Skip to content

chore: sync cluster policies (#767) #1204

chore: sync cluster policies (#767)

chore: sync cluster policies (#767) #1204

Workflow file for this run

name: Deploy
on:
push:
branches:
- "main"
tags:
- "v*.*.*"
paths:
- "k8s/**"
- ".github/workflows/deploy.yaml"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
push-to-oci-prod:
runs-on: ubuntu-latest
environment: prod
env:
DEPLOYMENT_ENV: prod
steps:
- name: 📑 Checkout
uses: actions/checkout@v4
- name: ⚙️ Install flux
uses: fluxcd/flux2/action@main
# TODO: Make `Push to GHCR OCI` into a GitHub Action
- name: 🗳️ Push to GHCR OCI
run: |
flux push artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \
--path=./k8s \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \
--tag ${{ github.ref_name }} \
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \
--tag latest \
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}
deploy-prod:
runs-on: ubuntu-latest
needs:
- push-to-oci-prod
environment: prod
env:
DEPLOYMENT_ENV: prod
steps:
- name: ⚙️ Setup Flux
uses: fluxcd/flux2/action@main
# TODO: Make `Setup KSail` into a GitHub Action
# - name: ⚙️ Setup KSail
# run: |
# sudo wget -qO /usr/local/bin/ksail "https://getbin.io/devantler/ksail"
# sudo chmod +x /usr/local/bin/ksail
# - name: ⚙️ Setup Testkube
# uses: kubeshop/setup-testkube@v1
# TODO: Make `Setup K8sGPT` into a GitHub Action
# - name: ⚙️ Setup K8sGPT
# run: |
# sudo wget -qO- "https://getbin.io/k8sgpt-ai/k8sgpt" | tar xvz
# sudo mv k8sgpt /usr/local/bin/k8sgpt
# sudo chmod +x /usr/local/bin/k8sgpt
# TODO: Remove this step, and ensure any dependent step relies on KUBECONFIG env instead
- name: 🛠️ Add kubeconfig to host
run: |
mkdir ~/.kube
echo "${{ secrets.PROD_KUBE_CONFIG }}" > ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=~/.kube/config
export KUBE_CONFIG_PATH=~/.kube/config
- name: 🛠️ Set kube context
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.PROD_KUBE_CONFIG }}
# TODO: Install Cilium with Flux
# https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml
- name: 🚀 Deploy Cilium
run: |
helm repo add cilium https://helm.cilium.io/
helm repo update
helm upgrade --install \
cilium \
cilium/cilium \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set kubeProxyReplacement=true \
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set cgroup.autoMount.enabled=false \
--set cgroup.hostRoot=/sys/fs/cgroup \
--set hubble.relay.enabled=true \
--set hubble.ui.enabled=true
- name: 🚀 Deploy Flux
run: |
flux check --pre
flux install
- name: 🔐 Create secret for SOPS
uses: azure/k8s-create-secret@v5
with:
secret-type: generic
secret-name: sops-age
namespace: flux-system
string-data: '{ "sops.agekey": "${{ secrets.PROD_SOPS_AGE_KEY }}" }'
- name: 🔁 Create OCI Source and Kustomization
run: |
flux create source oci flux-system \
--url=oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }} \
--tag=latest
flux create kustomization flux-system \
--source=OCIRepository/flux-system \
--path=clusters/homelab-${{ env.DEPLOYMENT_ENV }}/flux-system \
--prune=true
- name: 🔁 Reconcile
run: flux reconcile source oci flux-system
# - name: 👀 Check reconciliation
# run: ksail check
# - name: 🧪 Test
# run: echo "No tests"
# - name: 🪲 Analyze
# if: always()
# run: |
# k8sgpt auth add --backend ollama --model "gemma2:2b" --password "${{ secrets.OPEN_WEBUI_API_TOKEN }}" --baseurl https://open-webui.devantler.com/ollama
# k8sgpt auth default -p ollama
# # k8sgpt integration activate trivy --no-install --namespace trivy-operator
# # k8sgpt integration activate kyverno --no-install --namespace kyverno
# # k8sgpt filters add GatewayClass,Gateway,HTTPRoute,HorizontalPodAutoScaler,PodDisruptionBudget,NetworkPolicy
# # k8sgpt filters remove VulnerabilityReport,ConfigAuditReport
# k8sgpt filters list
# output=$(k8sgpt analyze --with-doc)
# echo "$output"
# # if [[ "$output" != *"No problems detected"* ]]; then
# # exit 1
# # fi
# TODO: Make revert into a GitHub Action
- name: ↩️ Revert - Get latest package version
if: failure()
id: github_package_version
run: |
latest_version=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/user/packages/container/${{ github.event.repository.name }}%2Fmanifests-${{ env.DEPLOYMENT_ENV }}/versions" | jq '.[0].id')
echo "ID=$latest_version" >> "$GITHUB_OUTPUT"
- name: ↩️ Revert - Delete latest package version
if: ${{ failure() && steps.github_package_version.outputs.ID != '' }}
uses: actions/delete-package-versions@v5
with:
package-type: container
package-name: ${{ github.event.repository.name }}/manifests-${{ env.DEPLOYMENT_ENV }}
package-version-ids: ${{ steps.github_package_version.outputs.ID }}
- name: ↩️ Revert - Retag latest
if: ${{ failure() && steps.github_package_version.outputs.ID != '' }}
run: |
latest_sha_tag=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/user/packages/container/${{ github.event.repository.name }}%2Fmanifests-${{ env.DEPLOYMENT_ENV }}/versions" | jq '.[0].metadata.container.tags[0]' | tr -d '"')
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:$latest_sha_tag \
--tag latest \
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}