From bd7a43e1518606bd630111b9af23a945de541546 Mon Sep 17 00:00:00 2001
From: Mohand Ou Idir Belfares
Date: Wed, 17 Jun 2026 22:26:45 +0000
Subject: [PATCH] .gitea/workflows/
---
deploy.yml | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 157 insertions(+)
create mode 100644 deploy.yml
diff --git a/deploy.yml b/deploy.yml
new file mode 100644
index 0000000..b49daee
--- /dev/null
+++ b/deploy.yml
@@ -0,0 +1,157 @@
+name: Deploy Stack
+
+on:
+ workflow_dispatch:
+ inputs:
+ service:
+ description: "Service to deploy"
+ required: true
+ type: choice
+ options:
+ - all
+ - airflow
+ - keycloak
+ - keycloak-db
+ - nginx
+ - monitoring
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup kubeconfig
+ run: |
+ mkdir -p ~/.kube
+ echo "${{ secrets.KUBECONFIG }}" | base64 -d > ~/.kube/config
+
+ - name: Setup Helm
+ uses: azure/setup-helm@v4
+
+ - name: Add Helm repos
+ run: |
+ helm repo add apache-airflow https://airflow.apache.org
+ helm repo add codecentric https://codecentric.github.io/helm-charts
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
+ helm repo update
+
+ - name: Deploy Nginx
+ if: ${{ inputs.service == 'all' || inputs.service == 'nginx' }}
+ run: |
+ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
+ --namespace ingress-nginx \
+ --create-namespace
+
+ - name: Create Airflow git-sync SSH secret
+ if: ${{ inputs.service == 'all' || inputs.service == 'airflow' }}
+ env:
+ SSH_KEY: ${{ secrets.AIRFLOW_GITSYNC_SSH_KEY }}
+ run: |
+ kubectl create namespace airflow --dry-run=client -o yaml | kubectl apply -f -
+ printf '%s' "$SSH_KEY" | base64 -d > /tmp/gitSshKey
+ chmod 600 /tmp/gitSshKey
+ ssh-keyscan github.com 2>/dev/null > /tmp/known_hosts
+ kubectl create secret generic airflow-gitsync-ssh \
+ --from-file=gitSshKey=/tmp/gitSshKey \
+ --from-file=known_hosts=/tmp/known_hosts \
+ --namespace airflow \
+ --dry-run=client -o yaml | kubectl apply -f -
+ rm -f /tmp/gitSshKey /tmp/known_hosts
+ - name: Deploy Airflow
+ if: ${{ inputs.service == 'all' || inputs.service == 'airflow' }}
+ run: |
+ helm upgrade --install airflow 
apache-airflow/airflow \
+ --namespace airflow \
+ --create-namespace \
+ --values helm/airflow/values.yaml
+
+ - name: Deploy Keycloak PostgreSQL
+ if: ${{ inputs.service == 'all' || inputs.service == 'keycloak' || inputs.service == 'keycloak-db' }}
+ run: |
+ helm upgrade --install keycloak-db oci://registry-1.docker.io/bitnamicharts/postgresql \
+ --namespace keycloak \
+ --create-namespace \
+ --set auth.username=keycloak \
+ --set auth.password=keycloak \
+ --set auth.database=keycloak \
+ --wait
+
+ - name: Deploy Keycloak
+ if: ${{ inputs.service == 'all' || inputs.service == 'keycloak' }}
+ run: |
+ helm upgrade --install keycloak codecentric/keycloakx \
+ --namespace keycloak \
+ --create-namespace \
+ --values helm/keycloak/values.yaml \
+ --wait
+ - name: Create monitoring namespace
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f -
+
+ - name: Create Grafana OAuth secret
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ kubectl create secret generic grafana-oauth-secret \
+ -n monitoring \
+ --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${{ secrets.GRAFANA_CLIENT_SECRET }}" \
+ --from-literal=GF_SECURITY_SECRET_KEY="${{ secrets.GRAFANA_SECRET_KEY }}" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+ - name: Create oauth2-proxy secrets
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ kubectl create secret generic oauth2-proxy-prometheus \
+ -n monitoring \
+ --from-literal=client-id=prometheus \
+ --from-literal=client-secret="${{ secrets.PROMETHEUS_CLIENT_SECRET }}" \
+ --from-literal=cookie-secret="${{ secrets.OAUTH2_PROXY_COOKIE_SECRET }}" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+ kubectl create secret generic oauth2-proxy-alertmanager \
+ -n monitoring \
+ --from-literal=client-id=alertmanager \
+ --from-literal=client-secret="${{ 
secrets.ALERTMANAGER_CLIENT_SECRET }}" \
+ --from-literal=cookie-secret="${{ secrets.OAUTH2_PROXY_COOKIE_SECRET }}" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+
+ # - name: Install/upgrade Prometheus CRDs (server-side, hors Helm)
+ # if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ # run: |
+ # kubectl apply --server-side --force-conflicts -f \
+ # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/bundle.yaml \
+ # --field-manager=prometheus-operator
+
+ - name: Deploy Monitoring
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ helm upgrade --install monitoring prometheus-community/kube-prometheus-stack \
+ --namespace monitoring \
+ --create-namespace \
+ --values helm/monitoring/values.yaml \
+ --version 61.9.0 \
+ --timeout 5m
+
+ - name: Deploy oauth2-proxy Prometheus
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ helm upgrade --install oauth2-proxy-prometheus \
+ oauth2-proxy/oauth2-proxy \
+ --namespace monitoring \
+ -f helm/monitoring/oauth2-proxy-prometheus.yaml \
+ --cleanup-on-fail
+
+ - name: Deploy oauth2-proxy Alertmanager
+ if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+ run: |
+ helm upgrade --install oauth2-proxy-alertmanager \
+ oauth2-proxy/oauth2-proxy \
+ --namespace monitoring \
+ -f helm/monitoring/oauth2-proxy-alertmanager.yaml \
+ --cleanup-on-fail
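Review bot: The `Deploy Keycloak PostgreSQL` step commits a plaintext database credential to the workflow (`--set auth.username=keycloak` / `--set auth.password=keycloak`), so anyone with read access to the repository holds the Keycloak database password and it cannot be rotated without a commit. Move it to a repository secret and hand it to the step through `env:` the way the Airflow git-sync step already does with `SSH_KEY`, e.g. `env:` / `DB_PASSWORD: ${{ secrets.KEYCLOAK_DB_PASSWORD }}` (secret name illustrative) and `--set auth.password="$DB_PASSWORD"`. The same `env:` pattern should replace the direct `${{ secrets.* }}` interpolation inside the `run:` scripts of the kubeconfig, Grafana and oauth2-proxy steps, which splices the secret values into the generated shell text instead of reading them from the environment. Separately, `ssh-keyscan github.com` in the git-sync step trusts whatever host key is served at deploy time; a pinned `known_hosts` checked into the repository or stored as a secret would let the git-sync secret resist a substituted host key.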