diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 1123b8c..841b20f 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -292,6 +292,30 @@ jobs:
 done
 }
+ pull_required_image() {
+ local image="$1"
+ local host_ip="$2"
+ local attempts="$3"
+ local sleep_seconds="$4"
+ local failure_message="$5"
+ local pulled=false
+
+ for attempt in $(seq 1 "${attempts}"); do
+ echo "Pre-pulling ${image} on ${host_ip} (${attempt}/${attempts})"
+ if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${host_ip}" \
+ "sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || ((sudo k3s crictl pull --platform linux/amd64 '${image}' || sudo k3s crictl pull '${image}') && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
+ pulled=true
+ break
+ fi
+ sleep "${sleep_seconds}"
+ done
+
+ if [ "${pulled}" != "true" ]; then
+ echo "${failure_message} ${image} on ${host_ip}" >&2
+ exit 1
+ fi
+ }
+ + eso_diagnostics() {
 kubectl -n flux-system get kustomizations,ocirepositories,helmrepositories,helmcharts,helmreleases || true
 kubectl -n flux-system describe kustomization addon-external-secrets || true
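Review bot: The ssh hop inside the new `pull_required_image` helper still runs with `-o StrictHostKeyChecking=no`, so anything that answers on the path to `${host_ip}` is accepted as the control-plane node and can report `crictl inspecti` success for an image it never pulled; since the runner already provisions `$HOME/.ssh/id_ed25519`, it can provision a known_hosts entry the same way and switch to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile="$HOME/.ssh/known_hosts"` (or at minimum `accept-new`, which pins the key after first contact). The helper also splices `${image}` into a remotely evaluated command inside single quotes with no validation; the two callers in this diff pass fixed references, but a value containing a quote or whitespace would escape the quoting, so a guard at the top such as `case "${image}" in *[!A-Za-z0-9./:@_-]*) echo "refusing unsafe image reference: ${image}" >&2; exit 1;; esac` makes the contract explicit. A short header comment should also state that the function terminates the whole step with `exit 1` on failure rather than returning a status, since it is called from the middle of the deploy script. The enclosing `run:` step begins before this hunk.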
@@ -418,20 +442,7 @@ jobs:
 ghcr.io/fluxcd/kustomize-controller:v1.8.1 \
 ghcr.io/fluxcd/helm-controller:v1.5.1 \
 ghcr.io/fluxcd/notification-controller:v1.8.1; do
- pulled=false
- for attempt in $(seq 1 "${FLUX_IMAGE_PULL_ATTEMPTS}"); do
- echo "Pre-pulling ${image} on ${PRIMARY_CP_IP} (${attempt}/${FLUX_IMAGE_PULL_ATTEMPTS})"
- if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${PRIMARY_CP_IP}" \
- "sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || ((sudo k3s crictl pull --platform linux/amd64 '${image}' || sudo k3s crictl pull '${image}') && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
- pulled=true
- break
- fi
- sleep "${FLUX_IMAGE_PULL_SLEEP}"
- done
- if [ "${pulled}" != "true" ]; then
- echo "Failed to pre-pull required Flux image ${image} on ${PRIMARY_CP_IP}" >&2
- exit 1
- fi
+ pull_required_image "${image}" "${PRIMARY_CP_IP}" "${FLUX_IMAGE_PULL_ATTEMPTS}" "${FLUX_IMAGE_PULL_SLEEP}" "Failed to pre-pull required Flux image"
 done
 # Apply CRDs and controllers first
 kubectl apply -f clusters/prod/flux-system/gotk-components.yaml
@@ -456,6 +467,7 @@ jobs:
 # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
 wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
 kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
+ pull_required_image oci.external-secrets.io/external-secrets/external-secrets:v2.1.0 "${PRIMARY_CP_IP}" 45 10 "Failed to pre-pull required External Secrets image"
 wait_for_flux_oci_helm_release external-secrets external-secrets external-secrets 600s 600
 wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
 wait_for_resource "" crd/externalsecrets.external-secrets.io 900
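Review bot: The new ESO pre-pull hard-codes `oci.external-secrets.io/external-secrets/external-secrets:v2.1.0` and the literals `45 10` in the call, while the Flux loop just above reads `${FLUX_IMAGE_PULL_ATTEMPTS}` and `${FLUX_IMAGE_PULL_SLEEP}`; the same tag is also written into the HelmRelease values, so the two can drift apart without either side failing (the pre-pull succeeds, the chart later pulls a different tag). Hoisting the reference into one variable, e.g. `ESO_IMAGE="oci.external-secrets.io/external-secrets/external-secrets:v2.1.0"` defined next to the Flux pull settings (presumably earlier in this step), and calling `pull_required_image "${ESO_IMAGE}" "${PRIMARY_CP_IP}" "${FLUX_IMAGE_PULL_ATTEMPTS}" "${FLUX_IMAGE_PULL_SLEEP}" "Failed to pre-pull required External Secrets image"` keeps the knobs in one place. Because `pull_required_image` short-circuits on `crictl inspecti`, a pre-pull by mutable tag only proves that some image carrying that tag is already on the node; pinning by digest (`…:v2.1.0@sha256:…`) is what turns the pre-pull into an integrity check rather than a cache warm-up. The enclosing `run:` step extends beyond both hunks.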
diff --git a/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml b/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
index 8bde2fa..73ff0d7 100644
--- a/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
+++ b/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
@@ -19,13 +19,25 @@ spec:
 retries: 3
 values:
 installCRDs: true
+ image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ tag: v2.1.0
+ pullPolicy: IfNotPresent
 nodeSelector:
 kubernetes.io/hostname: k8s-cluster-cp-1
 webhook:
 failurePolicy: Ignore
+ image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ tag: v2.1.0
+ pullPolicy: IfNotPresent
 nodeSelector:
 kubernetes.io/hostname: k8s-cluster-cp-1
 certController:
+ image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ tag: v2.1.0
+ pullPolicy: IfNotPresent
 nodeSelector:
 kubernetes.io/hostname: k8s-cluster-cp-1
 serviceMonitor:
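Review bot: All three new `image:` stanzas pin by the mutable tag `v2.1.0` and set `pullPolicy: IfNotPresent`, so a node that already holds any image under that tag keeps running it even if the tag is re-pushed upstream, and nothing ties the content the workflow pre-pulled to what the chart expects. If the chart accepts it, pinning the digest closes that gap, for example `tag: v2.1.0@sha256:…` (or a dedicated digest value if the chart's values schema exposes one — I could not confirm this from the diff); otherwise a comment above the first stanza, such as `# Keep in sync with the pre-pull in .gitea/workflows/deploy.yml`, is the minimum so the two do not drift silently. The repository/tag/pullPolicy triple is also repeated verbatim three times; if the chart offers a global image setting that would be the single point of change, and if not, a one-line comment explaining that the webhook and cert-controller run the same image would spare the next reader the question. The `values:` mapping continues outside the hunk.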