ci: add updated CI

diogosilva30 · Aug 10, 2024 · d8b441e · d8b441e
1 parent c45b37c
commit d8b441e
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 148 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,49 @@
+name: "CI"
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+jobs:
+  default:
+    runs-on: ubuntu-latest
+    env:
+      AUTH_KEY: ${{ secrets.HEADSCALE_PREAUTH_KEY }}
+      HEADSCALE_API_URL: "https://dsilva-headscale-vpn.fly.dev"
+      TAILSCALE_UPGRADE: "1"
+    steps:
+      # Connect to private network with tailscale
+      - name: Install tailscale
+        run: curl -fsSL https://tailscale.com/install.sh | sh
+
+      - name: Start Tailscale
+        run: sudo tailscale up --auth-key $AUTH_KEY --login-server $HEADSCALE_API_URL --accept-routes
+
+      - name: Tailscale status
+        run: tailscale status
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - uses: azure/setup-kubectl@v4
+        id: kubectl-install
+        with:
+           version: 'v1.30.1'
+
+      - name: Setup kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config
+
+      - name: Setup ArgoCD OIDC and RBAC
+        run: |
+          echo "Setting up ArgoCD OIDC and RBAC"
+          kubectl -n argocd patch secret argocd-secret -p '{
+            "stringData": {
+              "oidc.keycloak.clientSecret": "'$ARGOCD_OIDC_CLIENT_SECRET'"
+            }
+          }'
+          kubectl -n argocd patch cm argocd-cm --type merge --patch "$(cat ./ci-patches/argocd-rbac-patch.yaml)"
+        env:
+          ARGOCD_OIDC_CLIENT_SECRET: ${{ secrets.ARGOCD_OIDC_CLIENT_SECRET }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
diff --git a/README.md b/README.md
@@ -2,6 +2,20 @@
 # 👋 Welcome to k3s.dsilva.dev :test_tube:
 
 
+# Steps:
+
+```shell
+export PRIVATEKEY="private.key"
+export PUBLICKEY="public.crt"
+export NAMESPACE="sealed-secrets"
+export SECRETNAME="keys"
+
+openssl req -x509 -days 358000 -nodes -newkey rsa:4096 -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=sealed-secret/O=sealed-secret"
+
+kubectl create namespace "$NAMESPACE"
+kubectl -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"
+kubectl -n "$NAMESPACE" label secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active
+```
 
 ### This open-source repository showcases a fully automated homelab k3s cluster on Proxmox, managed with Terraform and ArgoCD :rocket: 
 

diff --git a/ci-patches/argocd-rbac-patch.yaml b/ci-patches/argocd-rbac-patch.yaml
@@ -0,0 +1,14 @@
+# Kubeclt patch to sync groups from keycloak
+# with ArgoCD roles
+# To add a new group, add a new line to the
+# policy.csv file using the format
+# g, <group name>, role:<role name>
+# Where <group name> is the name of the group
+# in keycloak and <role name> is the name of
+# the role in ArgoCD
+# Apply this patch with:
+# kubectl -n argocd patch configmap argocd-rbac-cm --patch "$(cat ci-patches/argocd-rbac-patch.yaml)"
+data:
+  policy.csv: |
+    g, ReadOnly, role:readonly
+    g, ArgoAdmin, role:admin