183 lines
7.1 KiB
YAML
183 lines
7.1 KiB
YAML
name: "Deploy stand by werf to kubernetes"
|
||
on:
|
||
workflow_call:
|
||
inputs:
|
||
stand_name:
|
||
description: 'Общее наименование стенда'
|
||
required: true
|
||
type: string
|
||
kube_namespace:
|
||
description: 'Местоположение для деплоя в кластере'
|
||
required: true
|
||
type: string
|
||
docker_repo_path:
|
||
default: private.docker.wilix.dev
|
||
required: false
|
||
type: string
|
||
docker_images_path:
|
||
description: 'Относительный путь для образов проекта'
|
||
required: true
|
||
type: string
|
||
vault_secrets_base_path:
|
||
description: 'Базовый путь для секретов проекта в vault'
|
||
required: true
|
||
type: string
|
||
has_secrets:
|
||
default: true
|
||
required: false
|
||
type: boolean
|
||
werf_secret_key_vault_location:
|
||
description: "Имя секрета, содержащего ключ для дешифрования werf, расположенного по базовому пути в vault"
|
||
default: werf_secret_key
|
||
required: false
|
||
type: string
|
||
notification_enabled:
|
||
description: "Включение оповещений о разворачивании, требуется иметь url для оповещений в vault"
|
||
default: true
|
||
required: false
|
||
type: boolean
|
||
notification_channel:
|
||
description: "Канал для оповещений о результатах деплоя"
|
||
default: internal_projects_notifications
|
||
required: false
|
||
type: string
|
||
werf_debug:
|
||
default: false
|
||
required: false
|
||
type: boolean
|
||
secrets:
|
||
VAULT_ROLE_ID:
|
||
required: true
|
||
VAULT_SECRET_ID:
|
||
required: true
|
||
|
||
jobs:
|
||
converge:
|
||
name: Deploy stand
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
|
||
- name: Checkout code
|
||
uses: actions/checkout@v3
|
||
with:
|
||
fetch-depth: 0
|
||
|
||
# FIXME Эти секреты нужно будет сделать полностью различными для проектов, идеально - краткосрочные генерируемые vault
|
||
- id: import-secrets
|
||
uses: https://github.com/hashicorp/vault-action@v2
|
||
with:
|
||
url: https://vault.wilix.dev
|
||
method: approle
|
||
roleId: ${{ secrets.VAULT_ROLE_ID }}
|
||
secretId: ${{ secrets.VAULT_SECRET_ID }}
|
||
secrets: |
|
||
dev/wilix/main/data/ci local_cluster_kube_config_base64 ;
|
||
dev/wilix/main/data/ci docker_registry_username ;
|
||
dev/wilix/main/data/ci docker_registry_password ;
|
||
|
||
- name: Login to nexus docker
|
||
uses: https://github.com/docker/login-action@v2
|
||
with:
|
||
registry: ${{ inputs.docker_repo_path }}
|
||
username: ${{ steps.import-secrets.outputs.docker_registry_username }}
|
||
password: ${{ steps.import-secrets.outputs.docker_registry_password }}
|
||
|
||
- name: Install werf
|
||
uses: https://github.com/werf/actions/install@v1.2
|
||
|
||
- name: Add helm repositories
|
||
run: |
|
||
werf helm repo add wilix-dysnix https://artifacts.wilix.dev/repository/helm-dysnix
|
||
werf helm repo add wilix-bitnami https://artifacts.wilix.dev/repository/helm-bitnami
|
||
|
||
- name: Get werf secret key if need
|
||
if: ${{ inputs.has_secrets }}
|
||
uses: https://github.com/hashicorp/vault-action@v2
|
||
with:
|
||
url: https://vault.wilix.dev
|
||
method: approle
|
||
roleId: ${{ secrets.VAULT_ROLE_ID }}
|
||
secretId: ${{ secrets.VAULT_SECRET_ID }}
|
||
secrets: |
|
||
${{ inputs.vault_secrets_base_path }} ${{ inputs.werf_secret_key_vault_location }} | WERF_SECRET_KEY ;
|
||
|
||
- name: Setup secrets if need
|
||
if: ${{ inputs.has_secrets }}
|
||
run: echo "WERF_SECRET_VALUES_STAND=.helm/secret-values-${{ inputs.stand_name }}.yaml" >> "$GITHUB_ENV"
|
||
|
||
- name: Setup debug if need
|
||
if: ${{ inputs.werf_debug }}
|
||
run: echo "WERF_LOG_DEBUG=true" >> "$GITHUB_ENV"
|
||
|
||
- name: Deploy
|
||
run: werf converge
|
||
env:
|
||
WERF_ENV: ${{ inputs.stand_name }}
|
||
WERF_VALUES_STAND: '.helm/values-${{ inputs.stand_name }}.yaml'
|
||
WERF_NAMESPACE: ${{ inputs.kube_namespace }}
|
||
WERF_REPO: ${{ inputs.docker_repo_path }}/${{ inputs.docker_images_path }}
|
||
WERF_KUBECONFIG_BASE64: ${{ steps.import-secrets.outputs.local_cluster_kube_config_base64 }}
|
||
|
||
- name: Get notification url
|
||
if: ${{ inputs.notification_enabled && (job.status == 'success' || job.status == 'failure') }}
|
||
uses: https://github.com/hashicorp/vault-action@v2
|
||
with:
|
||
url: https://vault.wilix.dev
|
||
method: approle
|
||
roleId: ${{ secrets.VAULT_ROLE_ID }}
|
||
secretId: ${{ secrets.VAULT_SECRET_ID }}
|
||
secrets: |
|
||
${{ inputs.vault_secrets_base_path }} notification_url | MATTERMOST_WEBHOOK_URL ;
|
||
|
||
- name: prepare success notification body
|
||
uses: https://github.com/finnp/create-file-action@master
|
||
if: ${{ inputs.notification_enabled }}
|
||
env:
|
||
FILE_NAME: "mattermost.json"
|
||
FILE_DATA: |
|
||
{
|
||
"channel": "${{ inputs.notification_channel }}",
|
||
"attachments": [
|
||
{
|
||
"fallback": "Деплой прошел успешно для ${{ gitea.repository }}",
|
||
"text": "Деплой прошел успешно для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
|
||
"color": "#00FF00",
|
||
"fields": [
|
||
{
|
||
"short": true,
|
||
"title": "Сборка",
|
||
"value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
|
||
- name: prepare failed notification body
|
||
uses: https://github.com/finnp/create-file-action@master
|
||
if: ${{ inputs.notification_enabled && failure() }}
|
||
env:
|
||
FILE_NAME: "mattermost.json"
|
||
FILE_DATA: |
|
||
{
|
||
"channel": "${{ inputs.notification_channel }}",
|
||
"attachments": [
|
||
{
|
||
"fallback": "Деплой упал для ${{ gitea.repository }}",
|
||
"text": "Деплой упал для ${{ gitea.repository }} в ${{ inputs.stand_name }}",
|
||
"color": "#FF0000",
|
||
"fields": [
|
||
{
|
||
"short": true,
|
||
"title": "Сборка",
|
||
"value": "https://git.wilix.dev/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
|
||
- name: loop fail notification
|
||
uses: https://github.com/mattermost/action-mattermost-notify@master
|
||
if: ${{ inputs.notification_enabled && (job.status == 'success' || job.status == 'failure') }}
|