-
Notifications
You must be signed in to change notification settings - Fork 0
247 lines (212 loc) · 8.5 KB
/
transform.yaml
File metadata and controls
247 lines (212 loc) · 8.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
name: Coral Secure Build
########
# Usage:
# * Update env.GITOPS_REPO to point to your own Cluster GitOps Repo
# * Create a GitHub Actions secret:
# * Name: GITOPS_PAT
# * Value: A Personal Access Token with the `repo` scope
########
on:
workflow_dispatch:
inputs:
zarf:
type: boolean
default: false
description: "Select to run Zarf package and upload."
push:
branches: [main]
concurrency: transform
env:
AZURE_LOG_ANALYTICS_KEY: ${{ secrets.AZURE_LOG_ANALYTICS_KEY }}
AZURE_LOG_ANALYTICS_WORKSPACE_ID: ${{ secrets.AZURE_LOG_ANALYTICS_WORKSPACE_ID }}
CORAL_LOG_FILE: coral.log
GITHUB_TOKEN: ${{ secrets.GITOPS_PAT }}
GITOPS_REPO: sweanan/error-fix-cp-gitops # TODO: Replace this with your own repository
SOPS_PUBLIC_KEY: ${{ secrets.SOPS_PUBLIC_KEY }}
SS_PUBLIC_KEY: ${{ secrets.SS_PUBLIC_KEY }}
# optional vars
DEPLOY_INFRA: ${{ secrets.DEPLOY_INFRA }} # defaults to true
AZURE_CLOUD: ${{ secrets.AZURE_CLOUD }} # defaults to AzureCloud
SOPS_KEY_NAME: ${{ secrets.SOPS_KEY_NAME }} # defaults to sops-age
WORKLOAD_NAME: ${{ secrets.WORKLOAD_NAME }} # defaults to ntwkobsv
REGION: ${{ secrets.REGION }} # defaults to eastus
DEPLOY_ENV: ${{ secrets.DEPLOY_ENV }} # defaults to dev
RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} # Is generated if not defined
STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} # Is generated if not defined
AKV_NAME: ${{ secrets.AKV_NAME }} # Is generated if not defined
ACR_NAME: ${{ secrets.ACR_NAME }} # Is generated if not defined
AKS_NAME: ${{ secrets.AKS_NAME }} # Is generated if not defined
VM_SIZE: ${{ secrets.VM_SIZE }} # defaults to standard_e2ds_v5
# Zarf vars for image retrieval if no ACR_NAME present
CONTAINER_REGISTRY_URL: ${{ secrets.CONTAINER_REGISTRY_URL }}
CONTAINER_REGISTRY_USER: ${{ secrets.CONTAINER_REGISTRY_USER }}
CONTAINER_REGISTRY_ACCESS_TOKEN: ${{ secrets.CONTAINER_REGISTRY_ACCESS_TOKEN }}
jobs:
transform:
runs-on: ubuntu-latest
steps:
- name: Check for ENV defaults
run: |
[[ -z $DEPLOY_INFRA ]] && echo "DEPLOY_INFRA=true" >> $GITHUB_ENV
[[ -z $AZURE_CLOUD ]] && echo "AZURE_CLOUD=AzureCloud" >> $GITHUB_ENV
[[ -z $SOPS_KEY_NAME ]] && echo "SOPS_KEY_NAME=sops-age" >> $GITHUB_ENV
echo "GITOPS_REPO_OWNER=$(echo $GITOPS_REPO | awk -F "/" '{ print $1 }')" >> $GITHUB_ENV
- name: Configure Git
run: |
git config --global user.name github-actions
git config --global user.email github-actions@github.com
git config --global credential.helper store
mkdir -p ~/.config/git
echo "https://git:${{ secrets.GITOPS_PAT }}@github.com/" > ~/.config/git/credentials
- name: Clone Control Plane Repo
uses: actions/checkout@v3
with:
repository: ${{ github.repository }}
path: "controlplane"
token: ${{ secrets.GITOPS_PAT }}
- name: Checkout tools-install repo
uses: actions/checkout@v3
with:
repository: benc-uk/tools-install
path: tools-install
- name: Bootstrap local tools
shell: bash
run: |
chmod +x tools-install/**.sh
echo $HOME
mkdir -p $HOME/.local/bin
ls -la $HOME/.local/bin
cd tools-install
./base.sh
./sops.sh
./kubectl.sh
./kustomize.sh
# ls -la $HOME/.local/bin
echo $PATH
- name: Install flux
shell: bash
run: curl -s https://fluxcd.io/install.sh | sudo bash
- name: Login to Azure Cloud with CLI
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ env.AZURE_CLOUD }}
- name: Deploy and Configure Infrastructure
working-directory: controlplane
shell: bash
run: bash infrastructure/deploy.sh --github
- name: Set ENV vars
working-directory: controlplane
shell: bash
run: |
if [[-f infrastructure/state ]]; then
echo "KEYVAULT_NAME=$(awk '/KEYVAULT_NAME/ { print $2 }' infrastructure/state)" >> $GITHUB_ENV
else
echo "KEYVAULT_NAME=$AKV_NAME" >> $GITHUB_ENV
fi
echo "$KEYVAULT_NAME"
USER_INPUT=${{ github.event.inputs.zarf }}
echo "RUN_ZARF=${USER_INPUT:-"false"}" >> $GITHUB_ENV
- name: Generate AGE keys
id: generate-age-keys
working-directory: controlplane
shell: bash
run: bash ./scripts/pipeline/generateAgeKeys.sh
- name: Deploy SOPS keys
working-directory: controlplane
shell: bash
run: bash ./scripts/pipeline/deploySopsKeys.sh
- name: Get AKV Secrets
shell: bash
run: bash ./controlplane/scripts/pipeline/populateSecrets.sh
- name: Update template references
working-directory: controlplane
run: |
sed -i -- "s|<PIPELINE-REPLACES-REPO>|${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}|g" templates/*.yaml
if [ -n "$(git status templates --porcelain)" ]; then
git add templates
[ -n "$(git diff-index --cached HEAD)" ] && git commit -m "[no ci] Updated template references"
git push origin
fi
- name: Clone Cluster GitOps Repo
uses: actions/checkout@v3
with:
repository: ${{ env.GITOPS_REPO }}
path: "gitops"
token: ${{ secrets.GITOPS_PAT }}
- name: Install Coral CLI
run: npm i -g @coraldev/cli
- name: Coral - Update Assignments
run: coral assign ./controlplane --verbose
- name: Commit Assignments
id: commit_assignments
working-directory: controlplane
run: |
if [ -n "$(git status assignments --porcelain)" ]; then
git add assignments
[ -n "$(git diff-index --cached HEAD)" ] && git commit -m "[no ci] Updated cluster assignments"
git push origin
else
echo "No new assignments"
fi
SHA=$(git rev-parse HEAD)
echo "::set-output name=SHA::$SHA"
- name: Coral - Render templates
run: coral render ./controlplane ./gitops --verbose
- name: Coral - Update GitOps repo
run: coral apply ./controlplane ./gitops --verbose
- name: Create the flux gotk files
shell: bash
run: bash ./controlplane/scripts/pipeline/createFluxGotk.sh
- name: Update patches with patchesStrategicMerge
working-directory: gitops
run: |
if [ -d clusters ]; then
echo "Update patches with patchesStrategicMerge inside"
find clusters -type f -iname kustomization.yaml -not -path *flux-system* -exec sed -i -e 's/patches:/patchesStrategicMerge:/g' {} \;
fi
- name: Add SOPS Provider
run: |
echo "Add SOPS Provider inside"
gotk_yamls=($(find gitops/clusters/dev -iwholename *flux-system/kustomization.yaml))
echo "found gotk_yamls: gotk_yamls"
for gotk_yamls in "${gotk_yamls[@]}"
do
echo "copying to $gotk_yamls "
cp controlplane/scripts/templates/gotk-kustomization.yaml "$gotk_yamls"
done
- name: Update Secrets
shell: bash
run: bash ./controlplane/scripts/pipeline/getUpdatedSecrets.sh
- name: Encrypt SOPS Secrets
shell: bash
run: bash ./controlplane/scripts/pipeline/encryptSecrets.sh
- name: Commit GitOps changes
working-directory: gitops
run: |
if [ -n "$(git status --porcelain)" ]; then
git pull
git add .
git commit -m "Update from control plane commit ${{ steps.commit_assignments.outputs.SHA }}"
git push origin main
else
echo "No changes made to cluster gitops repo"
fi
- name: Bootstrap Flux
working-directory: controlplane
shell: bash
run: bash ./scripts/pipeline/fluxBootStrap.sh --github
- name: Archive log file
if: always()
uses: actions/upload-artifact@v3
with:
name: coral-log-file
path: ${{ env.CORAL_LOG_FILE }}
- name: Package and Upload Zarf Tar
if: env.RUN_ZARF == 'true'
run: |
sudo ./controlplane/scripts/pipeline/installZarf.sh -v v0.23.2 -t cli
./controlplane/scripts/pipeline/uploadZarf.sh
# - name: Encrypt Sealed Secrets
# shell: bash
# run: bash ./controlplane/scripts/pipeline/encryptSecrets.sh ss