Update .gitea/workflows/build-and-push.yaml
@@ -11,106 +11,66 @@ jobs:
|
|||||||
build-and-push:
|
build-and-push:
|
||||||
runs-on: orchestration-platform
|
runs-on: orchestration-platform
|
||||||
container:
|
container:
|
||||||
image: docker:latest
|
image: docker:27-cli
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Install tools
|
- name: Install tools
|
||||||
run: |
|
run: |
|
||||||
apk add --no-cache git curl
|
apk add --no-cache git
|
||||||
|
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
run: |
|
run: |
|
||||||
git clone --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
|
git clone --depth 1 --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
|
||||||
|
|
||||||
- name: Determine image tag
|
- name: Check Dockerfile
|
||||||
|
run: |
|
||||||
|
test -f Dockerfile || { echo "Dockerfile not found"; exit 1; }
|
||||||
|
|
||||||
|
- name: Determine image metadata
|
||||||
id: meta
|
id: meta
|
||||||
run: |
|
run: |
|
||||||
if echo "${{ gitea.ref }}" | grep -q "refs/tags/"; then
|
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||; s|/.*$||')
|
||||||
TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/||')
|
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}"
|
||||||
|
|
||||||
|
if echo "${{ gitea.ref }}" | grep -q '^refs/tags/'; then
|
||||||
|
TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/v\?||')
|
||||||
|
EXTRA_TAG=""
|
||||||
else
|
else
|
||||||
TAG="latest"
|
TAG="latest"
|
||||||
|
EXTRA_TAG="main-${{ gitea.sha }}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "registry_host=${REGISTRY_HOST}" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
|
||||||
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
|
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "extra_tag=${EXTRA_TAG}" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: Login to Gitea registry
|
||||||
|
run: |
|
||||||
|
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login \
|
||||||
|
"${{ steps.meta.outputs.registry_host }}" \
|
||||||
|
--username "${{ secrets.REGISTRY_USERNAME }}" \
|
||||||
|
--password-stdin
|
||||||
|
|
||||||
- name: Build image
|
- name: Build image
|
||||||
run: |
|
run: |
|
||||||
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
|
docker build \
|
||||||
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}"
|
--label "org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}" \
|
||||||
docker build -t "${IMAGE}" .
|
--label "org.opencontainers.image.revision=${{ gitea.sha }}" \
|
||||||
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
|
-t "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \
|
||||||
id: build
|
.
|
||||||
|
|
||||||
# TODO: Registry push is currently blocked.
|
- name: Add trace tag
|
||||||
# The Gitea ingress only routes /gitea/ to the backend; the Docker registry
|
if: ${{ steps.meta.outputs.extra_tag != '' }}
|
||||||
# API (/v2/) returns 404 from nginx. A separate Ingress rule for /v2 -> gitea-http:3000
|
|
||||||
# (without rewrite-target) is needed before push can work.
|
|
||||||
- name: Push image (skipped - registry ingress not configured)
|
|
||||||
run: |
|
run: |
|
||||||
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
|
docker tag \
|
||||||
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}"
|
"${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \
|
||||||
echo "⚠️ Skipping push: Gitea container registry is not reachable."
|
"${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}"
|
||||||
echo " The ingress does not route /v2/ to Gitea (returns 404 from nginx)."
|
|
||||||
echo " Fix: Add a separate Ingress for path /v2 pointing to gitea-http:3000 without rewrite-target."
|
|
||||||
echo ""
|
|
||||||
echo " Image built successfully: ${IMAGE}"
|
|
||||||
echo " To push manually once ingress is fixed:"
|
|
||||||
echo " crane auth login \${REGISTRY_HOST} -u <user> -p <token>"
|
|
||||||
echo " crane push image.tar \${IMAGE}"
|
|
||||||
|
|
||||||
# PoC: Verify Helm + K8s API access from the CI runner
|
- name: Push image
|
||||||
- name: "PoC: Helm upgrade feasibility check"
|
|
||||||
run: |
|
run: |
|
||||||
echo "=== 1. Install Helm ==="
|
docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}"
|
||||||
apk add --no-cache helm || {
|
|
||||||
# Fallback: install from official script if not in apk
|
|
||||||
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh
|
|
||||||
}
|
|
||||||
helm version
|
|
||||||
|
|
||||||
echo ""
|
if [ -n "${{ steps.meta.outputs.extra_tag }}" ]; then
|
||||||
echo "=== 2. Check in-cluster credentials ==="
|
docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}"
|
||||||
SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
|
fi
|
||||||
if [ -f "${SA_TOKEN_PATH}/token" ]; then
|
|
||||||
echo "✅ ServiceAccount token found"
|
|
||||||
echo " Namespace: $(cat ${SA_TOKEN_PATH}/namespace)"
|
|
||||||
else
|
|
||||||
echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "=== 3. Test K8s API connectivity ==="
|
|
||||||
KUBE_API="https://kubernetes.default.svc"
|
|
||||||
TOKEN=$(cat ${SA_TOKEN_PATH}/token)
|
|
||||||
CA_CERT="${SA_TOKEN_PATH}/ca.crt"
|
|
||||||
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
||||||
--cacert "${CA_CERT}" \
|
|
||||||
-H "Authorization: Bearer ${TOKEN}" \
|
|
||||||
"${KUBE_API}/api/v1/namespaces/$(cat ${SA_TOKEN_PATH}/namespace)")
|
|
||||||
echo " API response: HTTP ${HTTP_CODE}"
|
|
||||||
if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then
|
|
||||||
echo "✅ API server is reachable (${HTTP_CODE})"
|
|
||||||
else
|
|
||||||
echo "❌ API server not reachable (HTTP ${HTTP_CODE})"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "=== 4. Test Helm list (current namespace) ==="
|
|
||||||
NAMESPACE=$(cat ${SA_TOKEN_PATH}/namespace)
|
|
||||||
helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue"
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "=== 5. Dry-run Helm upgrade (no actual changes) ==="
|
|
||||||
echo " Attempting dry-run with a dummy chart to verify permissions..."
|
|
||||||
helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \
|
|
||||||
--namespace "${NAMESPACE}" \
|
|
||||||
--dry-run \
|
|
||||||
--set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount"
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "=== Summary ==="
|
|
||||||
echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible."
|
|
||||||
echo "RBAC may need to be extended for the runner ServiceAccount to allow:"
|
|
||||||
echo " - get/list/create/update Deployments, Services, ConfigMaps, Secrets"
|
|
||||||
echo " - in the target namespace for user deployments"
|
|
||||||
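Review bot: The new "Determine image metadata" step interpolates `${{ gitea.ref }}` and `${{ gitea.sha }}` straight into the shell script (the `if echo "${{ gitea.ref }}" | grep -q '^refs/tags/'` line, the `TAG=$(...)` line and the `EXTRA_TAG="main-${{ gitea.sha }}"` line), so a ref name containing shell metacharacters is executed as part of the script rather than treated as data; the checkout step just above already uses the safer `"${GITHUB_REF_NAME}"` environment form, so the two steps are inconsistent. Reading the same values from the runner environment keeps them out of the script text: `if printf '%s\n' "${GITHUB_REF}" | grep -q '^refs/tags/'; then`, `TAG=${GITHUB_REF#refs/tags/}; TAG=${TAG#v}` and `EXTRA_TAG="main-${GITHUB_SHA}"`. The same applies to the login step, where `echo "${{ secrets.REGISTRY_TOKEN }}"` embeds the token in the script; passing it through an `env:` entry on that step and piping `printf '%s' "$REGISTRY_TOKEN"` into `docker login --password-stdin` avoids that. Separately, the build labels the image with `org.opencontainers.image.revision=${{ gitea.sha }}` while the checkout clones the branch tip rather than that commit, so the label can disagree with what was built if the branch moved in between; a `[ "$(git rev-parse HEAD)" = "${GITHUB_SHA}" ] || exit 1` guard after the clone would make the mismatch fail loudly.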