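---
# Reusable (workflow_call) Gitea Actions pipeline: deploys a stand with werf into
# a Kubernetes namespace.  Kubeconfig, registry credentials, the werf secret key
# and the Mattermost webhook URL are all pulled from Vault via AppRole; a deploy
# notification is posted at the end on both success and failure.
name: "Deploy stand by werf to kubernetes"

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      stand_name:
        description: 'Общее наименование стенда'
        required: true
        type: string
      kube_namespace:
        description: 'Местоположение для деплоя в кластере'
        required: true
        type: string
      docker_repo_path:
        # Registry host, used for the docker login and as the WERF_REPO prefix.
        default: private.docker.wilix.dev
        required: false
        type: string
      docker_images_path:
        description: 'Относительный путь для образов проекта'
        required: true
        type: string
      vault_secrets_base_path:
        description: 'Базовый путь для секретов проекта в vault'
        required: true
        type: string
      has_secrets:
        # When true the werf decryption key is fetched from Vault and the
        # per-stand secret-values file is passed to werf converge.
        default: true
        required: false
        type: boolean
      werf_secret_key_vault_location:
        description: "Имя секрета, содержащего ключ для дешифрования werf, расположенного по базовому пути в vault"
        default: werf_secret_key
        required: false
        type: string
      notification_enabled:
        description: "Включение оповещений о разворачивании, требуется иметь url для оповещений в vault"
        default: true
        required: false
        type: boolean
      custom_notification_hook_enabled:
        description: "Использовать ли кастомный url хук для оповещений (должен лежать в vault секрете проекта)"
        default: false
        required: false
        type: boolean
      notification_channel:
        description: "Канал для оповещений о результатах деплоя"
        default: internal_projects_notifications
        required: false
        type: string
      werf_debug:
        # Sets WERF_LOG_DEBUG=true for the converge step.
        default: false
        required: false
        type: boolean
    secrets:
      VAULT_ROLE_ID:
        required: true
      VAULT_SECRET_ID:
        required: true

env:
  # Shared Vault KV path for CI-wide secrets (kubeconfig, registry login,
  # general notification webhook).  Project-specific secrets live under
  # inputs.vault_secrets_base_path instead.
  vault_main_base_path: dev/wilix/main/data/ci

jobs:
  converge:
    name: Deploy stand
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Full history; presumably needed by werf, which works off git — confirm.
          fetch-depth: 0

      # FIXME These secrets should be made fully distinct per project;
      # ideally short-lived credentials generated by Vault.
      # NOTE(review): every third-party `uses:` in this job references a mutable
      # tag or branch (@v2, @v3, @v1.2, @master).  Pinning to a commit SHA is the
      # usual supply-chain mitigation, especially for the two @master actions.
      - id: import-secrets
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          # Read from env.vault_main_base_path (same path the notification step
          # uses) so the two cannot drift apart.
          secrets: |
            ${{ env.vault_main_base_path }} local_cluster_kube_config_base64 ;
            ${{ env.vault_main_base_path }} docker_registry_username ;
            ${{ env.vault_main_base_path }} docker_registry_password ;

      - name: Login to nexus docker
        uses: https://github.com/docker/login-action@v2
        with:
          registry: ${{ inputs.docker_repo_path }}
          username: ${{ steps.import-secrets.outputs.docker_registry_username }}
          password: ${{ steps.import-secrets.outputs.docker_registry_password }}

      - name: Install werf
        uses: https://github.com/werf/actions/install@v1.2

      - name: Add helm repositories
        run: |
          werf helm repo add wilix-dysnix https://artifacts.wilix.dev/repository/helm-dysnix
          werf helm repo add wilix-bitnami https://artifacts.wilix.dev/repository/helm-bitnami

      # Exposes the project's werf decryption key as WERF_SECRET_KEY, which werf
      # reads to decrypt the secret-values file below.
      - name: Get werf secret key if need
        if: ${{ inputs.has_secrets }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ inputs.vault_secrets_base_path }} ${{ inputs.werf_secret_key_vault_location }} | WERF_SECRET_KEY ;

      # werf picks up WERF_SECRET_VALUES_* / WERF_VALUES_* as extra
      # --secret-values / --values files.  The input is passed through an env
      # var instead of being templated straight into the shell line, so a value
      # containing shell metacharacters cannot change the command.
      - name: Setup secrets if need
        if: ${{ inputs.has_secrets }}
        env:
          STAND_NAME: ${{ inputs.stand_name }}
        run: echo "WERF_SECRET_VALUES_STAND=.helm/secret-values-${STAND_NAME}.yaml" >> "$GITHUB_ENV"

      - name: Setup debug if need
        if: ${{ inputs.werf_debug }}
        run: echo "WERF_LOG_DEBUG=true" >> "$GITHUB_ENV"

      - name: Deploy
        run: werf converge
        env:
          WERF_ENV: ${{ inputs.stand_name }}
          WERF_VALUES_STAND: '.helm/values-${{ inputs.stand_name }}.yaml'
          WERF_NAMESPACE: ${{ inputs.kube_namespace }}
          WERF_REPO: ${{ inputs.docker_repo_path }}/${{ inputs.docker_images_path }}
          WERF_KUBECONFIG_BASE64: ${{ steps.import-secrets.outputs.local_cluster_kube_config_base64 }}

      # The notification steps must also run after a failed Deploy.  A step
      # `if:` that contains no status-check function gets an implicit
      # `success() &&`, so a bare `job.status == 'failure'` test can never be
      # true; `(success() || failure())` is used explicitly instead.  Cancelled
      # runs still send nothing.
      # Both vault steps below rename the secret to MATTERMOST_WEBHOOK_URL;
      # presumably the notify step at the end reads it from the environment —
      # verify against that action's version.
      - name: Get general notification url
        if: ${{ inputs.notification_enabled && ! inputs.custom_notification_hook_enabled && (success() || failure()) }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ env.vault_main_base_path }} notification_url | MATTERMOST_WEBHOOK_URL ;

      - name: Get custom notification url
        if: ${{ inputs.notification_enabled && inputs.custom_notification_hook_enabled && (success() || failure()) }}
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://vault.wilix.dev
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            ${{ inputs.vault_secrets_base_path }} notification_url | MATTERMOST_WEBHOOK_URL ;

      # Success and failure bodies write the same mattermost.json; their `if:`
      # conditions are mutually exclusive (implicit success() vs failure()).
      # NOTE(review): inputs.notification_channel and inputs.stand_name are
      # interpolated verbatim into JSON — a value containing a double quote
      # produces an invalid payload.
      - name: prepare success notification body
        uses: https://github.com/finnp/create-file-action@master
        if: ${{ inputs.notification_enabled }}
        env:
          FILE_NAME: "mattermost.json"
          FILE_DATA: |
            {
              "channel": "${{ inputs.notification_channel }}",
              "attachments": [
                {
                  "fallback": "Деплой прошел успешно для ${{ gitea.repository }}",
                  "text": "Деплой прошел успешно для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
                  "color": "#00FF00",
                  "fields": [
                    {
                      "short": true,
                      "title": "Сборка",
                      "value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
                    }
                  ]
                }
              ]
            }

      - name: prepare failed notification body
        uses: https://github.com/finnp/create-file-action@master
        if: ${{ inputs.notification_enabled && failure() }}
        env:
          FILE_NAME: "mattermost.json"
          FILE_DATA: |
            {
              "channel": "${{ inputs.notification_channel }}",
              "attachments": [
                {
                  "fallback": "Деплой упал для ${{ gitea.repository }}",
                  "text": "Деплой упал для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
                  "color": "#FF0000",
                  "fields": [
                    {
                      "short": true,
                      "title": "Сборка",
                      "value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
                    }
                  ]
                }
              ]
            }

      # Sends the prepared mattermost.json; runs on success and on failure.
      - name: loop fail notification
        uses: https://github.com/mattermost/action-mattermost-notify@master
        if: ${{ inputs.notification_enabled && (success() || failure()) }}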