diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml index 1efc125..4cdfa6c 100644 --- a/.github/workflows/build-and-deploy.yaml +++ b/.github/workflows/build-and-deploy.yaml @@ -17,6 +17,10 @@ env: jobs: build-and-deploy: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: - name: Checkout code @@ -38,6 +42,7 @@ jobs: run: | mkdir -p $HOME/.kube echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > $HOME/.kube/config + chmod 600 ~/.kube/config shell: bash - name: Detect container name diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml new file mode 100644 index 0000000..1e44a42 --- /dev/null +++ b/k8s/deployment.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: prod +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: homepage + namespace: prod +spec: + replicas: 1 + selector: + matchLabels: + app: homepage + template: + metadata: + labels: + app: homepage + spec: + containers: + - name: homepage + image: ghcr.io/kebrahimpour/avisenna-landing-page:latest + ports: + - containerPort: 80 + imagePullPolicy: Always + imagePullSecrets: + - name: ghcr-creds +--- +apiVersion: v1 +kind: Service +metadata: + name: homepage + namespace: prod +spec: + selector: + app: homepage + ports: + - protocol: TCP + port: 80 + targetPort: 80 + type: ClusterIP diff --git a/scripts/update-github-secrets.sh b/scripts/update-github-secrets.sh new file mode 100644 index 0000000..3de1ffa --- /dev/null +++ b/scripts/update-github-secrets.sh 
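Review bot: `packages: write` is the only non-read permission in the new job-level block and nothing in the hunk records why it is needed; a comment such as `# packages: write lets the build step push the image to ghcr.io; everything else stays read-only` documents the intent so a later edit does not widen it. The workflow's `on:` triggers are outside the hunk; if it can be triggered by `pull_request_target` or `workflow_run` from a fork, a write-capable GITHUB_TOKEN combined with a checkout of the PR head would let a fork publish to the package, which is worth checking alongside this change.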
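Review bot: `chmod 600 ~/.kube/config` runs after the decoded kubeconfig has already been written with the runner's default umask, so for an instant the file is created group/world-readable; setting `umask 077` before the `mkdir` and the redirect makes both the directory and the file private from the start and the chmod becomes unnecessary. The step also interpolates `${{ secrets.KUBECONFIG_BASE64 }}` directly into the script text; because the value is base64 it cannot break out of the quotes, but passing secrets through `env:` is the recommended pattern and keeps the secret out of the rendered script. The step's `name:` (and any `env:` it already has) lies above the hunk. On a self-hosted runner the file would also outlive the job; GitHub-hosted runners are ephemeral, so a cleanup step only matters if that is the case here.
```yaml
      env:
        KUBECONFIG_BASE64: ${{ secrets.KUBECONFIG_BASE64 }}
      run: |
        umask 077
        mkdir -p "$HOME/.kube"
        printf '%s' "$KUBECONFIG_BASE64" | base64 -d > "$HOME/.kube/config"
      shell: bash
```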
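Review bot: The `homepage` container has no `securityContext` and no `resources`, and it pulls a mutable `:latest` tag with `imagePullPolicy: Always`, so every pod restart may silently run a different image and a mistaken or malicious push to that tag lands in `prod` with root and all capabilities. Pin the image by digest (the build job has it) or by the immutable tag it pushes, and add `runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities and a memory limit; the container exposes port 80, which a non-root process can only bind with an unprivileged image (e.g. listening on 8080) or `NET_BIND_SERVICE`, and which of those applies cannot be told from here. Separately, this manifest creates a cluster-scoped `Namespace` and deploys into `prod`, while `update-kubeconfig-secret.sh` builds the deploy kubeconfig for `deploy-bot` with namespace `web`; unless that service account has cluster-wide RBAC, applying this file from the workflow will be forbidden, so presumably one of the two is stale.
```yaml
      - name: homepage
        # pin by digest from the build job; :latest + Always makes rollbacks non-reproducible
        image: ghcr.io/kebrahimpour/avisenna-landing-page:latest
        # … unchanged: ports, imagePullPolicy …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            memory: 128Mi
```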
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+
+REPO="kebrahimpour/avisenna-landing-page"
+GHCR_PAT="${GHCR_PAT:-}"
+TOKEN_SOURCE=""
+
+# Try env or fallback to file
+if [[ -z "$GHCR_PAT" ]]; then
+  TOKEN_PATH="$HOME/.secrets/g-token.txt"
+  if [[ -f "$TOKEN_PATH" ]]; then
+    GHCR_PAT=$(<"$TOKEN_PATH")
+    TOKEN_SOURCE="file"
+  fi
+else
+  TOKEN_SOURCE="env"
+fi
+
+if [[ -z "$GHCR_PAT" ]]; then
+  echo "❌ GHCR_PAT not found. Set as env or in ~/.secrets/g-token.txt"
+  exit 1
+fi
+
+echo "🔐 Using GHCR_PAT from $TOKEN_SOURCE"
+gh secret set GHCR_PAT --repo "$REPO" --body "$GHCR_PAT"
+echo "✅ GHCR_PAT updated"
+
+KCFG="$HOME/.kube/github-kubeconfig.yaml"
+if [[ ! -f "$KCFG" ]]; then
+  echo "❌ Kubeconfig not found at $KCFG"
+  exit 1
+fi
+
+ENCODED_KCFG=$(base64 -w 0 "$KCFG")
+gh secret set KUBECONFIG_B64 --repo "$REPO" --body "$ENCODED_KCFG"
+echo "✅ KUBECONFIG_B64 updated"
diff --git a/scripts/update-kubeconfig-secret.sh b/scripts/update-kubeconfig-secret.sh
new file mode 100755
index 0000000..53e1e9a
--- /dev/null
+++ b/scripts/update-kubeconfig-secret.sh
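Review bot: The kubeconfig this script uploads goes to a secret named `KUBECONFIG_B64`, but the workflow reads `secrets.KUBECONFIG_BASE64` and the sibling `update-kubeconfig-secret.sh` sets that name, so the second half of this script updates a secret nothing consumes. Both `gh secret set … --body "$…"` calls also place the PAT and the encoded kubeconfig on the command line, where any local user can read them from the process list; `gh secret set` takes the value from stdin when `--body` is omitted, so `printf '%s' "$GHCR_PAT" | gh secret set GHCR_PAT --repo "$REPO"` and `base64 -w 0 "$KCFG" | gh secret set KUBECONFIG_BASE64 --repo "$REPO"` avoid that. The fallback file `~/.secrets/g-token.txt` is read without checking its mode, so a `[[ $(stat -c %a "$TOKEN_PATH") == 600 ]]` guard would catch an over-permissive token file. Note that `base64 -w 0` is GNU-only (macOS `base64` has no `-w`), and the file is added as `100644` while its sibling is `100755`.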
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+REPO="kebrahimpour/avisenna-landing-page"
+SECRET_NAME="KUBECONFIG_BASE64"
+SERVER="https://85.214.94.62:6443"
+
+echo "📦 Generating kubeconfig for GitHub Actions..."
+
+# Get secret associated with service account
+SECRET_NAME_REF=$(kubectl -n web get sa deploy-bot -o jsonpath="{.secrets[0].name}")
+TOKEN=$(kubectl -n web get secret "$SECRET_NAME_REF" -o jsonpath="{.data.token}" | base64 -d)
+CA_CERT=$(kubectl -n web get secret "$SECRET_NAME_REF" -o jsonpath="{.data['ca\\.crt']}" | base64 -d)
+
+mkdir -p .kube
+
+# Generate kubeconfig
+cat < .kube/github-kubeconfig.yaml
+apiVersion: v1
+kind: Config
+clusters:
+- name: github-deploy
+  cluster:
+    certificate-authority-data: $(echo "$CA_CERT" | base64 -w 0)
+    server: $SERVER
+contexts:
+- name: github-deploy-context
+  context:
+    cluster: github-deploy
+    namespace: web
+    user: deploy-bot
+current-context: github-deploy-context
+users:
+- name: deploy-bot
+  user:
+    token: $TOKEN
+EOF
+
+# Encode and push secret to GitHub
+ENCODED=$(base64 -w 0 .kube/github-kubeconfig.yaml)
+
+echo "🔐 Updating GitHub secret $SECRET_NAME..."
+gh secret set $SECRET_NAME --repo "$REPO" --body "$ENCODED"
+
+echo "✅ KUBECONFIG_BASE64 updated and ready."
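Review bot: `SECRET_NAME_REF=$(kubectl -n web get sa deploy-bot -o jsonpath="{.secrets[0].name}")` depends on the legacy auto-generated ServiceAccount token Secret, which clusters from Kubernetes 1.24 onward no longer create, so there the jsonpath is empty and the following `get secret ""` fails; on an older cluster it works, but what gets baked into the GitHub secret is a non-expiring token that nothing here rotates (the cluster version is not visible in the diff). Prefer `kubectl create token` with an explicit duration (the apiserver may cap it, and whatever duration is chosen sets the rotation cadence) and take the CA from the `kube-root-ca.crt` ConfigMap, write the kubeconfig under `umask 077` to a temp file removed on exit rather than `./.kube/` (which the sibling script then looks for under `$HOME/.kube/`), and pipe the encoded value into `gh secret set` instead of `--body` so it is not readable from the process list. As rendered, `cat < .kube/github-kubeconfig.yaml` reads the file instead of writing a heredoc; presumably `cat <<EOF > …` was lost in rendering and the committed file is fine, worth confirming.
```bash
# … unchanged: REPO, SECRET_NAME, SERVER …
# Bound, expiring token; the legacy .secrets[0] Secret is absent on Kubernetes >= 1.24
TOKEN=$(kubectl -n web create token deploy-bot --duration=24h)
CA_CERT=$(kubectl -n web get configmap kube-root-ca.crt -o jsonpath='{.data.ca\.crt}')

umask 077
KCFG=$(mktemp)
trap 'rm -f "$KCFG"' EXIT
cat > "$KCFG" <<EOF
# … unchanged: kubeconfig body, with
#     certificate-authority-data: $(printf '%s' "$CA_CERT" | base64 -w 0)
EOF

base64 -w 0 "$KCFG" | gh secret set "$SECRET_NAME" --repo "$REPO"
```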