Build with anchors

.drone.yml

@@ -28,6 +28,9 @@ name: Build badhouseplants.net
 trigger:
   event:
     - push
+builder: &builder
+  image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
+
 clone:
   disable: true
 steps:
@@ -45,8 +48,8 @@ steps:
       - clone
     commands:
       - hugo -s ./src
-  - name: Build and push the docker image
-    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:2449b73b13a62ae916c6703778d096e5290157b3
+  - <<: *builder
+    name: Build and push the docker image
     privileged: true
     depends_on:
       - Test a build
@@ -56,8 +59,8 @@ steps:
         from_secret: GITEA_TOKEN
     commands:
       - ./scripts/build-container.pl
-  - name: Sync pictures from lfs to Minio
-    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:2449b73b13a62ae916c6703778d096e5290157b3
+  - <<: *builder
+    name: Sync pictures from lfs to Minio
     depends_on:
       - Test a build
     environment:
@@ -67,8 +70,8 @@ steps:
     commands:
       - echo "$RCLONE_CONFIG_CONTENT" > $RCLONE_CONFIG
       - ./scripts/upload-media.pl
-  - name: Deploy the application
-    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:2449b73b13a62ae916c6703778d096e5290157b3
+  - <<: *builder
+    name: Deploy the application
     depends_on:
       - Build and push the docker image
       - Sync pictures from lfs to Minio
@@ -81,10 +84,11 @@ steps:
         from_secret: GITHUB_OAUTH_KEY
       ARGO_GOOGLE_OAUTH_KEY:
         from_secret: GOOGLE_OAUTH_KEY
+      DEPLOY_SCRIPT_DEBUG: true
     commands:
       - ./scripts/deploy-app.pl
-  - name: Cleanup everything
-    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:2449b73b13a62ae916c6703778d096e5290157b3
+  - <<: *builder
+    name: Cleanup everything
     depends_on:
       - Deploy the application
     environment:

.sops.yaml

@@ -0,0 +1,5 @@
+creation_rules:
+  - path_regex: .*secrets\.values.*
+    key_groups:
+      - age:
+          - age155dykdtnkw9fke45pxkygyyx2eal0hwpdm0zz8qa92z5ludjqe5sfakqgs

Containerfile

@@ -1,4 +1,4 @@
-FROM git.badhouseplants.net/badhouseplants/hugo-container:df0ab0c6f98e1921f451eb444aa5e7cb03d1f27b
+FROM git.badhouseplants.net/badhouseplants/hugo-container:3daaf01c9811501f2b4c691f6910e3df285c2007
 WORKDIR /src
 COPY ./src /src
 ENTRYPOINT ["hugo"]

kube/secrets.values-main.yaml

@@ -0,0 +1,21 @@
+values: ENC[AES256_GCM,data:qQTaz7Ab1+2udnxTNRfRKALV93SNBX1l+po11ZPV/RRstwuaBqkrp/zRMllPj6O6p62Y9N9BknSJsuavH62wqAOmN0qVP1XQtzHMLMKMIOe4ut29NtcR7XM54Cq1glqTk2LRfCaCdYSzOsXFscGI/x2bx7G8LjKXWEPtHGXVU+lU3OZFWZ7Ioz02lPl3FnidXBQrCQnY1Wc4qS0T/haCq0cXYk+SA4jMY5vxn3+WwaCfq//50EZOebNFCPnGHR5kRmMmG32u918lt/jv2GEu066Vjd0J67S8HGiykFi6RHZwIry0V65YH7X/L4LtEqKok+WAu3ssNRsgXaEhvWclpn0Jq30Z2qsaSFVItbSC7oiUEixlRc1oxOm0ytWZmlFJbzfpA9JdHw1Dpw0q8kIY2eqmAM/W3omZy+4tmPttHbnWyoKSPJi4CflDMToMkkujGqfnOx0OVQ85fXpr0cKkYJuyLz7YQtAyIGGqGyHtqqicWCqt9B25If1Cv+91gu1If0fpEb77ITIjRHaeEcLkBqb9cCGJnV+a6bdVTtDvH2sS9kBS+oWK+cgsAWD3BVDIpOlV0jwJyAB+++PwmsZuFc9MEkE8DSMK2P64J4ceyV6M4Eb8YNGljdxTRZAl9m6SaKLMC8KiggiHs3JPg69n1OsFWN7EcCKtErTq0+XbiHidkYbg+xnxnez3cCbMvTeNZvbKU2bVllqie4ZMe4q0TzQEnTlMeuqeGtVIgPn9an2N2foTHZUboAysM2MKKeWB2isABtv59SXyzhfQmvC08Cgf9Jj3cJpqWm2/Am3RIYcsXW8NwkxM+lPQ6+IYx87Wd3FvPDTTS+wSO700uzFWXfwsaE7AY1uQBXK7bL61jPQ3HpQYWDS11+1zX30iUaDm3m3u6t6gVlGeICAvxqoBxOiruX/jcAOzU/dSeSTjjPmvDO829kB6rFugAvRDYXetoI09EugdnPHTaC/xFejV,iv:/7k4rjpiuCJev6B/GJu9eyb/RMWJfyfjrRuVRTdybDM=,tag:G1eRy4i6+59wZuGqx9bDPQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age155dykdtnkw9fke45pxkygyyx2eal0hwpdm0zz8qa92z5ludjqe5sfakqgs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMWthSXdncUI0U0tSdkk4
+            d1lyQWJ2M0NQSjRQRWViQ0RLVWlSK3FsczB3Cks1V1BaZmFlUVRCdUpBS2kzekxK
+            RlRlQ1daTGdMODlEenVUOVNDOVhNUWsKLS0tIERxeG1BRlh0T0hKSlNXeHI0eUVO
+            V1N2YWIvWXpDckhzampIVUx4YU50Q2cKRyx2G5ki4yhhzpTVjjCBPKvI1C208HJb
+            Qb9Kpd2HkJaVllL5mUsXOAWtugceaSvidK1t3Hz0NXrVvFVUxDh8Rg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-07T09:10:13Z"
+    mac: ENC[AES256_GCM,data:gsbIyJU7T6wRj5CFbG2nyeawvCzp/BtOSOIsapC0AF6a2IIqau1IaH+vd2O7mbT5ClurC0zfR5k5g/pRE8AWc85kbdBhzLBe4Kkx5DXy9N/JQaNh8RlJ1HKzvipVK46zF+6PZYjsrb1S+9WL9p/aV226XkhdcHWcMWrKUaAWVOg=,iv:H5YcSg5gVHNEt7gFLuF8OQtTMq88HdZwlMfMTxxL7iQ=,tag:66qP18m69BBEIuHKJMa1Cw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

kube/values-preview.yaml

@@ -1,33 +1,32 @@
 ---
-values: |
-  namespace:
-    name: badhouseplants-$ARGO_APP_BRANCH
-    labels:
-      istio-injection: disabled
+namespace:
+  name: badhouseplants-$BH_APP_BRANCH
+  labels:
+    istio-injection: disabled
+istio:
+  hosts:
+    - $BH_APP_HOSTNAME
+  annotations:
+    link.argocd.argoproj.io/env: https://$BH_APP_HOSTNAME/
+    link.argocd.argoproj.io/remark42: https://remark42-$BH_APP_HOSTNAME/web
+    link.argocd.argoproj.io/build: $DRONE_BUILD_LINK
+hugo:
+  image:
+    tag: $BH_APP_IMAGE_TAG
+  baseURL: https://$BH_APP_HOSTNAME/
+  buildDrafts: true
+  env:
+    HUGO_PARAMS_GITBRANCH: $BH_APP_BRANCH
+    HUGO_PARAMS_REMARK42URL: https://remark42-$BH_APP_HOSTNAME
+    HUGO_PARAMS_GITCOMMIT: $BH_APP_IMAGE_TAG
+remark42:
   istio:
     hosts:
-      - $ARGO_APP_HOSTNAME
-    annotations:
-      link.argocd.argoproj.io/env: https://$ARGO_APP_HOSTNAME/
-      link.argocd.argoproj.io/remark42: https://remark42-$ARGO_APP_HOSTNAME/web
-      link.argocd.argoproj.io/build: $DRONE_BUILD_LINK
-  hugo:
-    image:
-      tag: $ARGO_APP_IMAGE_TAG
-    baseURL: https://$ARGO_APP_HOSTNAME/
-    buildDrafts: true
-    env:
-      HUGO_PARAMS_GITBRANCH: $ARGO_APP_BRANCH
-      HUGO_PARAMS_REMARK42URL: https://remark42-$ARGO_APP_HOSTNAME
-      HUGO_PARAMS_GITCOMMIT: $ARGO_APP_IMAGE_TAG
-  remark42:
-    istio:
-      hosts:
-        - remark42-$ARGO_APP_HOSTNAME
-    settings:
-      url: https://remark42-$ARGO_APP_HOSTNAME/
-      auth:
-        anonymous: true
-      secretKey: $ARGO_REMARK_SECRET
-  rclone:
-    command: 'rclone copy -P badhouseplants-public:/badhouseplants-net/$ARGO_APP_IMAGE_TAG /static'
+      - remark42-$BH_APP_HOSTNAME
+  settings:
+    url: https://remark42-$BH_APP_HOSTNAME/
+    auth:
+      anonymous: true
+    secretKey: $BH_REMARK_SECRET
+rclone:
+  command: 'rclone copy -P badhouseplants-public:/badhouseplants-net/$BH_APP_IMAGE_TAG /static'

scripts/deploy-app.pl

@@ -15,11 +15,11 @@ my $values = "";
 my $remark_secret = `openssl rand -hex 12`;
 chomp($remark_secret);
 
-$ENV{'ARGO_APP_CHART_VERSION'} = $chart_version;
-$ENV{'ARGO_APP_BRANCH'} = $git_branch;
-$ENV{'ARGO_APP_HOSTNAME'} = "$git_branch-dev.badhouseplants.net";
-$ENV{'ARGO_APP_IMAGE_TAG'} = $git_commit_sha;
-$ENV{'ARGO_REMARK_SECRET'} = $remark_secret;
+$ENV{'BH_APP_CHART_VERSION'} = $chart_version;
+$ENV{'BH_APP_BRANCH'} = $git_branch;
+$ENV{'BH_APP_HOSTNAME'} = "$git_branch-dev.badhouseplants.net";
+$ENV{'BH_APP_IMAGE_TAG'} = $git_commit_sha;
+$ENV{'BH_REMARK_SECRET'} = $remark_secret;
 
 # ----------------------------------
 # -- Fill the Application manifest
@@ -37,6 +37,7 @@ print `envsubst < ./kube/application.yaml > /tmp/application.yaml` or die $!;
 print `yq -i '.spec.source.helm.values = load_str("/tmp/values.yaml")' /tmp/application.yaml` or die $!;
 
 if(!defined $ENV{DEPLOY_SCRIPT_DEBUG}){
+	print `helm upgrade --install `
 	print `argocd app create -f /tmp/application.yaml --upsert` or die $!;
 	print `argocd app sync --prune -l application=badhouseplants -l branch=$git_branch` or die $!; 
 	print `argocd app wait -l application=badhouseplants -l branch=$git_branch` or die $!;