From bbb511189ea1fc821909ff3114d1a91f46d7c6a8 Mon Sep 17 00:00:00 2001
From: gitea_admin
Date: Tue, 28 Apr 2026 08:20:34 +0000
Subject: [PATCH] Update .gitea/workflows/build-and-push.yaml
---
 .gitea/workflows/build-and-push.yaml | 60 +++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml
index b10f80d..ab86065 100644
--- a/.gitea/workflows/build-and-push.yaml
+++ b/.gitea/workflows/build-and-push.yaml
@@ -55,4 +55,62 @@ jobs:
 echo " Image built successfully: ${IMAGE}"
 echo " To push manually once ingress is fixed:"
 echo " crane auth login \${REGISTRY_HOST} -u -p "
- echo " crane push image.tar \${IMAGE}"
\ No newline at end of file
+ echo " crane push image.tar \${IMAGE}"
+
+ # PoC: Verify Helm + K8s API access from the CI runner
+ - name: "PoC: Helm upgrade feasibility check"
+ run: |
+ echo "=== 1. Install Helm ==="
+ apk add --no-cache helm || {
+ # Fallback: install from official script if not in apk
+ curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh
+ }
+ helm version
+
+ echo ""
+ echo "=== 2. Check in-cluster credentials ==="
+ SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
+ if [ -f "${SA_TOKEN_PATH}/token" ]; then
+ echo "✅ ServiceAccount token found"
+ echo " Namespace: $(cat ${SA_TOKEN_PATH}/namespace)"
+ else
+ echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server"
+ exit 1
+ fi
+
+ echo ""
+ echo "=== 3. Test K8s API connectivity ==="
+ KUBE_API="https://kubernetes.default.svc"
+ TOKEN=$(cat ${SA_TOKEN_PATH}/token)
+ CA_CERT="${SA_TOKEN_PATH}/ca.crt"
+ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+ --cacert "${CA_CERT}" \
+ -H "Authorization: Bearer ${TOKEN}" \
+ "${KUBE_API}/api/v1/namespaces/$(cat ${SA_TOKEN_PATH}/namespace)")
+ echo " API response: HTTP ${HTTP_CODE}"
+ if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then
+ echo "✅ API server is reachable (${HTTP_CODE})"
+ else
+ echo "❌ API server not reachable (HTTP ${HTTP_CODE})"
+ exit 1
+ fi
+
+ echo ""
+ echo "=== 4. Test Helm list (current namespace) ==="
+ NAMESPACE=$(cat ${SA_TOKEN_PATH}/namespace)
+ helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue"
+
+ echo ""
+ echo "=== 5. Dry-run Helm upgrade (no actual changes) ==="
+ echo " Attempting dry-run with a dummy chart to verify permissions..."
+ helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \
+ --namespace "${NAMESPACE}" \
+ --dry-run \
+ --set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount"
+
+ echo ""
+ echo "=== Summary ==="
+ echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible."
+ echo "RBAC may need to be extended for the runner ServiceAccount to allow:"
+ echo " - get/list/create/update Deployments, Services, ConfigMaps, Secrets"
+ echo " - in the target namespace for user deployments"
\ No newline at end of file
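Review bot: The ServiceAccount token is put on the curl command line in step 3 via `-H "Authorization: Bearer ${TOKEN}"`, which exposes it to process listings on the runner and to any command tracing that ends up in the job log; read it from a file instead, e.g. `HDR_FILE=$(mktemp) && printf 'Authorization: Bearer %s\n' "$TOKEN" > "$HDR_FILE"`, then `-H @"${HDR_FILE}"` in the curl call and `rm -f -- "$HDR_FILE"` once `HTTP_CODE` is captured. The step 1 fallback pipes an unpinned script fetched from the `main` branch straight into `sh`; pin it to a release tag (or install a versioned tarball and verify its checksum), and add `--version <pinned-chart-version>` to the `helm upgrade` in step 5 so the dry-run does not pull whatever chart happens to be current. The three unquoted `$(cat ${SA_TOKEN_PATH}/namespace)` substitutions should be quoted, and since they all read the same file, set `NAMESPACE` once right after `SA_TOKEN_PATH` and reuse it in steps 2 and 3. The RBAC extension proposed in the summary, including create/update on Secrets, is broad for the runner's own ServiceAccount; a dedicated ServiceAccount with a namespaced Role bound only to the deploy job would keep the rest of the pipeline at least privilege. The summary text says "steps 1-4" although the check has five steps, so that message should probably read "steps 1-5".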