Update .gitea/workflows/build-and-push.yaml
Some checks failed
Build and Push Container Image / build-and-push (push) Failing after 6s
Some checks failed
Build and Push Container Image / build-and-push (push) Failing after 6s
This commit is contained in:
@@ -55,4 +55,62 @@ jobs:
|
|||||||
echo " Image built successfully: ${IMAGE}"
|
echo " Image built successfully: ${IMAGE}"
|
||||||
echo " To push manually once ingress is fixed:"
|
echo " To push manually once ingress is fixed:"
|
||||||
echo " crane auth login \${REGISTRY_HOST} -u <user> -p <token>"
|
echo " crane auth login \${REGISTRY_HOST} -u <user> -p <token>"
|
||||||
echo " crane push image.tar \${IMAGE}"
|
echo " crane push image.tar \${IMAGE}"
|
||||||
|
|
||||||
|
# PoC: Verify Helm + K8s API access from the CI runner
|
||||||
|
- name: "PoC: Helm upgrade feasibility check"
|
||||||
|
run: |
|
||||||
|
echo "=== 1. Install Helm ==="
|
||||||
|
apk add --no-cache helm || {
|
||||||
|
# Fallback: install from official script if not in apk
|
||||||
|
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh
|
||||||
|
}
|
||||||
|
helm version
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=== 2. Check in-cluster credentials ==="
|
||||||
|
SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
|
||||||
|
if [ -f "${SA_TOKEN_PATH}/token" ]; then
|
||||||
|
echo "✅ ServiceAccount token found"
|
||||||
|
echo " Namespace: $(cat ${SA_TOKEN_PATH}/namespace)"
|
||||||
|
else
|
||||||
|
echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=== 3. Test K8s API connectivity ==="
|
||||||
|
KUBE_API="https://kubernetes.default.svc"
|
||||||
|
TOKEN=$(cat ${SA_TOKEN_PATH}/token)
|
||||||
|
CA_CERT="${SA_TOKEN_PATH}/ca.crt"
|
||||||
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
||||||
|
--cacert "${CA_CERT}" \
|
||||||
|
-H "Authorization: Bearer ${TOKEN}" \
|
||||||
|
"${KUBE_API}/api/v1/namespaces/$(cat ${SA_TOKEN_PATH}/namespace)")
|
||||||
|
echo " API response: HTTP ${HTTP_CODE}"
|
||||||
|
if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then
|
||||||
|
echo "✅ API server is reachable (${HTTP_CODE})"
|
||||||
|
else
|
||||||
|
echo "❌ API server not reachable (HTTP ${HTTP_CODE})"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=== 4. Test Helm list (current namespace) ==="
|
||||||
|
NAMESPACE=$(cat ${SA_TOKEN_PATH}/namespace)
|
||||||
|
helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=== 5. Dry-run Helm upgrade (no actual changes) ==="
|
||||||
|
echo " Attempting dry-run with a dummy chart to verify permissions..."
|
||||||
|
helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \
|
||||||
|
--namespace "${NAMESPACE}" \
|
||||||
|
--dry-run \
|
||||||
|
--set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=== Summary ==="
|
||||||
|
echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible."
|
||||||
|
echo "RBAC may need to be extended for the runner ServiceAccount to allow:"
|
||||||
|
echo " - get/list/create/update Deployments, Services, ConfigMaps, Secrets"
|
||||||
|
echo " - in the target namespace for user deployments"
|
||||||
Reference in New Issue
Block a user