GitHub Actions

Continuous Deployment with GitHub Actions

Workflow Create Secret and Deploy to Kubernetes Dev Environment

Extend your GitHub Actions CI/CD pipeline to securely generate a MongoDB secret and deploy your Kubernetes manifests into a development namespace. This ensures automated, secure credential management and consistent application delivery.

1. Configuring the Dev-Deploy Job

Under jobs: in your workflow YAML, add a dev-deploy job that:

  • Replaces placeholders in your manifest files
  • Creates a Kubernetes secret for MongoDB credentials
  • Applies all manifests to your development namespace
name: Solar System Workflow

on:
  workflow_dispatch:
  push:
    branches:
      - main
      - 'feature/*'

env:
  MONGO_URI: 'mongodb+srv://supercluster.d83jj.mongodb.net/superData'
  MONGO_USERNAME: ${{ vars.MONGO_USERNAME }}
  MONGO_PASSWORD: ${{ secrets.MONGO_PASSWORD }}

jobs:
  unit-testing: … 
  code-coverage: … 
  docker: … 
  dev-deploy:
    name: Deploy to Dev Env
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Replace tokens in manifests
        uses: cschlieden/replace-tokens@v1
        with:
          tokenPrefix: '_{'
          tokenSuffix: '}'
          files:
            - kubernetes/development/*.yaml
        env:
          NAMESPACE: ${{ vars.NAMESPACE }}
          REPLICAS: ${{ vars.REPLICAS }}
          IMAGE: ${{ vars.DOCKERHUB_USERNAME }}/solar-system:${{ github.sha }}
          INGRESS_IP: ${{ env.INGRESS_IP }}

      - name: Show processed manifests
        run: cat kubernetes/development/*.yaml

      - name: Create MongoDB secret
        run: |
          kubectl -n ${{ vars.NAMESPACE }} create secret generic mongo-db-creds \
            --from-literal=MONGO_URI=${{ env.MONGO_URI }} \
            --from-literal=MONGO_USERNAME=${{ env.MONGO_USERNAME }} \
            --from-literal=MONGO_PASSWORD=${{ secrets.MONGO_PASSWORD }} \
            --save-config \
            --dry-run=client \
            -o yaml | kubectl apply -f -

      - name: Deploy manifests
        run: kubectl apply -f kubernetes/development

Note

Ensure that vars.NAMESPACE, vars.REPLICAS, and your Docker Hub credentials are configured in your GitHub repository settings.

Workflow Steps at a Glance

StepActionDescription
Checkoutactions/checkout@v3Clones your repository
Token Replacementreplace-tokens@v1Injects variables into Kubernetes YAML files
Secret Creationkubectl create secretGenerates or updates mongo-db-creds in namespace
Deploymentkubectl applyApplies all manifests in kubernetes/development

2. Kubernetes Deployment Manifest

In kubernetes/development/deployment.yaml, reference the mongo-db-creds secret to populate environment variables for your container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: solar-system
  namespace: _{NAMESPACE}
  labels:
    app: solar-system
spec:
  replicas: _{REPLICAS}
  selector:
    matchLabels:
      app: solar-system
  template:
    metadata:
      labels:
        app: solar-system
    spec:
      containers:
        - name: solar-system
          image: _{IMAGE}
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
              name: http
              protocol: TCP
      envFrom:
        - secretRef:
            name: mongo-db-creds

For more on Kubernetes secrets, see Kubernetes Secrets.

3. Why Use a Secret?

Your Dockerfile includes placeholder environment variables:

FROM node:18-alpine3.17
WORKDIR /usr/app
COPY package.json /usr/app/
RUN npm install
COPY . .

ENV MONGODB_URI=uriPlaceholder
ENV MONGO_USERNAME=usernamePlaceholder
ENV MONGO_PASSWORD=passwordPlaceholder

EXPOSE 3000
CMD ["npm", "start"]

By leveraging a Kubernetes secret:

  • You avoid hard-coding sensitive data
  • Credentials are injected at runtime
  • Configuration is decoupled from your application image

Warning

Never commit real credentials into source control. Use GitHub Secrets and Kubernetes Secrets to manage sensitive data.

4. Verify a Fresh development Namespace

Before deployment, confirm that the namespace is empty:

kubectl -n development get all
kubectl -n development get secrets
# NAME                 TYPE                                DATA   AGE
# default-token-xxxxx  kubernetes.io/service-account-token  3      47h

5. Watching GitHub Actions in Motion

When you push changes, the dev-deploy job runs alongside other CI tasks:

The image shows a GitHub Actions workflow in progress, displaying a series of jobs including unit testing, code coverage, containerization, and deployment.

5.1 Secret Creation Logs

kubectl -n development create secret generic mongo-db-creds \
  --from-literal=MONGO_URI=... \
  --from-literal=MONGO_USERNAME=... \
  --from-literal=MONGO_PASSWORD=...
# Output:
secret/mongo-db-creds created

5.2 Applying Manifests

kubectl apply -f kubernetes/development
# Output:
deployment.apps/solar-system created
ingress.networking.k8s.io/solar-system created
service/solar-system created

6. Validate Resources in the Cluster

Check that your secret and resources are live:

kubectl -n development get secrets
# NAME                 TYPE                                DATA   AGE
# default-token-xxxxx  kubernetes.io/service-account-token  3      47h
kubectl -n development get all
# NAME                                   READY   STATUS    RESTARTS   AGE
# pod/solar-system-xxxxx                 1/1     Running   0          30s
# NAME                  TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
# NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
# NAME                                         DESIRED   CURRENT   READY   AGE
# replicaset.apps/solar-system-xxxxx           2         2         2       1m

Retrieve your ingress host:

kubectl -n development get ing
# NAME           HOSTS                                             ADDRESS                                           PORTS   AGE
# solar-system   solar-system-development.172.232.87.200.nip.io   <none>                                            80      1m

7. Access the Application

Open the ingress hostname in your browser. You may see a self-signed TLS warning—proceed to view your live Solar System app:

The image shows a stylized representation of the solar system with planets orbiting the sun, alongside a web interface with options to view and search for planets.

Your Solar System application is now running in the development environment, ready for integration testing!

References

Watch Video

Watch video content

Previous
Workflow Replace Placeholders Tokens