Refactor workflow steps into reusable scripts
parent
02c30229ca
commit
ffb5510382
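--- a/.github/workflows/app-pipeline-chartmuseum.yml
+++ b/.github/workflows/app-pipeline-chartmuseum.yml
@@ -1,26 +0,0 @@
-name: Setup Chartmuseum Server
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/app-pipeline-chartmuseum.yml'
-  workflow_dispatch:
-    branches:
-      - main
-
-jobs:
-  setup-chartmuseum-server:
-    uses: svc-design/actions/.github/workflows/setup-chartmuseum-server.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'k3s-server'
-      ssh_host_ip: '35.77.36.144'
-      ssh_host_name: 'k3s-server'
-    secrets:
-      DNS_AK: ${{ secrets.DNS_AK }}
-      DNS_SK: ${{ secrets.DNS_SK }}
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}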
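--- a/.github/workflows/app-pipeline-grafana-alloy.yml
+++ b/.github/workflows/app-pipeline-grafana-alloy.yml
@@ -1,98 +0,0 @@
-name: Deploy Grafana Alloy Agent
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/app-pipeline-grafana-alloy.yml'
-  workflow_dispatch:
-    branches:
-      - main
-
-jobs:
-  setup-cn-gateway-log-agent:
-    uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'cn-k3s-cluster'
-      ssh_host_name: 'cn-gateway'
-      ssh_host_ip: '110.42.238.110'
-      loki_journal_sources: |
-        loki_journal_sources_vpn.yml
-        loki_journal_sources_gateway.yml
-        loki_journal_sources_k3s_agent.yml
-      dry-run: 'false'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
-  setup-cn-k3s-server-log-agent:
-    uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'cn-k3s-cluster'
-      ssh_host_name: 'cn-k3s-server'
-      ssh_host_ip: '8.130.93.47'
-      loki_journal_sources: |
-        loki_journal_sources_vpn.yml
-        loki_journal_sources_k3s_server.yml
-      dry-run: 'false'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
-  setup-cn-hw-node-log-agent:
-    uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'cn-k3s-cluster'
-      ssh_host_name: 'cn-hw-node'
-      ssh_host_ip: '139.9.139.22'
-      loki_journal_sources: |
-        loki_journal_sources_vpn.yml
-        loki_journal_sources_k3s_agent.yml
-      dry-run: 'false'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
-  setup-global-gateway-log-agent:
-    uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'global-k3s-cluster'
-      ssh_host_name: 'global-gateway'
-      ssh_host_ip: '52.196.108.28'
-      loki_journal_sources: |
-        loki_journal_sources_vpn.yml
-        loki_journal_sources_gateway.yml
-        loki_journal_sources_k3s_agent.yml
-      dry-run: 'false'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
-  setup-global-k3s-server-log-agent:
-    uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'global-k3s-cluster'
-      ssh_host_name: 'k3s-server'
-      ssh_host_ip: '43.207.193.125'
-      loki_journal_sources: |
-        loki_journal_sources_vpn.yml
-        loki_journal_sources_k3s_server.yml
-        loki_journal_sources_postgresql.yml
-      dry-run: 'false'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}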
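--- a/.github/workflows/app-pipeline-harbor.yml
+++ b/.github/workflows/app-pipeline-harbor.yml
@@ -1,43 +0,0 @@
-name: Setup Harbor Server
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/app-pipeline-harbor.yml'
-  workflow_dispatch:
-    branches:
-      - main
-
-jobs:
-  setup-global-harbor-server:
-    uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'global-k3s-server'
-      ssh_host_ip: '43.207.193.125'
-      ssh_host_name: 'k3s-server'
-      ssh_host_domain: 'global-k3s-server.svc.plus'
-    secrets:
-      OSS_AK: ${{ secrets.OSS_AK }}
-      OSS_SK: ${{ secrets.OSS_SK }}
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-
-  setup-cn-harbor-server:
-    uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'cn-k3s-server'
-      ssh_host_ip: '8.130.93.47'
-      ssh_host_name: 'cn-k3s-server'
-      ssh_host_domain: 'cn-k3s-server.svc.plus'
-      registry: 'registry.cn-wulanchabu.aliyuncs.com/svc-design'
-    secrets:
-      OSS_AK: ${{ secrets.OSS_AK }}
-      OSS_SK: ${{ secrets.OSS_SK }}
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}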
@ -1,23 +0,0 @@
|
||||
name: Setup Keycloak Server
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/app-pipeline-keycloak-server.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
setup-keycloak-server:
|
||||
uses: svc-design/actions/.github/workflows/deploy-docker-keycloak-server.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
ssh_host_ip: '139.9.139.22'
|
||||
ssh_host_name: 'hw-node'
|
||||
ssh_host_domain: 'hw-node.svc.plus'
|
||||
secrets:
|
||||
SSH_USER: ${{ secrets.SSH_USER }}
|
||||
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
|
||||
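--- a/.github/workflows/app-pipeline-template.yaml
+++ b/.github/workflows/app-pipeline-template.yaml
@@ -0,0 +1,123 @@
+name: GitOps Application Deployment Template
+
+env:
+  GITOPS_REPO: "https://github.com/svc-design/gitops"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/app-pipeline-template.yaml'
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Optional environment override for manual runs'
+        required: false
+        default: ''
+      application:
+        description: 'Optional application override for manual runs'
+        required: false
+        default: ''
+
+jobs:
+  setup-container-gitops:
+    name: Setup FluxCD Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
+    strategy:
+      matrix: &deployment_matrix
+        include:
+          - env: sit
+            cluster_or_vhosts: vhosts-sit
+            app_name: harbor
+            gitops_type: vhosts
+            gitops_branch: main
+            gitops_path: ''
+            gitops_playbook: sync/config.yaml
+            ssh_host: hw-node.svc.plus
+            ssh_host_ip: '139.9.139.22'
+          - env: nat
+            cluster_or_vhosts: k3s-nat
+            app_name: chaos-mesh
+            gitops_type: container
+            gitops_branch: main
+            gitops_path: clusters/k3s-nat
+            gitops_playbook: ''
+          - env: prod
+            cluster_or_vhosts: k3s-prod
+            app_name: cloud-native-app
+            gitops_type: container
+            gitops_branch: main
+            gitops_path: clusters/k3s-prod
+            gitops_playbook: ''
+    if: |
+      matrix.gitops_type == 'container' &&
+      (github.event_name != 'workflow_dispatch' ||
+        github.event.inputs.application == '' ||
+        github.event.inputs.application == matrix.app_name) &&
+      (github.event_name != 'workflow_dispatch' ||
+        github.event.inputs.environment == '' ||
+        github.event.inputs.environment == matrix.env)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prepare kubeconfig
+        env:
+          RAW_KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+        run: scripts/workflows/prepare-kubeconfig.sh
+        shell: bash
+
+      - name: Install Flux CLI
+        uses: fluxcd/flux2-action@v2
+        with:
+          version: '2.2.3'
+
+      - name: Install FluxCD components
+        run: scripts/workflows/install-flux-components.sh
+        shell: bash
+
+      - name: Configure GitOps reconciliation
+        env:
+          GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+          GITOPS_PATH: ${{ matrix.gitops_path }}
+        run: scripts/workflows/configure-flux-gitops.sh
+        shell: bash
+
+  setup-vhosts-gitops:
+    name: Setup XConfig Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
+    needs: []
+    strategy:
+      matrix: *deployment_matrix
+    if: |
+      matrix.gitops_type == 'vhosts' &&
+      (github.event_name != 'workflow_dispatch' ||
+        github.event.inputs.application == '' ||
+        github.event.inputs.application == matrix.app_name) &&
+      (github.event_name != 'workflow_dispatch' ||
+        github.event.inputs.environment == '' ||
+        github.event.inputs.environment == matrix.env)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Ansible
+        run: scripts/workflows/install-ansible.sh
+        shell: bash
+
+      - name: Configure SSH access and inventory
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_USER: ${{ secrets.SSH_USER }}
+          TARGET_HOST: ${{ matrix.ssh_host }}
+          TARGET_IP: ${{ matrix.ssh_host_ip }}
+        run: scripts/workflows/configure-ssh-inventory.sh
+        shell: bash
+
+      - name: Generate XConfig agent playbook
+        env:
+          GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+          GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
+        run: scripts/workflows/generate-xconfig-playbook.sh
+        shell: bash
+
+      - name: Deploy XConfig agent
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: 'False'
+          GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+          GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
+        run: scripts/workflows/deploy-xconfig-agent.sh
+        shell: bash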
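Review bot: Neither job checks out the repository before `run: scripts/workflows/prepare-kubeconfig.sh` and the other `scripts/workflows/*.sh` steps, so the scripts this commit adds are not present on the runner; put `- uses: actions/checkout@v4` first in the steps of both `setup-container-gitops` and `setup-vhosts-gitops`. The job-level `if:` blocks reference `matrix.gitops_type`, `matrix.app_name` and `matrix.env`, but the `matrix` context is not exposed to `jobs.<job_id>.if` (only to step-level `if`), so the workflow is likely to fail validation; give each job its own `include:` list already filtered to its `gitops_type`, or move the condition onto the steps. The job `name:` values use `${matrix.env}` / `${matrix.cluster_or_vhosts}`, which is not expression syntax and will be displayed literally; `${{ matrix.env }}` is what is intended. The `Deploy XConfig agent` step sets `ANSIBLE_HOST_KEY_CHECKING: 'False'`, discarding the host keys the `Configure SSH access and inventory` step just collected, and `scripts/workflows/deploy-xconfig-agent.sh` defaults the same variable to `False`; both should be `True` so that an unexpected host key fails the run instead of being accepted. `fluxcd/flux2-action@v2` is pinned only to a mutable tag; pin third-party actions to a full commit SHA with the version in a trailing comment so the supply chain stays reproducible.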
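--- a/.github/workflows/app-pipeline-vault.yml
+++ b/.github/workflows/app-pipeline-vault.yml
@@ -1,24 +0,0 @@
-name: Setup Vault Server
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/app-pipeline-vault.yml'
-  workflow_dispatch:
-    branches:
-      - main
-
-jobs:
-  setup-vault-server:
-    uses: svc-design/actions/.github/workflows/setup-vault.yml@main
-    with:
-      domain: 'svc.plus'
-      cluster_name: 'k3s-server'
-      ssh_host_ip: '35.77.36.144'
-      ssh_host_name: 'k3s-server'
-      ssh_host_domain: 'k3s-server.svc.plus'
-    secrets:
-      SSH_USER: ${{ secrets.SSH_USER }}
-      SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}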
@ -1,83 +0,0 @@
|
||||
name: Alicloud Landing Zone Baseline
|
||||
|
||||
on:
|
||||
push:
|
||||
paths:
|
||||
- 'iac_modules/pulumi/**'
|
||||
- 'config/alicloud/**'
|
||||
- '.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml'
|
||||
pull_request:
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
deploy_action:
|
||||
description: "Deployment action to execute"
|
||||
type: choice
|
||||
options:
|
||||
- init
|
||||
- magrate
|
||||
- upgrade
|
||||
- backup
|
||||
- restore
|
||||
- destroy
|
||||
default: upgrade
|
||||
deploy_dry_run:
|
||||
description: "Run deployment steps in dry-run mode"
|
||||
type: choice
|
||||
options:
|
||||
- 'true'
|
||||
- 'false'
|
||||
default: 'true'
|
||||
|
||||
env:
|
||||
PULUMI_CI: 'true'
|
||||
CONFIG_PATH: config/alicloud
|
||||
|
||||
jobs:
|
||||
preview:
|
||||
name: Preview baseline changes
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.10'
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install -r requirements.txt
|
||||
- name: Pulumi preview
|
||||
uses: pulumi/actions@v4
|
||||
with:
|
||||
command: preview
|
||||
stack-name: alicloud/baseline-dev
|
||||
work-dir: iac_modules/pulumi
|
||||
env:
|
||||
ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }}
|
||||
ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }}
|
||||
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
|
||||
|
||||
apply:
|
||||
name: Apply to production stack
|
||||
needs: preview
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.10'
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install -r requirements.txt
|
||||
- name: Pulumi up
|
||||
uses: pulumi/actions@v4
|
||||
with:
|
||||
command: up
|
||||
stack-name: alicloud/baseline-prod
|
||||
work-dir: iac_modules/pulumi
|
||||
env:
|
||||
ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }}
|
||||
ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }}
|
||||
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
|
||||
@ -1,153 +0,0 @@
|
||||
name: Provision Monitor Server Infrastructure
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
deploy_action:
|
||||
description: "Deployment action to execute"
|
||||
type: choice
|
||||
options:
|
||||
- init
|
||||
- magrate
|
||||
- upgrade
|
||||
- backup
|
||||
- restore
|
||||
- destroy
|
||||
default: upgrade
|
||||
deploy_dry_run:
|
||||
description: "Run deployment steps in dry-run mode"
|
||||
type: choice
|
||||
options:
|
||||
- 'true'
|
||||
- 'false'
|
||||
default: 'true'
|
||||
pull_request:
|
||||
branches: [main]
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- '.github/workflows/iac-pipeline-infrastructure-monitor-server.yml'
|
||||
|
||||
env:
|
||||
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || '' }}
|
||||
DEPLOY_DRY_RUN: ${{ github.event.inputs.deploy_dry_run || '' }}
|
||||
ANSIBLE_USER: ${{ secrets.VPS_USER }}
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_LOAD_CALLBACK_PLUGINS: 'true'
|
||||
|
||||
jobs:
|
||||
pre-setup:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Pre-setup confirmation
|
||||
run: echo "Pre-setup stage completed"
|
||||
|
||||
deploy:
|
||||
needs: pre-setup
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
site: [otel.svc.plus]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Determine deployment context
|
||||
run: |
|
||||
set -euo pipefail
|
||||
dry_run="${DEPLOY_DRY_RUN}"
|
||||
if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
|
||||
dry_run="true"
|
||||
fi
|
||||
echo "EFFECTIVE_DRY_RUN=${dry_run}" >> "$GITHUB_ENV"
|
||||
action="${DEPLOY_ACTION:-upgrade}"
|
||||
if [[ -z "${action}" ]]; then
|
||||
action="upgrade"
|
||||
fi
|
||||
echo "EFFECTIVE_DEPLOY_ACTION=${action}" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Checkout infrastructure playbooks
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
repository: svc-design/gitops
|
||||
path: gitops
|
||||
|
||||
- name: Install Ansible
|
||||
run: |
|
||||
set -euo pipefail
|
||||
python3 -m pip install --upgrade pip
|
||||
python3 -m pip install ansible
|
||||
cat <<'CFG' > ~/.ansible.cfg
|
||||
[defaults]
|
||||
stdout_callback = yaml
|
||||
callbacks_enabled = profile_tasks,timer
|
||||
bin_ansible_callbacks = True
|
||||
CFG
|
||||
|
||||
- name: Configure Ansible Vault password
|
||||
env:
|
||||
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
if [[ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]]; then
|
||||
echo "ANSIBLE_VAULT_PASSWORD secret is not configured" >&2
|
||||
exit 1
|
||||
fi
|
||||
printf '%s' "${ANSIBLE_VAULT_PASSWORD}" > ~/.vault_password
|
||||
chmod 600 ~/.vault_password
|
||||
|
||||
- name: Configure SSH access
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
install -m 700 -d ~/.ssh
|
||||
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
ssh-keyscan -H "${{ matrix.site }}" >> ~/.ssh/known_hosts
|
||||
|
||||
- name: Prepare provisioning inputs
|
||||
id: prepare_provisioning
|
||||
working-directory: gitops
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
echo "inventory=playbooks/inventory.ini" >> "$GITHUB_OUTPUT"
|
||||
echo "skip=false" >> "$GITHUB_OUTPUT"
|
||||
|
||||
extra_flags=()
|
||||
if [[ "${EFFECTIVE_DRY_RUN}" == "true" ]]; then
|
||||
extra_flags+=("--check")
|
||||
fi
|
||||
printf 'extra_flags=%s\n' "${extra_flags[*]}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
monitor_playbook="playbooks/deploy_monitor_server.yml"
|
||||
if [[ ! -f "$monitor_playbook" ]]; then
|
||||
echo "Required playbook ${monitor_playbook} was not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "monitor_playbook=${monitor_playbook}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
case "${EFFECTIVE_DEPLOY_ACTION}" in
|
||||
destroy|backup|backup-rollout|restore)
|
||||
echo "skip=true" >> "$GITHUB_OUTPUT"
|
||||
echo "Action ${EFFECTIVE_DEPLOY_ACTION} is not supported for monitor server provisioning" >&2
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
- name: Provision Monitor Server
|
||||
if: steps.prepare_provisioning.outputs.skip != 'true'
|
||||
working-directory: gitops
|
||||
env:
|
||||
INVENTORY: ${{ steps.prepare_provisioning.outputs.inventory }}
|
||||
EXTRA_FLAGS: ${{ steps.prepare_provisioning.outputs.extra_flags }}
|
||||
MONITOR_PLAYBOOK: ${{ steps.prepare_provisioning.outputs.monitor_playbook }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
flags=()
|
||||
if [[ -n "${EXTRA_FLAGS}" ]]; then
|
||||
flags+=(${EXTRA_FLAGS})
|
||||
fi
|
||||
ansible-playbook -i "${INVENTORY}" "${MONITOR_PLAYBOOK}" "${flags[@]}" --limit "${{ matrix.site }}"
|
||||
@ -1,43 +0,0 @@
|
||||
name: Setup ArgoCD Server
|
||||
|
||||
env:
|
||||
STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy
|
||||
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/iac-pipeline-signal-cluster-argo-server.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
apply-cluster-resources:
|
||||
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
|
||||
with:
|
||||
config: 'signal-cluster-config-argo-server.yaml'
|
||||
secrets:
|
||||
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
|
||||
setup-k3s-cluster-with-argo-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-k3s-cluster-argocd.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'argocd'
|
||||
ssh_host_name: 'argocd'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
VAULT_URL: ${{ secrets.VAULT_URL }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- apply-cluster-resources
|
||||
@ -1,73 +0,0 @@
|
||||
name: Setup Chaos-mesh Server
|
||||
|
||||
env:
|
||||
STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy
|
||||
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
apply-cluster-resources:
|
||||
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
|
||||
with:
|
||||
config: 'signal-cluster-config-chaosmesh-server.yaml'
|
||||
secrets:
|
||||
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
|
||||
setup-k3s-cluster:
|
||||
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'chaosmesh'
|
||||
ssh_host_name: 'chaosmesh'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
VAULT_URL: ${{ secrets.VAULT_URL }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- apply-cluster-resources
|
||||
|
||||
setup-iac-pipeline-signal-cluster-chaos-mesh-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-chaos-mesh.yaml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'chaosmesh'
|
||||
ssh_host_name: 'chaosmesh'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- setup-k3s-cluster
|
||||
|
||||
setup-deepflow-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-deepflow-server.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'chaosmesh'
|
||||
ssh_host_name: 'chaosmesh'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- setup-k3s-cluster
|
||||
@ -1,60 +0,0 @@
|
||||
name: Setup harbor Server with IAC
|
||||
|
||||
env:
|
||||
STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy
|
||||
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.SSH_USER }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/setup-harbor-server.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
apply-cluster-resources:
|
||||
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
|
||||
with:
|
||||
config: 'signal-cluster-config-chaosmesh-server.yaml'
|
||||
secrets:
|
||||
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
|
||||
setup-k3s-cluster:
|
||||
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'chaosmesh'
|
||||
ssh_host_name: 'chaosmesh'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
VAULT_URL: ${{ secrets.VAULT_URL }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
SSH_USER: ${{ secrets.SSH_USER }}
|
||||
needs:
|
||||
- apply-cluster-resources
|
||||
|
||||
setup-iac-pipeline-signal-cluster-harbor-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'chaosmesh'
|
||||
ssh_host_name: 'chaosmesh'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
OSS_AK: ${{ secrets.OSS_AK }}
|
||||
OSS_SK: ${{ secrets.OSS_SK }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.SSH_USER }}
|
||||
needs:
|
||||
- setup-k3s-cluster
|
||||
@ -1,59 +0,0 @@
|
||||
name: Setup Jenkins Server
|
||||
|
||||
env:
|
||||
STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy
|
||||
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/iac-pipeline-signal-cluster-jenkins.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
apply-cluster-resources:
|
||||
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
|
||||
with:
|
||||
config: 'signal-cluster-config-jenkins-server.yaml'
|
||||
secrets:
|
||||
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
|
||||
setup-k3s-cluster:
|
||||
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'jenkins'
|
||||
ssh_host_name: 'jenkins'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
VAULT_URL: ${{ secrets.VAULT_URL }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- apply-cluster-resources
|
||||
|
||||
setup-jenkins-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-jenkins-server.yaml@main
|
||||
with:
|
||||
domain: 'onwalk.net'
|
||||
cluster_name: 'jenkins'
|
||||
ssh_host_name: 'jenkins'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
|
||||
needs:
|
||||
- setup-k3s-cluster
|
||||
@ -1,59 +0,0 @@
|
||||
name: Signal K3S Cluster Pipeline Keycloak with IAC tools
|
||||
|
||||
env:
|
||||
STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy
|
||||
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/iac-pipeline-signal-cluster-keycloak.yml'
|
||||
workflow_dispatch:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
apply-cluster-resources:
|
||||
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
|
||||
with:
|
||||
config: 'signal-cluster-config.yaml'
|
||||
secrets:
|
||||
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
|
||||
setup-k3s-cluster:
|
||||
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
|
||||
with:
|
||||
domain: 'svc-dev.ink'
|
||||
cluster_name: 'monitor'
|
||||
ssh_host_name: 'monitor'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
VAULT_URL: ${{ secrets.VAULT_URL }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
needs:
|
||||
- apply-cluster-resources
|
||||
|
||||
setup-keycloak-server:
|
||||
uses: svc-design/actions/.github/workflows/setup-keycloak-server.yml@main
|
||||
with:
|
||||
domain: 'svc-dev.ink'
|
||||
cluster_name: 'monitor'
|
||||
ssh_host_name: 'monitor'
|
||||
secrets:
|
||||
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
DNS_AK: ${{ secrets.DNS_AK }}
|
||||
DNS_SK: ${{ secrets.DNS_SK }}
|
||||
SSH_USER: ${{ secrets.HOST_USER }}
|
||||
ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
|
||||
needs:
|
||||
- setup-k3s-cluster
|
||||
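--- a/clusters/k3s-prod/cloud-native-app/helmfile.yaml
+++ b/clusters/k3s-prod/cloud-native-app/helmfile.yaml
@@ -0,0 +1,2 @@
+# Placeholder helmfile for cloud-native-app deployments.
+# Populate with real release definitions as needed.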
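--- a/scripts/workflows/configure-flux-gitops.sh
+++ b/scripts/workflows/configure-flux-gitops.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_REPO:?GITOPS_REPO is required}"
+: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
+: "${GITOPS_PATH:?GitOps path is not configured for container matrix entry}"
+
+cat <<EOF_CONFIG > git-repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: ${GITOPS_PATH//\//-}-gitops
+  namespace: gitops-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: ${GITOPS_BRANCH}
+  url: ${GITOPS_REPO}
+EOF_CONFIG
+
+cat <<EOF_KUSTOMIZE > kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: ${GITOPS_PATH//\//-}-sync
+  namespace: gitops-system
+spec:
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: ${GITOPS_PATH//\//-}-gitops
+  path: ./${GITOPS_PATH}
+  prune: true
+  wait: true
+EOF_KUSTOMIZE
+
+kubectl apply -f git-repository.yaml
+kubectl apply -f kustomization.yaml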
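Review bot: The unquoted heredocs interpolate `GITOPS_REPO`, `GITOPS_BRANCH` and `GITOPS_PATH` directly into YAML, so a value containing `:`, `#`, a quote or a newline would change the structure of the manifest rather than fail loudly; the values come from the workflow matrix today, but a `case` guard that rejects anything outside `[A-Za-z0-9._/-]` before the first `cat` keeps that assumption explicit. The derived `name: ${GITOPS_PATH//\//-}-gitops` must also be a valid DNS-1123 name, which uppercase letters or underscores in a future `gitops_path` would break. `namespace: gitops-system` is hard-coded in both manifests while `install-flux-components.sh` is not part of this diff, so confirm the controllers are installed into that namespace rather than the Flux default `flux-system`; otherwise the objects are applied but never reconciled. Both manifests use `v1beta2` APIs although the CLI is pinned at `2.2.3`, where `source.toolkit.fluxcd.io/v1` GitRepository and `kustomize.toolkit.fluxcd.io/v1` Kustomization are the current versions and the beta ones are deprecated.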
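--- a/scripts/workflows/configure-ssh-inventory.sh
+++ b/scripts/workflows/configure-ssh-inventory.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY is required}"
+: "${SSH_USER:?SSH_USER is required}"
+: "${TARGET_HOST:?TARGET_HOST is required}"
+: "${TARGET_IP:?TARGET_IP is required}"
+
+install -m 700 -d "${HOME}/.ssh"
+printf '%s\n' "${SSH_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa"
+chmod 600 "${HOME}/.ssh/id_rsa"
+ssh-keyscan -H "${TARGET_HOST}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
+ssh-keyscan -H "${TARGET_IP}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
+
+cat <<EOF_INVENTORY > inventory.ini
+[vhosts]
+${TARGET_HOST} ansible_host=${TARGET_IP} ansible_user=${SSH_USER}
+EOF_INVENTORY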
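Review bot: Both `ssh-keyscan` lines end in `2>/dev/null || true`, so a scan that fails (DNS error, filtered port, timeout) leaves `known_hosts` without an entry while the script still exits 0, and the host-key pin this step exists to establish silently does not exist. Drop the `|| true` and verify the result, since `ssh-keyscan` does not reliably report a missing key through its exit status: `[[ -s "${HOME}/.ssh/known_hosts" ]] || { echo "ssh-keyscan collected no host keys for ${TARGET_HOST}" >&2; exit 1; }`. Scanning at deploy time is still trust-on-first-use; committing the expected host keys to the repository and writing those instead removes the window entirely. The private key is written with `printf ... >` before `chmod 600`, so it is briefly created with the default umask; `umask 077` at the top of the script, or `install -m 600 /dev/null "${HOME}/.ssh/id_rsa"` before the `printf`, closes that gap.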
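--- a/scripts/workflows/deploy-xconfig-agent.sh
+++ b/scripts/workflows/deploy-xconfig-agent.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_REPO:?GITOPS_REPO is required}"
+: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
+: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
+
+ANSIBLE_HOST_KEY_CHECKING=${ANSIBLE_HOST_KEY_CHECKING:-False}
+export ANSIBLE_HOST_KEY_CHECKING
+
+ansible-playbook -i inventory.ini install-xconfig-agent.yml \
+--extra-vars "gitops_repo=${GITOPS_REPO} gitops_branch=${GITOPS_BRANCH} gitops_playbook=${GITOPS_PLAYBOOK}"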
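Review bot: `ANSIBLE_HOST_KEY_CHECKING=${ANSIBLE_HOST_KEY_CHECKING:-False}` disables host-key verification by default, which discards the known_hosts entries configure-ssh-inventory.sh just collected and means an SSH session to the wrong host (for instance after a DNS or IP change) would proceed and receive the sudo password and GitOps configuration; defaulting to `True` and requiring callers to opt out explicitly keeps the weaker mode a deliberate per-run choice. The `--extra-vars "gitops_repo=... gitops_branch=... gitops_playbook=..."` form is split on whitespace by ansible-playbook, so any value containing a space or quote is silently mis-parsed; writing the three values to a YAML or JSON file and passing `--extra-vars @vars.json` avoids the quoting problem entirely. The script also assumes install-xconfig-agent.yml already exists in the working directory (it is produced by generate-xconfig-playbook.sh); a comment such as `# expects install-xconfig-agent.yml from generate-xconfig-playbook.sh in $PWD` would document that ordering dependency.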
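--- a/scripts/workflows/generate-xconfig-playbook.sh
+++ b/scripts/workflows/generate-xconfig-playbook.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
+
+cat <<'PLAYBOOK' > install-xconfig-agent.yml
+- hosts: all
+become: yes
+tasks:
+- name: Ensure build dependencies are installed
+ansible.builtin.apt:
+name:
+- build-essential
+- curl
+- git
+- pkg-config
+- libssl-dev
+state: present
+update_cache: true
+
+- name: Install Rust toolchain when missing
+ansible.builtin.shell: |
+set -euo pipefail
+if ! command -v rustup >/dev/null 2>&1; then
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+fi
+args:
+creates: "{{ ansible_env.HOME }}/.cargo/bin/rustup"
+
+- name: Build cw-agent binary
+# noqa command-instead-of-shell
+ansible.builtin.shell: |
+set -euo pipefail
+work_dir=$(mktemp -d)
+trap 'rm -rf "${work_dir}"' EXIT
+git clone --depth 1 https://github.com/svc-design/XConfig "${work_dir}/XConfig"
+cd "${work_dir}/XConfig/CraftWeaveAgent"
+. "{{ ansible_env.HOME }}/.cargo/env"
+cargo build --release
+install -D -m 0755 target/release/cw-agent /usr/local/bin/cw-agent
+args:
+creates: /usr/local/bin/cw-agent
+
+- name: Ensure agent working directories exist
+ansible.builtin.file:
+path: "{{ item }}"
+state: directory
+owner: root
+group: root
+mode: '0755'
+loop:
+- /etc
+- /var/lib/cw-agent
+
+- name: Configure cw-agent
+ansible.builtin.copy:
+dest: /etc/cw-agent.conf
+owner: root
+group: root
+mode: '0644'
+content: |
+repo: "{{ gitops_repo }}"
+branch: {{ gitops_branch }}
+interval: 60
+playbook:
+- {{ gitops_playbook }}
+
+- name: Install cw-agent systemd service
+ansible.builtin.copy:
+dest: /etc/systemd/system/cw-agent.service
+owner: root
+group: root
+mode: '0644'
+content: |
+[Unit]
+Description=Xconfig Agent Service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/cw-agent daemon --config /etc/cw-agent.conf
+Restart=on-failure
+RestartSec=5
+User=root
+Environment=RUST_LOG=info
+WorkingDirectory=/var/lib/cw-agent
+
+[Install]
+WantedBy=multi-user.target
+
+- name: Reload systemd manager configuration
+ansible.builtin.systemd:
+daemon_reload: true
+
+- name: Enable and restart cw-agent
+ansible.builtin.systemd:
+name: cw-agent.service
+enabled: true
+state: restarted
+PLAYBOOK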
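Review bot: The build task clones `https://github.com/svc-design/XConfig` at whatever its default branch points to on the day a host is first provisioned, and the Rust task pipes `https://sh.rustup.rs` straight into `sh` as root, so the binary that ends up in /usr/local/bin/cw-agent (and runs as root under systemd) is not reproducible across hosts and cannot be tied to a reviewed revision; pinning the clone with `git clone --depth 1 --branch <PINNED_TAG_OR_COMMIT_PLACEHOLDER> ...` and verifying the installer against a known digest before executing it would make the installed agent attestable, and because `creates: /usr/local/bin/cw-agent` makes the build one-shot, a later fix upstream is never picked up unless that file is removed. Both `ansible.builtin.shell` tasks begin with `set -euo pipefail`, but the shell module runs /bin/sh by default, so on hosts where /bin/sh is dash without pipefail support the task fails at its first line; adding `executable: /bin/bash` under each `args:` fixes that. In the generated /etc/cw-agent.conf, `branch: {{ gitops_branch }}` and `- {{ gitops_playbook }}` are left unquoted while `repo` is quoted, so a branch like `1.10` or a value beginning with a YAML indicator is retyped or mis-parsed by the agent's loader; quote both the way `repo` is. `become: yes` is a YAML 1.1 truthy spelling; `become: true` is the canonical form. Leading indentation inside the heredoc is not preserved in this rendering, so the nesting above is inferred from line order.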
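--- a/scripts/workflows/install-ansible.sh
+++ b/scripts/workflows/install-ansible.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+sudo apt-get update
+sudo apt-get install -y ansible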
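--- a/scripts/workflows/install-flux-components.sh
+++ b/scripts/workflows/install-flux-components.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+kubectl create namespace gitops-system --dry-run=client -o yaml | kubectl apply -f -
+flux install --namespace=gitops-system --components-extra=image-reflector-controller,image-automation-controller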
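Review bot: `flux install` without `--version` installs whichever Flux release the CLI on the runner defaults to, so the controller manifests applied to the cluster drift between pipeline runs and cannot be matched to a tested release; passing a pinned `--version` makes the cluster state reproducible and reviewable. The extra `image-automation-controller` component is the one that writes commits back to the GitOps repository, which widens what the cluster's Git credentials can change; if only image reflection is needed, dropping it from `--components-extra` keeps the installed surface smaller.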
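--- a/scripts/workflows/prepare-kubeconfig.sh
+++ b/scripts/workflows/prepare-kubeconfig.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+RAW_KUBE_CONFIG=${RAW_KUBE_CONFIG:-}
+if [[ -z "${RAW_KUBE_CONFIG}" ]]; then
+echo "KUBE_CONFIG secret is not configured" >&2
+exit 1
+fi
+
+mkdir -p "${HOME}/.kube"
+
+if printf '%s' "${RAW_KUBE_CONFIG}" | base64 -d >"${HOME}/.kube/config" 2>/dev/null; then
+true
+else
+printf '%s' "${RAW_KUBE_CONFIG}" >"${HOME}/.kube/config"
+fi
+
+chmod 600 "${HOME}/.kube/config"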
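Review bot: The kubeconfig credential is written by `base64 -d >"${HOME}/.kube/config"` (and again by the fallback `printf`) under the default umask and only restricted by the final `chmod 600`, and `mkdir -p "${HOME}/.kube"` likewise gets the default directory mode; placing `umask 077` before the writes, or creating the directory with `install -m 700 -d "${HOME}/.kube"`, closes that window the way configure-ssh-inventory.sh already does for ~/.ssh. The `if ...; then true; else ...; fi` reads more directly as `printf '%s' "${RAW_KUBE_CONFIG}" | base64 -d >"${HOME}/.kube/config" 2>/dev/null || printf '%s' "${RAW_KUBE_CONFIG}" >"${HOME}/.kube/config"`. The error text names `KUBE_CONFIG` while the variable checked is `RAW_KUBE_CONFIG`; mentioning both in the message would save the next person a search when the secret is missing.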