alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 10 Actions 2 Activity

Compare commits

base: alexlebens:74e89b676896d6ae7a31ee5be0881f6853b48db7
Branches Tags
alexlebens:main alexlebens:renovate/meilisearch-0.x alexlebens:renovate/traefik-crds-1.x alexlebens:renovate/migrate-config alexlebens:renovate/cilium-1.x alexlebens:renovate/unified-goharborregistry-photon alexlebens:renovate/unified-goharborharbor-registryctl alexlebens:renovate/unified-goharborharbor-portal alexlebens:renovate/unified-goharborharbor-jobservice alexlebens:renovate/unified-goharborharbor-exporter alexlebens:renovate/unified-goharborharbor-core alexlebens:dev alexlebens:manifests
..
compare: alexlebens:main
Branches Tags
alexlebens:renovate/meilisearch-0.x alexlebens:renovate/traefik-crds-1.x alexlebens:renovate/migrate-config alexlebens:renovate/cilium-1.x alexlebens:renovate/unified-goharborregistry-photon alexlebens:renovate/unified-goharborharbor-registryctl alexlebens:renovate/unified-goharborharbor-portal alexlebens:renovate/unified-goharborharbor-jobservice alexlebens:renovate/unified-goharborharbor-exporter alexlebens:renovate/unified-goharborharbor-core alexlebens:main alexlebens:dev alexlebens:manifests

16 Commits
74e89b6768 ... main

Author SHA1 Message Date
Alex Lebens
dfdbc6bff5 dev (#4785)
Some checks are pending
render-manifests / render-manifests (push) Has started running
Details
renovate / renovate (push) Successful in 3m53s
Details 
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Reviewed-on: #4785
 2026-03-16 05:14:58 +00:00
Alex Lebens
b50508a71a dev (#4776)
All checks were successful
lint-test-helm / lint-helm (push) Successful in 1m1s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Successful in 2m27s
Details 
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Reviewed-on: #4776
 2026-03-15 22:51:25 +00:00
Renovate Bot
61cbec9fdd chore(deps): update harbor.alexlebens.net/images/site-documentation docker tag to v0.3.0 (#4775)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 24s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Has been cancelled
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [harbor.alexlebens.net/images/site-documentation](https://gitea.alexlebens.dev/alexlebens/site-documentation) | minor | `0.2.0` → `0.3.0` |

---

### Release Notes

<details>
<summary>alexlebens/site-documentation (harbor.alexlebens.net/images/site-documentation)</summary>

### [`v0.3.0`](https://gitea.alexlebens.dev/alexlebens/site-documentation/blob/HEAD/CHANGELOG.md#030-2026-03-15)

[Compare Source](https://gitea.alexlebens.dev/alexlebens/site-documentation/compare/0.2.0...0.3.0)

##### Features

- add and update pre-commit ([972bbff](972bbffb41))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #4775
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-03-15 22:50:30 +00:00
Renovate Bot
742d074c3f chore(deps): update ghcr.io/linuxserver/plex:1.43.0 docker digest to 84f8646 (#4773)
All checks were successful
lint-test-helm / lint-helm (push) Successful in 1m37s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Successful in 3m49s
Details
2026-03-15 22:34:42 +00:00
Alex Lebens
06b288e17c Merge (#4771)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 42s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Has been cancelled
Details 
Reviewed-on: #4771
 2026-03-15 22:32:42 +00:00
Alex Lebens
2278a4f048 feat: add and update pre-commit (#4770)
All checks were successful
renovate / renovate (push) Successful in 1m12s
Details 
Reviewed-on: #4770
 2026-03-15 21:57:31 +00:00
Alex Lebens
cdd4b0162a feat: remove old workflows (#4769)
All checks were successful
renovate / renovate (push) Successful in 2m46s
Details 
Reviewed-on: #4769
 2026-03-15 21:50:42 +00:00
Alex Lebens
2e7be7edbe feat: remove push render
All checks were successful
renovate / renovate (push) Successful in 2m6s
Details
2026-03-15 16:42:36 -05:00
Alex Lebens
383f29e421 feat: use vars
All checks were successful
renovate / renovate (push) Successful in 3m8s
Details
2026-03-15 16:27:31 -05:00
Alex Lebens
b43cdeba18 feat: use PR instead of date
All checks were successful
renovate / renovate (push) Successful in 1m48s
Details
2026-03-15 16:16:30 -05:00
Alex Lebens
bde7552ae1 feat: more specific condition for push event 2026-03-15 16:16:30 -05:00
Renovate Bot
3830d32c67 chore(deps): update freikin/dawarich docker tag to v1.3.4 (#4767)
All checks were successful
lint-test-helm / lint-helm (push) Successful in 29s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
render-manifests / render-manifests (push) Successful in 33s
Details
renovate / renovate (push) Successful in 2m44s
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [freikin/dawarich](https://github.com/Freika/dawarich) | patch | `1.3.3` → `1.3.4` |

---

### Release Notes

<details>
<summary>Freika/dawarich (freikin/dawarich)</summary>

### [`v1.3.4`](https://github.com/Freika/dawarich/blob/HEAD/CHANGELOG.md#134---2026-03-15)

[Compare Source](https://github.com/Freika/dawarich/compare/1.3.3...1.3.4)

##### Changed

- Redesigned onboarding modal with two paths: "I have data" (inline file import) and "Start tracking" (app download + QR code). New users with existing location data can now start importing within 2 clicks of signing up.
- Onboarding completion is now persisted server-side (`settings.onboarding_completed`) instead of relying solely on localStorage, preventing the modal from reappearing after browser data clears.
- Route opacity data migration now runs as a background job instead of inline during migration, improving deployment reliability for large instances.

##### Fixed

- Fix admin and supporter tooltip overflowing the page on narrow screens. [#&#8203;1449](https://github.com/Freika/dawarich/issues/1449)
- Fix date navigation arrow tooltips overlapping with the navbar on map pages. [#&#8203;2229](https://github.com/Freika/dawarich/issues/2229) [#&#8203;2100](https://github.com/Freika/dawarich/issues/2100)
- Fix infinite loading spinner when a trip has no points in its date range. [#&#8203;2293](https://github.com/Freika/dawarich/issues/2293)
- Fix Insights monthly digest panels disappearing when switching months. [#&#8203;2305](https://github.com/Freika/dawarich/issues/2305)
- Fix suggested visit confirm/decline not removing the visit from the list. [#&#8203;2307](https://github.com/Freika/dawarich/issues/2307)
- Fix Stats page reloading when clicking "countries, cities" link. [#&#8203;2270](https://github.com/Freika/dawarich/issues/2270)
- Fix map base layer selection not being restored after page reload (Maps v1). [#&#8203;2093](https://github.com/Freika/dawarich/issues/2093)
- Fix duplicate country names in stats caused by geocoder returning different spellings. [#&#8203;2044](https://github.com/Freika/dawarich/issues/2044)
- Fix total distance display overlapping layer picker when distance is in miles. [#&#8203;2017](https://github.com/Freika/dawarich/issues/2017)
- Fix default route opacity displaying as 6000% for new users. [#&#8203;1891](https://github.com/Freika/dawarich/issues/1891)
- Fix shared month stats map missing hexagons from the last day of the month. [#&#8203;1934](https://github.com/Freika/dawarich/issues/1934)
- Fix Nominatim reverse geocoder producing all places named "Suggested place" instead of actual place names. [#&#8203;2182](https://github.com/Freika/dawarich/issues/2182)
- Fix IDL-crossing route segmenter returning inconsistent coordinate types. `unwrapCoordinates` now always returns a uniform array-of-arrays structure. [#&#8203;2038](https://github.com/Freika/dawarich/issues/2038)
- Fix a migration taking too long. [#&#8203;2375](https://github.com/Freika/dawarich/issues/2375)
- Fix family sharing not including the requesting user's own location. [#&#8203;2153](https://github.com/Freika/dawarich/issues/2153)
- The "Destroy" button on the trip page is now orange. [#&#8203;2348](https://github.com/Freika/dawarich/issues/2348)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlIiwiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4767
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-03-15 21:06:09 +00:00
Renovate Bot
92892732d0 chore(deps): update dependency freika/dawarich to v1.3.4 (#4766)
All checks were successful
render-manifests / render-manifests (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 17s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Successful in 1m33s
Details
2026-03-15 20:49:21 +00:00
Renovate Bot
d71b0597cc chore(deps): update dependency binwiederhier/ntfy to v2.19.0 (#4755)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 11s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
render-manifests / render-manifests (push) Successful in 33s
Details
renovate / renovate (push) Has been cancelled
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [binwiederhier/ntfy](https://github.com/binwiederhier/ntfy) | minor | `2.18.0` → `2.19.0` |
| [binwiederhier/ntfy](https://ntfy.sh/) ([source](https://github.com/binwiederhier/ntfy)) | minor | `v2.18.0` → `v2.19.0` |

---

### Release Notes

<details>
<summary>binwiederhier/ntfy (binwiederhier/ntfy)</summary>

### [`v2.19.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.19.0)

[Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.18.0...v2.19.0)

This is a fast-follow release that enables Postgres read replica support.

To offload read-heavy queries from the primary database, you can optionally configure one or more read replicas using the `database-replica-urls` option. When configured, non-critical read-only queries (e.g. fetching messages, checking access permissions, etc) are distributed across the replicas using round-robin, while all writes and correctness-critical reads continue to go to the primary. If a replica becomes unhealthy, ntfy automatically falls back to the primary until the replica recovers.

**Features:**

- Support [PostgreSQL read replicas](https://docs.ntfy.sh/config/#postgresql-experimental) for offloading non-critical read queries via `database-replica-urls` config option ([#&#8203;1648](https://github.com/binwiederhier/ntfy/pull/1648))
- Add interactive [config generator](https://docs.ntfy.sh/config/#config-generator) to the documentation to help create server configuration files ([#&#8203;1654](https://github.com/binwiederhier/ntfy/pull/1654))

**Bug fixes + maintenance:**

- Web: Throttle notification sound in web app to play at most once every 2 seconds (similar to [#&#8203;1550](https://github.com/binwiederhier/ntfy/issues/1550), thanks to [@&#8203;jlaffaye](https://github.com/jlaffaye) for reporting)
- Web: Add hover tooltips to icon buttons in web app account and preferences pages ([#&#8203;1565](https://github.com/binwiederhier/ntfy/issues/1565), thanks to [@&#8203;jermanuts](https://github.com/jermanuts) for reporting)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4755
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-03-15 20:46:41 +00:00
Alex Lebens
1a70faa2e9 feat: use the user url for messages
All checks were successful
renovate / renovate (push) Successful in 2m4s
Details
2026-03-15 15:40:46 -05:00
Alex Lebens
e1e54e567d feat: more specific condition for push event 2026-03-15 15:40:46 -05:00
19 changed files with 174 additions and 1842 deletions
Expand all files Collapse all files

2
.gitea/workflows/lint-test-docker.yaml
View File

@@ -131,4 +131,4 @@ jobs:
tags: action,failed tags: action,failed
details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}" details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}"
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Logs", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'

8
.gitea/workflows/lint-test-helm.yaml
View File

@@ -218,9 +218,9 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed tags: action,failed
details: "Helm linting for cluster '${CLUSTER}' failed on charts: ${{ steps.lint.outputs.failed-charts }}" details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
image: true image: true
validate-kubeconform: validate-kubeconform:
@@ -361,7 +361,7 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed tags: action,failed
details: "Kubeconform for cluster '${CLUSTER}' failed on charts: ${{ steps.validate.outputs.failed-charts }}" details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
image: true image: true

463
.gitea/workflows/render-manifests-automerge.yaml
View File

@@ -1,463 +0,0 @@
name: render-manifests-automerge
on:
workflow_dispatch:
# pull_request:
# branches:
# - main
# paths:
# - 'clusters/cl01tl/helm/**'
# types:
# - closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME_BASE: auto/update-manifests-automerge
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-automerge:
runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Cache Helm Dependencies
uses: actions/cache@v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Prepare Manifest Branch
id: prepare-manifest-branch
run: |
cd ${MANIFEST_DIR}
BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
echo ""
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ""
echo ">> Creating branch ..."
git checkout -b $BRANCH_NAME
echo "----"
echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Checking for changes from HEAD^..HEAD ..."
# Extract the chart names from the git diff
RENDER_DIR=$(git diff --name-only HEAD^..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
if [ -n "${RENDER_DIR}" ]; then
echo ""
echo ">> Directories to Render:"
echo "${RENDER_DIR}"
echo "----"
echo "changes-detected=true" >> "$GITEA_OUTPUT"
echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
echo "EOF" >> "$GITEA_OUTPUT"
else
echo ""
echo ">> No chart changes detected"
echo "changes-detected=false" >> "$GITEA_OUTPUT"
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Adding repositories for chart dependencies ..."
for DIR in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ""
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Remove manfiest files and rebuild from source ..."
for DIR in ${RENDER_DIR}; do
CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
echo "${CHART_PATH}"
rm -rf ${CHART_PATH}/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ""
echo ">> Rendering Manifests ..."
render_chart() {
local DIR="$1"
local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
echo ""
echo ">> Rendering ..."
echo ">> Chart: ${CHART_NAME}"
echo ">> Path: ${CHART_PATH}"
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
mkdir -p "${OUTPUT_FOLDER}"
cd "${CHART_PATH}"
echo ""
echo ">> Updating helm dependencies ..."
helm dependency update --skip-refresh > /dev/null
echo ""
echo ">> Linting helm chart ..."
helm lint --namespace "${CHART_NAME}" --quiet
local NAMESPACE="${CHART_NAME}"
case "${CHART_NAME}" in
"stack")
NAMESPACE="argocd"
echo ""
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ""
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
*)
echo ""
echo ">> Standard Rendering for ${CHART_NAME} ..."
esac
echo ""
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
echo ""
fi
}
export -f render_chart
export MAIN_DIR CLUSTER MANIFEST_DIR
# Run rendering in parallel
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
GIT_CHANGES=$(git status --porcelain)
if [ -n "${GIT_CHANGES}" ]; then
echo ""
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ""
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after automerge"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ""
echo ">> Pushing changes to ${REPO_URL} ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
echo "----"
echo "push=true" >> "$GITEA_OUTPUT"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${BRANCH_NAME}" \
--arg base "${BASE_BRANCH}" \
--arg title "Automated Manifest Update - Automerge" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
'{head: $head, base: $base, title: $title, body: $body}' )
echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo ">> Pull Request URL: $PR_URL"
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_NUMBER=$(cat response_body.json | jq -r .number)
echo ">> Pull Request Number: $PR_NUMBER"
echo "pull-request-number=${PR_NUMBER}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: Merge Changes
id: merge-changes
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
PAYLOAD=$( jq -n \
--arg Do "merge" \
'{Do: $Do}' )
echo ">> Merging PR with ID: ${PR_NUMBER}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ]; then
echo ">> Pull Request merged successfully!"
echo "pull-request-operation=merged" >> $GITEA_OUTPUT
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
echo "pull-request-operation=failed" >> $GITEA_OUTPUT
exit 1
fi
echo "----"
- name: Cleanup Branch
if: failure()
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd ${MANIFEST_DIR}
echo ">> Removing branch: ${BRANCH_NAME}"
git push origin --delete ${BRANCH_NAME}
echo "----"
- name: ntfy Merged
uses: niniyas/ntfy-action@master
if: steps.merge-changes.outputs.pull-request-operation == 'merged'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Merged - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Automerge Manifest rendering for Infrastructure!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Automerge Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
image: true

445
.gitea/workflows/render-manifests-dispatch.yaml
View File

@@ -1,445 +0,0 @@
name: render-manifests-dispatch
on:
workflow_dispatch:
# schedule:
# - cron: '0 15 * * *'
# workflow_dispatch:
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-dispatch:
runs-on: ubuntu-js
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Cache Helm Dependencies
uses: actions/cache@v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Prepare Manifest Branch
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ""
echo ">> Checking if PR branch exists ..."
if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
echo ""
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ""
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b "${BRANCH_NAME}"
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Triggered on dispatch, will check all paths ..."
# Extract names of charts
RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
if [ -n "${RENDER_DIR}" ]; then
echo ""
echo ">> Directories to Render:"
echo "${RENDER_DIR}"
echo "----"
echo "changes-detected=true" >> "$GITEA_OUTPUT"
echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
echo "EOF" >> "$GITEA_OUTPUT"
else
echo ">> No directories found"
echo "changes-detected=false" >> "$GITEA_OUTPUT"
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Adding repositories for chart dependencies ..."
for DIR in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ""
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Remove manfiest files and rebuild from source ..."
for DIR in ${RENDER_DIR}; do
CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
echo "${CHART_PATH}"
rm -rf ${CHART_PATH}/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ""
echo ">> Rendering Manifests ..."
render_chart() {
local DIR="$1"
local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
echo ""
echo ">> Rendering ..."
echo ">> Chart: ${CHART_NAME}"
echo ">> Path: ${CHART_PATH}"
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
mkdir -p "${OUTPUT_FOLDER}"
cd "${CHART_PATH}"
echo ""
echo ">> Updating helm dependencies ..."
helm dependency update --skip-refresh > /dev/null
echo ""
echo ">> Linting helm chart ..."
helm lint --namespace "${CHART_NAME}" --quiet
local NAMESPACE="${CHART_NAME}"
case "${CHART_NAME}" in
"stack")
NAMESPACE="argocd"
echo ""
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ""
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
*)
echo ""
echo ">> Standard Rendering for ${CHART_NAME} ..."
esac
echo ""
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
echo ""
fi
}
export -f render_chart
export MAIN_DIR CLUSTER MANIFEST_DIR
# Run rendering in parallel
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
GIT_CHANGES=$(git status --porcelain)
if [ -n "${GIT_CHANGES}" ]; then
echo ""
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ""
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ""
echo ">> Pushing changes to ${REPO_URL} ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
echo "push=true" >> "$GITEA_OUTPUT"
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

451
.gitea/workflows/render-manifests-merge.yaml
View File

@@ -1,451 +0,0 @@
name: render-manifests-merge
on:
workflow_dispatch:
# pull_request:
# branches:
# - main
# paths:
# - 'clusters/cl01tl/helm/**'
# types:
# - closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-merge:
runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Cache Helm Dependencies
uses: actions/cache@v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Prepare Manifest Branch
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ""
echo ">> Checking if PR branch exists ..."
if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
echo ""
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ""
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b "${BRANCH_NAME}"
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Checking for changes from HEAD^..HEAD ..."
# Extract the chart names from the git diff
RENDER_DIR=$(git diff --name-only HEAD^..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
if [ -n "${RENDER_DIR}" ]; then
echo ""
echo ">> Directories to Render:"
echo "${RENDER_DIR}"
echo "----"
echo "changes-detected=true" >> "$GITEA_OUTPUT"
echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
echo "EOF" >> "$GITEA_OUTPUT"
else
echo ""
echo ">> No chart changes detected"
echo "changes-detected=false" >> "$GITEA_OUTPUT"
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Adding repositories for chart dependencies ..."
for DIR in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ""
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Remove manfiest files and rebuild from source ..."
for DIR in ${RENDER_DIR}; do
CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
echo "${CHART_PATH}"
rm -rf ${CHART_PATH}/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ""
echo ">> Rendering Manifests ..."
render_chart() {
local DIR="$1"
local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
echo ""
echo ">> Rendering ..."
echo ">> Chart: ${CHART_NAME}"
echo ">> Path: ${CHART_PATH}"
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
mkdir -p "${OUTPUT_FOLDER}"
cd "${CHART_PATH}"
echo ""
echo ">> Updating helm dependencies ..."
helm dependency update --skip-refresh > /dev/null
echo ""
echo ">> Linting helm chart ..."
helm lint --namespace "${CHART_NAME}" --quiet
local NAMESPACE="${CHART_NAME}"
case "${CHART_NAME}" in
"stack")
NAMESPACE="argocd"
echo ""
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ""
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
*)
echo ""
echo ">> Standard Rendering for ${CHART_NAME} ..."
esac
echo ""
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
echo ""
fi
}
export -f render_chart
export MAIN_DIR CLUSTER MANIFEST_DIR
# Run rendering in parallel
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
GIT_CHANGES=$(git status --porcelain)
if [ -n "${GIT_CHANGES}" ]; then
echo ""
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ""
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ""
echo ">> Pushing changes to ${REPO_URL} ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
echo "push=true" >> "$GITEA_OUTPUT"
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

449
.gitea/workflows/render-manifests-push.yaml
View File

@@ -1,449 +0,0 @@
name: render-manifests-push
on:
workflow_dispatch:
# push:
# branches:
# - main
# paths:
# - 'clusters/cl01tl/helm/**'
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-push:
runs-on: ubuntu-js
if: gitea.event.commits[0].author.username != 'renovate-bot'
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Cache Helm Dependencies
uses: actions/cache@v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Prepare Manifest Branch
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
echo ""
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ""
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b "${BRANCH_NAME}"
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Checking for changes ..."
# Extract the chart names from the git diff
RENDER_DIR=$(git diff --name-only ${{ gitea.event.before }}..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
if [ -n "${RENDER_DIR}" ]; then
echo ""
echo ">> Directories to Render:"
echo "${RENDER_DIR}"
echo "----"
echo "changes-detected=true" >> "$GITEA_OUTPUT"
echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
echo "EOF" >> "$GITEA_OUTPUT"
else
echo ""
echo ">> No chart changes detected"
echo "changes-detected=false" >> "$GITEA_OUTPUT"
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ""
echo ">> Adding repositories for chart dependencies ..."
for DIR in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ""
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Remove manfiest files and rebuild from source ..."
for DIR in ${RENDER_DIR}; do
CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
echo ""
echo "${CHART_PATH}"
rm -rf ${CHART_PATH}/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ""
echo ">> Rendering Manifests ..."
render_chart() {
local DIR="$1"
local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
echo ""
echo ">> Rendering ..."
echo ">> Chart: ${CHART_NAME}"
echo ">> Path: ${CHART_PATH}"
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
mkdir -p "${OUTPUT_FOLDER}"
cd "${CHART_PATH}"
echo ""
echo ">> Updating helm dependencies ..."
helm dependency update --skip-refresh > /dev/null
echo ""
echo ">> Linting helm chart ..."
helm lint --namespace "${CHART_NAME}" --quiet
local NAMESPACE="${CHART_NAME}"
case "${CHART_NAME}" in
"stack")
NAMESPACE="argocd"
echo ""
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ""
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
*)
echo ""
echo ">> Standard Rendering for ${CHART_NAME} ..."
esac
echo ""
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
echo ""
fi
}
export -f render_chart
export MAIN_DIR CLUSTER MANIFEST_DIR
# Run rendering in parallel
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
GIT_CHANGES=$(git status --porcelain)
if [ -n "${GIT_CHANGES}" ]; then
echo ""
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ""
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
echo ""
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ""
echo ">> Pushing changes to ${REPO_URL} ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
echo "push=true" >> "$GITEA_OUTPUT"
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

32
.gitea/workflows/render-manifests.yaml
View File

@@ -6,12 +6,6 @@ on:
workflow_dispatch: workflow_dispatch:
push:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
pull_request: pull_request:
branches: branches:
- main - main
@@ -34,7 +28,6 @@ jobs:
if: >- if: >-
github.event_name == 'schedule' || github.event_name == 'schedule' ||
github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_dispatch' ||
(github.event_name == 'push' && github.actor != 'renovate-bot') ||
(github.event_name == 'pull_request' && github.event.pull_request.merged == true) (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
steps: steps:
- name: Checkout Main - name: Checkout Main
@@ -95,10 +88,6 @@ jobs:
DIFF_TARGET="HEAD^..HEAD" DIFF_TARGET="HEAD^..HEAD"
elif [[ "${{ github.event_name }}" == "push" ]]; then
echo ">> Mode: Push (Standard)"
DIFF_TARGET="${{ github.event.before }}..HEAD"
fi fi
echo "" echo ""
@@ -111,6 +100,7 @@ jobs:
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
id: prepare-manifest-branch id: prepare-manifest-branch
env: env:
PR_NUMBER: ${{ github.event.pull_request.number }}
IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }} IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
run: | run: |
cd "${MANIFEST_DIR}" cd "${MANIFEST_DIR}"
@@ -120,10 +110,10 @@ jobs:
git config user.email "gitea-bot@alexlebens.net" git config user.email "gitea-bot@alexlebens.net"
if [[ "$IS_AUTOMERGE" == "true" ]]; then if [[ "$IS_AUTOMERGE" == "true" ]]; then
BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
echo "" echo ""
echo ">> Creating branch ${BRANCH_NAME} ..." echo ">> Creating branch ${BRANCH_NAME} ..."
BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-$(date +%Y%m%d%H%M%S)" git checkout -B "$BRANCH_NAME"
git checkout -b "$BRANCH_NAME"
else else
echo "" echo ""
@@ -416,7 +406,6 @@ jobs:
echo "----" echo "----"
echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT" echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
echo "pull-request-url=$(cat response_body.json | jq -r .[0].html_url)" >> "$GITHUB_OUTPUT"
else else
echo "" echo ""
@@ -468,7 +457,6 @@ jobs:
echo "" echo ""
echo "----" echo "----"
echo "pull-request-url=$(jq -r .html_url response_body.json)" >> "$GITHUB_OUTPUT"
echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT" echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT" echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
echo "pull-request-operation=created" >> "$GITHUB_OUTPUT" echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
@@ -589,9 +577,9 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed tags: action,successfully,completed
details: "Created renderd manifests for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}" details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]' actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Updated - name: ntfy Updated
uses: niniyas/ntfy-action@master uses: niniyas/ntfy-action@master
@@ -603,9 +591,9 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed tags: action,successfully,completed
details: "Updated rendered manifests PR for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}" details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.check-for-pull-request.outputs.pull-request-url }}", "clear": true}]' actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Merged - name: ntfy Merged
uses: niniyas/ntfy-action@master uses: niniyas/ntfy-action@master
@@ -617,9 +605,9 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed tags: action,successfully,completed
details: "Automerged manifest rendering for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}" details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]' actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Failed - name: ntfy Failed
uses: niniyas/ntfy-action@master uses: niniyas/ntfy-action@master
@@ -633,4 +621,4 @@ jobs:
tags: action,failed tags: action,failed
details: "Manifest rendering for Infrastructure has failed!" details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View Logs", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'

6
.pre-commit-config.yaml
View File

@@ -1,6 +1,6 @@
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v2.3.0 rev: v6.0.0
hooks: hooks:
- id: end-of-file-fixer - id: end-of-file-fixer
- id: trailing-whitespace - id: trailing-whitespace
@@ -9,7 +9,9 @@ repos:
exclude: '^.*\/templates\/.*$' exclude: '^.*\/templates\/.*$'
args: args:
- --multi - --multi
- id: check-merge-conflict
- id: check-json
- repo: https://github.com/IamTheFij/docker-pre-commit - repo: https://github.com/IamTheFij/docker-pre-commit
rev: v2.0.0 rev: v3.0.1
hooks: hooks:
- id: docker-compose-check - id: docker-compose-check

2
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -26,4 +26,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich # renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.3.3 appVersion: 1.3.4

4
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -9,7 +9,7 @@ dawarich:
main: main:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.3.3 tag: 1.3.4
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
command: ["web-entrypoint.sh"] command: ["web-entrypoint.sh"]
args: ["bin/rails", "server", "-p", "3000", "-b", "::"] args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
@@ -106,7 +106,7 @@ dawarich:
sidekiq: sidekiq:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.3.3 tag: 1.3.4
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
command: ["sidekiq-entrypoint.sh"] command: ["sidekiq-entrypoint.sh"]
args: ["sidekiq"] args: ["sidekiq"]

19
clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
View File

@@ -358,6 +358,25 @@ spec:
resyncPeriod: 1h resyncPeriod: 1h
url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
name: grafana-dashboard-tdarr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-tdarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
instanceSelector:
matchLabels:
app: grafana-main
contentCacheDuration: 1h
folderUID: grafana-folder-service
resyncPeriod: 1h
url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json
--- ---
apiVersion: grafana.integreatly.org/v1beta1 apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard kind: GrafanaDashboard

2
clusters/cl01tl/helm/plex/values.yaml
View File

@@ -9,7 +9,7 @@ plex:
main: main:
image: image:
repository: ghcr.io/linuxserver/plex repository: ghcr.io/linuxserver/plex
tag: 1.43.0@sha256:79dfc89947410ec120a3e34cf68f746f6f154de20772e6f27b9998ca9bd65a5e tag: 1.43.0@sha256:84f8646e799f6636876ab4f283d9fc8f6c51d56098ea74cba82bfb85074b68df
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ

2
clusters/cl01tl/helm/site-documentation/values.yaml
View File

@@ -11,7 +11,7 @@ site-documentation:
main: main:
image: image:
repository: harbor.alexlebens.net/images/site-documentation repository: harbor.alexlebens.net/images/site-documentation
tag: 0.2.0 tag: 0.3.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
resources: resources:
requests: requests:

1
clusters/cl01tl/helm/tdarr/values.yaml
View File

@@ -165,6 +165,7 @@ tdarr:
tdarr-exporter: tdarr-exporter:
image: image:
name: homeylab/tdarr-exporter name: homeylab/tdarr-exporter
# renovate: datasource=docker depName=homeylab/tdarr-exporter
tag: 1.4.2 tag: 1.4.2
metrics: metrics:
serviceMonitor: serviceMonitor:

6
clusters/cl01tl/helm/trivy/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: trivy-operator
repository: https://aquasecurity.github.io/helm-charts/
version: 0.32.1
digest: sha256:7e25850fc3115f52e6c65151c76668929eee6713228e935862d9f156397c2ede
generated: "2026-03-15T17:21:41.373519-05:00"

23
clusters/cl01tl/helm/trivy/Chart.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v2
name: trivy
version: 1.0.0
description: Trivy
keywords:
- trivy
- vulnerability
- monitoring
- kubernetes
home: https://wiki.alexlebens.dev/s/
sources:
- https://github.com/aquasecurity/trivy
- https://github.com/aquasecurity/trivy-operator
- https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
maintainers:
- name: alexlebens
dependencies:
- name: trivy-operator
version: 0.32.1
repository: https://aquasecurity.github.io/helm-charts/
icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
# renovate: github=aquasecurity/trivy
appVersion: 0.32.1

11
clusters/cl01tl/helm/trivy/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Namespace
metadata:
name: trivy
labels:
app.kubernetes.io/name: trivy
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

87
clusters/cl01tl/helm/trivy/values.yaml Normal file
View File

@@ -0,0 +1,87 @@
trivy-operator:
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
operator:
replicas: 1
scanJobsConcurrentLimit: 3
vulnerabilityScannerEnabled: true
sbomGenerationEnabled: true
clusterSbomCacheEnabled: true
configAuditScannerEnabled: true
rbacAssessmentScannerEnabled: true
infraAssessmentScannerEnabled: true
clusterComplianceEnabled: false
vulnerabilityScannerScanOnlyCurrentRevisions: true
accessGlobalSecretsAndServiceAccount: true
metricsFindingsEnabled: true
exposedSecretScannerEnabled: true
serviceMonitor:
enabled: true
trivy:
createConfig: true
image:
registry: mirror.gcr.io
repository: aquasec/trivy
tag: 0.69.3
storageClassEnabled: true
storageClassName: ceph-block
storageSize: "10Gi"
registry:
mirror:
"registry-1.docker.io": proxy-registry-1.docker.io
"quay.io": proxy-quay.io
"registry.k8s.io": proxy-registry.k8s
"gcr.io": proxy-gcr.io
"ghcr.io": proxy-ghcr.io
"hub.docker": proxy-hub.docker
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
slow: true
resources:
requests:
cpu: 100m
memory: 128M
supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
server:
resources:
requests:
cpu: 200m
memory: 512Mi
replicas: 1
nodeCollector:
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etc-cni-netd
mountPath: /etc/cni/net.d/
readOnly: true
volumes:
- name: var-lib-etcd
hostPath:
path: /var/lib/etcd
- name: var-lib-kubelet
hostPath:
path: /var/lib/kubelet
- name: var-lib-kube-scheduler
hostPath:
path: /var/lib/kube-scheduler
- name: var-lib-kube-controller-manager
hostPath:
path: /var/lib/kube-controller-manager
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d/

3
renovate.json
View File

@@ -57,6 +57,9 @@
"labels": [], "labels": [],
"prHourlyLimit": 0, "prHourlyLimit": 0,
"prConcurrentLimit": 0, "prConcurrentLimit": 0,
"baseBranches": [
"main"
],
"packageRules": [ "packageRules": [
{ {
"description": "Label charts", "description": "Label charts",