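---
# Deploys the "public edge" of the sol environment: opens the host firewall for
# 80/443 over SSH, installs cert-manager and traefik via HelmChart resources,
# applies the Let's Encrypt ClusterIssuer and the public ingress, then checks
# that HTTP (and, once DNS points at the host, HTTPS) is served.
name: deploy-sol-public-edge

on:
  push:
    branches:
      - main
    paths:
      - environments/sol/public-edge/**
      - .gitea/workflows/deploy-sol-public-edge.yaml
  workflow_dispatch:

jobs:
  apply:
    runs-on: k3s-deploy
    env:
      # Single source of truth for the edge host; the steps below refer to these
      # instead of repeating the literals.
      SOL_EDGE_IP: "149.50.96.162"
      SOL_EDGE_HOST: trade.mpabi.pl
      SOL_EDGE_IFACE: enp6s0
      # Written by "Materialize kubeconfig" and read by every kubectl step.
      KUBECONFIG: /tmp/kubeconfig
    steps:
      # TODO(review): pin to a full commit SHA instead of the mutable v4 tag so a
      # moved tag cannot change what runs here.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install OpenSSH client
        run: |
          if ! command -v ssh >/dev/null 2>&1; then
            apt-get update
            apt-get install -y --no-install-recommends openssh-client
          fi

      - name: Materialize sol SSH key
        env:
          SOL_SSH_PRIVATE_KEY_B64: ${{ secrets.SOL_SSH_PRIVATE_KEY_B64 }}
        run: |
          # Fail early with a clear error when the secret is missing.
          test -n "$SOL_SSH_PRIVATE_KEY_B64"
          install -d -m 0700 "$HOME/.ssh"
          # umask so the key file is never readable by others, even between
          # creation and the chmod below.
          (umask 077 && printf '%s' "$SOL_SSH_PRIVATE_KEY_B64" | base64 -d >"$HOME/.ssh/sol_mevnode")
          chmod 600 "$HOME/.ssh/sol_mevnode"

      - name: Prepare host firewall
        run: |
          # Runs a command on the edge host with the materialized key.
          # NOTE(review): host-key checking is disabled, so a connection to an
          # impersonating host would not be detected. TODO: capture the host's
          # public key out of band into a secret, write it to a known_hosts
          # file and switch to StrictHostKeyChecking=yes.
          ssh_target() {
            ssh \
              -i "$HOME/.ssh/sol_mevnode" \
              -o IdentitiesOnly=yes \
              -o StrictHostKeyChecking=no \
              "user@${SOL_EDGE_IP}" \
              "$@"
          }

          # Adds an inbound ufw allow for $1/tcp on the edge interface unless a
          # rule for exactly that port already exists. The match requires the
          # port not to be preceded by another digit, so an existing 8080/tcp
          # rule no longer satisfies the check for port 80.
          ensure_rule() {
            local port="$1"
            local comment="$2"
            local rule="${port}/tcp on ${SOL_EDGE_IFACE}"
            local pattern="(^|[^0-9])${rule}"
            # printf %q escapes the pattern for the remote shell, which
            # unescapes it back into a single grep argument.
            if ssh_target "sudo ufw status numbered | grep -E -- $(printf '%q' "$pattern") >/dev/null"; then
              echo "ufw rule already present: ${rule}"
            else
              ssh_target "sudo ufw allow in on ${SOL_EDGE_IFACE} to any port ${port} proto tcp comment '${comment}'"
              echo "added ufw rule: ${rule}"
            fi
          }

          ensure_rule 80 trade-public-http
          ensure_rule 443 trade-public-https
          ssh_target "sudo ufw status numbered"

      - name: Materialize kubeconfig
        env:
          K3S_KUBECONFIG_B64: ${{ secrets.K3S_KUBECONFIG_B64 }}
        run: |
          test -n "$K3S_KUBECONFIG_B64"
          # Same umask protection as for the SSH key; KUBECONFIG is job-level env.
          (umask 077 && printf '%s' "$K3S_KUBECONFIG_B64" | base64 -d >"$KUBECONFIG")
          chmod 600 "$KUBECONFIG"

      - name: Install kubectl
        env:
          KUBECTL_VERSION: v1.34.6
        run: |
          base="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64"
          curl -fsSL -o /tmp/kubectl "${base}/kubectl"
          curl -fsSL -o /tmp/kubectl.sha256 "${base}/kubectl.sha256"
          # Refuse to install a binary whose digest does not match the published
          # checksum for this release.
          echo "$(cat /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum --check
          install -m 0755 /tmp/kubectl /usr/local/bin/kubectl
          kubectl version --client

      - name: Apply public edge resources
        run: |
          kubectl apply -f environments/sol/public-edge/cert-manager-namespace.yaml
          kubectl apply -f environments/sol/public-edge/cert-manager-helmchart.yaml
          kubectl apply -f environments/sol/public-edge/traefik-helmchart.yaml

      - name: Wait for cert-manager
        run: |
          # The Deployments created from the HelmChart may not exist yet; poll
          # for up to 5 minutes, then let rollout status fail if they never appear.
          for _ in $(seq 1 60); do
            if kubectl -n cert-manager get deploy cert-manager cert-manager-cainjector cert-manager-webhook >/dev/null 2>&1; then
              break
            fi
            sleep 5
          done
          kubectl -n cert-manager rollout status deploy/cert-manager --timeout=300s
          kubectl -n cert-manager rollout status deploy/cert-manager-cainjector --timeout=300s
          kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=300s

      - name: Wait for traefik
        run: |
          # Same pattern as for cert-manager: the DaemonSet appears asynchronously.
          for _ in $(seq 1 60); do
            if kubectl -n kube-system get ds traefik >/dev/null 2>&1; then
              break
            fi
            sleep 5
          done
          kubectl -n kube-system rollout status ds/traefik --timeout=300s

      - name: Wait for issuer
        run: |
          # The ClusterIssuer and Certificate types only exist once cert-manager's
          # CRDs are established, so gate on the CRD before applying them.
          kubectl wait --for=condition=Established crd/certificates.cert-manager.io --timeout=300s
          kubectl apply -f environments/sol/public-edge/letsencrypt-prod-clusterissuer.yaml
          kubectl apply -f environments/sol/public-edge/trade-frontend-public-ingress.yaml
          kubectl wait --for=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'=True clusterissuer/letsencrypt-prod --timeout=300s

      - name: Verify HTTP ingress
        run: |
          kubectl -n trade-r001-canary get ingress trade-frontend-public -o wide
          kubectl -n kube-system get ds traefik -o wide
          # --resolve pins the name to the edge IP so this works before public
          # DNS is switched over.
          curl -fsS --resolve "${SOL_EDGE_HOST}:80:${SOL_EDGE_IP}" "http://${SOL_EDGE_HOST}/healthz"

      - name: Report TLS state
        run: |
          # The HTTP-01 challenge can only succeed once public DNS resolves the
          # host to the edge IP, so the TLS gate is skipped until then.
          resolved_ip="$(getent ahostsv4 "$SOL_EDGE_HOST" | awk 'NR==1 {print $1}')"
          echo "resolved_ip=${resolved_ip:-<none>}"
          kubectl -n trade-r001-canary get certificate,order,challenge || true
          if [ "${resolved_ip:-}" = "$SOL_EDGE_IP" ]; then
            kubectl -n trade-r001-canary wait --for=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'=True certificate/trade-mpabi-pl-tls --timeout=600s
            curl -fsS --resolve "${SOL_EDGE_HOST}:443:${SOL_EDGE_IP}" "https://${SOL_EDGE_HOST}/healthz"
          else
            echo "DNS still does not point ${SOL_EDGE_HOST} to ${SOL_EDGE_IP}; skipped TLS readiness gate."
          fi

      # Runs even when an earlier step failed so key material does not linger
      # on the runner between jobs.
      - name: Remove credentials from runner
        if: always()
        run: |
          rm -f "$HOME/.ssh/sol_mevnode" "$KUBECONFIG" /tmp/kubectl /tmp/kubectl.sha256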