dezky/infrastructure/production/fleet/ci/ci-deployer.yaml
Ronni Baslund c60937c5cb
feat(ci): deploy to k3s straight from the pipeline (drop Flux plan)
Push to main = release: after build, a deploy job pins each app image to the
commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits
for the rollouts. The runner already runs in-cluster, so it reaches the API
server on the in-cluster service IP with a kubeconfig for the new ci-deployer
ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret).

The drafted Flux sync/image-automation layer is removed — a GitOps controller
plus bot tag-bump commits is more machinery than a single-node cluster needs.
Sortable image tags and $imagepolicy markers go with it.

Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses,
platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart
via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers
exist) and the secrets template/README updated to match.
2026-06-10 07:53:55 +02:00


# ServiceAccount the CI deploy job uses to roll out the app tier.
#
# The Gitea Actions runner lives in this cluster (see gitea-runner.yaml), so
# the deploy job in .gitea/workflows/ci.yml talks straight to the API server
# on the in-cluster service IP (https://10.43.0.1) with a kubeconfig built
# from this ServiceAccount's token. Scope: admin within dezky-apps only, plus
# the Traefik Middleware CRD ('admin' doesn't aggregate CRDs) and read/patch
# on the dezky-apps Namespace object itself (kustomization includes it).
#
# Mint the kubeconfig + store it as the KUBECONFIG_B64 Gitea repo secret —
# one-time, documented in ../README.md.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: dezky-apps
---
# Long-lived token (k8s no longer auto-creates these for ServiceAccounts).
apiVersion: v1
kind: Secret
metadata:
  name: ci-deployer-token
  namespace: dezky-apps
  annotations:
    kubernetes.io/service-account.name: ci-deployer
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-admin
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
rules:
  - apiGroups: ["traefik.io"]
    resources: ["middlewares"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-deployer-traefik
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps
---
# kubectl apply -k includes namespace.yaml; name-scoped so this SA can only
# touch the dezky-apps Namespace (create is intentionally absent — if the
# namespace is ever gone, bootstrap it by hand per the RUNBOOK).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-deployer-namespace
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    resourceNames: ["dezky-apps"]
    verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ci-deployer-namespace
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps
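The one-time kubeconfig mint and a least-privilege check for the ServiceAccount above, as an added example written for this page and not code from the dezky repo or its README; it assumes kubectl with impersonation rights on the cluster, the names from the manifest, and "k3s" as an arbitrary cluster label in the generated config.

```shell
#!/bin/sh
# Added example (not part of the dezky repo): mint the ci-deployer kubeconfig
# from ci-deployer.yaml's token Secret and check the SA's RBAC stays in scope.
set -eu
SA_NAME=ci-deployer
SA_NS=dezky-apps
API_SERVER="https://10.43.0.1"   # in-cluster service IP named in the manifest
# Render a kubeconfig for a ServiceAccount token (pure text, no cluster needed).
# Args: server URL, base64 CA bundle, bearer token, default namespace.
mint_kubeconfig() {
  server=$1 ca_b64=$2 token=$3 ns=$4
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: k3s
  cluster: {server: ${server}, certificate-authority-data: ${ca_b64}}
users:
- name: ${SA_NAME}
  user: {token: ${token}}
contexts:
- name: ${SA_NAME}@k3s
  context: {cluster: k3s, user: ${SA_NAME}, namespace: ${ns}}
current-context: ${SA_NAME}@k3s
EOF
}
# Single-line base64 for the KUBECONFIG_B64 repo secret (GNU and BSD base64).
encode_b64() { base64 | tr -d '\n'; }
# Compare what the API server says the SA may do (impersonation) with the
# expected yes/no. can-i exits non-zero on "no", hence the '|| true'.
expect_can_i() {
  want=$1; shift
  got=$(kubectl auth can-i "$@" --as="system:serviceaccount:${SA_NS}:${SA_NAME}" 2>/dev/null || true)
  [ "$got" = "$want" ] && { echo "ok   $want: $*"; return 0; }
  echo "FAIL want=$want got=${got:-error}: $*"; return 1
}
verify_scope() {
  expect_can_i yes create deployments -n "$SA_NS"            # admin via RoleBinding
  expect_can_i yes patch middlewares.traefik.io -n "$SA_NS"  # ci-deployer-traefik Role
  expect_can_i yes patch "namespaces/$SA_NS"                 # name-scoped ClusterRole
  expect_can_i no create namespaces                          # intentionally absent
  expect_can_i no get secrets -n kube-system                 # nothing outside dezky-apps
  expect_can_i no create clusterrolebindings                 # no escalation path
}
case "${1:-}" in
  mint)   # .data.token is base64-encoded; .data.ca\.crt is already the base64 kubeconfig wants
    token=$(kubectl -n "$SA_NS" get secret ci-deployer-token -o jsonpath='{.data.token}' | base64 -d)
    ca=$(kubectl -n "$SA_NS" get secret ci-deployer-token -o jsonpath='{.data.ca\.crt}')
    mint_kubeconfig "$API_SERVER" "$ca" "$token" "$SA_NS" | encode_b64; echo ;;
  verify) verify_scope ;;
esac
```

Run `sh mint-ci-deployer.sh mint` once to get the value for the KUBECONFIG_B64 secret, and `sh mint-ci-deployer.sh verify` after any RBAC change to confirm the SA still cannot reach outside dezky-apps.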