diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml index ab86065..b1c5bb6 100644 --- a/.gitea/workflows/build-and-push.yaml +++ b/.gitea/workflows/build-and-push.yaml 
@@ -11,106 +11,66 @@ jobs: build-and-push: runs-on: orchestration-platform container: - image: docker:latest + image: docker:27-cli steps: - name: Install tools run: | - apk add --no-cache git curl + apk add --no-cache git - name: Checkout code run: | - git clone --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" . + git clone --depth 1 --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" . - - name: Determine image tag + - name: Check Dockerfile + run: | + test -f Dockerfile || { echo "Dockerfile not found"; exit 1; } + + - name: Determine image metadata id: meta run: | - if echo "${{ gitea.ref }}" | grep -q "refs/tags/"; then - TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/||') + REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||; s|/.*$||') + IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}" + + if echo "${{ gitea.ref }}" | grep -q '^refs/tags/'; then + TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/v\?||') + EXTRA_TAG="" else TAG="latest" + EXTRA_TAG="main-${{ gitea.sha }}" fi + + echo "registry_host=${REGISTRY_HOST}" >> "$GITHUB_OUTPUT" + echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" echo "tag=${TAG}" >> "$GITHUB_OUTPUT" + echo "extra_tag=${EXTRA_TAG}" >> "$GITHUB_OUTPUT" + + - name: Login to Gitea registry + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login \ + "${{ steps.meta.outputs.registry_host }}" \ + --username "${{ secrets.REGISTRY_USERNAME }}" \ + --password-stdin - name: Build image run: | - REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||') - IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}" - docker build -t "${IMAGE}" . 
- echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" - id: build + docker build \ + --label "org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}" \ + --label "org.opencontainers.image.revision=${{ gitea.sha }}" \ + -t "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \ + . - # TODO: Registry push is currently blocked. - # The Gitea ingress only routes /gitea/ to the backend; the Docker registry - # API (/v2/) returns 404 from nginx. A separate Ingress rule for /v2 -> gitea-http:3000 - # (without rewrite-target) is needed before push can work. - - name: Push image (skipped - registry ingress not configured) + - name: Add trace tag + if: ${{ steps.meta.outputs.extra_tag != '' }} run: | - REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||') - IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}" - echo "⚠️ Skipping push: Gitea container registry is not reachable." - echo " The ingress does not route /v2/ to Gitea (returns 404 from nginx)." - echo " Fix: Add a separate Ingress for path /v2 pointing to gitea-http:3000 without rewrite-target." - echo "" - echo " Image built successfully: ${IMAGE}" - echo " To push manually once ingress is fixed:" - echo " crane auth login \${REGISTRY_HOST} -u -p " - echo " crane push image.tar \${IMAGE}" + docker tag \ + "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \ + "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}" - # PoC: Verify Helm + K8s API access from the CI runner - - name: "PoC: Helm upgrade feasibility check" + - name: Push image run: | - echo "=== 1. Install Helm ===" - apk add --no-cache helm || { - # Fallback: install from official script if not in apk - curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh - } - helm version + docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" - echo "" - echo "=== 2. 
Check in-cluster credentials ===" - SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount" - if [ -f "${SA_TOKEN_PATH}/token" ]; then - echo "✅ ServiceAccount token found" - echo " Namespace: $(cat ${SA_TOKEN_PATH}/namespace)" - else - echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server" - exit 1 - fi - - echo "" - echo "=== 3. Test K8s API connectivity ===" - KUBE_API="https://kubernetes.default.svc" - TOKEN=$(cat ${SA_TOKEN_PATH}/token) - CA_CERT="${SA_TOKEN_PATH}/ca.crt" - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ - --cacert "${CA_CERT}" \ - -H "Authorization: Bearer ${TOKEN}" \ - "${KUBE_API}/api/v1/namespaces/$(cat ${SA_TOKEN_PATH}/namespace)") - echo " API response: HTTP ${HTTP_CODE}" - if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then - echo "✅ API server is reachable (${HTTP_CODE})" - else - echo "❌ API server not reachable (HTTP ${HTTP_CODE})" - exit 1 - fi - - echo "" - echo "=== 4. Test Helm list (current namespace) ===" - NAMESPACE=$(cat ${SA_TOKEN_PATH}/namespace) - helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue" - - echo "" - echo "=== 5. Dry-run Helm upgrade (no actual changes) ===" - echo " Attempting dry-run with a dummy chart to verify permissions..." - helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \ - --namespace "${NAMESPACE}" \ - --dry-run \ - --set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount" - - echo "" - echo "=== Summary ===" - echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible." 
- echo "RBAC may need to be extended for the runner ServiceAccount to allow:" - echo " - get/list/create/update Deployments, Services, ConfigMaps, Secrets" - echo " - in the target namespace for user deployments" \ No newline at end of file + if [ -n "${{ steps.meta.outputs.extra_tag }}" ]; then + docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}" + fi \ No newline at end of file
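Review bot: In the "Determine image metadata" step the new code still splices `${{ gitea.ref }}` directly into the shell script text, so the ref is substituted before the shell parses the script and a branch or tag name containing shell metacharacters is treated as script rather than data; the checkout step in the same hunk already reads the ref from an environment variable, and this step should do the same: `if echo "${GITHUB_REF}" | grep -q '^refs/tags/'; then` and `TAG=$(echo "${GITHUB_REF}" | sed 's|refs/tags/v\?||')` (or pass the ref in through a step-level `env:` block if the runner does not export `GITHUB_REF`). Because `tag` and `extra_tag` then flow into `docker build -t`, `docker tag` and `docker push` via further `${{ steps.meta.outputs.* }}` interpolation, it is also worth rejecting a `TAG` that does not match the image-tag character set (e.g. `[A-Za-z0-9_.-]`) before writing it to `$GITHUB_OUTPUT`, so one check covers every later step. Separately, `image: docker:27-cli` pins only the major version; pinning the tool image by digest would keep the build reproducible instead of silently picking up new releases.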