Make Terraform the source of truth for node IPs, remove guest-agent/SSH discovery from the normal workflow path, simplify the bootstrap controller to a fresh-run flow, and swap the initial CNI to Flannel so cluster readiness is easier to prove before reintroducing more complex reconcile behavior.
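---
# Gitea Actions workflow: rebuild the NixOS nodes and run the kubeadm bootstrap.
# Node addresses are rendered from Terraform output (see "Create kubeadm
# inventory"); every secret reaches a shell step through `env:` so that its
# bytes are never re-parsed as script text.
name: Kubeadm Bootstrap

run-name: ${{ gitea.actor }} requested kubeadm bootstrap

on:
  workflow_dispatch:
    inputs:
      confirm:
        description: "Type BOOTSTRAP to run rebuild + kubeadm bootstrap"
        required: true
        type: string

# One bootstrap at a time, and a running one is never cancelled mid-rebuild.
concurrency:
  group: kubeadm-bootstrap
  cancel-in-progress: false

jobs:
  bootstrap:
    name: "Rebuild and Bootstrap Cluster"
    runs-on: ubuntu-latest

    steps:
      - name: Validate confirmation phrase
        # The phrase is user-controlled. Expanding ${{ inputs.confirm }} inside
        # the script would splice its content into bash before the comparison
        # runs; an environment variable is compared as data instead.
        env:
          CONFIRM: ${{ inputs.confirm }}
        run: |
          if [ "$CONFIRM" != "BOOTSTRAP" ]; then
            echo "Confirmation failed. You must type BOOTSTRAP."
            exit 1
          fi

      - name: Checkout repository
        uses: https://gitea.com/actions/checkout@v4

      - name: Create SSH key
        # Accepted secrets, in order of preference: a base64-encoded key, the
        # raw key, then the legacy KUBEADM_SSH_PRIVATE_KEY. All are read from
        # the environment rather than expanded into the script.
        env:
          SSH_KEY_PRIVATE_BASE64: ${{ secrets.SSH_KEY_PRIVATE_BASE64 }}
          SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
        run: |
          install -m 0700 -d ~/.ssh

          KEY_SOURCE=""
          KEY_CONTENT=""
          if [ -n "$SSH_KEY_PRIVATE_BASE64" ]; then
            KEY_SOURCE="SSH_KEY_PRIVATE_BASE64"
            KEY_CONTENT="$(printf '%s' "$SSH_KEY_PRIVATE_BASE64" | base64 -d)"
          else
            # Command substitution drops trailing newlines, so the file written
            # below always ends with exactly one.
            KEY_CONTENT="$(printf '%s' "$SSH_KEY_PRIVATE")"
            if [ -n "$KEY_CONTENT" ]; then
              KEY_SOURCE="SSH_KEY_PRIVATE"
            else
              KEY_CONTENT="$(printf '%s' "$KUBEADM_SSH_PRIVATE_KEY")"
              KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY"
            fi
          fi

          if [ -z "$KEY_CONTENT" ]; then
            echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY."
            exit 1
          fi

          # Strip CRs. A key pasted as a single line with literal "\n"
          # sequences is expanded back into lines; otherwise it is written as-is.
          KEY_CONTENT="$(printf '%s' "$KEY_CONTENT" | tr -d '\r')"
          if printf '%s' "$KEY_CONTENT" | grep -q '\\n'; then
            printf '%b' "$KEY_CONTENT" > ~/.ssh/id_ed25519
          else
            printf '%s\n' "$KEY_CONTENT" > ~/.ssh/id_ed25519
          fi
          chmod 0600 ~/.ssh/id_ed25519

          # Fail early on an unparsable key; the message names the secret it
          # came from, never the key material.
          if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then
            echo "Invalid private key content from $KEY_SOURCE"
            exit 1
          fi

      - name: Set up Terraform
        # NOTE(review): "@v2" is a mutable tag; pinning to a full commit SHA
        # (hashicorp/setup-terraform@<commit-sha>) would make the action
        # content immutable.
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.6.6"
          terraform_wrapper: false

      - name: Build Terraform backend files
        working-directory: terraform
        # Secret values reach the heredocs as ${VAR} expansions. bash does not
        # re-scan an expansion's result, so a value containing $, backticks or
        # quotes cannot change what the step executes (it could still produce
        # an invalid HCL string, which `terraform init` reports).
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${PM_API_TOKEN_SECRET}"
          SSH_KEY_PUBLIC = "$(printf '%s' "${SSH_KEY_PUBLIC}" | tr -d '\r\n')"
          EOF

          cat > backend.hcl << EOF
          bucket = "${B2_TF_BUCKET}"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = {
            s3 = "${B2_TF_ENDPOINT}"
          }
          access_key = "$(printf '%s' "${B2_KEY_ID}" | tr -d '\r\n')"
          secret_key = "$(printf '%s' "${B2_APPLICATION_KEY}" | tr -d '\r\n')"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

      - name: Terraform init for state read
        working-directory: terraform
        run: terraform init -reconfigure -backend-config=backend.hcl

      - name: Create kubeadm inventory
        # Render the node inventory from Terraform output; the script reads
        # KUBEADM_SSH_USER from the environment.
        env:
          KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
        run: |
          set -euo pipefail
          terraform -chdir=terraform output -json | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env

      - name: Validate nix installation
        # Reuse an existing Nix if the runner has one; otherwise install a
        # single-user (no-daemon) Nix for this job only.
        run: |
          if [ -x /nix/var/nix/profiles/default/bin/nix ]; then
            /nix/var/nix/profiles/default/bin/nix --version
            exit 0
          fi

          if command -v nix >/dev/null 2>&1; then
            nix --version
            exit 0
          fi

          echo "Nix missing; installing no-daemon Nix for this runner job"
          if [ "$(id -u)" -eq 0 ]; then
            # The installer expects /nix and the nixbld build users to exist
            # when run as root.
            mkdir -p /nix
            chown root:root /nix
            chmod 0755 /nix

            if ! getent group nixbld >/dev/null 2>&1; then
              groupadd --system nixbld
            fi

            for i in $(seq 1 10); do
              if ! id "nixbld$i" >/dev/null 2>&1; then
                useradd --system --create-home --home-dir /var/empty --shell /usr/sbin/nologin "nixbld$i"
              fi
              usermod -a -G nixbld "nixbld$i"
            done
          fi
          # NOTE(review): the installer is fetched unpinned over HTTPS and run
          # without a checksum; pinning to a release URL and verifying its
          # digest would make the runner's toolchain reproducible.
          sh <(curl -L https://nixos.org/nix/install) --no-daemon

          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          elif [ -f "/root/.nix-profile/etc/profile.d/nix.sh" ]; then
            . /root/.nix-profile/etc/profile.d/nix.sh
          fi

          export PATH="$HOME/.nix-profile/bin:/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"

          nix --version

      - name: Install nixos-rebuild tool
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
        run: |
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          elif [ -f "/root/.nix-profile/etc/profile.d/nix.sh" ]; then
            . /root/.nix-profile/etc/profile.d/nix.sh
          fi

          export PATH="$HOME/.nix-profile/bin:/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"

          # NOTE(review): "nixpkgs" here resolves through the flake registry
          # and is not pinned to a revision — confirm that is intended.
          nix profile install nixpkgs#nixos-rebuild

      - name: Run cluster rebuild and bootstrap
        # Tunables consumed by rebuild-and-bootstrap.sh (assumed from the
        # names; the script is outside this file).
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
          FAST_MODE: "1"
          WORKER_PARALLELISM: "3"
          REBUILD_TIMEOUT: "45m"
          REBUILD_RETRIES: "2"
        run: |
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          elif [ -f "/root/.nix-profile/etc/profile.d/nix.sh" ]; then
            . /root/.nix-profile/etc/profile.d/nix.sh
          fi

          export PATH="$HOME/.nix-profile/bin:/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"

          ./nixos/kubeadm/scripts/rebuild-and-bootstrap.sh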