Use extensions with Azure CLI.

Run az container app up

To run the az container app up command, provide at minimum:

  • The name of your Azure container registry, for example, myregistry
  • The URL to your GitHub repo, for example, https://github.com/<your-GitHub-Id>/acr-build-helloworld-node

Sample command:

az container app up \
  --acr myregistry \
  --repository https://github.com/myID/acr-build-helloworld-node

Command progress

  • When prompted, provide your GitHub credentials or provide a GitHub personal access token (PAT) that has repo and user scopes to authenticate with your registry. If you provide GitHub credentials, the command creates a PAT for you.

  • The command creates repo secrets for the workflow:

    • Service principal credentials for the Azure CLI
    • Credentials to access the Azure container registry
  • After the command commits the workflow file to your repo, the workflow is triggered.

Output is similar to:

[...]
Checking in file github/workflows/main.yml in the Github repository myid/acr-build-helloworld-node
Creating workflow...
GitHub Action Workflow has been created - https://github.com/myid/acr-build-helloworld-node/runs/515192398
GitHub workflow completed.
Workflow succeeded
Your app is deployed at:  http://acr-build-helloworld-node.chinaeast2.azurecontainer.console.azure.cn:8080/

Validate workflow

The workflow deploys an Azure container instance with the base name of your GitHub repo, in this case, acr-build-helloworld-node. In your browser, you can browse to the link provided to view the running web app. If your app listens on a port other than 8080, specify that in the URL instead.

To view the workflow status and results of each step in the GitHub UI, see Managing a workflow run.

Clean up resources

Stop the container instance with the az container delete command:

az container delete \
  --name <instance-name> \
  --resource-group <resource-group-name>

To delete the resource group and all the resources in it, run the az group delete command:

az group delete \
  --name <resource-group-name>

Next steps

Browse the GitHub Marketplace for more actions to automate your development workflow