diff --git a/.drone.yml b/.drone.yml
index ef655bf..1cd8333 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -81,6 +81,7 @@ steps:
 from_secret: GITHUB_OAUTH_KEY
 ARGO_GOOGLE_OAUTH_KEY:
 from_secret: GOOGLE_OAUTH_KEY
+ DEPLOY_SCRIPT_DEBUG: true
 commands:
 - ./scripts/deploy-app.pl
 - name: Cleanup everything
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0c8a06d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+ - path_regex: .*secrets\.values.*
+ key_groups:
+ - age:
+ - age155dykdtnkw9fke45pxkygyyx2eal0hwpdm0zz8qa92z5ludjqe5sfakqgs
diff --git a/kube/secrets.values-main.yaml b/kube/secrets.values-main.yaml
new file mode 100644
index 0000000..a08f765
--- /dev/null
+++ b/kube/secrets.values-main.yaml
@@ -0,0 +1,21 @@ +values: ENC[AES256_GCM,data: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,iv:/7k4rjpiuCJev6B/GJu9eyb/RMWJfyfjrRuVRTdybDM=,tag:G1eRy4i6+59wZuGqx9bDPQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age155dykdtnkw9fke45pxkygyyx2eal0hwpdm0zz8qa92z5ludjqe5sfakqgs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMWthSXdncUI0U0tSdkk4 + d1lyQWJ2M0NQSjRQRWViQ0RLVWlSK3FsczB3Cks1V1BaZmFlUVRCdUpBS2kzekxK + RlRlQ1daTGdMODlEenVUOVNDOVhNUWsKLS0tIERxeG1BRlh0T0hKSlNXeHI0eUVO + V1N2YWIvWXpDckhzampIVUx4YU50Q2cKRyx2G5ki4yhhzpTVjjCBPKvI1C208HJb + Qb9Kpd2HkJaVllL5mUsXOAWtugceaSvidK1t3Hz0NXrVvFVUxDh8Rg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-07T09:10:13Z" + mac: ENC[AES256_GCM,data:gsbIyJU7T6wRj5CFbG2nyeawvCzp/BtOSOIsapC0AF6a2IIqau1IaH+vd2O7mbT5ClurC0zfR5k5g/pRE8AWc85kbdBhzLBe4Kkx5DXy9N/JQaNh8RlJ1HKzvipVK46zF+6PZYjsrb1S+9WL9p/aV226XkhdcHWcMWrKUaAWVOg=,iv:H5YcSg5gVHNEt7gFLuF8OQtTMq88HdZwlMfMTxxL7iQ=,tag:66qP18m69BBEIuHKJMa1Cw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
diff --git a/kube/values-preview.yaml b/kube/values-preview.yaml
index bbce5b9..ef340bc 100644
--- a/kube/values-preview.yaml 
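Review bot: In .drone.yml the deploy step now always sets `DEPLOY_SCRIPT_DEBUG: true`, and scripts/deploy-app.pl wraps the argocd create/sync/wait calls in `if(!defined $ENV{DEPLOY_SCRIPT_DEBUG}){`, so every pipeline run skips the actual deployment. Because the script tests `defined` rather than truth, changing the value to `false` would not re-enable it; the line has to be removed before merge, or the check changed to `if (!$ENV{DEPLOY_SCRIPT_DEBUG}) {`. This step also receives the OAuth keys via `from_secret`, so if the debug path prints the rendered manifests (not visible in this diff) those values would reach the build log. The step definition starts and ends outside the hunk.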
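Review bot: The creation rule in .sops.yaml lists a single age recipient, so one private key is the only way to decrypt every `secrets.values` file, and rotating or revoking it means re-encrypting everything with no fallback. If CI and maintainers currently share that key (not visible here), I would add a separate recipient per consumer under `- age:`, for example `- <ci-age-public-key>` as a placeholder. A comment above the rule saying who holds the private key and where rotation is documented would also help.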
+++ b/kube/values-preview.yaml
@@ -1,33 +1,32 @@
 ---
-values: |
- namespace:
- name: badhouseplants-$ARGO_APP_BRANCH
- labels:
- istio-injection: disabled
+namespace:
+ name: badhouseplants-$BH_APP_BRANCH
+ labels:
+ istio-injection: disabled
+istio:
+ hosts:
+ - $BH_APP_HOSTNAME
+ annotations:
+ link.argocd.argoproj.io/env: https://$BH_APP_HOSTNAME/
+ link.argocd.argoproj.io/remark42: https://remark42-$BH_APP_HOSTNAME/web
+ link.argocd.argoproj.io/build: $DRONE_BUILD_LINK
+hugo:
+ image:
+ tag: $BH_APP_IMAGE_TAG
+ baseURL: https://$BH_APP_HOSTNAME/
+ buildDrafts: true
+ env:
+ HUGO_PARAMS_GITBRANCH: $BH_APP_BRANCH
+ HUGO_PARAMS_REMARK42URL: https://remark42-$BH_APP_HOSTNAME
+ HUGO_PARAMS_GITCOMMIT: $BH_APP_IMAGE_TAG
+remark42:
 istio:
 hosts:
- - $ARGO_APP_HOSTNAME
- annotations:
- link.argocd.argoproj.io/env: https://$ARGO_APP_HOSTNAME/
- link.argocd.argoproj.io/remark42: https://remark42-$ARGO_APP_HOSTNAME/web
- link.argocd.argoproj.io/build: $DRONE_BUILD_LINK
- hugo:
- image:
- tag: $ARGO_APP_IMAGE_TAG
- baseURL: https://$ARGO_APP_HOSTNAME/
- buildDrafts: true
- env:
- HUGO_PARAMS_GITBRANCH: $ARGO_APP_BRANCH
- HUGO_PARAMS_REMARK42URL: https://remark42-$ARGO_APP_HOSTNAME
- HUGO_PARAMS_GITCOMMIT: $ARGO_APP_IMAGE_TAG
- remark42:
- istio:
- hosts:
- - remark42-$ARGO_APP_HOSTNAME
- settings:
- url: https://remark42-$ARGO_APP_HOSTNAME/
- auth:
- anonymous: true
- secretKey: $ARGO_REMARK_SECRET
- rclone:
- command: 'rclone copy -P badhouseplants-public:/badhouseplants-net/$ARGO_APP_IMAGE_TAG /static'
+ - remark42-$BH_APP_HOSTNAME
+ settings:
+ url: https://remark42-$BH_APP_HOSTNAME/
+ auth:
+ anonymous: true
+ secretKey: $BH_REMARK_SECRET
+rclone:
+ command: 'rclone copy -P badhouseplants-public:/badhouseplants-net/$BH_APP_IMAGE_TAG /static'
diff --git a/scripts/deploy-app.pl b/scripts/deploy-app.pl
index b99b458..b86a34b 100755
--- a/scripts/deploy-app.pl
+++ b/scripts/deploy-app.pl 
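Review bot: In kube/values-preview.yaml `secretKey: $BH_REMARK_SECRET` is still filled in by envsubst, so the Remark42 secret is written in plain text to /tmp/values.yaml and, through the `load_str("/tmp/values.yaml")` step in scripts/deploy-app.pl, into the Argo CD Application's helm values, where anyone who can read the Application can read it. This commit introduces sops for `secrets.values-*` files, so `remark42.settings.secretKey` looks like a candidate to move there, or into a Kubernetes Secret if the chart supports referencing one (not visible in this diff). `auth.anonymous: true` is carried over unchanged; a comment such as `# anonymous comments are intentional for preview environments only` would record that it is deliberate.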
@@ -15,11 +15,11 @@ my $values = ""; my $remark_secret = `openssl rand -hex 12`; chomp($remark_secret); -$ENV{'ARGO_APP_CHART_VERSION'} = $chart_version; -$ENV{'ARGO_APP_BRANCH'} = $git_branch; -$ENV{'ARGO_APP_HOSTNAME'} = "$git_branch-dev.badhouseplants.net"; -$ENV{'ARGO_APP_IMAGE_TAG'} = $git_commit_sha; -$ENV{'ARGO_REMARK_SECRET'} = $remark_secret; +$ENV{'BH_APP_CHART_VERSION'} = $chart_version; +$ENV{'BH_APP_BRANCH'} = $git_branch; +$ENV{'BH_APP_HOSTNAME'} = "$git_branch-dev.badhouseplants.net"; +$ENV{'BH_APP_IMAGE_TAG'} = $git_commit_sha; +$ENV{'BH_REMARK_SECRET'} = $remark_secret; # ---------------------------------- # -- Fill the Application manifest @@ -37,6 +37,7 @@ print `envsubst < ./kube/application.yaml > /tmp/application.yaml` or die $!; print `yq -i '.spec.source.helm.values = load_str("/tmp/values.yaml")' /tmp/application.yaml` or die $!; if(!defined $ENV{DEPLOY_SCRIPT_DEBUG}){ + print `helm upgrade --install ` print `argocd app create -f /tmp/application.yaml --upsert` or die $!; print `argocd app sync --prune -l application=badhouseplants -l branch=$git_branch` or die $!; print `argocd app wait -l application=badhouseplants -l branch=$git_branch` or die $!;
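Review bot: The added `helm upgrade --install` line in the second hunk of scripts/deploy-app.pl has no terminating semicolon, so it runs into the following `print` and the script should fail to compile; the command also names no release or chart and has no failure check. The surrounding `print ... or die $!` pattern only tests whether `print` succeeded, not the command's exit status, so a failed argocd or helm call would go unnoticed. I would write the new step in list form with an explicit status check, `system('helm', 'upgrade', '--install', $release, $chart) == 0 or die "helm upgrade failed: $?\n";`, where `$release` and `$chart` are placeholders for values this diff does not show; list form also keeps interpolated values such as `$git_branch` out of shell parsing. The `if` block continues past the end of the hunk.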