actions/.gitea/workflows/werf-deploy-template.yml

name: "Deploy stand by werf to kubernetes"
on:
  workflow_call:
    inputs:
      stand_name:
        description: 'Общее наименование стенда'
        required: true
        type: string
      kube_namespace:
        description: 'Местоположение для деплоя в кластере'
        required: true
        type: string
      docker_repo_path:
        default: private.docker.wilix.dev
        required: false
        type: string
      docker_images_path:
        description: 'Относительный путь для образов проекта'
        required: true
        type: string
      vault_secrets_base_path:
        description: 'Базовый путь для секретов проекта в vault'
        required: true
        type: string
      has_secrets:
        default: true
        required: false
        type: boolean
      werf_secret_key_vault_location:
        description: "Имя секрета, содержащего ключ для дешифрования werf, расположенного по базовому пути в vault"
        default: werf_secret_key
        required: false
        type: string
      notification_enabled:
        description: "Включение оповещений о разворачивании, требуется иметь url для оповещений в vault"
        default: true
        required: false
        type: boolean
      custom_notification_hook_enabled:
        description: "Использовать ли кастомный url хук для оповещений (должен лежать в vault секрете проекта)"
        default: false
        required: false
        type: boolean
      notification_channel:
        description: "Канал для оповещений о результатах деплоя"
        default: internal_projects_notifications
        required: false
        type: string
      werf_debug:
        default: false
        required: false
        type: boolean
    secrets:
      VAULT_ROLE_ID:
        required: true
      VAULT_SECRET_ID:
        required: true

env:
  vault_main_base_path: dev/wilix/main/data/ci

jobs:
  converge:
    name: Deploy stand
    runs-on: ubuntu-latest
    steps:

      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # FIXME Эти секреты нужно будет сделать полностью различными для проектов, идеально - краткосрочные генерируемые vault
      - id: import-secrets
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            dev/wilix/main/data/ci local_cluster_kube_config_base64 ;
            dev/wilix/main/data/ci docker_registry_username ;
            dev/wilix/main/data/ci docker_registry_password ;

      - name: Login to nexus docker
        uses: https://github.com/docker/login-action@v2
        with:
          registry: ${{ inputs.docker_repo_path }}
          username: ${{ steps.import-secrets.outputs.docker_registry_username }}
          password: ${{ steps.import-secrets.outputs.docker_registry_password }}

      - name: Install werf
        uses: https://github.com/werf/actions/install@v1.2

      - name: Add helm repositories
        run: |
          werf helm repo add wilix-dysnix https://artifacts.wilix.dev/repository/helm-dysnix
          werf helm repo add wilix-bitnami https://artifacts.wilix.dev/repository/helm-bitnami

      - name: Get werf secret key if need
        if: ${{ inputs.has_secrets }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ inputs.vault_secrets_base_path }} ${{ inputs.werf_secret_key_vault_location }} | WERF_SECRET_KEY ;

      - name: Setup secrets if need
        if: ${{ inputs.has_secrets }}
        run: echo "WERF_SECRET_VALUES_STAND=.helm/secret-values-${{ inputs.stand_name }}.yaml" >> "$GITHUB_ENV"

      - name: Setup debug if need
        if: ${{ inputs.werf_debug }}
        run: echo "WERF_LOG_DEBUG=true" >> "$GITHUB_ENV"

      - name: Deploy
        run: werf converge
        env:
          WERF_ENV: ${{ inputs.stand_name }}
          WERF_VALUES_STAND: '.helm/values-${{ inputs.stand_name }}.yaml'
          WERF_NAMESPACE: ${{ inputs.kube_namespace }}
          WERF_REPO: ${{ inputs.docker_repo_path }}/${{ inputs.docker_images_path }}
          WERF_KUBECONFIG_BASE64: ${{ steps.import-secrets.outputs.local_cluster_kube_config_base64 }}

      - name: Get general notification url
        if: ${{ inputs.notification_enabled && ! inputs.custom_notification_hook_enabled && (job.status == 'success' || job.status == 'failure') }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ env.vault_main_base_path }} notification_url | MATTERMOST_WEBHOOK_URL ;

      - name: Get custom notification url
        if: ${{ inputs.notification_enabled && inputs.custom_notification_hook_enabled && (job.status == 'success' || job.status == 'failure') }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ inputs.vault_secrets_base_path }} notification_url | MATTERMOST_WEBHOOK_URL ;

      - name: prepare success notification body
        uses: https://github.com/finnp/create-file-action@master
        if: ${{ inputs.notification_enabled }}
        env:
          FILE_NAME: "mattermost.json"
          FILE_DATA: |
            {
              "channel": "${{ inputs.notification_channel }}",
              "attachments": [
                {
                  "fallback": "Деплой прошел успешно для ${{ gitea.repository }}",
                  "text": "Деплой прошел успешно для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
                  "color": "#00FF00",
                  "fields": [
                    {
                      "short": true,
                      "title": "Сборка",
                      "value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
                    }
                  ]
                }
              ]
            }

      - name: prepare failed notification body
        uses: https://github.com/finnp/create-file-action@master
        if: ${{ inputs.notification_enabled && failure() }}
        env:
          FILE_NAME: "mattermost.json"
          FILE_DATA: |
            {
              "channel": "${{ inputs.notification_channel }}",
              "attachments": [
                {
                  "fallback": "Деплой упал для ${{ gitea.repository }}",
                  "text": "Деплой упал для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
                  "color": "#FF0000",
                  "fields": [
                    {
                      "short": true,
                      "title": "Сборка",
                      "value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
                    }
                  ]
                }
              ]
            }

      - name: loop fail notification
        uses: https://github.com/mattermost/action-mattermost-notify@master
        if: ${{ inputs.notification_enabled && (job.status == 'success' || job.status == 'failure') }}