-
Notifications
You must be signed in to change notification settings - Fork 4
196 lines (191 loc) · 8.1 KB
/
host.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
---
name: Host set configuration to host
on:
workflow_call:
inputs:
cfg_version:
required: true
type: string
host_name:
required: true
type: string
host_group:
required: true
type: string
host_stage:
required: true
type: string
execute_group:
required: true
type: string
secrets:
token:
required: true
ONEPASSWORD_VAULT:
required: true
KUBECONFIG:
required: true
RC_WEBHOOK:
required: true
# Not used, kept for compatibility with already running workflows
# Can be removed later
PROXY_CREDENTIALS:
required: false
permissions:
contents: read
jobs:
set_versions:
runs-on: ubuntu-24.04
if: inputs.execute_group == inputs.host_name || inputs.execute_group == inputs.host_group || inputs.execute_group == inputs.host_stage || inputs.execute_group == 'all'
concurrency:
group: ${{ inputs.host_name }}
cancel-in-progress: true
environment: ${{ inputs.host_name }}
steps:
- run: mkdir repo
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/dof_app_deploy
path: repo/dof_app_deploy
token: ${{ secrets.token }}
ref: ${{ inputs.cfg_version }}
- name: Export versions
shell: bash
working-directory: ${{github.workspace }}/repo/dof_app_deploy/ansible/host_vars/${{ inputs.host_name }}
run: |
# convert yaml to bash env vars to get git tags
# for example SCHULCLOUD_SERVER_IMAGE_TAG to SCHULCLOUD_SERVER_VERSION
sed -e "s/IMAGE_TAG: /VERSION=/g" version.yml >> $GITHUB_ENV
sed -e "s/IMAGE_TAG: /BRANCH_NAME: /g" version.yml >> branch_name.yml
echo "DOF_APP_DEPLOY_BRANCH_NAME: ${{ inputs.cfg_version }}" >> branch_name.yml
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/schulcloud-server
path: repo/schulcloud-server
token: ${{ secrets.token }}
ref: ${{ env.SCHULCLOUD_SERVER_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/schulcloud-client
path: repo/schulcloud-client
token: ${{ secrets.token }}
ref: ${{ env.SCHULCLOUD_CLIENT_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/nuxt-client
path: repo/nuxt-client
token: ${{ secrets.token }}
ref: ${{ env.NUXT_CLIENT_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/superhero-dashboard
path: repo/superhero-dashboard
token: ${{ secrets.token }}
ref: ${{ env.SUPERHERO_DASHBOARD_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/shd-client
path: repo/shd-client
token: ${{ secrets.token }}
ref: ${{ env.SHD_CLIENT_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/h5p-staticfiles-server
path: repo/h5p-staticfiles-server
token: ${{ secrets.token }}
ref: ${{ env.H5P_STATICFILES_SERVER_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/schulcloud-calendar
path: repo/schulcloud-calendar
token: ${{ secrets.token }}
ref: ${{ env.SCHULCLOUD_CALENDAR_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/antivirus_check_service
path: repo/antivirus_check_service
token: ${{ secrets.token }}
ref: ${{ env.ANTIVIRUS_CHECK_SERVICE_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/version-aggregator
path: repo/version-aggregator
token: ${{ secrets.token }}
ref: ${{ env.VERSION_AGGREGATOR_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/tldraw-client
path: repo/tldraw-client
token: ${{ secrets.token }}
ref: ${{ env.TLDRAW_CLIENT_VERSION }}
- uses: actions/checkout@v4
with:
repository: hpi-schul-cloud/tldraw-server
path: repo/tldraw-server
token: ${{ secrets.token }}
ref: ${{ env.TLDRAW_SERVER_VERSION }}
- working-directory: ${{github.workspace }}
run: |
mkdir ansible
mkdir ansible/host_vars
mkdir ansible/group_vars
mkdir ansible/roles
mkdir ansible/collections
cd repo
find */ansible/roles -mindepth 1 -maxdepth 1 -type d -exec cp -rfv {} ../ansible/roles \;
find */ansible/host_vars -type d -name "${{ inputs.host_name }}" -exec cp -rfv {} ../ansible/host_vars \;
find */ansible/group_vars -type d -name "all" -exec cp -rfv {} ../ansible/group_vars \;
find */ansible/group_vars -type d -name "${{ inputs.host_group }}" -exec cp -rfv {} ../ansible/group_vars \;
find */ansible/group_vars -type d -name "${{ inputs.host_stage }}" -exec cp -rfv {} ../ansible/group_vars \;
cp dof_app_deploy/ansible/*.yml ../ansible
cp dof_app_deploy/ansible/hosts ../ansible
cp dof_app_deploy/ansible/collections/requirements.yml ../ansible/collections/requirements.yml
cd ..
- run: tar -cf ${{ inputs.host_name }}.tar ansible
- uses: actions/upload-artifact@v4
with:
name: ${{ inputs.host_name }}
path: ${{github.workspace }}/${{ inputs.host_name }}.tar
- uses: actions/setup-python@v5
with:
python-version: '3.13'
- name: Install python3-kubernetes
run: sudo apt-get install -y python3-kubernetes
- name: 1Password
working-directory: ${{github.workspace }}/ansible/host_vars/${{ inputs.host_name }}
run: |
echo "VAULT: ${{ secrets.ONEPASSWORD_VAULT }}" >> dof_deploy.yml
echo "ONEPASSWORD_OPERATOR_VAULT: ${{ secrets.ONEPASSWORD_VAULT }}" >> dof_deploy.yml
- working-directory: ${{github.workspace }}
run: ansible-galaxy install -r ansible/collections/requirements.yml
- working-directory: ${{github.workspace }}/ansible/roles/sys
run: |
mkdir files
echo "${{ secrets.KUBECONFIG }}" > files/config
# It's necessary for the ansible k8s module to define proxy options as environment vars
# (doesn't use the proxy defined in kubeconfig)
# https://github.com/kubernetes-client/python/issues/1862
# https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html#parameter-proxy
# Format in kubeconfig is <protocoll>://<user>:<password>@<domain>:<port>
# Set K8S_AUTH_PROXY=<protocoll>://<domain>:<port>
# Set K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH=<user>:<password>
# If proxy-url is not defined in the kubeconfig no variables are set
- name: Set proxy environment variable if included in the kubeconfig
working-directory: ${{github.workspace }}/ansible/roles/sys/files
run: |
yq ".clusters[0].cluster.proxy-url" config | sed -nr 's+(.*//).*@(.*)+K8S_AUTH_PROXY=\1\2+p' >> $GITHUB_ENV
yq ".clusters[0].cluster.proxy-url" config | sed -nr 's+.*//(.*)@.*+K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH=\1+p' >> $GITHUB_ENV
- run: ansible-playbook ./playbook_rollout.yml --inventory-file hosts --limit "${{ inputs.host_name }}" -e 'ansible_python_interpreter=/usr/bin/python3'
working-directory: ${{github.workspace }}/ansible
- working-directory: ${{github.workspace }}/ansible/roles/sys/files
run: |
rm -rf /config
- name: Send Notification to Rocket Chat
uses: RocketChat/[email protected]
if: always() && contains(inputs.host_name, 'ref') || contains(inputs.host_name, 'prod')
with:
type: ${{ job.status }}
job_name: 'Rollout of ${{ inputs.host_name }} triggered by ${{ github.actor }}:'
url: ${{ secrets.RC_WEBHOOK }}
channel: '#release'
username: Autodeployment Info