diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..0836bd3
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,35 @@
+---
+name: Continuous Integration
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ yamllint:
+ name: Yaml lint
+ uses: theautomation/github-actions/.github/workflows/yamllint.yaml@main
+
+ build-and-push-image:
+ name: Build and Push Image
+ needs: [yamllint]
+ uses: theautomation/github-actions/.github/workflows/build-and-push.yaml@main
+ with:
+ publish: true
+
+ dispatch-update-manifest:
+ name: Repository Dispatch to Update Manifest
+ needs: [build-and-push-image]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Repository Dispatch
+ uses: peter-evans/repository-dispatch@v2
+ with:
+ token: ${{ secrets.PAT }}
+ repository: theautomation/gitops
+ event-type: update-manifest
+ client-payload:
+ '{"ref": "${{ github.ref }}", "repository": "${{
+ github.repository}}", "registry": "ghcr.io", "sha": "${{ github.sha
+ }}"}'
diff --git a/deploy/container/Containerfile b/Dockerfile
similarity index 100%
rename from deploy/container/Containerfile
rename to Dockerfile
diff --git a/cicd/.yamllint.yaml b/cicd/.yamllint.yaml
deleted file mode 100644
index a415b3e..0000000
--- a/cicd/.yamllint.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-rules:
- braces: enable
- brackets: enable
- colons: enable
- commas: enable
- comments:
- level: warning
- comments-indentation:
- level: warning
- document-end: disable
- document-start:
- level: warning
- empty-lines: enable
- empty-values: disable
- hyphens: enable
- indentation: enable
- key-duplicates: enable
- key-ordering: disable
- line-length:
- level: warning
- max: 88
- new-line-at-end-of-file: enable
- new-lines: enable
- octal-values: disable
- quoted-strings: disable
- trailing-spaces: enable
- truthy:
- level: warning
diff --git a/cicd/pipeline.yaml b/cicd/pipeline.yaml
deleted file mode 100644
index f48302b..0000000
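Review bot: All three `uses:` references in the new ci.yaml point at mutable refs — the two reusable workflows at `@main` and `peter-evans/repository-dispatch@v2` — so a force-push or moved tag upstream silently changes the code that runs with `secrets.PAT` in scope; pin each to a full commit SHA (keeping the tag in a trailing comment) and let Dependabot bump them. The `dispatch-update-manifest` job has no `if:` gate while the workflow fires on `pull_request` and on every `push`, so a PR run would dispatch `refs/pull/N/merge` as `ref` to the gitops repository, and `publish: true` appears to push an image for every branch if the reusable workflow honours it unconditionally; add `if: github.event_name == 'push' && github.ref == 'refs/heads/<DEFAULT_BRANCH>'` to that job (placeholder for the default branch name). No `permissions:` block is declared, so every job runs with the repository's default token scope; a top-level `permissions:` stating the minimum per job (presumably `packages: write` on the build job for ghcr.io, `contents: read` elsewhere) would make the grant explicit and auditable. The `client-payload` JSON is assembled by interpolating `github.ref` into a quoted string, and a branch name containing `"` would break or reshape the payload, so prefer `"ref": ${{ toJSON(github.ref) }}` for that field.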
--- a/cicd/pipeline.yaml
+++ /dev/null
@@ -1,148 +0,0 @@ ---- -kind: pipeline -type: docker -name: validate - -steps: - - name: yamllint - image: sdesbure/yamllint:latest - commands: - - yamllint -c ./cicd/.yamllint.yaml . - ---- -kind: pipeline -type: docker -name: build - -depends_on: - - validate - -steps: - - name: build and push image - image: quay.io/buildah/stable - privileged: true - network_mode: host - environment: - REGISTRY_HOST: "harbor.lan.theautomation.nl/k8s" - CONTAINERFILE: "./deploy/container/Containerfile" - STORAGE_DRIVER: "overlay" - FORMAT: "docker" - CONTEXT: "." - TLSVERIFY: "false" - USERNAME: "robot-drone" - PASSWORD: - from_secret: harbor_registry_drone_password - commands: - - | - echo "Build image..." - buildah --build-arg BUILD_UID=1000 --build-arg BUILD_GID=1000 --storage-driver=$${STORAGE_DRIVER} bud --format=$${FORMAT} \ - --tls-verify=$${TLSVERIFY} -f $${CONTAINERFILE} \ - -t $${REGISTRY_HOST}/$${DRONE_REPO_NAME}:latest \ - -t $${REGISTRY_HOST}/$${DRONE_REPO_NAME}:$${DRONE_BUILD_NUMBER} \ - - | - echo "Push image with latest tag..." - buildah push --creds=$${USERNAME}:$${PASSWORD} \ - --tls-verify=$${TLSVERIFY} \ - $${REGISTRY_HOST}/$${DRONE_REPO_NAME}:latest \ - docker://$${REGISTRY_HOST}/$${DRONE_REPO_NAME}:latest - - | - echo "Push image with buildnumber tag..." 
- buildah push --creds=$${USERNAME}:$${PASSWORD} \ - --tls-verify=$${TLSVERIFY} \ - --digestfile=/tmp/image-digest \ - $${REGISTRY_HOST}/$${DRONE_REPO_NAME}:$${DRONE_BUILD_NUMBER} \ - docker://$${REGISTRY_HOST}/$${DRONE_REPO_NAME}:$${DRONE_BUILD_NUMBER} - ---- -kind: pipeline -type: docker -name: deploy - -depends_on: - - build - -steps: - - name: upgrade k8s manifest - image: alpine:3 - network_mode: host - environment: - REGISTRY_NAME: "k8s" - commands: - - sed -i -e - "s%/$${REGISTRY_NAME}/$${DRONE_REPO_NAME}:.*%/$${REGISTRY_NAME}/$${DRONE_REPO_NAME}:$${DRONE_BUILD_NUMBER}\"%1" - ./deploy/k8s/manifest.yaml - - - name: push k8s manifest - image: appleboy/drone-git-push:1-linux-amd64 - settings: - remote_name: "git@github.com:${DRONE_REPO}" - branch: ${DRONE_BRANCH} - force: false - commit: true - commit_message: "[bot] [skip ci] bump image tag" - author_name: ci-bot - ssh_key: - from_secret: github_ssh_key - - - name: apply k8s manifest - image: bitnami/kubectl - volumes: - - name: kubeconfig - path: /.kube - network_mode: host - commands: - - cat ./deploy/k8s/manifest.yaml - - kubectl apply -f ./deploy/k8s/manifest.yaml - -volumes: - - name: kubeconfig - host: - path: /var/lib/.kube - ---- -kind: pipeline -type: docker -name: notify - -depends_on: - - deploy - -trigger: - status: - - success - - failure - -steps: - - name: slack - image: plugins/slack - settings: - webhook: - from_secret: slack_webhook_url - channel: cicd - template: > - {{#success build.status}} - Build and deploy {{build.number}} of {{repo.name}} succeeded. - {{else}} - Build and deploy {{build.number}} of {{repo.name}} failed. - {{/success}} - ---- -kind: secret -name: harbor_registry_drone_password -get: - path: harbor-registry-drone-password - name: harbor-robot-password - ---- -kind: secret -name: github_ssh_key -get: - path: github-ssh-keys - name: id_rsa - ---- -kind: secret -name: slack_webhook_url -get: - path: slack-webhook-url - name: url 
diff --git a/deploy/k8s/manifest.yaml b/deploy/k8s/manifest.yaml
deleted file mode 100644
index 98faf91..0000000
--- a/deploy/k8s/manifest.yaml
+++ /dev/null
@@ -1,193 +0,0 @@ ---- -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv-nfs-radicale-data - labels: - app: radicale -spec: - storageClassName: "freenas-nfs-manual-csi" - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - persistentVolumeReclaimPolicy: Retain - mountOptions: - - nfsvers=4 - - nolock - - noatime - csi: - driver: org.democratic-csi.node-manual - readOnly: false - fsType: nfs - volumeHandle: pv-nfs-radicale-data - volumeAttributes: - server: storage-server-lagg.lan.theautomation.nl - share: /mnt/r01_1tb/k8s/radicale-data - node_attach_driver: nfs - provisioner_driver: node-manual - ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: pvc-nfs-radicale-data - namespace: tools - labels: - app: radicale - annotations: - volume.beta.kubernetes.io/storage-class: "freenas-nfs-manual-csi" -spec: - storageClassName: freenas-nfs-manual-csi - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - volumeName: pv-nfs-radicale-data - ---- -kind: SealedSecret -apiVersion: bitnami.com/v1alpha1 -metadata: - name: radicale-users - namespace: tools -spec: - encryptedData: - users: 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 - template: - metadata: - labels: - app: radicale - name: users - namespace: tools - type: Opaque - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: radicale-config - namespace: tools - labels: - app: radicale -data: - config: |- - [server] - hosts = 0.0.0.0:5232 - [storage] - filesystem_folder = /data/collections - [web] - type = internal - [logging] - level = info - [auth] - type = htpasswd - htpasswd_filename = /etc/radicale/users - htpasswd_encryption = bcrypt - delay = 1 - realm = Radicale - Password Required - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: radicale - namespace: tools - labels: - app: radicale -spec: - replicas: 1 - selector: - matchLabels: - app: radicale - template: - metadata: - labels: - app: radicale - spec: - securityContext: - 
fsGroup: 1000 - containers: - - name: radicale - image: "harbor.lan.theautomation.nl/k8s/radicale:33" - resources: {} - command: ["/bin/sh", "/usr/local/bin/docker-entrypoint.sh"] - args: ["radicale", "--config", "/config/config"] - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsGroup: 1000 - ports: - - containerPort: 5232 - protocol: TCP - volumeMounts: - - name: collections - mountPath: /data/collections - - name: config - mountPath: /config/config - subPath: config - readOnly: true - - name: users - mountPath: /etc/radicale/users - subPath: users - readOnly: true - volumes: - - name: config - configMap: - name: radicale-config - - name: users - secret: - secretName: radicale-users - - name: collections - persistentVolumeClaim: - claimName: pvc-nfs-radicale-data - imagePullSecrets: - - name: harbor-registry-creds - ---- -kind: Service -apiVersion: v1 -metadata: - name: radicale - namespace: tools - labels: - app: radicale -spec: - selector: - app: radicale - type: ClusterIP - ports: - - name: dav - protocol: TCP - targetPort: 5232 - port: 5232 - ---- -kind: Ingress -apiVersion: networking.k8s.io/v1 -metadata: - name: radicale - namespace: tools - labels: - app: radicale - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: |- - proxy_set_header X-Remote-User $remote_user; -spec: - ingressClassName: nginx-public - rules: - - host: radicale.theautomation.nl - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: radicale - port: - number: 5232 - tls: - - hosts: - - radicale.theautomation.nl - secretName: tls-wildcard-theautomation-nl