trade-gitops/.gitea/workflows/deploy-sol-public-edge.yaml
fix(sol): bootstrap public edge host firewall in workflow
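---
# Deploys the sol public edge (cert-manager, traefik, public ingress) to the
# k3s cluster after making sure the edge host firewall admits HTTP/HTTPS.
name: deploy-sol-public-edge

on:
  push:
    branches:
      - main
    paths:
      - environments/sol/public-edge/**
      - .gitea/workflows/deploy-sol-public-edge.yaml
  workflow_dispatch:

jobs:
  apply:
    runs-on: k3s-deploy
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install OpenSSH client
        run: |
          if ! command -v ssh >/dev/null 2>&1; then
            apt-get update
            apt-get install -y --no-install-recommends openssh-client
          fi

      - name: Materialize sol SSH key
        env:
          SOL_SSH_PRIVATE_KEY_B64: ${{ secrets.SOL_SSH_PRIVATE_KEY_B64 }}
        run: |
          # Fail with a clear cause when the secret is unset instead of letting
          # base64 write an empty key file that ssh rejects later.
          test -n "$SOL_SSH_PRIVATE_KEY_B64"
          install -d -m 0700 "$HOME/.ssh"
          printf '%s' "$SOL_SSH_PRIVATE_KEY_B64" | base64 -d >"$HOME/.ssh/sol_mevnode"
          chmod 600 "$HOME/.ssh/sol_mevnode"

      - name: Prepare host firewall
        run: |
          # Run a command on the edge host as the deploy user.
          # BatchMode makes ssh fail instead of hanging on an interactive prompt.
          # accept-new records the host key on first contact and refuses a changed
          # key afterwards; shipping a pinned known_hosts entry with the workflow
          # would remove the remaining first-contact trust.
          ssh_target() {
            ssh \
              -i "$HOME/.ssh/sol_mevnode" \
              -o IdentitiesOnly=yes \
              -o BatchMode=yes \
              -o StrictHostKeyChecking=accept-new \
              user@149.50.96.162 \
              "$@"
          }
          # Idempotently allow inbound TCP <port> on enp6s0. "ufw status" prints
          # such a rule as "<port>/tcp on enp6s0"; the match is anchored on a
          # preceding non-digit so that "80/tcp" is not satisfied by "8080/tcp".
          ensure_rule() {
            local port="$1"
            local comment="$2"
            local rule="${port}/tcp on enp6s0"
            local pattern="(^|[^0-9])${rule}"
            if ssh_target "sudo ufw status numbered | grep -E -- $(printf '%q' "$pattern") >/dev/null"; then
              echo "ufw rule already present: ${rule}"
            else
              ssh_target "sudo ufw allow in on enp6s0 to any port ${port} proto tcp comment '${comment}'"
              echo "added ufw rule: ${rule}"
            fi
          }
          ensure_rule 80 trade-public-http
          ensure_rule 443 trade-public-https
          ssh_target "sudo ufw status numbered"

      - name: Materialize kubeconfig
        env:
          K3S_KUBECONFIG_B64: ${{ secrets.K3S_KUBECONFIG_B64 }}
        run: |
          test -n "$K3S_KUBECONFIG_B64"
          printf '%s' "$K3S_KUBECONFIG_B64" | base64 -d >/tmp/kubeconfig
          chmod 600 /tmp/kubeconfig

      - name: Install kubectl
        run: |
          kubectl_version="v1.34.6"
          base_url="https://dl.k8s.io/release/${kubectl_version}/bin/linux/amd64"
          curl -fsSL -o /tmp/kubectl "${base_url}/kubectl"
          curl -fsSL -o /tmp/kubectl.sha256 "${base_url}/kubectl.sha256"
          # Reject a truncated or tampered download before it lands on PATH. The
          # digest is fetched from the same origin, so pinning the expected digest
          # in this file would be the stronger check.
          echo "$(cat /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum --check
          install -m 0755 /tmp/kubectl /usr/local/bin/kubectl
          kubectl version --client

      - name: Apply public edge resources
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          kubectl apply -f environments/sol/public-edge/cert-manager-namespace.yaml
          kubectl apply -f environments/sol/public-edge/cert-manager-helmchart.yaml
          kubectl apply -f environments/sol/public-edge/traefik-helmchart.yaml

      - name: Wait for cert-manager
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          # The HelmChart controller creates the deployments asynchronously; poll
          # (up to 60 x 5s) until they exist so that rollout status has a target.
          # If they never appear, rollout status below fails the step.
          for attempt in $(seq 1 60); do
            if kubectl -n cert-manager get deploy cert-manager cert-manager-cainjector cert-manager-webhook >/dev/null 2>&1; then
              break
            fi
            sleep 5
          done
          kubectl -n cert-manager rollout status deploy/cert-manager --timeout=300s
          kubectl -n cert-manager rollout status deploy/cert-manager-cainjector --timeout=300s
          kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=300s

      - name: Wait for traefik
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          # Same pattern as for cert-manager: wait for the daemonset to exist,
          # then for its rollout.
          for attempt in $(seq 1 60); do
            if kubectl -n kube-system get ds traefik >/dev/null 2>&1; then
              break
            fi
            sleep 5
          done
          kubectl -n kube-system rollout status ds/traefik --timeout=300s

      - name: Wait for issuer
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          # The ClusterIssuer CRD must be established before its instance can be
          # applied; the ingress is applied here so that it can reference it.
          kubectl wait --for=condition=Established crd/certificates.cert-manager.io --timeout=300s
          kubectl apply -f environments/sol/public-edge/letsencrypt-prod-clusterissuer.yaml
          kubectl apply -f environments/sol/public-edge/trade-frontend-public-ingress.yaml
          kubectl wait --for=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'=True clusterissuer/letsencrypt-prod --timeout=300s

      - name: Verify HTTP ingress
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          kubectl -n trade-r001-canary get ingress trade-frontend-public -o wide
          kubectl -n kube-system get ds traefik -o wide
          # --resolve pins the hostname to the edge address so the check works
          # before public DNS has been switched over.
          curl -fsS --resolve trade.mpabi.pl:80:149.50.96.162 http://trade.mpabi.pl/healthz

      - name: Report TLS state
        env:
          KUBECONFIG: /tmp/kubeconfig
        run: |
          # getent exits non-zero while the name does not resolve; without the
          # fallback the step would abort under the runner's errexit/pipefail
          # defaults instead of reaching the "skipped" branch below.
          resolved_ip="$(getent ahostsv4 trade.mpabi.pl | awk 'NR==1 {print $1}' || true)"
          echo "resolved_ip=${resolved_ip:-<none>}"
          kubectl -n trade-r001-canary get certificate,order,challenge || true
          # The ACME HTTP-01 challenge can only succeed once public DNS points at
          # the edge, so the TLS readiness gate is skipped until then.
          if [ "${resolved_ip:-}" = "149.50.96.162" ]; then
            kubectl -n trade-r001-canary wait --for=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'=True certificate/trade-mpabi-pl-tls --timeout=600s
            curl -fsS --resolve trade.mpabi.pl:443:149.50.96.162 https://trade.mpabi.pl/healthz
          else
            echo "DNS still does not point trade.mpabi.pl to 149.50.96.162; skipped TLS readiness gate."
          fi

      - name: Remove materialized credentials
        # Runs after success or failure so the private key and kubeconfig do not
        # outlive the job if the runner's filesystem is reused between jobs.
        if: always()
        run: |
          rm -f "$HOME/.ssh/sol_mevnode" /tmp/kubeconfig /tmp/kubectl /tmp/kubectl.sha256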