OpenStaticFish/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: fail fast during rancher secret wait
Deploy Cluster / Terraform (push) Waiting to run
Details
Deploy Cluster / Ansible (push) Blocked by required conditions
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-05-03 20:15:12 +00:00
parent 496be23058
commit 82a9747fb9
1 changed files with 64 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yml
+60 -7
View File
@@ -594,6 +594,7 @@ jobs:
env: env:
KUBECONFIG: outputs/kubeconfig KUBECONFIG: outputs/kubeconfig
RANCHER_BOOTSTRAP_PASSWORD: ${{ secrets.RANCHER_BOOTSTRAP_PASSWORD }} RANCHER_BOOTSTRAP_PASSWORD: ${{ secrets.RANCHER_BOOTSTRAP_PASSWORD }}
DOPPLER_HETZNERTERRA_SERVICE_TOKEN: ${{ secrets.DOPPLER_HETZNERTERRA_SERVICE_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
wait_for_resource() { wait_for_resource() {
@@ -809,20 +810,72 @@ jobs:
local timeout_seconds="$1" local timeout_seconds="$1"
local deadline local deadline
local force_sync local force_sync
local api_failures=0
deadline=$(($(date +%s) + timeout_seconds)) deadline=$(($(date +%s) + timeout_seconds))
while [ "$(date +%s)" -lt "${deadline}" ]; do if [ -z "${RANCHER_BOOTSTRAP_PASSWORD}" ]; then
force_sync="$(date +%s)" if [ -z "${DOPPLER_HETZNERTERRA_SERVICE_TOKEN}" ]; then
kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true echo "RANCHER_BOOTSTRAP_PASSWORD and DOPPLER_HETZNERTERRA_SERVICE_TOKEN are both empty; cannot seed Rancher bootstrap secret" >&2
kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true exit 1
fi
RANCHER_BOOTSTRAP_PASSWORD="$(python3 - <<'PY'
import json
import os
import sys
import urllib.error
import urllib.request
token = os.environ.get("DOPPLER_HETZNERTERRA_SERVICE_TOKEN", "")
request = urllib.request.Request(
"https://api.doppler.com/v3/configs/config/secret?name=RANCHER_BOOTSTRAP_PASSWORD",
headers={"Authorization": f"Bearer {token}"},
)
try:
with urllib.request.urlopen(request, timeout=30) as response:
payload = json.load(response)
except Exception as exc:
print(f"failed to load RANCHER_BOOTSTRAP_PASSWORD from Doppler: {exc}", file=sys.stderr)
sys.exit(1)
value = payload.get("value")
if isinstance(value, dict):
secret = value.get("raw") or value.get("computed") or value.get("value")
else:
secret = value
if not secret:
print("Doppler returned an empty RANCHER_BOOTSTRAP_PASSWORD", file=sys.stderr)
sys.exit(1)
print(secret)
PY
)"
export RANCHER_BOOTSTRAP_PASSWORD
fi
while [ "$(date +%s)" -lt "${deadline}" ]; do
if ! kubectl get --raw=/readyz --request-timeout=10s >/dev/null 2>&1; then
api_failures=$((api_failures + 1))
echo "Kubernetes API is not ready while waiting for Rancher bootstrap secrets (${api_failures}/6)" >&2
if [ "${api_failures}" -ge 6 ]; then
kubectl -n kube-system get pods -o wide || true
exit 1
fi
sleep 10
continue
fi
api_failures=0
force_sync="$(date +%s)"
kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite >/dev/null 2>&1 || true
kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite >/dev/null 2>&1 || true
if [ -n "${RANCHER_BOOTSTRAP_PASSWORD}" ]; then
for namespace in flux-system cattle-system; do for namespace in flux-system cattle-system; do
kubectl -n "${namespace}" create secret generic rancher-bootstrap-password \ kubectl -n "${namespace}" create secret generic rancher-bootstrap-password \
--from-literal=bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}" \ --from-literal=bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f - --dry-run=client -o yaml | kubectl apply -f - >/dev/null
done done
fi
if kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \ if kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \
&& kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then && kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then