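├── .github ├── dependabot.yml └── workflows │ ├── debug.yml │ ├── docker-ci.yml │ ├── test-bootstrap.yml │ ├── test-discord.yml │ ├── test-helm-dependencies.yml │ ├── test-helm-lint.yml │ ├── test-kube-do.yml │ └── test-kube-secrets.yml ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── bootstrap-action ├── Dockerfile ├── action.yml └── entrypoint.sh ├── discord-action ├── Dockerfile ├── action.yml └── entrypoint.sh ├── docker-template-action └── action.yml ├── docker ├── .bashrc ├── Dockerfile.argo ├── Dockerfile.aws ├── Dockerfile.base └── Dockerfile.do ├── docs ├── dev.txt ├── helm-dependencies-local.txt ├── settings-branch.png ├── settings-create-pr.png ├── settings-delete-pr.png ├── settings-squash-pr.png └── settings-update-pr.png ├── examples ├── cluster-test.yaml ├── dependencies.yaml ├── kube-test-aws-us-east-1.yaml ├── kube-test-do-lon1.yaml └── test-chart │ ├── Chart.yaml │ └── values.yaml ├── helm-dependencies-action ├── Dockerfile ├── action.yml └── entrypoint.sh ├── helm-lint-action ├── Dockerfile ├── action.yml └── entrypoint.sh ├── kube-do-action ├── Dockerfile ├── action.yml └── entrypoint.sh ├── kube-secrets-action ├── Dockerfile ├── action.yml ├── chart │ ├── Chart.yaml │ ├── templates │ │ ├── edgelevel-lastpass.yaml │ │ ├── external-secrets-akeyless.yaml │ │ ├── external-secrets-oracle.yaml │ │ └── namespace.yaml │ └── values.yaml └── entrypoint.sh └── scripts ├── docker_apply.sh └── local.sh
/.github/dependabot.yml:
--------------------------------------------------------------------------------
# Keeps the `uses:` references in .github/workflows up to date.
# NOTE(review): only the github-actions ecosystem is covered. The base images in
# docker/Dockerfile.* and in each */Dockerfile (bootstrap-action, discord-action,
# helm-dependencies-action, helm-lint-action, kube-do-action, kube-secrets-action)
# get no automated update PRs from this config; add "docker" entries per
# directory if those images should be tracked too.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

--------------------------------------------------------------------------------
/.github/workflows/debug.yml:
--------------------------------------------------------------------------------
name: debug

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
# default: matches all branch and tag names
on:
  push:

# the steps below only echo: the GITHUB_TOKEN needs no write scope
permissions:
  contents: read

# default environment variables
# https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
jobs:
  docker:
    name: Docker
    runs-on: ubuntu-latest
    steps:
      # SECURITY: every context is handed to the step through `env` and expanded
      # by the shell, instead of being interpolated with ${{ }} directly into the
      # `run` string. The github context contains text controlled by whoever
      # pushes (commit message, branch/tag name, actor); a single quote in it
      # would have terminated the original `echo '...'` and executed the rest as
      # shell on the runner. Environment variables are not re-parsed, so the
      # same text is printed safely.
      # NOTE(review): the github context also carries github.token; GitHub masks
      # registered secrets in the log, but treat this workflow's output as
      # sensitive and keep it off production branches.
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJSON(github) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Dump job context
        env:
          JOB_CONTEXT: ${{ toJSON(job) }}
        run: echo "$JOB_CONTEXT"
      - name: Dump steps context
        env:
          STEPS_CONTEXT: ${{ toJSON(steps) }}
        run: echo "$STEPS_CONTEXT"
      - name: Dump runner context
        env:
          RUNNER_CONTEXT: ${{ toJSON(runner) }}
        run: echo "$RUNNER_CONTEXT"
      - name: Dump strategy context
        env:
          STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
        run: echo "$STRATEGY_CONTEXT"
      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
        run: echo "$MATRIX_CONTEXT"

--------------------------------------------------------------------------------
/.github/workflows/docker-ci.yml:
--------------------------------------------------------------------------------
name: docker-ci

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/docker-*.yml'
      - 'docker/**'
    # uses semver with prefix to keep image tags independent from action tags
    tags:
      - 'docker-[0-9]+.[0-9]+.[0-9]+'

# NOTE(review): no `permissions:` block, so the GITHUB_TOKEN gets the repository
# default scope. ./docker-template-action (action.yml not shown here) is only
# given the DockerHub and Discord secrets below; if it does not use
# github.token, `permissions: { contents: read }` is the right baseline.
env:
  DOCKER_REPOSITORY: hckops

jobs:
  docker-base:
    name: Docker base
    runs-on: ubuntu-latest
    # makes sure it doesn't finish the minutes quota if stalls
    timeout-minutes: 10

    strategy:
      matrix:
        images:
          - file: Dockerfile.base
            name: kube-base

    steps:
      # NOTE(supply-chain): @v4 is a moving tag. Pinning to the full commit SHA
      # (with the version in a trailing comment) fixes the code that runs with
      # the DockerHub credentials; dependabot still bumps SHA pins.
      - name: Checkout repository
        uses: actions/checkout@v4

      # skips notification
      - name: Docker CI
        uses: ./docker-template-action
        with:
          DOCKER_CONTEXT: ./docker
          DOCKER_FILE: ${{ matrix.images.file }}
          DOCKER_IMAGE_NAME: ${{ matrix.images.name }}
          DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
          # default tag is sha
          DOCKER_TAG_PREFIX: 'docker-'
          # repository secrets: gh-actions-rw
          SECRET_DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          SECRET_DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

  docker-all:
    # runs in sequence: depends on previous jobs to complete
    needs: docker-base

    name: Docker all
    runs-on: ubuntu-latest
    timeout-minutes: 15

    # runs jobs in parallel: alternative to loop
    strategy:
      matrix:
        images:
          - file: Dockerfile.argo
            name: kube-argo
          - file: Dockerfile.do
            name: kube-do
          - file: Dockerfile.aws
            name: kube-aws

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Docker CI
        uses: ./docker-template-action
        with:
          DOCKER_CONTEXT: ./docker
          DOCKER_FILE: ${{ matrix.images.file }}
          DOCKER_IMAGE_NAME: ${{ matrix.images.name }}
          DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
          DOCKER_TAG_PREFIX: 'docker-'
          SECRET_DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          SECRET_DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          SECRET_DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}

--------------------------------------------------------------------------------
/.github/workflows/test-bootstrap.yml:
--------------------------------------------------------------------------------
name: test-bootstrap

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-bootstrap.yml'
      - 'bootstrap-action/**'

# only checkout runs (the Bootstrap step is disabled below): read is enough
permissions:
  contents: read

jobs:
  test-bootstrap:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # deliberately not a usable kubeconfig: the action must fail closed on it
      - name: "Invalid kubeconfig"
        run: |
          echo "test: 1" > config.yaml

      - name: Bootstrap
        # disabled
        if: ${{ false }}
        uses: ./bootstrap-action
        with:
          # placeholders only: never put real key material in a workflow file
          gitops-ssh-key: INVALID_SSH_KEY
          argocd-admin-password: INVALID_ADMIN_PASSWORD
          kubeconfig: ./config.yaml
          chart-path: INVALID_PATH
          config-path: examples/kube-test-do-lon1.yaml

--------------------------------------------------------------------------------
/.github/workflows/test-discord.yml:
--------------------------------------------------------------------------------
name: test-discord

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-discord.yml'
      - 'discord-action/**'

# the action only needs the webhook secret, not the GITHUB_TOKEN
permissions:
  contents: read

jobs:
  test-discord:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: "Set message content"
        id: message
        run: |
          echo "content=github-test" >> "${GITHUB_OUTPUT}"

      # the step output is passed as an action input (not into a shell), so
      # ${{ }} interpolation is fine here
      - name: "Create message"
        uses: ./discord-action
        with:
          action: create-message
          webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }}
          message: "discord-action: ${{ steps.message.outputs.content }}"

--------------------------------------------------------------------------------
/.github/workflows/test-helm-dependencies.yml:
--------------------------------------------------------------------------------
name: test-helm-dependencies

on:
  # enable manual trigger
  workflow_dispatch:
  # https://cron.help
  schedule:
    # every 12 hours
    - cron: '0 0,12 * * *'
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-helm-dependencies.yml'
      - 'helm-dependencies-action/**'
      - 'examples/dependencies.yaml'

# NOTE(review): GITHUB_TOKEN is handed to gh-cli below with the repository's
# default scope. This run is dry-run: true; declare an explicit `permissions:`
# block with the minimum the action needs (contents: read for a dry run, plus
# whatever it writes when dry-run is off) instead of inheriting the default.
jobs:
  test-helm-dependencies:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Helm Dependencies
        uses: ./helm-dependencies-action
        with:
          config-path: examples/dependencies.yaml
          user-email: "hckbot@users.noreply.github.com"
          user-name: "hckbot"
          dry-run: true
        env:
          # mandatory: not declared explicitly, but used by gh-cli
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # not required: declared only for documentation because they are automatically added at runtime
          GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
          GITHUB_SHA: ${{ env.GITHUB_SHA }}

--------------------------------------------------------------------------------
/.github/workflows/test-helm-lint.yml:
--------------------------------------------------------------------------------
name: test-helm-lint

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-helm-lint.yml'
      - 'helm-lint-action/**'

# checkout + lint: read-only token; widen here if the action reports status
permissions:
  contents: read

jobs:
  test-helm-lint:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Helm Lint
        uses: ./helm-lint-action

--------------------------------------------------------------------------------
/.github/workflows/test-kube-do.yml:
--------------------------------------------------------------------------------
name: test-kube-do

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-kube-do.yml'
      - 'kube-do-action/**'
      - 'examples/kube-*.yaml'

# NOTE(review): github.token is passed to ./kube-do-action below; no
# `permissions:` block means it carries the repository default scope. Declare
# the minimum once the action's needs are known (contents: read if it only
# reads the cluster definition from config-branch).
jobs:
  test-kube-do:
    name: Test
    runs-on: ubuntu-latest
    steps:
      # required to access cluster definition
      - name: Checkout
        uses: actions/checkout@v4

      - name: Provision
        uses: ./kube-do-action
        id: provision
        with:
          github-token: ${{ github.token }}
          # placeholder: the action is disabled, nothing is provisioned
          access-token: INVALID_ACCESS_TOKEN
          config-path: examples/kube-test-do-lon1.yaml
          config-branch: main
          # action is disabled
          enabled: false
          wait: false
          skip-create: false

      # SECURITY: step outputs are produced by the action from repository
      # content, so they are passed through `env` and expanded by the shell
      # instead of being interpolated with ${{ }} into the `run` script, where
      # a quote or newline in the value would be executed as shell.
      - name: Output
        env:
          PROVISION_STATUS: ${{ steps.provision.outputs.status }}
          PROVISION_CONFIG: ${{ steps.provision.outputs.config }}
        run: |
          echo "Status $PROVISION_STATUS"
          echo "Config $PROVISION_CONFIG"

--------------------------------------------------------------------------------
/.github/workflows/test-kube-secrets.yml:
--------------------------------------------------------------------------------
name: test-kube-secrets

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/test-kube-secrets.yml'
      - 'kube-secrets-action/**'

# the action takes no GitHub token input: read-only is enough for checkout
permissions:
  contents: read

jobs:
  test-kube-secrets:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # deliberately not a usable kubeconfig: the action must fail closed on it
      - name: "Invalid kubeconfig"
        run: |
          echo "test: 1" > config.yaml

      - name: Secrets
        uses: ./kube-secrets-action
        with:
          kubeconfig: ./config.yaml
          enabled: false # dry run
          operator: external-secrets-akeyless
          # placeholders only: real values belong in repository/environment
          # secrets, never in the workflow file
          edgelevel-lastpass-username: TEST_LASTPASS_USERNAME
          edgelevel-lastpass-password: TEST_LASTPASS_PASSWORD
          external-secrets-akeyless-access-id: TEST_AKEYLESS_ACCESS_ID
          external-secrets-akeyless-access-type: TEST_AKEYLESS_ACCESS_TYPE
          external-secrets-akeyless-access-type-param: TEST_AKEYLESS_ACCESS_TYPE_PARAM
          external-secrets-oracle-private-key: TEST_ORACLE_PRIVATE_KEY
          external-secrets-oracle-fingerprint: TEST_ORACLE_FINGERPRINT

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*~
.DS_Store

.vscode

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                    GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The GNU General Public License is a free, copyleft license for
software and other kinds of works.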
12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. 
For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 
83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 
117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 
146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 
180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 
216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 
246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 
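--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Fails the build when the tool named by the stem (e.g. "require-docker") is not on PATH.
require-%:
	@ if [ "$(shell command -v ${*} 2> /dev/null)" = "" ]; then \
		echo "[$*] not found"; \
		exit 1; \
	fi

# Fails the build when the make variable named by the stem (e.g. "check-param-token")
# is empty; variables come from the command line or the environment.
check-param-%:
	@ if [ "${${*}}" = "" ]; then \
		echo "Missing parameter: [$*]"; \
		exit 1; \
	fi

##############################

DOCKER_USERNAME := hckops

##############################

.PHONY: docker-build
docker-build: require-docker
	./scripts/docker_apply.sh "build" "base"
	./scripts/docker_apply.sh "build" "do"
	./scripts/docker_apply.sh "build" "aws"
	./scripts/docker_apply.sh "build" "argo"

# the "@" prefix keeps make from echoing the recipe, so the token is not printed;
# note that a value given as "make ... token=..." is still visible in shell history
# and process listings, so prefer exporting "token" in the environment.
# printf (not echo) is used so tokens starting with "-" or containing backslashes
# reach docker unchanged.
.PHONY: docker-login
docker-login: require-docker check-param-token
	@printf '%s' "${token}" | docker login -u $(DOCKER_USERNAME) --password-stdin

.PHONY: docker-publish
docker-publish: require-docker check-param-version docker-login docker-build
	./scripts/docker_apply.sh "publish" "base" ${version}
	./scripts/docker_apply.sh "publish" "do" ${version}
	./scripts/docker_apply.sh "publish" "aws" ${version}
	./scripts/docker_apply.sh "publish" "argo" ${version}

.PHONY: docker-clean
docker-clean: require-docker
	./scripts/docker_apply.sh "clean" "*"

##############################

# "kube" is optional and intentionally left unquoted: when unset no argument is passed
.PHONY: bootstrap
bootstrap: require-helm require-kubectl
	./scripts/local.sh "bootstrap" ${kube}

# quoted so a message containing spaces is delivered as a single argument
.PHONY: discord-create
discord-create: require-curl check-param-webhook check-param-message
	./discord-action/entrypoint.sh "create-message" "${webhook}" "${message}"

##############################

# Rewrites every "*/Dockerfile" that mentions the old version.
# - grep -F matches the version literally (a "." in "0.5.1" is not a wildcard)
# - xargs -r skips sed when nothing matched; without it GNU xargs still runs sed
#   once with no file argument, which then waits on stdin
# - the dots of "old" are escaped for the sed regex for the same reason as -F
.PHONY: update-version
update-version: check-param-old check-param-new
	grep -l -F -- '${old}' */Dockerfile | xargs -r sed -i 's/$(subst .,\.,${old})/${new}/'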
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # actions 2 | 3 | * [kube-do](#kube-do-action) 4 | * [bootstrap](#bootstrap-action) 5 | * [kube-secrets](#kube-secrets-action) 6 | * [helm-dependencies](#helm-dependencies-action) 7 | * [helm-lint](#helm-lint-action) 8 | * [discord](#discord-action) 9 | * [docker-template](#docker-template-action) 10 | * [development](#development) 11 | 12 | For a working example see [kube-template](https://github.com/hckops/kube-template/blob/main/.github/workflows/kube-do.yml) 13 | 14 | ### kube-do-action 15 | 16 | [![test-kube-do](https://github.com/hckops/actions/actions/workflows/test-kube-do.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-kube-do.yml) 17 | 18 | > Manages DigitalOcean Kubernetes cluster lifecycle 19 | 20 | Creates or deletes clusters based on a config definition 21 | ```diff 22 | # examples/kube-test-do-lon1.yaml 23 | version: 1 24 | name: test-do-lon1 25 | provider: digitalocean 26 | + status: UP 27 | - status: DOWN 28 | 29 | digitalocean: 30 | cluster: 31 | count: 1 32 | region: lon1 33 | size: s-1vcpu-2gb 34 | ``` 35 | 36 | Example 37 | ```bash 38 | - name: Provision 39 | uses: hckops/actions/kube-do-action@main 40 | with: 41 | access-token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} 42 | config-path: examples/kube-test-do-lon1.yaml 43 | wait: true 44 | ``` 45 | 46 | Requires `DIGITALOCEAN_ACCESS_TOKEN` secret 47 | * [How to Create a Personal Access Token](https://docs.digitalocean.com/reference/api/create-personal-access-token) 48 | * Create a [Personal Access Token](https://cloud.digitalocean.com/account/api/tokens) 49 | 50 | How to test it locally 51 | ```bash 52 | # build image 53 | docker build -t hckops/kube-do-action ./kube-do-action 54 | 55 | # run action 56 | docker run --rm \ 57 | -e GITHUB_REPOSITORY="INVALID_GITHUB_REPOSITORY" \ 58 | -e 
GITHUB_OUTPUT="INVALID_GITHUB_OUTPUT" \ 59 | -v ${PWD}/examples:/examples \ 60 | hckops/kube-do-action \ 61 | "INVALID_GITHUB_TOKEN" \ 62 | "INVALID_ACCESS_TOKEN" \ 63 | "./examples/kube-test-do-lon1.yaml" \ 64 | "main" \ 65 | "true" \ 66 | "false" \ 67 | "false" 68 | ``` 69 | 70 | TODOs 71 | - [ ] replace implementation with [Terraform](https://docs.digitalocean.com/reference/terraform)? 72 | 73 | ### bootstrap-action 74 | 75 | [![test-bootstrap](https://github.com/hckops/actions/actions/workflows/test-bootstrap.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-bootstrap.yml) 76 | 77 | > Bootstraps a platform with ArgoCD 78 | 79 | Example 80 | ```bash 81 | - name: Bootstrap 82 | uses: hckops/actions/bootstrap-action@main 83 | with: 84 | argocd-admin-password: ${{ secrets.ARGOCD_ADMIN_PASSWORD }} 85 | argocd-git-ssh-key: ${{ secrets.ARGOCD_GIT_SSH_KEY }} 86 | kubeconfig: OWNER-REPOSITORY-kubeconfig.yaml 87 | chart-path: ./charts/argocd-config 88 | ``` 89 | 90 | Requires 91 | * `ARGOCD_ADMIN_PASSWORD` secret 92 | - [User Management](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management) 93 | - [How to change admin password](https://argo-cd.readthedocs.io/en/stable/faq/#i-forgot-the-admin-password-how-do-i-reset-it) 94 | ```bash 95 | docker run --rm -it python:3-alpine ash 96 | pip3 install bcrypt 97 | 98 | # create secret with bcrypt hash (replace <PASSWORD> with the admin password) 99 | python3 -c "import bcrypt; print(bcrypt.hashpw(b'<PASSWORD>', bcrypt.gensalt()).decode())" 100 | ``` 101 | * `ARGOCD_GIT_SSH_KEY` secret 102 | - [Generate a new SSH key pair](https://help.github.com/en/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key) 103 | ```bash 104 | # generate ssh key pair 105 | ssh-keygen -t ed25519 -C "argocd@example.com" -N '' -f /tmp/id_ed25519_argocd 106 | 107 | # add public key to a github user account with access to the repo 108 | cat /tmp/id_ed25519_argocd.pub | xclip -selection clipboard 109 | 110 | # create secret with private key 111 | 
cat /tmp/id_ed25519_argocd | xclip -selection clipboard 112 | 113 | # cleanup 114 | rm /tmp/id_ed25519_argocd* 115 | ``` 116 | 117 | How to test it locally on minikube 118 | ```bash 119 | # see "scripts/local.sh" 120 | make bootstrap 121 | # default cluster 122 | make bootstrap kube="template" 123 | 124 | # admin|argocd 125 | kubectl port-forward svc/argocd-server -n argocd 8080:443 126 | ``` 127 | 128 | ### kube-secrets-action 129 | 130 | [![test-kube-secrets](https://github.com/hckops/actions/actions/workflows/test-kube-secrets.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-kube-secrets.yml) 131 | 132 | > Initializes operator's master Secret 133 | 134 | Supports 135 | * [External Secrets Operator](https://external-secrets.io) 136 | * [LastPass Operator](https://github.com/edgelevel/lastpass-operator) 137 | 138 | Example 139 | ```bash 140 | # AKEYLESS 141 | - name: Secrets 142 | uses: hckops/actions/kube-secrets-action@main 143 | with: 144 | kubeconfig: -kubeconfig.yaml 145 | operator: external-secrets-akeyless 146 | external-secrets-akeyless-access-id: ${{ secrets.AKEYLESS_ACCESS_ID }} 147 | external-secrets-akeyless-access-type: api_key 148 | external-secrets-akeyless-access-type-param: ${{ secrets.AKEYLESS_ACCESS_KEY }} 149 | 150 | # LASTPASS 151 | - name: Secrets 152 | uses: hckops/actions/kube-secrets-action@main 153 | with: 154 | kubeconfig: -kubeconfig.yaml 155 | operator: edgelevel-lastpass 156 | edgelevel-lastpass-username: ${{ secrets.LASTPASS_USERNAME }} 157 | edgelevel-lastpass-password: ${{ secrets.LASTPASS_PASSWORD }} 158 | ``` 159 | 160 | Requires 161 | * `AKEYLESS_ACCESS_ID` and `AKEYLESS_ACCESS_KEY` secrets for [Akeyless](https://www.akeyless.io) 162 | - In *Auth Methods*, create new *API Key* e.g. `kube-template-action` 163 | - In *Access Roles*, create new *Role* e.g. 
`template-role`, *Associate Auth Method* to the api key previously created and *Add Rule for Secrets & Keys* 164 | ```bash 165 | # returns AKEYLESS_ACCESS_TOKEN 166 | curl --request POST \ 167 | --url https://api.akeyless.io/auth \ 168 | --header 'accept: application/json' \ 169 | --header 'content-type: application/json' \ 170 | --data '{"access-type": "access_key", "access-id": "", "access-key": ""}' 171 | 172 | # verify access rules 173 | curl --request POST \ 174 | --url https://api.akeyless.io/get-secret-value \ 175 | --header 'accept: application/json' \ 176 | --header 'content-type: application/json' \ 177 | --data '{"names": ["/path/to/MY_SECRET"], "token": ""}' 178 | ``` 179 | * `LASTPASS_USERNAME` and `LASTPASS_PASSWORD` secrets for [LastPass](https://www.lastpass.com) 180 | 181 | ### helm-dependencies-action 182 | 183 | [![test-helm-dependencies](https://github.com/hckops/actions/actions/workflows/test-helm-dependencies.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-helm-dependencies.yml) 184 | 185 | > Keeps [Helm](https://helm.sh) dependencies up to date 186 | 187 | See also https://github.com/dependabot/dependabot-core/issues/2237 188 | 189 | Example 190 | ```bash 191 | # workflow example 192 | - name: Helm Dependencies 193 | uses: hckops/actions/helm-dependencies-action@main 194 | with: 195 | user-email: "" 196 | user-name: "" 197 | config-path: examples/dependencies.yaml 198 | env: 199 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 200 | 201 | # config example 202 | dependencies: 203 | # it will fetch the latest dependency from https://artifacthub.io/packages/helm/argo/argo-cd 204 | # and create a pr with the updated version using jq/yq path in Chart.yaml 205 | - name: "Argo CD" 206 | source: 207 | file: examples/test-chart/Chart.yaml 208 | path: .dependencies[0].version 209 | repository: 210 | type: artifacthub 211 | name: argo/argo-cd 212 | ``` 213 | 214 | For more example see 215 | * 
[dependencies](https://github.com/hckops/actions/blob/main/examples/dependencies.yaml) 216 | * [workflow](https://github.com/hckops/kube-template/blob/main/.github/workflows/helm-dependencies.yml) 217 | 218 | How to test it locally, sample [output](docs/helm-dependencies-local.txt) 219 | ```bash 220 | # build image 221 | docker build -t hckops/helm-dependencies-action ./helm-dependencies-action 222 | 223 | # dry run without creating a pr 224 | docker run --rm \ 225 | --env GITHUB_TOKEN=INVALID_TOKEN \ 226 | --env GITHUB_REPOSITORY=INVALID_REPOSITORY \ 227 | --env GITHUB_SHA=INVALID_SHA \ 228 | --volume ${PWD}/examples:/examples \ 229 | hckops/helm-dependencies-action \ 230 | "examples/dependencies.yaml" \ 231 | "INVALID_EMAIL" \ 232 | "INVALID_USERNAME" \ 233 | "main" \ 234 | "true" 235 | ``` 236 | 237 | #### Recommendations 238 | 239 | * Automatically delete branches, see `https://github.com/OWNER/REPOSITORY/settings` 240 | 241 | ![settings-delete-pr](docs/settings-delete-pr.png) 242 | 243 | * Suggest to update branches, see `https://github.com/OWNER/REPOSITORY/settings` 244 | 245 | ![settings-update-pr](docs/settings-update-pr.png) 246 | 247 | * Favour squashed PRs to keep a clean commit history, see `https://github.com/OWNER/REPOSITORY/settings` 248 | 249 | ![settings-squash-pr](docs/settings-squash-pr.png) 250 | 251 | * Enable default branch protection, see `https://github.com/OWNER/REPOSITORY/settings/branches`. 
The action pushes a status check named **`action/helm-dependencies`** upon success 252 | 253 | ![settings-branch](docs/settings-branch.png) 254 | 255 | #### Troubleshooting 256 | 257 | * If you get the following error, *pull request create failed: GraphQL: GitHub Actions is not permitted to create or approve pull requests (createPullRequest)* 258 | - make sure you've enabled `Allow GitHub Actions to create and approve pull requests` in your organization and repository settings 259 | - `https://github.com/organizations/ORGANIZATION/settings/actions` 260 | - `https://github.com/OWNER/REPOSITORY/settings/actions` 261 | 262 | ![settings-create-pr](docs/settings-create-pr.png) 263 | 264 | ### helm-lint-action 265 | 266 | [![test-helm-lint](https://github.com/hckops/actions/actions/workflows/test-helm-lint.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-helm-lint.yml) 267 | 268 | > Validates [Helm](https://helm.sh) charts 269 | 270 | Example 271 | ```bash 272 | - name: Helm Lint 273 | uses: hckops/actions/helm-lint-action@main 274 | ``` 275 | 276 | TODOs 277 | - [ ] rename to `kube-validate` 278 | - [ ] add https://github.com/yannh/kubeconform 279 | - [ ] add https://github.com/koalaman/shellcheck 280 | 281 | ### discord-action 282 | 283 | [![test-discord](https://github.com/hckops/actions/actions/workflows/test-discord.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/test-discord.yml) 284 | 285 | > Interacts with Discord API 286 | 287 | Example of *Create message* 288 | ```bash 289 | - name: Notification 290 | uses: hckops/actions/discord-action@main 291 | with: 292 | action: create-message 293 | webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }} 294 | message: "Hello World" 295 | ``` 296 | 297 | Requires `DISCORD_WEBHOOK_URL` secret 298 | * [Intro to Webhooks](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) 299 | 300 | How to test it locally 301 | ```bash 302 | DISCORD_WEBHOOK_URL="INVALID_URL" 303 | make discord-create 
webhook=${DISCORD_WEBHOOK_URL} message=test 304 | 305 | docker build -t hckops/discord-action ./discord-action 306 | docker run --rm hckops/discord-action "create-message" ${DISCORD_WEBHOOK_URL} "docker" 307 | ``` 308 | 309 | ### docker-template-action 310 | 311 | > Builds and publishes Docker images 312 | 313 | See [composite actions](https://docs.github.com/en/actions/creating-actions/creating-a-composite-action), useful to build base images in combination with [matrixes](https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs) 314 | 315 | ```bash 316 | - name: Docker CI 317 | uses: hckops/actions/docker-template-action@main 318 | with: 319 | DOCKER_CONTEXT: "./docker/" 320 | # optional 321 | DOCKER_FILE: "Dockerfile" 322 | DOCKER_IMAGE_NAME: "" 323 | DOCKER_REPOSITORY: "" 324 | # optional, default is sha 325 | DOCKER_DEFAULT_TAG: "latest" 326 | SECRET_DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} 327 | SECRET_DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} 328 | # optional 329 | SECRET_DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} 330 | ``` 331 | 332 | ## Development 333 | 334 | ### Docker images 335 | 336 | [![docker-ci](https://github.com/hckops/actions/actions/workflows/docker-ci.yml/badge.svg)](https://github.com/hckops/actions/actions/workflows/docker-ci.yml) 337 | 338 | > Action's base images 339 | 340 | * [DockerHub](https://hub.docker.com/u/hckops) 341 | 342 | ```bash 343 | # run command 344 | docker run --rm hckops/kube-base /bin/bash -c 345 | 346 | # start temporary container 347 | docker run --rm --name hck-tmp -it hckops/kube- 348 | ``` 349 | 350 | How to publish docker images 351 | ```bash 352 | # list latest tags 353 | curl -sS "https://api.github.com/repos/hckops/actions/tags" | jq '.[].name' 354 | 355 | # publish with action 356 | git tag docker-X.Y.Z 357 | git push origin --tags 358 | 359 | # build and publish manually (old) 360 | make docker-build 361 | make docker-publish version=vX.Y.Z token= 362 | make 
docker-clean 363 | ``` 364 | 365 | Actions to update when a new docker tag is created 366 | * `bootstrap-action` 367 | * `helm-dependencies-action` 368 | * `helm-lint-action` 369 | * `kube-do-action` 370 | * `kube-secrets-action` 371 | 372 | ```bash 373 | # bump all images (replace the placeholders with the current and the new image version) 374 | make update-version old="OLD_VERSION" new="NEW_VERSION" 375 | ``` 376 | 377 | ### minikube 378 | 379 | * [Documentation](https://minikube.sigs.k8s.io) 380 | 381 | ```bash 382 | # install 383 | curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube_latest_amd64.deb 384 | sudo dpkg -i minikube_latest_amd64.deb 385 | 386 | # local cluster 387 | minikube start --driver=docker --embed-certs 388 | minikube delete --all 389 | 390 | # verify status 391 | kubectl get nodes 392 | ``` 393 | -------------------------------------------------------------------------------- /bootstrap-action/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM hckops/kube-base:0.5.1 2 | 3 | COPY entrypoint.sh /entrypoint.sh 4 | 5 | ENTRYPOINT ["/entrypoint.sh"] 6 | -------------------------------------------------------------------------------- /bootstrap-action/action.yml: -------------------------------------------------------------------------------- 1 | name: 'Bootstrap' 2 | description: 'Bootstrap a platform with ArgoCD' 3 | 4 | inputs: 5 | argocd-admin-password: 6 | description: 'ArgoCD admin password' 7 | required: true 8 | argocd-git-ssh-key: 9 | description: 'ArgoCD private SSH key to access the repository from the cluster' 10 | required: true 11 | kubeconfig: 12 | description: 'Path to kubeconfig file e.g. 
./OWNER-REPOSITORY-kubeconfig.yaml' 13 | required: true 14 | chart-path: 15 | description: 'Path to Helm v3 chart' 16 | required: true 17 | config-path: 18 | description: 'Path to the cluster configuration file' 19 | required: false 20 | 21 | runs: 22 | using: docker 23 | image: Dockerfile 24 | args: 25 | - ${{ inputs.argocd-admin-password }} 26 | - ${{ inputs.argocd-git-ssh-key }} 27 | - ${{ inputs.kubeconfig }} 28 | - ${{ inputs.chart-path }} 29 | - ${{ inputs.config-path }} 30 | -------------------------------------------------------------------------------- /bootstrap-action/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | ############################## 6 | 7 | PARAM_ARGOCD_ADMIN_PASSWORD=${1:?"Missing ARGOCD_ADMIN_PASSWORD"} 8 | PARAM_ARGOCD_GIT_SSH_KEY=${2:?"Missing ARGOCD_GIT_SSH_KEY"} 9 | PARAM_KUBECONFIG=${3:?"Missing KUBECONFIG"} 10 | PARAM_CHART_PATH=${4:?"Missing CHART_PATH"} 11 | # optional config override: uses always latest config in the current branch 12 | PARAM_CONFIG_PATH=${5:-"INVALID_CONFIG_PATH"} 13 | 14 | ############################## 15 | 16 | # param #1: 17 | # param #2: 18 | function get_config { 19 | local FIELD_NAME=$1 20 | local DEFAULT_VALUE=$2 21 | 22 | # if config file doesn't exist returns default 23 | if [[ -f "${PARAM_CONFIG_PATH}" ]]; then 24 | echo $(yq -o=json '.' "${PARAM_CONFIG_PATH}" | jq -r '.bootstrap.'"${FIELD_NAME}"' // "'"${DEFAULT_VALUE}"'"') 25 | else 26 | echo ${DEFAULT_VALUE} 27 | fi 28 | } 29 | 30 | function bootstrap { 31 | local CHART_NAME=$(get_config "chartName" "argocd") 32 | # https://helm.sh/docs/chart_template_guide/subcharts_and_globals/#overriding-values-from-a-parent-chart 33 | local CHART_NAME_PREFIX=$(get_config "chartNamePrefix" ${CHART_NAME}) 34 | # helm issue: make sure to use an alias without dash for dependencies 35 | # e.g. 
"my_parent-chart.mysubchart" returns "myparentchart.mysubchart" 36 | local CHART_NAME_PREFIX_ALIAS=$(echo ${CHART_NAME_PREFIX} | sed -r 's/[-_]+//g') 37 | local NAMESPACE=$(get_config "namespace" "argocd") 38 | # if the file doesn't exist apply the default values twice 39 | local HELM_VALUE_FILE=$(get_config "helmValueFile" "values.yaml") 40 | 41 | echo "[*] BOOTSTRAP_CHART_NAME=${CHART_NAME}" 42 | echo "[*] BOOTSTRAP_CHART_NAME_PREFIX=${CHART_NAME_PREFIX}" 43 | echo "[*] BOOTSTRAP_CHART_NAME_PREFIX_ALIAS=${CHART_NAME_PREFIX_ALIAS}" 44 | echo "[*] BOOTSTRAP_NAMESPACE=${NAMESPACE}" 45 | echo "[*] BOOTSTRAP_HELM_VALUE_FILE=${HELM_VALUE_FILE}" 46 | 47 | # download dependencies of the dependency first, alternatively commit the tgz 48 | # fixes "ensure CRDs are installed first", argocd CRDs are defined in the template folder 49 | # https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd/templates/crds 50 | # consider migration to bitnami chart which respects helm 3 standard 51 | # https://github.com/bitnami/charts/tree/main/bitnami/argo-cd/crds 52 | if [[ "${CHART_NAME_PREFIX}" != "argocd" ]]; then 53 | # e.g. "myparentchart.mysubchart" returns "myparentchart" 54 | DEPENDENCY_CHART_NAME=$(echo ${CHART_NAME_PREFIX} | awk -F '.' 
'{print $1}') 55 | # assumes dependency chart is in the same path 56 | DEPENDENCY_CHART_FOLDER=$(dirname ${PARAM_CHART_PATH}) 57 | DEPENDENCY_CHART_PATH="${DEPENDENCY_CHART_FOLDER}/${DEPENDENCY_CHART_NAME}" 58 | 59 | echo "[*] downloading sub-chart dependencies: ${DEPENDENCY_CHART_PATH}" 60 | helm dependency update ${DEPENDENCY_CHART_PATH} 61 | fi 62 | 63 | echo "[*] downloading chart dependencies: ${PARAM_CHART_PATH}" 64 | # download chart locally: "--dependency-update" fails 65 | helm dependency update ${PARAM_CHART_PATH} 66 | 67 | # manually applies "argocd-config" chart and "argocd" dependency with crds 68 | # applies in order: values.yaml -> values-bootstrap.yaml -> 2 secret ovverrides 69 | # argocd-config app uses values.yaml and values-auth.yaml excluding values-bootstrap.yaml 70 | # values-auth.yaml sets "createSecret: false" to avoid overriding admin password and add SSO independently 71 | # with "createSecret: true" argocd by default creates a random admin password 72 | # https://argo-cd.readthedocs.io/en/stable/faq/#i-forgot-the-admin-password-how-do-i-reset-it 73 | helm template ${CHART_NAME} \ 74 | --include-crds \ 75 | --dependency-update \ 76 | --namespace ${NAMESPACE} \ 77 | --values "${PARAM_CHART_PATH}/values.yaml" \ 78 | --values "${PARAM_CHART_PATH}/${HELM_VALUE_FILE}" \ 79 | --set ${CHART_NAME_PREFIX_ALIAS}.configs.secret.argocdServerAdminPassword="${PARAM_ARGOCD_ADMIN_PASSWORD}" \ 80 | --set ${CHART_NAME_PREFIX_ALIAS}.configs.credentialTemplates.ssh-creds.sshPrivateKey="${PARAM_ARGOCD_GIT_SSH_KEY}" \ 81 | ${PARAM_CHART_PATH} | kubectl --kubeconfig ${PARAM_KUBECONFIG} --namespace ${NAMESPACE} apply -f - 82 | } 83 | 84 | function main { 85 | # add helm repository 86 | helm repo add "argo" "https://argoproj.github.io/argo-helm" 87 | 88 | # Helm 3 flag --include-crds guarantees that CRDs are created first, 89 | # but it might happen that by the time they are used in the same chart they are not ready yet. 
# Since the bootstrap is idempotent, the template is applied a second time when the first attempt fails, which works around the concurrency issue
PARAM_ACTION=${1:?"Missing ACTION"} 8 | PARAM_WEBHOOK_URL=${2:?"Missing WEBHOOK_URL"} 9 | 10 | ############################## 11 | 12 | echo "[+] discord" 13 | echo "[*] ACTION=${PARAM_ACTION}" 14 | echo "[*] WEBHOOK_URL=${PARAM_WEBHOOK_URL}" 15 | 16 | case ${PARAM_ACTION} in 17 | # https://discord.com/developers/docs/resources/channel#create-message 18 | "create-message") 19 | PARAM_MESSAGE=${3:-"EMPTY_MESSAGE"} 20 | echo "[*] MESSAGE=${PARAM_MESSAGE}" 21 | 22 | curl -sS \ 23 | -H "Content-Type: application/json" \ 24 | -d '{"content":"'"${PARAM_MESSAGE}"'"}' \ 25 | ${PARAM_WEBHOOK_URL} 26 | ;; 27 | *) 28 | echo "ERROR: unknown command" 29 | exit 1 30 | ;; 31 | esac 32 | 33 | echo "[-] discord" 34 | -------------------------------------------------------------------------------- /docker-template-action/action.yml: -------------------------------------------------------------------------------- 1 | name: docker-template 2 | 3 | # https://docs.github.com/en/actions/creating-actions/creating-a-composite-action 4 | # https://wallis.dev/blog/composite-github-actions 5 | 6 | inputs: 7 | DOCKER_CONTEXT: 8 | description: 'Path of Dockerfile' 9 | required: true 10 | DOCKER_PLATFORMS: 11 | description: 'Multi-platform' 12 | required: false 13 | default: 'linux/amd64,linux/arm64' 14 | DOCKER_FILE: 15 | description: 'Dockerfile name' 16 | required: false 17 | default: Dockerfile 18 | DOCKER_IMAGE_NAME: 19 | description: 'Docker image name' 20 | required: true 21 | DOCKER_REPOSITORY: 22 | description: 'Docker repository name' 23 | required: true 24 | DOCKER_TAG_PREFIX: 25 | description: 'Tag prefix to strip out' 26 | required: false 27 | default: 'v' 28 | DOCKER_DEFAULT_TAG: 29 | description: 'Default Docker tag' 30 | required: false 31 | SECRET_DOCKERHUB_USERNAME: 32 | description: 'DockerHub username' 33 | required: true 34 | SECRET_DOCKERHUB_TOKEN: 35 | description: 'DockerHub token' 36 | required: true 37 | SECRET_DISCORD_WEBHOOK_URL: 38 | description: 'Discord webhook 
url' 39 | required: false 40 | 41 | # all "run" steps require "shell: bash" in composite actions 42 | runs: 43 | using: 'composite' 44 | steps: 45 | 46 | - name: Checkout repository 47 | uses: actions/checkout@v4 48 | 49 | # extracts tag from ref, returns semver tag or sha suffix or default tag 50 | - name: Get Docker tag 51 | id: get-docker-tag 52 | env: 53 | GITHUB_REF: ${{ github.ref }} 54 | COMMIT_SHA: ${{ github.sha }} 55 | TAG_PREFIX: ${{ inputs.DOCKER_TAG_PREFIX }} 56 | DEFAULT_TAG: ${{ inputs.DOCKER_DEFAULT_TAG }} 57 | shell: bash 58 | # see https://www.gnu.org/software/bash/manual/bash.html#Shell-Parameter-Expansion 59 | run: | 60 | if [[ ${{ github.ref_type }} == "tag" ]]; then 61 | echo "tag=${GITHUB_REF#refs/tags/$TAG_PREFIX}" >> ${GITHUB_OUTPUT} 62 | elif [[ ${DEFAULT_TAG} == "" ]]; then 63 | echo "tag=${COMMIT_SHA:0:7}" >> ${GITHUB_OUTPUT} 64 | else 65 | echo "tag=${DEFAULT_TAG}" >> ${GITHUB_OUTPUT} 66 | fi 67 | 68 | - name: Output Docker tag 69 | shell: bash 70 | run: echo ${{ steps.get-docker-tag.outputs.tag }} 71 | 72 | - name: Set up Docker Buildx 73 | uses: docker/setup-buildx-action@v3 74 | 75 | - name: Login to Docker Hub 76 | uses: docker/login-action@v3 77 | with: 78 | username: ${{ inputs.SECRET_DOCKERHUB_USERNAME }} 79 | password: ${{ inputs.SECRET_DOCKERHUB_TOKEN }} 80 | 81 | - name: Build and push [${{ env.IMAGE_NAME }}] 82 | uses: docker/build-push-action@v5 83 | env: 84 | IMAGE_NAME: ${{ inputs.DOCKER_IMAGE_NAME }} 85 | with: 86 | context: ${{ inputs.DOCKER_CONTEXT }} 87 | platforms: ${{ inputs.DOCKER_PLATFORMS }} 88 | file: ${{ inputs.DOCKER_CONTEXT }}/${{ inputs.DOCKER_FILE }} 89 | # if false it will only build 90 | push: true 91 | tags: | 92 | ${{ inputs.DOCKER_REPOSITORY }}/${{ env.IMAGE_NAME }}:latest 93 | ${{ inputs.DOCKER_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ steps.get-docker-tag.outputs.tag }} 94 | 95 | - name: Notification 96 | if: ${{ inputs.SECRET_DISCORD_WEBHOOK_URL != '' }} 97 | uses: hckops/actions/discord-action@main 98 
| with: 99 | action: create-message 100 | webhook-url: ${{ inputs.SECRET_DISCORD_WEBHOOK_URL }} 101 | # markdown format 102 | message: "> Repository: **${{ github.repository }}**\\n> Docker:\\t\\t [${{ inputs.DOCKER_IMAGE_NAME }}](https://hub.docker.com/r/${{ inputs.DOCKER_REPOSITORY }}/${{ inputs.DOCKER_IMAGE_NAME }})\\n> Status:\\t\\t **NEW image**" 103 | -------------------------------------------------------------------------------- /docker/.bashrc: -------------------------------------------------------------------------------- 1 | # ALIAS 2 | alias ll='ls -lah' 3 | 4 | # HISTORY 5 | export HISTFILESIZE= 6 | export HISTSIZE= 7 | export HISTTIMEFORMAT="[%F %T] " 8 | 9 | # PROMPT 10 | _DEFAULT="\[\033[00m\]" 11 | _YELLOW="\[\e[1;33m\]" 12 | _BLUE="\[\033[01;34m\]" 13 | _GREEN="\[\e[1;32m\]" 14 | function kube_context_prompt() { 15 | [[ -f "$KUBECONFIG" ]] && echo "($(kubectx -c)|$(kubens -c)) " || echo "" 16 | } 17 | export PS1="${_YELLOW}\$(kube_context_prompt)${_BLUE}\u${_DEFAULT}@\h ${_GREEN}\w${_DEFAULT} \$ " 18 | 19 | # PATH 20 | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" 21 | -------------------------------------------------------------------------------- /docker/Dockerfile.argo: -------------------------------------------------------------------------------- 1 | FROM hckops/kube-base 2 | 3 | # https://github.com/argoproj/argo-cd/releases 4 | ARG ARGO_CD_VERSION=2.11.7 5 | # https://github.com/argoproj/argo-workflows/releases 6 | ARG ARGO_WORKFLOWS_VERSION=3.5.10 7 | 8 | RUN echo "$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" > /tmp/bin-arch 9 | 10 | # argo-cd 11 | RUN curl -sSL "https://github.com/argoproj/argo-cd/releases/download/v${ARGO_CD_VERSION}/argocd-linux-$(cat /tmp/bin-arch)" -o /usr/local/bin/argocd && \ 12 | chmod +x /usr/local/bin/argocd && \ 13 | argocd version --client --output=json 14 | 15 | # argo-workflows 16 | RUN curl -sSL -o - 
"https://github.com/argoproj/argo-workflows/releases/download/v${ARGO_WORKFLOWS_VERSION}/argo-linux-$(cat /tmp/bin-arch).gz" | gunzip > /usr/local/bin/argo && \ 17 | chmod +x /usr/local/bin/argo && \ 18 | argo version 19 | -------------------------------------------------------------------------------- /docker/Dockerfile.aws: -------------------------------------------------------------------------------- 1 | FROM hckops/kube-base 2 | 3 | # https://github.com/weaveworks/eksctl/releases 4 | ARG EKSCTL_VERSION=0.188.0 5 | 6 | # eksctl 7 | RUN curl -sSL "https://github.com/weaveworks/eksctl/releases/download/v${EKSCTL_VERSION}/eksctl_$(uname -s)_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar -xzf - -C /usr/local/bin && \ 8 | chmod +x /usr/local/bin/eksctl && \ 9 | eksctl version 10 | -------------------------------------------------------------------------------- /docker/Dockerfile.base: -------------------------------------------------------------------------------- 1 | # https://alpinelinux.org/releases 2 | FROM alpine:3.20 3 | 4 | # https://github.com/kubernetes/kubernetes/releases 5 | ARG KUBECTL_VERSION=1.30.3 6 | # https://github.com/kubernetes-sigs/krew/releases 7 | ARG KREW_VERSION=0.4.4 8 | # https://github.com/ahmetb/kubectx/releases 9 | ARG KUBECTX_VERSION=0.9.5 10 | # https://github.com/helm/helm/releases 11 | ARG HELM_VERSION=3.15.3 12 | 13 | ENV KUBECONFIG="/root/.kube/config" 14 | ENV KREW_ROOT="/root/.krew" 15 | 16 | RUN echo "$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" > /tmp/bin-arch && cat /tmp/bin-arch 17 | 18 | RUN apk upgrade --update && apk --no-cache add \ 19 | git \ 20 | github-cli \ 21 | make \ 22 | curl \ 23 | jq \ 24 | yq \ 25 | bash \ 26 | openssl 27 | 28 | # kubectl 29 | RUN curl -sSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/$(cat /tmp/bin-arch)/kubectl" -o /usr/local/bin/kubectl && \ 30 | curl -sSL "https://dl.k8s.io/v${KUBECTL_VERSION}/bin/linux/$(cat /tmp/bin-arch)/kubectl.sha256" -o 
/tmp/kubectl.sha256 && \ 31 | echo "$(cat /tmp/kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c && rm /tmp/kubectl.sha256 && \ 32 | chmod +x /usr/local/bin/kubectl && \ 33 | kubectl version --client --output=json 34 | 35 | # krew and klock plugin 36 | RUN TMPDIR="$(mktemp -d)" && \ 37 | curl -sSL "https://github.com/kubernetes-sigs/krew/releases/download/v${KREW_VERSION}/krew-linux_$(cat /tmp/bin-arch).tar.gz" | tar -xzf - -C ${TMPDIR} && \ 38 | "${TMPDIR}/krew-linux_$(cat /tmp/bin-arch)" install krew && \ 39 | rm -frv ${TMPDIR} && PATH="${KREW_ROOT}/bin:$PATH" && kubectl krew version && \ 40 | kubectl krew install klock 41 | 42 | # kubectx and kubens 43 | RUN curl -sSL "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar -xzf - -C /usr/local/bin && \ 44 | curl -sSL "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar -xzf - -C /usr/local/bin 45 | 46 | # helm 47 | RUN curl -sSL "https://git.io/get_helm.sh" | bash -s -- --version "v${HELM_VERSION}" && \ 48 | helm version 49 | 50 | COPY .bashrc /root/ 51 | CMD ["/bin/bash"] 52 | -------------------------------------------------------------------------------- /docker/Dockerfile.do: -------------------------------------------------------------------------------- 1 | FROM hckops/kube-base 2 | 3 | # https://github.com/digitalocean/doctl/releases 4 | ARG DOCTL_VERSION=1.110.0 5 | 6 | # doctl 7 | RUN curl -sSL "https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar -xzf - -C /usr/local/bin && \ 8 | doctl version 9 | -------------------------------------------------------------------------------- /docs/dev.txt: -------------------------------------------------------------------------------- 1 | --- 
actions 2 | 3 | https://docs.github.com/en/actions 4 | https://github.com/actions/starter-workflows 5 | https://github.com/sdras/awesome-actions 6 | https://www.philschmid.de/create-custom-github-action-in-4-steps 7 | https://www.actionsbyexample.com 8 | https://actionsflow.github.io 9 | 10 | # examples 11 | https://github.com/netlify/actions 12 | https://github.com/managedkaos/github-actions-two-actions 13 | 14 | # local 15 | https://github.com/nektos/act 16 | 17 | # install 18 | curl -sSL https://github.com/nektos/act/releases/download/v0.2.26/act_Linux_x86_64.tar.gz | sudo tar -xzf - -C /usr/local/bin 19 | 20 | --- docker 21 | 22 | # see tags 23 | https://blog.oddbit.com/post/2020-09-25-building-multi-architecture-im 24 | 25 | # tags (unauthorized) 26 | http https://registry.hub.docker.com/v2/hckops/kube-base/tags/list 27 | 28 | --- git 29 | 30 | https://stackoverflow.com/questions/5586383/how-to-diff-one-file-to-an-arbitrary-version-in-git 31 | https://stackoverflow.com/questions/1125476/retrieve-a-single-file-from-a-repository 32 | https://stackoverflow.com/questions/3489173/how-to-clone-git-repository-with-specific-revision-changeset 33 | https://stackoverflow.com/questions/18126559/how-can-i-download-a-single-raw-file-from-a-private-github-repo-using-the-comman 34 | https://gist.github.com/ssp/1663093 35 | https://gist.github.com/madrobby/9476733 36 | 37 | # diff 38 | git diff main~1:.github/workflows/test-kube-do.yml main:.github/workflows/test-kube-do.yml 39 | # yaml 40 | yq -r '.status' examples/kube-test-do-lon1.yaml 41 | 42 | --- github 43 | 44 | https://docs.github.com/en/actions/learn-github-actions/environment-variables 45 | https://docs.github.com/en/rest/commits/commits 46 | https://docs.github.com/en/rest/repos/contents 47 | 48 | # markdown 49 | https://dothanhlong.org/advanced-formatting-in-github-markdown 50 | 51 | --- discord 52 | 53 | https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks 54 | 
https://discord.com/developers/docs/resources/channel 55 | -------------------------------------------------------------------------------- /docs/helm-dependencies-local.txt: -------------------------------------------------------------------------------- 1 | [+] helm-dependencies 2 | [*] GITHUB_TOKEN=INVALID_TOKEN 3 | [*] GITHUB_REPOSITORY=INVALID_REPOSITORY 4 | [*] GITHUB_SHA=INVALID_SHA 5 | [*] CONFIG_PATH=examples/dependencies.yaml 6 | [*] GIT_USER_EMAIL=INVALID_EMAIL 7 | [*] GIT_USER_NAME=INVALID_USERNAME 8 | [*] GIT_DEFAULT_BRANCH=main 9 | [*] DRY_RUN=true 10 | gh version 2.10.1 (2022-10-07) 11 | https://github.com/cli/cli/releases/tag/v2.10.1 12 | [-] Skip git setup 13 | { 14 | "name": "Argo CD", 15 | "source": { 16 | "file": "examples/test-chart/Chart.yaml", 17 | "path": ".dependencies[0].version" 18 | }, 19 | "repository": { 20 | "type": "artifacthub", 21 | "name": "argo/argo-cd" 22 | }, 23 | "pr": { 24 | "description": "todo" 25 | } 26 | } 27 | [argo/argo-cd] CURRENT=[5.13.6] LATEST=[5.13.6] 28 | [-] Dependency is already up to date 29 | [-] Skip git reset 30 | { 31 | "name": "Argo Workflows", 32 | "source": { 33 | "file": "examples/test-chart/values.yaml", 34 | "path": ".versions.argo.argoWorkflows.helmRepo" 35 | }, 36 | "repository": { 37 | "type": "artifacthub", 38 | "name": "argo/argo-workflows" 39 | } 40 | } 41 | [argo/argo-workflows] CURRENT=[0.20.1] LATEST=[0.20.6] 42 | [-] Skip pull request 43 | [-] Skip git reset 44 | { 45 | "name": "Prometheus Stack", 46 | "source": { 47 | "file": "examples/test-chart/values.yaml", 48 | "path": ".versions.observe.prometheusStack.helmRepo" 49 | }, 50 | "repository": { 51 | "type": "artifacthub", 52 | "name": "prometheus-community/kube-prometheus-stack" 53 | } 54 | } 55 | [prometheus-community/kube-prometheus-stack] CURRENT=[41.4.0] LATEST=[41.7.3] 56 | [-] Skip pull request 57 | [-] Skip git reset 58 | [-] helm-dependencies 59 | -------------------------------------------------------------------------------- 
/docs/settings-branch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hckops/actions/f34d127ef6934706c5f42d468f3466b04e393da6/docs/settings-branch.png -------------------------------------------------------------------------------- /docs/settings-create-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hckops/actions/f34d127ef6934706c5f42d468f3466b04e393da6/docs/settings-create-pr.png -------------------------------------------------------------------------------- /docs/settings-delete-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hckops/actions/f34d127ef6934706c5f42d468f3466b04e393da6/docs/settings-delete-pr.png -------------------------------------------------------------------------------- /docs/settings-squash-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hckops/actions/f34d127ef6934706c5f42d468f3466b04e393da6/docs/settings-squash-pr.png -------------------------------------------------------------------------------- /docs/settings-update-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hckops/actions/f34d127ef6934706c5f42d468f3466b04e393da6/docs/settings-update-pr.png -------------------------------------------------------------------------------- /examples/cluster-test.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/weaveworks/eksctl/blob/main/examples/01-simple-cluster.yaml 2 | --- 3 | apiVersion: eksctl.io/v1alpha5 4 | kind: ClusterConfig 5 | 6 | metadata: 7 | name: cluster-test 8 | # https://docs.aws.amazon.com/general/latest/gr/eks.html 9 | region: us-east-1 10 | 11 | nodeGroups: 12 | - name: ng-1 13 | instanceType: m5.large 
14 | desiredCapacity: 1 15 | -------------------------------------------------------------------------------- /examples/dependencies.yaml: -------------------------------------------------------------------------------- 1 | # TODO not used 2 | version: 1 3 | 4 | # TODO not used 5 | default: 6 | pr: 7 | tags: [] 8 | automerge: false 9 | # closes old prs for the same dependency 10 | autoclose: true 11 | # supports markdown 12 | description: "test me" 13 | 14 | dependencies: 15 | - name: "Argo CD" 16 | source: 17 | file: examples/test-chart/Chart.yaml 18 | path: .dependencies[0].version 19 | repository: 20 | # TODO add support for [github] i.e. releases/tags 21 | type: artifacthub 22 | name: argo/argo-cd 23 | # TODO override default 24 | pr: 25 | description: "todo" 26 | - name: "Argo Workflows" 27 | source: 28 | file: examples/test-chart/values.yaml 29 | path: .versions.argo.argoWorkflows.helmRepo 30 | repository: 31 | type: artifacthub 32 | name: argo/argo-workflows 33 | - name: "Prometheus Stack" 34 | source: 35 | file: examples/test-chart/values.yaml 36 | path: .versions.observe.prometheusStack.helmRepo 37 | repository: 38 | type: artifacthub 39 | name: prometheus-community/kube-prometheus-stack 40 | -------------------------------------------------------------------------------- /examples/kube-test-aws-us-east-1.yaml: -------------------------------------------------------------------------------- 1 | # TODO kube-aws-action 2 | 3 | version: 1 4 | name: test-aws-us-east-1 5 | provider: aws 6 | status: DOWN 7 | 8 | aws: 9 | # https://eksctl.io/usage/schema 10 | cluster: 11 | # path from repository root 12 | filePath: examples/cluster-test.yaml 13 | -------------------------------------------------------------------------------- /examples/kube-test-do-lon1.yaml: -------------------------------------------------------------------------------- 1 | # cluster definition used by "kube-do-action" and "bootstrap-action" 2 | 3 | # matches major semver version of the actions 
4 | version: 1 5 | # name of the cluster 6 | name: test-do-lon1 7 | # cloud provider: [digitalocean|aws] 8 | provider: digitalocean 9 | # starts|stops the cluster: the action detects changes i.e. UP or DOWN 10 | status: DOWN 11 | 12 | digitalocean: 13 | # https://slugs.do-api.dev 14 | # https://www.digitalocean.com/try/new-pricing 15 | # https://docs.digitalocean.com/products/kubernetes/details/limits 16 | cluster: 17 | # number of nodes 18 | count: 1 19 | region: lon1 20 | # node types 21 | size: s-1vcpu-2gb 22 | # by default use latest version 23 | version: 1.29.6-do.0 24 | # TODO not implemented: by default is tagged automatically with the GitOps repository 25 | tags: [] 26 | # OPTIONAL 27 | network: 28 | domain: 29 | # when true, adds/removes domain when the cluster is created/deleted: domain MUST be first added manually 30 | # WARNING: prefer adding/removing this manually 31 | managed: false 32 | name: example.com 33 | loadBalancer: 34 | # when true and the cluster is deleted, removes the load balancer associated to the domain name 35 | managed: true 36 | volumes: 37 | # when true and the cluster is deleted, removes all the volumes, default is true 38 | managed: true 39 | 40 | # OPTIONAL: all fields are optional 41 | bootstrap: 42 | # uses alias instead of chart name e.g. argo-cd 43 | chartName: argocd 44 | # prefix variable override e.g. if bootstrap chart is a dependency of another chart 45 | # NOTE: chart names must be separated by dots 46 | # if there are dashes or underscore, use the folder name and define an alias for the dependency 47 | chartNamePrefix: myparent-chart.mysubchart 48 | # namespace of where the chart is applied 49 | namespace: argocd 50 | # overrides values in the chart i.e. 
multi env/tenant/cloud 51 | # NOTE path is relative to the chart folder 52 | # https://github.com/hckops/kube-template/tree/main/charts/argocd-config 53 | helmValueFile: values-bootstrap.yaml 54 | -------------------------------------------------------------------------------- /examples/test-chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: test-chart 3 | version: 0.1.0 4 | 5 | dependencies: 6 | - name: argo-cd 7 | alias: argocd 8 | version: 5.13.6 9 | repository: https://argoproj.github.io/argo-helm 10 | -------------------------------------------------------------------------------- /examples/test-chart/values.yaml: -------------------------------------------------------------------------------- 1 | versions: 2 | argo: 3 | argoWorkflows: 4 | helmRepo: "0.20.1" 5 | examples: 6 | # TODO https://github.com/paulbouwer/hello-kubernetes.git 7 | helloKubernetes: 8 | gitRepo: HEAD 9 | observe: 10 | prometheusStack: 11 | # TODO https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack 12 | # TODO replace/prefix/regex 13 | gitRepo: "kube-prometheus-stack-41.4.0" 14 | helmRepo: "41.4.0" 15 | -------------------------------------------------------------------------------- /helm-dependencies-action/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM hckops/kube-base:0.5.1 2 | 3 | # https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables 4 | ENV GITHUB_TOKEN=${GITHUB_TOKEN} 5 | ENV GITHUB_REPOSITORY=${GITHUB_REPOSITORY} 6 | ENV GITHUB_SHA=${GITHUB_SHA} 7 | 8 | COPY entrypoint.sh /entrypoint.sh 9 | 10 | ENTRYPOINT ["/entrypoint.sh"] 11 | -------------------------------------------------------------------------------- /helm-dependencies-action/action.yml: -------------------------------------------------------------------------------- 1 | name: 'Helm Dependencies' 2 | 
description: 'Keep Helm dependencies updated' 3 | 4 | inputs: 5 | config-path: 6 | description: 'Path to the dependencies configuration file' 7 | required: true 8 | user-email: 9 | description: 'user.email to configure git' 10 | required: true 11 | user-name: 12 | description: 'user.name to configure git' 13 | required: true 14 | default-branch: 15 | description: 'Repository default branch' 16 | required: false 17 | default: ${{ github.event.repository.default_branch }} 18 | dry-run: 19 | description: 'Skip pull requests if set to true' 20 | required: false 21 | default: false 22 | 23 | runs: 24 | using: docker 25 | image: Dockerfile 26 | args: 27 | - ${{ inputs.config-path }} 28 | - ${{ inputs.user-email }} 29 | - ${{ inputs.user-name }} 30 | - ${{ inputs.default-branch }} 31 | - ${{ inputs.dry-run }} 32 | -------------------------------------------------------------------------------- /helm-dependencies-action/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | ############################## 6 | 7 | PARAM_CONFIG_PATH=${1:?"Missing CONFIG_PATH"} 8 | PARAM_GIT_USER_EMAIL=${2:?"Missing GIT_USER_EMAIL"} 9 | PARAM_GIT_USER_NAME=${3:?"Missing GIT_USER_NAME"} 10 | PARAM_GIT_DEFAULT_BRANCH=${4:?"Missing GIT_DEFAULT_BRANCH"} 11 | PARAM_DRY_RUN=${5:?"Missing DRY_RUN"} 12 | 13 | ############################## 14 | 15 | # param #1: 16 | # param #2: 17 | function get_config { 18 | local CONFIG_PATH=$1 19 | local JQ_PATH=$2 20 | 21 | echo $(yq -o=json '.' 
"${CONFIG_PATH}" | jq -r "${JQ_PATH}") 22 | } 23 | 24 | # param #1: 25 | function get_latest_artifacthub { 26 | # owner/repository 27 | local HELM_NAME=$1 28 | 29 | # fetches latest version from rss feed (xml format) 30 | echo $(curl -sSL "https://artifacthub.io/api/v1/packages/helm/$HELM_NAME/feed/rss" | \ 31 | yq -p=xml --xml-attribute-prefix=+ '.rss.channel.item[0].title') 32 | } 33 | 34 | # global param: 35 | # global param: 36 | function init_git { 37 | # fixes: unsafe repository ('/github/workspace' is owned by someone else) 38 | git config --global --add safe.directory /github/workspace 39 | 40 | # mandatory configs 41 | git config user.email $PARAM_GIT_USER_EMAIL 42 | git config user.name $PARAM_GIT_USER_NAME 43 | 44 | # fetch existing remote branches 45 | git fetch --all 46 | } 47 | 48 | # global param: 49 | function reset_git { 50 | # stash any changes from previous pr 51 | git stash save -u 52 | 53 | # reset to default branch 54 | git checkout $PARAM_GIT_DEFAULT_BRANCH 55 | } 56 | 57 | # param #1: 58 | # param #2: 59 | # param #3: 60 | # global param: 61 | # action param: 62 | # action param: 63 | # action param: 64 | # see https://github.com/my-awesome/actions/blob/main/gh-update-action/update.sh 65 | function create_pr { 66 | local GIT_BRANCH=$1 67 | local PR_TITLE=$2 68 | local PR_MESSAGE=$3 69 | 70 | echo "[*] GIT_BRANCH=${GIT_BRANCH}" 71 | echo "[*] PR_TITLE=${PR_TITLE}" 72 | echo "[*] PR_MESSAGE=${PR_MESSAGE}" 73 | 74 | # must be on a different branch 75 | git checkout -b $GIT_BRANCH 76 | git add . 
77 | git status 78 | 79 | # fails without quotes: "quote all values that have spaces" 80 | git commit -m "$PR_TITLE" 81 | git push origin $GIT_BRANCH 82 | 83 | # uses GITHUB_TOKEN 84 | gh pr create --head $GIT_BRANCH --base ${PARAM_GIT_DEFAULT_BRANCH} --title "$PR_TITLE" --body "$PR_MESSAGE" 85 | 86 | # retrieves latest sha of the current branch 87 | # global GITHUB_SHA is the commit sha that triggered the workflow, before the update 88 | GIT_BRANCH_SHA=$(git rev-parse $GIT_BRANCH) 89 | 90 | echo "[*] GIT_BRANCH_SHA=${GIT_BRANCH_SHA}" 91 | 92 | # uses GITHUB_TOKEN 93 | # https://docs.github.com/en/rest/commits/statuses#about-the-commit-statuses-api 94 | # push status to allow branch protection 95 | gh api \ 96 | --method POST \ 97 | -H "Accept: application/vnd.github+json" \ 98 | "/repos/${GITHUB_REPOSITORY}/statuses/${GIT_BRANCH_SHA}" \ 99 | -f state="success" \ 100 | -f target_url="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ 101 | -f description="Helm dependencies up to date" \ 102 | -f context="action/helm-dependencies" 103 | 104 | # TODO labels https://github.com/cli/cli/issues/1503 105 | # TODO automerge 106 | } 107 | 108 | # param #1: 109 | # global param: 110 | function update_dependency { 111 | local DEPENDENCY_JSON=$1 112 | local REPOSITORY_TYPE=$(echo ${DEPENDENCY_JSON} | jq -r '.repository.type') 113 | 114 | # debug 115 | echo ${DEPENDENCY_JSON} | jq '.' 
116 | 117 | case ${REPOSITORY_TYPE} in 118 | "artifacthub") 119 | local REPOSITORY_NAME=$(echo ${DEPENDENCY_JSON} | jq -r '.repository.name') 120 | local SOURCE_FILE=$(echo ${DEPENDENCY_JSON} | jq -r '.source.file') 121 | local SOURCE_PATH=$(echo ${DEPENDENCY_JSON} | jq -r '.source.path') 122 | local CURRENT_VERSION=$(get_config ${SOURCE_FILE} ${SOURCE_PATH}) 123 | local LATEST_VERSION=$(get_latest_artifacthub ${REPOSITORY_NAME}) 124 | 125 | echo "[${REPOSITORY_NAME}] CURRENT=[${CURRENT_VERSION}] LATEST=[${LATEST_VERSION}]" 126 | 127 | if [[ ${CURRENT_VERSION} == ${LATEST_VERSION} ]]; then 128 | echo "[-] Dependency is already up to date" 129 | 130 | elif [[ "${PARAM_DRY_RUN}" == "true" ]]; then 131 | echo "[-] Skip pull request" 132 | 133 | else 134 | # update version: see formatting issue https://github.com/mikefarah/yq/issues/515 135 | yq -i "${SOURCE_PATH} = \"${LATEST_VERSION}\"" ${SOURCE_FILE} 136 | 137 | local GIT_BRANCH=$(echo "helm-${REPOSITORY_NAME}-${LATEST_VERSION}" | sed -r 's|[/.]|-|g') 138 | local DEPENDENCY_NAME=$(basename ${REPOSITORY_NAME}) 139 | local PR_TITLE="Update ${DEPENDENCY_NAME} to ${LATEST_VERSION}" 140 | local PR_MESSAGE="Updates [${REPOSITORY_NAME}](https://artifacthub.io/packages/helm/${REPOSITORY_NAME}) Helm dependency from ${CURRENT_VERSION} to ${LATEST_VERSION}" 141 | 142 | # returns the hash of the branch if exists or nothing 143 | # IMPORTANT branches are fetched once during setup 144 | local GIT_BRANCH_EXISTS=$(git show-ref ${GIT_BRANCH}) 145 | 146 | # returns true if the string is not empty 147 | if [[ -n ${GIT_BRANCH_EXISTS} ]]; then 148 | echo "[-] Pull request already exists" 149 | else 150 | create_pr "${GIT_BRANCH}" "${PR_TITLE}" "${PR_MESSAGE}" 151 | fi 152 | fi 153 | ;; 154 | *) 155 | echo "ERROR: invalid repository type" 156 | exit 1 157 | ;; 158 | esac 159 | } 160 | 161 | ############################## 162 | 163 | function main { 164 | local DEPENDENCIES=$(get_config ${PARAM_CONFIG_PATH} '.dependencies[]') 165 | 166 | 
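  if [[ "${PARAM_DRY_RUN}" == "true" ]]; then
    echo "[-] Skip git setup"
  else
    # setup git repository
    init_git
  fi

  # use the compact output option (-c) so each result is put on a single line and is treated as one item in the loop
  # "read -r" keeps backslashes inside the json untouched
  echo "${DEPENDENCIES}" | jq -c '.' | while IFS= read -r ITEM; do
    update_dependency "${ITEM}"

    if [[ "${PARAM_DRY_RUN}" == "true" ]]; then
      echo "[-] Skip git reset"
    else
      # prepare git repository for next pr
      reset_git
    fi
  done
}

echo "[+] helm-dependencies"
# global
# never print the token itself, only whether it is present
echo "[*] GITHUB_TOKEN=${GITHUB_TOKEN:+[set]}"
echo "[*] GITHUB_REPOSITORY=${GITHUB_REPOSITORY}"
echo "[*] GITHUB_SHA=${GITHUB_SHA}"
# params
echo "[*] CONFIG_PATH=${PARAM_CONFIG_PATH}"
echo "[*] GIT_USER_EMAIL=${PARAM_GIT_USER_EMAIL}"
echo "[*] GIT_USER_NAME=${PARAM_GIT_USER_NAME}"
echo "[*] GIT_DEFAULT_BRANCH=${PARAM_GIT_DEFAULT_BRANCH}"
echo "[*] DRY_RUN=${PARAM_DRY_RUN}"

gh --version
gh auth status

main

echo "[-] helm-dependencies"
--------------------------------------------------------------------------------
/helm-lint-action/Dockerfile:
--------------------------------------------------------------------------------
FROM hckops/kube-base:0.5.1

COPY entrypoint.sh /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------
/helm-lint-action/action.yml:
--------------------------------------------------------------------------------
name: 'Helm Lint'
description: 'Validate Helm chart'

runs:
  using: docker
  image: Dockerfile
--------------------------------------------------------------------------------
/helm-lint-action/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

##############################

echo "[+] helm-lint"

# lints every directory that contains a Chart.yaml
# NOTE(review): directories are passed newline-separated, so a chart path containing whitespace would be split
find . -type f -name 'Chart.yaml' -exec dirname {} \; | xargs helm lint

echo "[-] helm-lint"
--------------------------------------------------------------------------------
/kube-do-action/Dockerfile:
--------------------------------------------------------------------------------
FROM hckops/kube-do:0.5.1

COPY entrypoint.sh /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------
/kube-do-action/action.yml:
--------------------------------------------------------------------------------
name: 'Kubernetes DigitalOcean Cluster'
description: 'Manage DigitalOcean Kubernetes cluster lifecycle'

inputs:
  # TODO required for private repositories only
  # How to create a PAT
  # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
  github-token:
    description: 'GitHub token required to download the cluster configurations when the repository is private'
    required: true
  access-token:
    description: 'Digital Ocean access token required to provision clusters'
    required: true
  config-path:
    description: 'Path to the cluster configuration file'
    required: true
  config-branch:
    description: 'Branch of the cluster configuration file'
    required: false
  enabled:
    description: 'Dry run if set to false'
    required: false
    default: true
  wait:
    description: 'Wait for the cluster to be provisioned before exit'
    required: false
    default: false
  skip-create:
    description: 'Ignore provisioning.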
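If cluster status is UP download kubeconfig only: useful for development'
    required: false
    default: false
outputs:
  status:
    description: 'Current status of the cluster: [DISABLE|CREATE|DELETE|UP|DOWN|ERROR]'
  kubeconfig:
    description: 'Path to kubeconfig file e.g. ./OWNER-REPOSITORY-kubeconfig.yaml'

runs:
  using: docker
  image: Dockerfile
  args:
    - ${{ inputs.github-token }}
    - ${{ inputs.access-token }}
    - ${{ inputs.config-path }}
    - ${{ inputs.config-branch }}
    - ${{ inputs.enabled }}
    - ${{ inputs.wait }}
    - ${{ inputs.skip-create }}
--------------------------------------------------------------------------------
/kube-do-action/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

##############################

PARAM_GITHUB_TOKEN=${1:?"Missing GITHUB_TOKEN"}
PARAM_ACCESS_TOKEN=${2:?"Missing ACCESS_TOKEN"}
PARAM_CONFIG_PATH=${3:?"Missing CONFIG_PATH"}
# instead of master or main, uses HEAD as default
PARAM_CONFIG_BRANCH=${4:-"HEAD"}
PARAM_ENABLED=${5:?"Missing ENABLED"}
PARAM_WAIT=${6:?"Missing WAIT"}
PARAM_SKIP_CREATE=${7:?"Missing SKIP_CREATE"}

CONFIG_VERSION_SUPPORTED="1"

##############################

# param #1: COMMIT_INDEX (optional), 0 = latest commit, 1 = the one before
# global param: PARAM_CONFIG_BRANCH
# global param: PARAM_GITHUB_TOKEN
# action param: GITHUB_REPOSITORY
# returns SHA, or "null" when the requested index does not exist (jq yields null for an out-of-range index)
function fetch_commit_sha {
  # default latest (index 0)
  local COMMIT_INDEX=${1:-"0"}
  # fetch last 2 commits only
  local COMMITS_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/commits?sha=${PARAM_CONFIG_BRANCH}&per_page=2&page=1"

  # extract commit sha
  # NOTE(review): an api error body is not detected here, the result is then empty
  echo $(curl -sSL \
    -H "Authorization: token ${PARAM_GITHUB_TOKEN}" \
    -H "Accept: application/vnd.github.v3+json" \
    "${COMMITS_URL}" | jq -r --arg COMMIT_INDEX "${COMMIT_INDEX}" '.[$COMMIT_INDEX|tonumber].sha')
}

# param #1: FILE_PATH, path of the file inside the repository
# param #2: TMP_PATH, local destination
# param #3: COMMIT_REF, sha (or ref) to read the file from
# global param: PARAM_GITHUB_TOKEN
# action param: GITHUB_REPOSITORY
# NOTE(review): on an http error the response body (json) is written to TMP_PATH; validate_config rejects it
# for the current revision, for the previous revision a missing file is how a first-time config shows up
function download_file {
  local FILE_PATH=$1
  local TMP_PATH=$2
  local COMMIT_REF=$3
  echo "[-] TMP_PATH=${TMP_PATH} | COMMIT_REF=${COMMIT_REF}"

  curl -sSL -H "Authorization: token ${PARAM_GITHUB_TOKEN}" \
    -H 'Accept: application/vnd.github.v3.raw' \
    -o "${TMP_PATH}" \
    "https://api.github.com/repos/${GITHUB_REPOSITORY}/contents/${FILE_PATH}?ref=${COMMIT_REF}"
}

# param #1: CONFIG_PATH, yaml file
# param #2: JQ_PATH, jq expression evaluated on the json conversion of the file
function get_config {
  local CONFIG_PATH=$1
  local JQ_PATH=$2

  # JQ_PATH must be between quotes due to "default" issue
  echo $(yq -o=json '.' "${CONFIG_PATH}" | jq -r "${JQ_PATH}")
}

# TODO [json|yaml]-schema validation: https://asdf-standard.readthedocs.io/en/1.5.0/schemas.html
# param #1: CONFIG_PATH
# global param: CONFIG_VERSION_SUPPORTED
# action param: GITHUB_OUTPUT
# exits with status=ERROR when version, provider or status are not the supported ones
function validate_config {
  local CONFIG_PATH=$1

  echo "[*] Validate config: ${CONFIG_PATH}"
  # debug
  yq -o=json '.' "${CONFIG_PATH}"

  local CONFIG_VERSION=$(get_config "${CONFIG_PATH}" '.version')
  local CONFIG_PROVIDER=$(get_config "${CONFIG_PATH}" '.provider')
  local CONFIG_STATUS=$(get_config "${CONFIG_PATH}" '.status')

  # right sides quoted: literal comparisons, not glob patterns
  if [[ "${CONFIG_VERSION}" != "${CONFIG_VERSION_SUPPORTED}" ]]; then
    echo "[*] Invalid version: ${CONFIG_VERSION}"
    echo "status=ERROR" >> "${GITHUB_OUTPUT}"
    exit 1

  elif [[ "${CONFIG_PROVIDER}" != "digitalocean" ]]; then
    echo "[*] Invalid provider: ${CONFIG_PROVIDER}"
    echo "status=ERROR" >> "${GITHUB_OUTPUT}"
    exit 1

  elif [[ "${CONFIG_STATUS}" != "UP" && "${CONFIG_STATUS}" != "DOWN" ]]; then
    echo "[*] Invalid status: ${CONFIG_STATUS}"
    echo "status=ERROR" >> "${GITHUB_OUTPUT}"
    exit 1
  fi
}

# param #1: PARAM_ACTION [create|config|delete]
# param #2: CONFIG_PATH
# global param: PARAM_ACCESS_TOKEN
# global param: PARAM_WAIT
# action param: GITHUB_REPOSITORY
# action param: GITHUB_OUTPUT
function doctl_cluster {
  local PARAM_ACTION=$1
  local CONFIG_PATH=$2
  local CLUSTER_NAME=$(get_config "${CONFIG_PATH}" '.name')
  # "owner/repo" -> "owner-repo"
  local REPOSITORY_NAME="${GITHUB_REPOSITORY//\//-}"
  echo "[-] DOCTL_CLUSTER_ACTION=${PARAM_ACTION}"
  echo "[-] CLUSTER_NAME=${CLUSTER_NAME}"

  case ${PARAM_ACTION} in
    "create")
      local CLUSTER_COUNT=$(get_config "${CONFIG_PATH}" '.digitalocean.cluster.count')
      local CLUSTER_REGION=$(get_config "${CONFIG_PATH}" '.digitalocean.cluster.region')
      local CLUSTER_SIZE=$(get_config "${CONFIG_PATH}" '.digitalocean.cluster.size')
      # first row after the header of the versions table
      local CLUSTER_LATEST_VERSION=$(doctl kubernetes options versions --access-token "${PARAM_ACCESS_TOKEN}" | \
        tail -n +2 | head -n 1 | awk '{print $1}')
      # config value, falling back to the latest available version
      local VERSION_PATH=".digitalocean.cluster.version // \"${CLUSTER_LATEST_VERSION}\""
      local CLUSTER_VERSION=$(get_config "${CONFIG_PATH}" "${VERSION_PATH}")
      local CLUSTER_TAGS="repository:${REPOSITORY_NAME}"
      echo "[-] CLUSTER_COUNT=${CLUSTER_COUNT}"
      echo "[-] \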
CLUSTER_REGION=${CLUSTER_REGION}"
      echo "[-] CLUSTER_SIZE=${CLUSTER_SIZE}"
      echo "[-] CLUSTER_LATEST_VERSION=${CLUSTER_LATEST_VERSION}"
      echo "[-] CLUSTER_VERSION=${CLUSTER_VERSION}"
      echo "[-] CLUSTER_TAGS=${CLUSTER_TAGS}"

      # https://docs.digitalocean.com/reference/doctl/reference/kubernetes/cluster/create
      # https://docs.digitalocean.com/reference/api/api-reference/#operation/kubernetes_create_cluster
      # NOTE(review): the access token is passed as a command-line argument, so it is visible in the
      # container's process list; doctl also reads it from the DIGITALOCEAN_ACCESS_TOKEN environment variable
      doctl kubernetes cluster create ${CLUSTER_NAME} \
        --access-token ${PARAM_ACCESS_TOKEN} \
        --count ${CLUSTER_COUNT} \
        --region ${CLUSTER_REGION} \
        --size ${CLUSTER_SIZE} \
        --version ${CLUSTER_VERSION} \
        --tag ${CLUSTER_TAGS} \
        --wait=${PARAM_WAIT}
      ;;
    "config")
      local KUBE_CONFIG="${REPOSITORY_NAME}-kubeconfig.yaml"
      echo "[-] KUBE_CONFIG=${KUBE_CONFIG}"

      # save it in the root directory
      # the file holds cluster credentials: it is written to the workspace, not printed
      doctl kubernetes cluster kubeconfig show ${CLUSTER_NAME} \
        --access-token ${PARAM_ACCESS_TOKEN} > ${KUBE_CONFIG}

      # returns kubeconfig path
      echo "kubeconfig=${KUBE_CONFIG}" >> ${GITHUB_OUTPUT}
      ;;
    "delete")
      # defaults to true when the key is absent
      local VOLUMES_MANAGED=$(get_config ${CONFIG_PATH} '.digitalocean.volumes.managed // "true"')

      # returns comma separated list of volume ids
      local VOLUME_IDS=$(doctl kubernetes cluster list-associated-resources ${CLUSTER_NAME} \
        --access-token ${PARAM_ACCESS_TOKEN} \
        --format Volumes --no-header --output json | jq -r '.volumes[].id' | paste -s -d',')

      echo "[-] VOLUMES_MANAGED=${VOLUMES_MANAGED}"
      echo "[-] VOLUME_IDS=${VOLUME_IDS}"

      # volumes are deleted together with the cluster only when managed and present
      if [[ ${VOLUMES_MANAGED} == "true" && ${VOLUME_IDS} != "" ]]; then
        echo "[*] Delete Volumes"

        doctl kubernetes cluster delete-selective ${CLUSTER_NAME} \
          --access-token ${PARAM_ACCESS_TOKEN} \
          --volume-list ${VOLUME_IDS} \
          --force
      else
        echo "[*] Delete Volumes: skipped"

        doctl kubernetes cluster delete ${CLUSTER_NAME} \
          --access-token ${PARAM_ACCESS_TOKEN} \
          --force
      fi
      ;;
    *)
      echo "ERROR: unknown command"
      exit 1
      ;;
  esac
}

# Domains MUST always be removed and added back immediately:
# they should be added only when the cluster is created and viceversa,
# but there are bots that keep trying to steal other users domains.
# If a domain is stolen, the only way to claim it back is to open a support ticket and show proof of ownership.
# DigitalOcean is not a registrar and they can't verify it automatically.
# param #1: DOMAIN_NAME
# global param: PARAM_ACCESS_TOKEN
# destructive: every record of the domain is dropped and the domain is re-created empty
function doctl_domain_reset {
  local DOMAIN_NAME=$1
  echo "[*] Reset domain ${DOMAIN_NAME}"

  # deletes domain records
  doctl compute domain delete ${DOMAIN_NAME} \
    --access-token ${PARAM_ACCESS_TOKEN} \
    --force

  doctl compute domain create ${DOMAIN_NAME} \
    --access-token ${PARAM_ACCESS_TOKEN}
}

# param #1: CLUSTER_NAME
# global param: PARAM_ACCESS_TOKEN
function doctl_load_balancer_delete {
  local CLUSTER_NAME=$1

  # returns load balancer id: it expects only 1 for each cluster
  # NOTE(review): with no load balancer attached the id is empty and the delete below fails (set -e)
  local LOAD_BALANCER_ID=$(doctl kubernetes cluster list-associated-resources ${CLUSTER_NAME} \
    --access-token ${PARAM_ACCESS_TOKEN} \
    --format LoadBalancers --no-header | yq '.[0]')

  echo "[-] LOAD_BALANCER_ID=${LOAD_BALANCER_ID}"

  # deletes load balancer
  doctl compute load-balancer delete ${LOAD_BALANCER_ID} \
    --access-token ${PARAM_ACCESS_TOKEN} \
    --force
}

# param #1: PARAM_ACTION [init|reset|delete-resources]
# param #2: CONFIG_PATH
# global param: PARAM_ACCESS_TOKEN (through the doctl_* helpers)
function doctl_network {
  local PARAM_ACTION=$1
  local CONFIG_PATH=$2
  # both default when the keys are absent: the domain is managed only if explicitly enabled and named
  local NETWORK_DOMAIN_MANAGED=$(get_config ${CONFIG_PATH} '.digitalocean.network.domain.managed // "false"')
  local NETWORK_DOMAIN_NAME=$(get_config ${CONFIG_PATH} '.digitalocean.network.domain.name // "INVALID_DOMAIN"')

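  local NETWORK_LOAD_BALANCER_MANAGED=$(get_config "${CONFIG_PATH}" '.digitalocean.network.loadBalancer.managed // "false"')

  echo "[-] DOCTL_NETWORK_ACTION=${PARAM_ACTION}"
  echo "[-] NETWORK_DOMAIN_MANAGED=${NETWORK_DOMAIN_MANAGED}"
  echo "[-] NETWORK_DOMAIN_NAME=${NETWORK_DOMAIN_NAME}"
  echo "[-] NETWORK_LOAD_BALANCER_MANAGED=${NETWORK_LOAD_BALANCER_MANAGED}"

  case ${PARAM_ACTION} in
    "init")
      if [[ "${NETWORK_DOMAIN_MANAGED}" == "true" && "${NETWORK_DOMAIN_NAME}" != "INVALID_DOMAIN" ]]; then
        echo "[*] Setup domain"
        doctl_domain_reset "${NETWORK_DOMAIN_NAME}"
      else
        echo "[*] Setup domain: skipped"
      fi
      ;;
    "reset")
      if [[ "${NETWORK_DOMAIN_MANAGED}" == "true" && "${NETWORK_DOMAIN_NAME}" != "INVALID_DOMAIN" ]]; then
        echo "[*] Cleanup domain"

        # wait for the cluster to be completely gone before deleting the domain,
        # or external-dns will keep updating dns records when the domain is re-added
        echo "[*] sleeping 2 minutes..."
        sleep 2m

        doctl_domain_reset "${NETWORK_DOMAIN_NAME}"
      else
        echo "[*] Cleanup domain: skipped"
      fi
      ;;
    "delete-resources")
      if [[ "${NETWORK_LOAD_BALANCER_MANAGED}" == "true" ]]; then
        echo "[*] Delete LoadBalancer"
        local CLUSTER_NAME=$(get_config "${CONFIG_PATH}" '.name')

        doctl_load_balancer_delete "${CLUSTER_NAME}"
      else
        echo "[*] Delete LoadBalancer: skipped"
      fi
      ;;
    *)
      echo "ERROR: unknown command"
      exit 1
      ;;
  esac
}

# starts|stops the cluster based on the current "status"
# compares the config at the latest commit with the one at the previous commit of PARAM_CONFIG_BRANCH
# global param: PARAM_CONFIG_PATH
# global param: PARAM_SKIP_CREATE
# action param: GITHUB_OUTPUT
function provision_cluster {
  local CURRENT_CONFIG_PATH="/tmp/current"
  local CURRENT_COMMIT=$(fetch_commit_sha)
  local PREVIOUS_CONFIG_PATH="/tmp/previous"
  local PREVIOUS_COMMIT=$(fetch_commit_sha 1)

  # download config revisions for comparison
  download_file "${PARAM_CONFIG_PATH}" "${CURRENT_CONFIG_PATH}" "${CURRENT_COMMIT}"
  download_file "${PARAM_CONFIG_PATH}" "${PREVIOUS_CONFIG_PATH}" "${PREVIOUS_COMMIT}"

  # validate current config
  validate_config "${CURRENT_CONFIG_PATH}"

  # only the current revision is validated: the previous one may be missing or malformed
  local CURRENT_STATUS=$(get_config "${CURRENT_CONFIG_PATH}" '.status')
  local PREVIOUS_STATUS=$(get_config "${PREVIOUS_CONFIG_PATH}" '.status')
  echo "[-] CURRENT_STATUS=${CURRENT_STATUS} | PREVIOUS_STATUS=${PREVIOUS_STATUS}"

  # for development only: flag used to skip cluster creation
  if [[ "${CURRENT_STATUS}" == "UP" && "${PARAM_SKIP_CREATE}" == "true" ]]; then
    # init kubeconfig only
    doctl_cluster "config" "${CURRENT_CONFIG_PATH}"
    echo "status=CREATE" >> "${GITHUB_OUTPUT}"

  # TODO it should also check cluster real status
  # right side quoted: literal comparison, not a glob pattern
  elif [[ "${CURRENT_STATUS}" == "${PREVIOUS_STATUS}" ]]; then
    # do nothing
    echo "[*] Cluster is already ${CURRENT_STATUS}"
    # returns UP or DOWN
    echo "status=${CURRENT_STATUS}" >> "${GITHUB_OUTPUT}"

  elif [[ "${CURRENT_STATUS}" == "UP" ]]; then
    # setup network
    doctl_network "init" "${CURRENT_CONFIG_PATH}"
    # create cluster and init kubeconfig
    doctl_cluster "create" "${CURRENT_CONFIG_PATH}"
    doctl_cluster "config" "${CURRENT_CONFIG_PATH}"
    echo "status=CREATE" >> "${GITHUB_OUTPUT}"

  elif [[ "${CURRENT_STATUS}" == "DOWN" ]]; then
    # delete load-balancer etc.
    doctl_network "delete-resources" "${CURRENT_CONFIG_PATH}"
    # delete cluster
    doctl_cluster "delete" "${CURRENT_CONFIG_PATH}"
    # cleanup network
    doctl_network "reset" "${CURRENT_CONFIG_PATH}"
    echo "status=DELETE" >> "${GITHUB_OUTPUT}"
  fi
}

# function definition must be placed before any calls to the function
# global param: PARAM_ENABLED
# action param: GITHUB_OUTPUT
function main {
  if [[ "${PARAM_ENABLED}" == "true" ]]; then
    echo "[*] Action enabled"
    provision_cluster
  else
    echo "[*] Action disabled"
    echo "status=DISABLE" >> "${GITHUB_OUTPUT}"
  fi
}

##############################

echo "[+] kube-do"
# global
echo "[*] GITHUB_REPOSITORY=${GITHUB_REPOSITORY}"
# params
# credentials are never printed, only whether they are present
echo "[*] GITHUB_TOKEN=${PARAM_GITHUB_TOKEN:+[set]}"
echo "[*] ACCESS_TOKEN=${PARAM_ACCESS_TOKEN:+[set]}"
echo "[*] CONFIG_PATH=${PARAM_CONFIG_PATH}"
echo "[*] CONFIG_BRANCH=${PARAM_CONFIG_BRANCH}"
echo "[*] ENABLED=${PARAM_ENABLED}"
echo "[*] WAIT=${PARAM_WAIT}"
echo "[*] SKIP_CREATE=${PARAM_SKIP_CREATE}"
echo "[*] CONFIG_VERSION_SUPPORTED=${CONFIG_VERSION_SUPPORTED}"

main

echo "[-] kube-do"
--------------------------------------------------------------------------------
/kube-secrets-action/Dockerfile:
--------------------------------------------------------------------------------
FROM hckops/kube-base:0.5.1

COPY entrypoint.sh /entrypoint.sh
COPY chart /chart

ENTRYPOINT ["/entrypoint.sh"]
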
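--------------------------------------------------------------------------------
/kube-secrets-action/action.yml:
--------------------------------------------------------------------------------
name: 'Kubernetes Secrets'
description: 'Init Kubernetes master Secret used by the operator'

# every input is forwarded positionally to entrypoint.sh (see "args" below),
# so the order of the list must match the script's parameters
inputs:
  kubeconfig:
    description: 'Path to kubeconfig file e.g. ./OWNER-REPOSITORY-kubeconfig.yaml'
    required: true
  enabled:
    description: 'Dry run if set to false'
    required: false
    default: true
  operator:
    description: 'Supported operators: [edgelevel-lastpass|external-secrets-akeyless|external-secrets-oracle]'
    required: true
  # LASTPASS
  edgelevel-lastpass-username:
    description: 'LastPass username'
    required: false
    default: 'INVALID_USERNAME'
  edgelevel-lastpass-password:
    description: 'LastPass password'
    required: false
    default: 'INVALID_PASSWORD'
  # AKEYLESS
  external-secrets-akeyless-access-id:
    description: 'Akeyless access id'
    required: false
    default: 'INVALID_ACCESS_ID'
  external-secrets-akeyless-access-type:
    description: 'Akeyless access type'
    required: false
    default: 'INVALID_ACCESS_TYPE'
  external-secrets-akeyless-access-type-param:
    description: 'Akeyless access type parameter'
    required: false
    default: 'INVALID_ACCESS_TYPE_PARAM'
  # ORACLE
  external-secrets-oracle-private-key:
    description: 'Oracle API key'
    required: false
    default: 'INVALID_PRIVATE_KEY'
  external-secrets-oracle-fingerprint:
    description: 'Oracle API key fingerprint'
    required: false
    default: 'INVALID_FINGERPRINT'

runs:
  using: docker
  image: Dockerfile
  args:
    - ${{ inputs.kubeconfig }}
    - ${{ inputs.enabled }}
    - ${{ inputs.operator }}
    - ${{ inputs.edgelevel-lastpass-username }}
    - ${{ inputs.edgelevel-lastpass-password }}
    - ${{ inputs.external-secrets-akeyless-access-id }}
    - ${{ inputs.external-secrets-akeyless-access-type }}
    - ${{ inputs.external-secrets-akeyless-access-type-param }}
    - ${{ inputs.external-secrets-oracle-private-key }}
    - ${{ inputs.external-secrets-oracle-fingerprint }}
--------------------------------------------------------------------------------
/kube-secrets-action/chart/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: kube-secrets
version: 0.1.0
--------------------------------------------------------------------------------
/kube-secrets-action/chart/templates/edgelevel-lastpass.yaml:
--------------------------------------------------------------------------------
{{ if eq .Values.operator "edgelevel-lastpass" }}
---
apiVersion: v1
kind: Secret
metadata:
  name: edgelevel-lastpass-credentials
type: Opaque
# "quote" keeps every value a yaml string: a password with ": " or "#",
# or a purely numeric one, would otherwise change the meaning of the document
stringData:
  username: {{ .Values.edgelevel.lastpass.username | quote }}
  password: {{ .Values.edgelevel.lastpass.password | quote }}
{{ end }}
--------------------------------------------------------------------------------
/kube-secrets-action/chart/templates/external-secrets-akeyless.yaml:
--------------------------------------------------------------------------------
{{ if eq .Values.operator "external-secrets-akeyless" }}
---
apiVersion: v1
kind: Secret
metadata:
  name: external-secrets-akeyless-credentials
  labels:
    type: akeyless
type: Opaque
# "quote" keeps every value a yaml string, whatever characters the credential contains
stringData:
  accessId: {{ .Values.externalSecrets.akeyless.accessId | quote }}
  accessType: {{ .Values.externalSecrets.akeyless.accessType | quote }}
  accessTypeParam: {{ .Values.externalSecrets.akeyless.accessTypeParam | quote }}
{{ end }}
--------------------------------------------------------------------------------
/kube-secrets-action/chart/templates/external-secrets-oracle.yaml: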
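--------------------------------------------------------------------------------
{{ if eq .Values.operator "external-secrets-oracle" }}
---
apiVersion: v1
kind: Secret
metadata:
  name: external-secrets-oracle-credentials
  labels:
    type: oracle
type: Opaque
stringData:
  # FIXME "can not create client, bad configuration: PEM data was not found in buffer"
  # the PEM needs to be encoded to don't break the bash script,
  # so the privateKey end up being encoded twice and invalid.
  # SecretStore doesn't supports templating like ExternalSecret i.e. b64dec
  # https://github.com/external-secrets/external-secrets/issues/728
  # https://github.com/external-secrets/external-secrets/issues/712
  # https://github.com/external-secrets/external-secrets/pull/701
  privateKey: {{ .Values.externalSecrets.oracle.privateKey | toString | b64enc }}
  fingerprint: {{ .Values.externalSecrets.oracle.fingerprint }}
{{ end }}
--------------------------------------------------------------------------------
/kube-secrets-action/chart/templates/namespace.yaml:
--------------------------------------------------------------------------------
{{ if .Values.createNamespace }}
---
apiVersion: v1
kind: Namespace
metadata:
  name: kube-secrets
{{ end }}
--------------------------------------------------------------------------------
/kube-secrets-action/chart/values.yaml:
--------------------------------------------------------------------------------
createNamespace: true

# supported operators: [edgelevel-lastpass|external-secrets-akeyless|external-secrets-oracle]
operator: INVALID_OPERATOR

# placeholders only: the real values are passed by entrypoint.sh with --set-string
edgelevel:
  lastpass:
    username: INVALID_USERNAME
    password: INVALID_PASSWORD

externalSecrets:
  akeyless:
    accessId: INVALID_ACCESS_ID
    accessType: INVALID_ACCESS_TYPE
    accessTypeParam: INVALID_ACCESS_TYPE_PARAM
  oracle:
    privateKey: INVALID_PRIVATE_KEY
    fingerprint: INVALID_FINGERPRINT
--------------------------------------------------------------------------------
/kube-secrets-action/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

##############################

PARAM_KUBECONFIG=${1:?"Missing KUBECONFIG"}
PARAM_ENABLED=${2:?"Missing ENABLED"}
PARAM_OPERATOR=${3:?"Missing OPERATOR"}
# LASTPASS
PARAM_LASTPASS_USERNAME=${4:?"Missing LASTPASS_USERNAME"}
PARAM_LASTPASS_PASSWORD=${5:?"Missing LASTPASS_PASSWORD"}
# AKEYLESS
PARAM_AKEYLESS_ACCESS_ID=${6:?"Missing AKEYLESS_ACCESS_ID"}
PARAM_AKEYLESS_ACCESS_TYPE=${7:?"Missing AKEYLESS_ACCESS_TYPE"}
PARAM_AKEYLESS_ACCESS_TYPE_PARAM=${8:?"Missing AKEYLESS_ACCESS_TYPE_PARAM"}
# ORACLE
PARAM_ORACLE_PRIVATE_KEY=${9:?"Missing ORACLE_PRIVATE_KEY"}
PARAM_ORACLE_FINGERPRINT=${10:?"Missing ORACLE_FINGERPRINT"}

##############################

# renders the chart with the credentials received as parameters and applies it when enabled
# global param: PARAM_KUBECONFIG
# global param: PARAM_ENABLED
# global param: PARAM_OPERATOR and the PARAM_* credentials of the selected operator
function init_secret {
  # default namespace
  local NAMESPACE="kube-secrets"
  # chart is in the root path
  local CHART_PATH="/chart"
  local OUTPUT_TEMPLATE="install.yaml"

  # --set-string: "--set" would coerce a numeric or true/false-looking credential into a number or
  # boolean, which is not a valid stringData value; commas still need escaping as per helm's --set syntax
  # NOTE(review): the rendered file contains the credentials in clear and stays in the container filesystem
  helm template \
    --values "${CHART_PATH}/values.yaml" \
    --set createNamespace="true" \
    --set-string operator="${PARAM_OPERATOR}" \
    --set-string edgelevel.lastpass.username="${PARAM_LASTPASS_USERNAME}" \
    --set-string edgelevel.lastpass.password="${PARAM_LASTPASS_PASSWORD}" \
    --set-string externalSecrets.akeyless.accessId="${PARAM_AKEYLESS_ACCESS_ID}" \
    --set-string externalSecrets.akeyless.accessType="${PARAM_AKEYLESS_ACCESS_TYPE}" \
    --set-string externalSecrets.akeyless.accessTypeParam="${PARAM_AKEYLESS_ACCESS_TYPE_PARAM}" \
    --set-string externalSecrets.oracle.privateKey="${PARAM_ORACLE_PRIVATE_KEY}" \
    --set-string externalSecrets.oracle.fingerprint="${PARAM_ORACLE_FINGERPRINT}" \
    "${CHART_PATH}" > "${CHART_PATH}/${OUTPUT_TEMPLATE}"

  if [[ "${PARAM_ENABLED}" == "true" ]]; then
    echo "[*] Action enabled"
    kubectl --kubeconfig "${PARAM_KUBECONFIG}" --namespace "${NAMESPACE}" apply -f "${CHART_PATH}/${OUTPUT_TEMPLATE}"
  else
    echo "[*] Action disabled"
    # debug
    #cat "${CHART_PATH}/${OUTPUT_TEMPLATE}"
  fi
}

##############################

echo "[+] kube-secrets"
echo "[*] OPERATOR=${PARAM_OPERATOR}"
echo "[*] ENABLED=${PARAM_ENABLED}"
echo "[*] KUBECONFIG=${PARAM_KUBECONFIG}"
# secret values are never printed, only whether they are present
# LASTPASS
echo "[-] LASTPASS_USERNAME=${PARAM_LASTPASS_USERNAME}"
echo "[-] LASTPASS_PASSWORD=${PARAM_LASTPASS_PASSWORD:+[set]}"
# AKEYLESS
echo "[-] AKEYLESS_ACCESS_ID=${PARAM_AKEYLESS_ACCESS_ID}"
echo "[-] AKEYLESS_ACCESS_TYPE=${PARAM_AKEYLESS_ACCESS_TYPE}"
echo "[-] AKEYLESS_ACCESS_TYPE_PARAM=${PARAM_AKEYLESS_ACCESS_TYPE_PARAM:+[set]}"
# ORACLE
echo "[-] ORACLE_PRIVATE_KEY=${PARAM_ORACLE_PRIVATE_KEY:+[set]}"
echo "[-] ORACLE_FINGERPRINT=${PARAM_ORACLE_FINGERPRINT}"

init_secret

echo "[-] kube-secrets"
--------------------------------------------------------------------------------
/scripts/docker_apply.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

CURRENT_PATH=$(cd "$(dirname "${BASH_SOURCE[0]}")"; pwd -P)
cd "${CURRENT_PATH}"

##############################

PARAM_ACTION=${1:?"Missing ACTION"}
PARAM_IMAGE_NAME=${2:?"Missing IMAGE_NAME"}

DOCKER_REPOSITORY="hckops/kube-${PARAM_IMAGE_NAME}"

ROOT_PATH="${CURRENT_PATH}/.."
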

##############################

echo "[+] docker_apply"
echo "[*] ACTION=${PARAM_ACTION}"
echo "[*] IMAGE_NAME=${PARAM_IMAGE_NAME}"
echo "[*] DOCKER_REPOSITORY=${DOCKER_REPOSITORY}"

# build|publish|clean the "hckops/kube-<image>" image from docker/Dockerfile.<image>
case ${PARAM_ACTION} in
  "build")
    cd "${ROOT_PATH}/docker"

    docker build -t ${DOCKER_REPOSITORY} -f "Dockerfile.${PARAM_IMAGE_NAME}" .
    ;;
  "publish")
    # example "vX.Y.Z"
    PARAM_VERSION=${3:?"Missing VERSION"}
    # remove prefix "v"
    VERSION=${PARAM_VERSION#"v"}
    echo "[*] VERSION=${VERSION}"

    # the locally built image is tagged with the version and as latest, then both tags are pushed
    docker tag ${DOCKER_REPOSITORY} "${DOCKER_REPOSITORY}:${VERSION}"
    docker tag ${DOCKER_REPOSITORY} "${DOCKER_REPOSITORY}:latest"

    docker image push --all-tags ${DOCKER_REPOSITORY}
    ;;
  "clean")
    # remove container by name
    # NOTE(review): the docker "name" filter is a substring match, so containers whose name merely contains the repository are removed too
    docker ps -a -q -f name=${DOCKER_REPOSITORY} | xargs --no-run-if-empty docker rm -f
    # delete dangling images
    docker images -q -f dangling=true | xargs --no-run-if-empty docker rmi -f
    # remove image by name
    docker images -q ${DOCKER_REPOSITORY} | xargs --no-run-if-empty docker rmi -f
    # delete dangling volumes
    docker volume ls -q -f dangling=true | xargs --no-run-if-empty docker volume rm -f
    ;;
  *)
    echo "ERROR: unknown command"
    exit 1
    ;;
esac

echo "[-] docker_apply"
--------------------------------------------------------------------------------
/scripts/local.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# https://www.mulle-kybernetik.com/modern-bash-scripting/state-euxo-pipefail.html
set -euo pipefail

CURRENT_PATH=$(cd "$(dirname "${BASH_SOURCE[0]}")"; pwd -P)
ROOT_PATH="${CURRENT_PATH}/.."
cd ${CURRENT_PATH}

##############################

PARAM_ACTION=${1:?"Missing ACTION"}
PARAM_KUBE=${2:-"template"}

# https://www.devglan.com/online-tools/bcrypt-hash-generator
# https://www.browserling.com/tools/bcrypt
# admin|argocd
# bcrypt hash of a throwaway password for the local minikube bootstrap only; not a credential for any shared environment
ARGOCD_ADMIN_PASSWORD='$2a$04$qj3hWU1Id.l.4e/8JN4Kr.ecQDuf3hhyG0TbsLeDcZV2kRG/AizY2'
MINIKUBE_CONFIG="${HOME}/.kube/config"
# the sibling "kube-<name>" repository is expected next to this one
CHART_PATH="${ROOT_PATH}/../kube-${PARAM_KUBE}/charts/argocd-config"
CONFIG_PATH="${ROOT_PATH}/../kube-${PARAM_KUBE}/clusters/kube-template-do-lon1.yaml"

##############################

echo "[+] local"
echo "[*] ACTION=${PARAM_ACTION}"
echo "[*] KUBE=${PARAM_KUBE}"
echo "[*] CHART_PATH=${CHART_PATH}"
echo "[*] CONFIG_PATH=${CONFIG_PATH}"

case ${PARAM_ACTION} in
  "bootstrap")
    # runs the bootstrap action entrypoint locally with the same positional parameters the action would pass
    # NOTE(review): the ssh private key is read from disk and handed over as a command-line argument,
    # so it is visible in the local process list while the entrypoint runs
    ../bootstrap-action/entrypoint.sh \
      ${ARGOCD_ADMIN_PASSWORD} \
      "$(cat "${HOME}/.ssh/id_ed25519_argocd")" \
      ${MINIKUBE_CONFIG} \
      ${CHART_PATH} \
      ${CONFIG_PATH}
    ;;
  *)
    echo "ERROR: unknown command"
    exit 1
    ;;
esac

echo "[-] local"
--------------------------------------------------------------------------------