ci: persist live fixes to pipeline scripts - grpc addr, storage, remove netpol, webhook config

2026-04-18 21:14:51 +00:00
parent ee28db684f
commit 1607baba90
4 changed files with 212 additions and 22 deletions
@@ -0,0 +1,132 @@
+#!/bin/bash
+set -euo pipefail
+
+# runmefirst.sh — Full CI/CD pipeline infrastructure install
+# Installs: Gitea config → Woodpecker CI → ArgoCD → Kargo
+# Tears down ARC first (if present)
+# Persists state on NFS volumes at nfs://192.168.42.8:/volume1/Kubernetes/pipelines
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# -------------------------------------------------------
+# 0. Tear down ARC infrastructure (if present)
+# -------------------------------------------------------
+echo "--- Step 0: Tearing down ARC infrastructure ---"
+helm uninstall arc-runner-set --namespace arc-system || true
+helm uninstall arc --namespace arc-system || true
+kubectl delete clusterrolebinding arc-runner-rbac --ignore-not-found
+kubectl delete pv pipeline-arc-pv --ignore-not-found
+kubectl delete namespace arc-system --ignore-not-found --wait=false
+echo "  ✓ ARC teardown complete"
+echo ""
+
+# -------------------------------------------------------
+# 1. Create namespaces
+# -------------------------------------------------------
+echo "--- Step 1: Creating namespaces ---"
+for ns in woodpecker argocd kargo stonks-beta stonks-paper; do
+  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
+  echo "  ✓ namespace/$ns"
+done
+echo ""
+
+# -------------------------------------------------------
+# 2. Apply NFS PersistentVolumes
+# -------------------------------------------------------
+echo "--- Step 2: Applying NFS PersistentVolumes ---"
+kubectl apply -f pvs/argocd-pv.yaml
+kubectl apply -f pvs/kargo-pv.yaml
+kubectl apply -f pvs/woodpecker-pv.yaml
+echo "  ✓ PVs applied"
+echo ""
+
+# -------------------------------------------------------
+# 3. Configure Gitea (admin user, OAuth2 app, repo)
+# -------------------------------------------------------
+echo "--- Step 3: Configuring Gitea ---"
+bash gitea/setup.sh
+# Source the OAuth2 credentials for Woodpecker install
+source gitea/gitea-oauth2.env
+echo "  ✓ Gitea configured (OAuth2 client_id: ${GITEA_CLIENT_ID})"
+
+# Ensure Gitea allows webhook delivery to local/cluster addresses
+GITEA_POD=$(kubectl get pods -n git-server -l app=gitea -o jsonpath='{.items[0].metadata.name}')
+if ! kubectl exec -n git-server "$GITEA_POD" -- grep -q '\[webhook\]' /data/gitea/conf/app.ini 2>/dev/null; then
+  kubectl exec -n git-server "$GITEA_POD" -- sh -c 'printf "\n[webhook]\nALLOWED_HOST_LIST = *\nSKIP_TLS_VERIFY = true\n" >> /data/gitea/conf/app.ini'
+  kubectl rollout restart deployment/gitea -n git-server
+  kubectl rollout status deployment/gitea -n git-server --timeout=60s
+  echo "  ✓ Gitea webhook config added (ALLOWED_HOST_LIST=*)"
+else
+  echo "  ✓ Gitea webhook config already present"
+fi
+echo ""
+
+# -------------------------------------------------------
+# 4. Install Woodpecker CI via Helm
+# -------------------------------------------------------
+echo "--- Step 4: Installing Woodpecker CI ---"
+helm upgrade --install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
+  --namespace woodpecker \
+  --values woodpecker/values.yaml \
+  --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
+  --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \
+  --wait --timeout 5m
+echo "  ✓ Woodpecker CI installed"
+echo ""
+
+# -------------------------------------------------------
+# 5. Apply Woodpecker agent RBAC
+# -------------------------------------------------------
+echo "--- Step 5: Applying Woodpecker agent RBAC ---"
+kubectl apply -f woodpecker/agent-rbac.yaml
+echo "  ✓ Agent RBAC applied"
+echo ""
+
+# -------------------------------------------------------
+# 6. Install ArgoCD via Helm
+# -------------------------------------------------------
+echo "--- Step 6: Installing ArgoCD ---"
+helm repo add argo https://argoproj.github.io/argo-helm || true
+helm repo update
+helm upgrade --install argocd argo/argo-cd \
+  --namespace argocd \
+  --values argocd/values.yaml \
+  --wait --timeout 5m
+echo "  ✓ ArgoCD installed"
+
+# Apply repo secret and Applications
+kubectl apply -f argocd/repo-secret.yaml
+kubectl apply -f argocd/apps/stonks-beta.yaml
+kubectl apply -f argocd/apps/stonks-paper.yaml
+kubectl apply -f argocd/apps/stonks-live.yaml
+echo "  ✓ ArgoCD repo secret and Applications applied"
+echo ""
+
+# -------------------------------------------------------
+# 7. Install Kargo via Helm
+# -------------------------------------------------------
+echo "--- Step 7: Installing Kargo ---"
+helm upgrade --install kargo oci://ghcr.io/akuity/kargo-charts/kargo \
+  --namespace kargo \
+  --values kargo/values.yaml \
+  --wait --timeout 5m
+echo "  ✓ Kargo installed"
+
+# Apply Kargo resources
+kubectl apply -f kargo/project.yaml
+kubectl apply -f kargo/project-config.yaml
+kubectl apply -f kargo/warehouse.yaml
+kubectl apply -f kargo/market-hours-check.yaml
+kubectl apply -f kargo/stages/beta.yaml
+kubectl apply -f kargo/stages/paper.yaml
+kubectl apply -f kargo/stages/live.yaml
+echo "  ✓ Kargo project, warehouse, and stages applied"
+echo ""
+
+echo "=== Pipeline Infrastructure Install Complete ==="
+echo ""
+echo "Endpoints:"
+echo "  Woodpecker CI: https://stonks-ci.celestium.life"
+echo "  ArgoCD:        https://stonks-argocd.celestium.life"
+echo "  Kargo:         https://stonks-kargo.celestium.life"
@@ -0,0 +1,77 @@
+#!/bin/bash
+set -euo pipefail
+
+# runmelast.sh — Pipeline infrastructure teardown
+# Removes: Kargo → ArgoCD → Woodpecker (reverse install order)
+# Preserves: NFS PVs, NFS data, git-server namespace (Gitea + registry),
+#            stonks-oracle namespace, stonks-beta, stonks-paper
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "=== Pipeline Infrastructure Teardown ==="
+echo ""
+echo "This will remove Kargo, ArgoCD, and Woodpecker CI."
+echo "Preserved: NFS PVs, NFS data, git-server (Gitea + registry), application namespaces."
+echo ""
+
+# -------------------------------------------------------
+# 1. Remove Kargo resources + Helm release
+# -------------------------------------------------------
+echo "--- Step 1: Removing Kargo ---"
+kubectl delete -f kargo/stages/live.yaml --ignore-not-found || true
+kubectl delete -f kargo/stages/paper.yaml --ignore-not-found || true
+kubectl delete -f kargo/stages/beta.yaml --ignore-not-found || true
+kubectl delete -f kargo/market-hours-check.yaml --ignore-not-found || true
+kubectl delete -f kargo/warehouse.yaml --ignore-not-found || true
+kubectl delete -f kargo/project-config.yaml --ignore-not-found || true
+kubectl delete -f kargo/project.yaml --ignore-not-found || true
+helm uninstall kargo --namespace kargo || true
+echo "  ✓ Kargo removed"
+echo ""
+
+# -------------------------------------------------------
+# 2. Remove ArgoCD resources + Helm release
+# -------------------------------------------------------
+echo "--- Step 2: Removing ArgoCD ---"
+kubectl delete -f argocd/apps/stonks-live.yaml --ignore-not-found || true
+kubectl delete -f argocd/apps/stonks-paper.yaml --ignore-not-found || true
+kubectl delete -f argocd/apps/stonks-beta.yaml --ignore-not-found || true
+kubectl delete -f argocd/repo-secret.yaml --ignore-not-found || true
+helm uninstall argocd --namespace argocd || true
+echo "  ✓ ArgoCD removed"
+echo ""
+
+# -------------------------------------------------------
+# 3. Remove Woodpecker CI
+# -------------------------------------------------------
+echo "--- Step 3: Removing Woodpecker CI ---"
+kubectl delete -f woodpecker/agent-rbac.yaml --ignore-not-found || true
+helm uninstall woodpecker --namespace woodpecker || true
+echo "  ✓ Woodpecker CI removed"
+echo ""
+
+# -------------------------------------------------------
+# 4. Delete namespaces (pipeline infra only)
+# -------------------------------------------------------
+echo "--- Step 4: Deleting pipeline namespaces ---"
+for ns in woodpecker argocd kargo; do
+  kubectl delete namespace "$ns" --ignore-not-found || true
+  echo "  ✓ namespace/$ns deleted"
+done
+echo ""
+
+# NOTE: The following are intentionally NOT deleted:
+# - NFS PersistentVolumes (pipeline-argocd-pv, pipeline-kargo-pv, pipeline-woodpecker-pv)
+# - NFS data at nfs://192.168.42.8:/volume1/Kubernetes/pipelines/
+# - git-server namespace (Gitea + local registry)
+# - stonks-oracle namespace (production workloads)
+# - stonks-beta namespace (beta workloads)
+# - stonks-paper namespace (paper trading workloads)
+
+echo "=== Pipeline Infrastructure Teardown Complete ==="
+echo ""
+echo "Preserved:"
+echo "  - NFS PVs and data (survives cluster rebuild)"
+echo "  - git-server namespace (Gitea + registry)"
+echo "  - Application namespaces (stonks-oracle, stonks-beta, stonks-paper)"
@@ -1,20 +0,0 @@
-# NetworkPolicy: Allow Traefik ingress to Woodpecker server
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-traefik-to-woodpecker
-  namespace: woodpecker
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: server
-  policyTypes:
-    - Ingress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - protocol: TCP
-          port: 8000
@@ -9,6 +9,7 @@ server:
  env:
    WOODPECKER_HOST: "https://stonks-ci.celestium.life"
    WOODPECKER_SERVER_ADDR: "0.0.0.0:8000"
+    WOODPECKER_GRPC_ADDR: "0.0.0.0:9000"
    WOODPECKER_GITEA: "true"
    WOODPECKER_GITEA_URL: "http://gitea-service.git-server.svc.cluster.local:3000"
    WOODPECKER_GITEA_CLIENT: "<GITEA_CLIENT_ID>"
@@ -49,5 +50,5 @@ agent:
    WOODPECKER_SERVER: "woodpecker-server:9000"
    WOODPECKER_BACKEND: kubernetes
    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
-    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
-    WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
+    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi
+    WOODPECKER_BACKEND_K8S_STORAGE_RWX: "false"