chore: sync cluster policies (#767) #1204
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
push: | |
branches: | |
- "main" | |
tags: | |
- "v*.*.*" | |
paths: | |
- "k8s/**" | |
- ".github/workflows/deploy.yaml" | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: false | |
jobs: | |
push-to-oci-prod: | |
runs-on: ubuntu-latest | |
environment: prod | |
env: | |
DEPLOYMENT_ENV: prod | |
steps: | |
- name: 📑 Checkout | |
uses: actions/checkout@v4 | |
- name: ⚙️ Install flux | |
uses: fluxcd/flux2/action@main | |
# TODO: Make `Push to GHCR OCI` into a GitHub Action | |
- name: 🗳️ Push to GHCR OCI | |
run: | | |
flux push artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \ | |
--path=./k8s \ | |
--source="$(git config --get remote.origin.url)" \ | |
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \ | |
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | |
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \ | |
--tag ${{ github.ref_name }} \ | |
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | |
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:${{ github.sha }} \ | |
--tag latest \ | |
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | |
deploy-prod: | |
runs-on: ubuntu-latest | |
needs: | |
- push-to-oci-prod | |
environment: prod | |
env: | |
DEPLOYMENT_ENV: prod | |
steps: | |
- name: ⚙️ Setup Flux | |
uses: fluxcd/flux2/action@main | |
# TODO: Make `Setup KSail` into a GitHub Action | |
# - name: ⚙️ Setup KSail | |
# run: | | |
# sudo wget -qO /usr/local/bin/ksail "https://getbin.io/devantler/ksail" | |
# sudo chmod +x /usr/local/bin/ksail | |
# - name: ⚙️ Setup Testkube | |
# uses: kubeshop/setup-testkube@v1 | |
# TODO: Make `Setup K8sGPT` into a GitHub Action | |
# - name: ⚙️ Setup K8sGPT | |
# run: | | |
# sudo wget -qO- "https://getbin.io/k8sgpt-ai/k8sgpt" | tar xvz | |
# sudo mv k8sgpt /usr/local/bin/k8sgpt | |
# sudo chmod +x /usr/local/bin/k8sgpt | |
# TODO: Remove this step, and ensure any dependent step relies on KUBECONFIG env instead | |
- name: 🛠️ Add kubeconfig to host | |
run: | | |
mkdir ~/.kube | |
echo "${{ secrets.PROD_KUBE_CONFIG }}" > ~/.kube/config | |
chmod 600 ~/.kube/config | |
export KUBECONFIG=~/.kube/config | |
export KUBE_CONFIG_PATH=~/.kube/config | |
- name: 🛠️ Set kube context | |
uses: azure/k8s-set-context@v4 | |
with: | |
method: kubeconfig | |
kubeconfig: ${{ secrets.PROD_KUBE_CONFIG }} | |
# TODO: Install Cilium with Flux | |
# https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml | |
- name: 🚀 Deploy Cilium | |
run: | | |
helm repo add cilium https://helm.cilium.io/ | |
helm repo update | |
helm upgrade --install \ | |
cilium \ | |
cilium/cilium \ | |
--namespace kube-system \ | |
--set ipam.mode=kubernetes \ | |
--set kubeProxyReplacement=true \ | |
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \ | |
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \ | |
--set cgroup.autoMount.enabled=false \ | |
--set cgroup.hostRoot=/sys/fs/cgroup \ | |
--set hubble.relay.enabled=true \ | |
--set hubble.ui.enabled=true | |
- name: 🚀 Deploy Flux | |
run: | | |
flux check --pre | |
flux install | |
- name: 🔐 Create secret for SOPS | |
uses: azure/k8s-create-secret@v5 | |
with: | |
secret-type: generic | |
secret-name: sops-age | |
namespace: flux-system | |
string-data: '{ "sops.agekey": "${{ secrets.PROD_SOPS_AGE_KEY }}" }' | |
- name: 🔁 Create OCI Source and Kustomization | |
run: | | |
flux create source oci flux-system \ | |
--url=oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }} \ | |
--tag=latest | |
flux create kustomization flux-system \ | |
--source=OCIRepository/flux-system \ | |
--path=clusters/homelab-${{ env.DEPLOYMENT_ENV }}/flux-system \ | |
--prune=true | |
- name: 🔁 Reconcile | |
run: flux reconcile source oci flux-system | |
# - name: 👀 Check reconciliation | |
# run: ksail check | |
# - name: 🧪 Test | |
# run: echo "No tests" | |
# - name: 🪲 Analyze | |
# if: always() | |
# run: | | |
# k8sgpt auth add --backend ollama --model "gemma2:2b" --password "${{ secrets.OPEN_WEBUI_API_TOKEN }}" --baseurl https://open-webui.devantler.com/ollama | |
# k8sgpt auth default -p ollama | |
# # k8sgpt integration activate trivy --no-install --namespace trivy-operator | |
# # k8sgpt integration activate kyverno --no-install --namespace kyverno | |
# # k8sgpt filters add GatewayClass,Gateway,HTTPRoute,HorizontalPodAutoScaler,PodDisruptionBudget,NetworkPolicy | |
# # k8sgpt filters remove VulnerabilityReport,ConfigAuditReport | |
# k8sgpt filters list | |
# output=$(k8sgpt analyze --with-doc) | |
# echo "$output" | |
# # if [[ "$output" != *"No problems detected"* ]]; then | |
# # exit 1 | |
# # fi | |
# TODO: Make revert into a GitHub Action | |
- name: ↩️ Revert - Get latest package version | |
if: failure() | |
id: github_package_version | |
run: | | |
latest_version=$(curl -L \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
"https://api.github.com/user/packages/container/${{ github.event.repository.name }}%2Fmanifests-${{ env.DEPLOYMENT_ENV }}/versions" | jq '.[0].id') | |
echo "ID=$latest_version" >> "$GITHUB_OUTPUT" | |
- name: ↩️ Revert - Delete latest package version | |
if: ${{ failure() && steps.github_package_version.outputs.ID != '' }} | |
uses: actions/delete-package-versions@v5 | |
with: | |
package-type: container | |
package-name: ${{ github.event.repository.name }}/manifests-${{ env.DEPLOYMENT_ENV }} | |
package-version-ids: ${{ steps.github_package_version.outputs.ID }} | |
- name: ↩️ Revert - Retag latest | |
if: ${{ failure() && steps.github_package_version.outputs.ID != '' }} | |
run: | | |
latest_sha_tag=$(curl -L \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
"https://api.github.com/user/packages/container/${{ github.event.repository.name }}%2Fmanifests-${{ env.DEPLOYMENT_ENV }}/versions" | jq '.[0].metadata.container.tags[0]' | tr -d '"') | |
flux tag artifact oci://ghcr.io/${{ github.repository }}/manifests-${{ env.DEPLOYMENT_ENV }}:$latest_sha_tag \ | |
--tag latest \ | |
--creds=${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} |