Permissions

  1. Follow this blog to create an OIDC provider and associate a role and policy with it that allow your GitHub Action to access and modify your AWS resources. Make sure that the AmazonS3FullAccess, AmazonEKSWorkerNodePolicy and AmazonEKSClusterPolicy policies are attached to the role you create.

  2. You will also need to give this role access to your tensorkube cluster. Do this by running the following command after you have completed the first step. Note that the system:masters group gives the role cluster-admin rights on the cluster.

eksctl create iamidentitymapping \
  --cluster tensorkube \
  --region us-east-1 \
  --arn <ROLE ARN> \
  --group system:masters \
  --username github
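
The role from step 1 carries AmazonS3FullAccess and is mapped to system:masters in step 2, so its trust policy should only accept tokens from the repository and branch that run the deployment. The following is an added example, not code from the Tensorkube documentation: it audits a GitHub OIDC trust policy and reports anything broader than one repository and one branch. The account ID, organisation and repository names are constructed placeholders, and the branch is the release branch used by the workflow on this page.

```python
# Added example, not Tensorkube code. Account ID, org and repo names are placeholders.
OIDC = "token.actions.githubusercontent.com"
SUB_KEY, AUD_KEY = f"{OIDC}:sub", f"{OIDC}:aud"

def as_list(value):  # IAM accepts a single value wherever a list is allowed
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_trust_policy(policy, repo, branch):
    """Return findings; an empty list means only `branch` of `repo` is trusted."""
    expected_sub = f"repo:{repo}:ref:refs/heads/{branch}"
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if (st.get("Effect") != "Allow" or OIDC not in str(federated)
                or "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", []))):
            continue  # statement does not trust GitHub's OIDC provider
        subs, auds = [], []
        for op, conditions in st.get("Condition", {}).items():
            for key, value in conditions.items():
                if key.lower() == SUB_KEY and op in ("StringEquals", "StringLike"):
                    subs += as_list(value)
                elif key.lower() == AUD_KEY and op == "StringEquals":
                    auds += as_list(value)
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {i}: no sub condition restricts repository or branch")
        findings += [f"statement {i}: sub {s!r} is not exactly {expected_sub!r}"
                     for s in subs if s != expected_sub]
    return findings

def make_policy(condition):
    """Build a constructed sample trust policy around the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {AUD_KEY: "sts.amazonaws.com"}
NO_SUB = make_policy({"StringEquals": AUD})
ORG_WIDE = make_policy({"StringEquals": AUD, "StringLike": {SUB_KEY: "repo:example-org/*"}})
SCOPED = make_policy({"StringEquals": {
    **AUD, SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/release"}})

if __name__ == "__main__":
    for sample in (NO_SUB, ORG_WIDE, SCOPED):
        print(audit_trust_policy(sample, "example-org/example-repo", "release"))
```

To check a real role, pass in the policy document returned by `aws iam get-role --role-name <ROLE NAME> --query Role.AssumeRolePolicyDocument`.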

GitHub Action Workflow

A typical deployment workflow will look like this:

name: tensorkube deploy
on:
  push:
    branches: [release]

permissions:
  id-token: write
  contents: read

jobs:
  deployment:
    runs-on: ubuntu-latest
    name: Tensorkube Deployment
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          path: <PROJECT NAME>
      - name: AWS Configure
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: <GITHUB ROLE ARN>
      - name: Start Deployment
        uses: tensorfuse/tensorkube-github-deploy@latest_release
        with:
          token: <TENSORKUBE_TOKEN> # Please use GitHub secrets for this
          session_id: <TENSORKUBE_SESSION_ID> # Please use GitHub secrets for this
          path: <PROJECT NAME>
          gpus: <GPUS>
          gpu_type: <GPU TYPE>
          min_scale: <MIN PODS>
          max_scale: <MAX PODS>
          env: <DEPLOYMENT ENVIRONMENT>
          secrets: |
            <SECRET_1>
            <SECRET_2>
            ...

Explanation

  1. actions/checkout@v4 copies your code into the workspace/<PROJECT NAME> directory on the GitHub runner. The path (project name) is required because tensorkube names the deployment after the folder that contains the code. By default, the checkout action copies the code to the workspace directory, so different deployments would end up with the same deployment name and clash.

  2. aws-actions/configure-aws-credentials@v4 gives the GitHub runner access to your AWS resources by allowing it to assume the role that you associated with the GitHub OIDC provider.

  3. tensorfuse/tensorkube-github-deploy@v1 deploys your application with tensorkube. Make sure that the path in this step and in actions/checkout@v4 is identical.

Parameters

The parameters you can specify in your deployment are:

  • token, Required, Your tensorkube token. Can be found in ~/.tensorkube/token after running tensorkube login. We recommend storing this as a GitHub Actions secret.

  • session_id, Required, Your tensorkube session_id. Can be found in ~/.tensorkube/token after running tensorkube login. We recommend storing this as a GitHub Actions secret.

  • gpus, Optional, Number of GPUs to use. Default 0.

  • gpu_type, Optional, Type of GPU to use. Default is null.

  • cpu, Optional, Number of CPUs to use. Default is 100 milli CPU.

  • memory, Optional, Amount of memory to use. Default is 200 MB.

  • min_scale, Optional, Minimum number of replicas. Default is 0.

  • max_scale, Optional, Maximum number of replicas. Default is 3.

  • env, Optional, Environment in which to deploy. Default is null.

  • secrets, Optional, Secrets to be exposed as environment variables in your deployment. Default is

  • path, Optional, Path in which to run the command. Default is (Not recommended to be left empty).