name: deploy-trade-r001-canary on: push: branches: - main paths: - environments/sol/trade-r001-canary/** - .gitea/workflows/deploy-trade-r001-canary.yaml workflow_dispatch: jobs: apply: runs-on: k3s-deploy steps: - name: Checkout repository uses: actions/checkout@v4 - name: Materialize kubeconfig env: K3S_KUBECONFIG_B64: ${{ secrets.K3S_KUBECONFIG_B64 }} run: | test -n "$K3S_KUBECONFIG_B64" printf '%s' "$K3S_KUBECONFIG_B64" | base64 -d >/tmp/kubeconfig chmod 600 /tmp/kubeconfig - name: Install kubectl run: | curl -fsSL -o /tmp/kubectl https://dl.k8s.io/release/v1.34.6/bin/linux/amd64/kubectl install -m 0755 /tmp/kubectl /usr/local/bin/kubectl kubectl version --client - name: Verify prerequisite secrets env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary get secret trade-postgres trade-hasura trade-api trade-frontend-tokens trade-basic-auth trade-ingestor-tokens gitea-registry - name: Recreate bootstrap jobs env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary delete job postgres-migrate hasura-bootstrap --ignore-not-found=true - name: Apply canary environment env: KUBECONFIG: /tmp/kubeconfig run: | kubectl apply -k environments/sol/trade-r001-canary kubectl get ns trade-r001-canary --show-labels kubectl -n trade-r001-canary get svc,resourcequota,limitrange - name: Restart application surface env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary rollout restart deploy/hasura deploy/trade-api deploy/trade-frontend deploy/trade-ingestor - name: Wait for database and metadata bootstrap env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary wait --for=condition=complete job/postgres-migrate --timeout=300s kubectl -n trade-r001-canary wait --for=condition=complete job/hasura-bootstrap --timeout=300s - name: Wait for application rollouts env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary rollout status deploy/hasura --timeout=300s kubectl -n trade-r001-canary rollout status deploy/trade-api --timeout=300s kubectl -n trade-r001-canary rollout status deploy/trade-frontend --timeout=300s kubectl -n trade-r001-canary rollout status deploy/trade-ingestor --timeout=300s kubectl -n trade-r001-canary get deploy,pods -o wide - name: Verify trade-ingestor runtime env: KUBECONFIG: /tmp/kubeconfig run: | sleep 10 pod_name="$(kubectl -n trade-r001-canary get pod -l app.kubernetes.io/name=trade-ingestor -o jsonpath='{.items[0].metadata.name}')" restart_count="$(kubectl -n trade-r001-canary get pod "$pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}')" test "${restart_count}" = "0" kubectl -n trade-r001-canary logs "$pod_name" --tail=20 - name: Verify canary namespace connectivity env: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary delete pod canary-netcheck --ignore-not-found=true kubectl -n trade-r001-canary run canary-netcheck \ --image=python:3.12-alpine \ --restart=Never \ --command -- sleep 600 kubectl -n trade-r001-canary wait --for=condition=Ready pod/canary-netcheck --timeout=180s kubectl -n trade-r001-canary exec canary-netcheck -- python - <<'PY' import socket targets = [ ("postgres-host.trade-infra.svc.cluster.local", 5432), ("redis-host.trade-infra.svc.cluster.local", 6379), ] for host, port in targets: with socket.create_connection((host, port), timeout=5): print(f"OK {host}:{port}") PY kubectl -n trade-r001-canary exec canary-netcheck -- python - <<'PY' import urllib.request targets = [ "http://hasura:8080/healthz", "http://trade-api:8787/healthz", "http://trade-frontend:8081/healthz", ] for url in targets: with urllib.request.urlopen(url, timeout=10) as response: if response.status != 200: raise SystemExit(f"Unexpected status for {url}: {response.status}") print(f"OK {url}") PY kubectl -n trade-r001-canary delete pod canary-netcheck --wait=true