admin/stonks-oracle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: final pipeline fixes - kargo SA workaround, oauth2 flow, timeouts

Browse Source
This commit is contained in:
Celes Renata
2026-04-19 02:41:41 +00:00
parent cd4f84a949
commit 76dd58c1dc
3 changed files with 90 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pipelines/gitea/setup.sh
+13 -7
View File
@@ -184,13 +184,19 @@ print(data.get('client_secret', ''))
" 2>/dev/null || echo "") " 2>/dev/null || echo "")
if [ -z "$OAUTH2_CLIENT_SECRET" ]; then if [ -z "$OAUTH2_CLIENT_SECRET" ]; then
echo " ⚠ Client secret not available for existing app — recreating..." echo " ✓ OAuth2 app exists, secret stored in Woodpecker DB (not recreating)"
APP_ID=$(echo "$EXISTING_APP" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])") # Write client_id only — secret is only available on first creation
curl -s -X DELETE \ cat > "${OAUTH2_ENV_FILE}" <<EOF
-H "${AUTH_HEADER}" \ # Generated by gitea/setup.sh
"${API}/user/applications/oauth2/${APP_ID}" > /dev/null # Secret only available on first creation — Woodpecker DB has it
echo " Deleted existing OAuth2 app (id=${APP_ID})" GITEA_CLIENT_ID=${OAUTH2_CLIENT_ID}
EXISTING_APP="" GITEA_CLIENT_SECRET=EXISTING_APP_SECRET_IN_WOODPECKER_DB
EOF
echo ""
echo " ✓ Credentials written to ${OAUTH2_ENV_FILE}"
echo ""
echo "=== Gitea Setup Complete ==="
exit 0
fi fi
fi fi
pipelines/runmefirst.sh
+76 -26
View File
@@ -45,13 +45,11 @@ echo " ✓ PVs applied"
echo "" echo ""
# ------------------------------------------------------- # -------------------------------------------------------
# 3. Configure Gitea (admin user, OAuth2 app, repo) # 3. Configure Gitea (admin user, repo, webhook config)
# ------------------------------------------------------- # -------------------------------------------------------
echo "--- Step 3: Configuring Gitea ---" echo "--- Step 3: Configuring Gitea ---"
bash gitea/setup.sh bash gitea/setup.sh
# Source the OAuth2 credentials for Woodpecker install echo " ✓ Gitea configured"
source gitea/gitea-oauth2.env
echo " ✓ Gitea configured (OAuth2 client_id: ${GITEA_CLIENT_ID})"
# Ensure Gitea allows webhook delivery to local/cluster addresses # Ensure Gitea allows webhook delivery to local/cluster addresses
GITEA_POD=$(kubectl get pods -n git-server -l app=gitea -o jsonpath='{.items[0].metadata.name}') GITEA_POD=$(kubectl get pods -n git-server -l app=gitea -o jsonpath='{.items[0].metadata.name}')
@@ -69,12 +67,48 @@ echo ""
# 4. Install Woodpecker CI via Helm # 4. Install Woodpecker CI via Helm
# ------------------------------------------------------- # -------------------------------------------------------
echo "--- Step 4: Installing Woodpecker CI ---" echo "--- Step 4: Installing Woodpecker CI ---"
helm upgrade --install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \ # Check if Woodpecker is already installed (upgrade vs fresh install)
--values woodpecker/values.yaml \ WOODPECKER_EXISTS=$(helm list -n woodpecker -q 2>/dev/null | grep -c woodpecker || true)
--set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
--set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \ if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then
--wait --timeout 5m # Upgrade — don't touch OAuth2 credentials, Woodpecker DB already has them
echo " Woodpecker already installed — upgrading (preserving OAuth2 grants)..."
helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \
--values woodpecker/values.yaml \
--wait --timeout 5m
else
# Fresh install — need fresh OAuth2 credentials from Gitea
echo " Fresh Woodpecker install — creating fresh OAuth2 app..."
# Delete any existing OAuth2 app in Gitea (stale from previous install)
GITEA_AUTH="Authorization: Basic $(echo -n 'admin:St0nks0racl3!' | base64)"
GITEA_API="http://10.1.1.12:30300/api/v1"
EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c '
import sys, json
for app in json.loads(sys.stdin.read()):
if app.get("name") == "woodpecker-ci":
print(app["id"])
break
' 2>/dev/null || echo "")
if [ -n "$EXISTING_APP_ID" ]; then
curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null
echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)"
fi
# Create fresh OAuth2 app
OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \
-H "$GITEA_AUTH" -H "Content-Type: application/json" \
-d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}')
GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])")
GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])")
echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)"
helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \
--values woodpecker/values.yaml \
--set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
--set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \
--wait --timeout 5m
fi
echo " ✓ Woodpecker CI installed" echo " ✓ Woodpecker CI installed"
echo "" echo ""
@@ -90,12 +124,15 @@ echo ""
# 6. Install ArgoCD via Helm # 6. Install ArgoCD via Helm
# ------------------------------------------------------- # -------------------------------------------------------
echo "--- Step 6: Installing ArgoCD ---" echo "--- Step 6: Installing ArgoCD ---"
# Clean up leftover ArgoCD CRDs from previous installs (they have resource-policy: keep) ARGOCD_EXISTS=$(helm list -n argocd -q 2>/dev/null | grep -c argocd || true)
kubectl delete crd applications.argoproj.io applicationsets.argoproj.io appprojects.argoproj.io \ if [ "${ARGOCD_EXISTS:-0}" -eq 0 ]; then
--ignore-not-found > /dev/null 2>&1 || true # Fresh install — clean up leftover CRDs and SAs
kubectl delete sa --all -n argocd --ignore-not-found > /dev/null 2>&1 || true kubectl delete crd applications.argoproj.io applicationsets.argoproj.io appprojects.argoproj.io \
kubectl delete role --all -n argocd --ignore-not-found > /dev/null 2>&1 || true --ignore-not-found --timeout=30s > /dev/null 2>&1 || true
kubectl delete rolebinding --all -n argocd --ignore-not-found > /dev/null 2>&1 || true kubectl delete sa --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
kubectl delete role --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
kubectl delete rolebinding --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
fi
helm repo add argo https://argoproj.github.io/argo-helm || true helm repo add argo https://argoproj.github.io/argo-helm || true
helm repo update helm repo update
helm upgrade --install argocd argo/argo-cd \ helm upgrade --install argocd argo/argo-cd \
@@ -116,19 +153,32 @@ echo ""
# 7. Install Kargo via Helm # 7. Install Kargo via Helm
# ------------------------------------------------------- # -------------------------------------------------------
echo "--- Step 7: Installing Kargo ---" echo "--- Step 7: Installing Kargo ---"
# Clean up leftover Kargo CRDs from previous installs (they have resource-policy: keep) KARGO_EXISTS=$(helm list -n kargo -q 2>/dev/null | grep -c kargo || true)
kubectl delete crd freights.kargo.akuity.io projects.kargo.akuity.io stages.kargo.akuity.io \ if [ "${KARGO_EXISTS:-0}" -eq 0 ]; then
warehouses.kargo.akuity.io promotions.kargo.akuity.io promotiontasks.kargo.akuity.io \ # Fresh install — clean up leftover CRDs and SAs from previous installs
clusterpromotiontasks.kargo.akuity.io projectconfigs.kargo.akuity.io \ kubectl delete crd freights.kargo.akuity.io projects.kargo.akuity.io stages.kargo.akuity.io \
clusterconfigs.kargo.akuity.io --ignore-not-found > /dev/null 2>&1 || true warehouses.kargo.akuity.io promotions.kargo.akuity.io promotiontasks.kargo.akuity.io \
# Also clean up any leftover SAs/roles from previous installs that block Helm clusterpromotiontasks.kargo.akuity.io projectconfigs.kargo.akuity.io \
kubectl delete sa --all -n kargo --ignore-not-found > /dev/null 2>&1 || true clusterconfigs.kargo.akuity.io --ignore-not-found --timeout=30s > /dev/null 2>&1 || true
kubectl delete role --all -n kargo --ignore-not-found > /dev/null 2>&1 || true kubectl delete sa --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
kubectl delete rolebinding --all -n kargo --ignore-not-found > /dev/null 2>&1 || true kubectl delete role --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
kubectl delete rolebinding --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
fi
helm upgrade --install kargo oci://ghcr.io/akuity/kargo-charts/kargo \ helm upgrade --install kargo oci://ghcr.io/akuity/kargo-charts/kargo \
--namespace kargo \ --namespace kargo \
--values kargo/values.yaml \ --values kargo/values.yaml \
--wait --timeout 5m --timeout 5m || true
# Kargo chart bug: controller deployment references SA 'kargo-controller' but chart doesn't create it
kubectl create serviceaccount kargo-controller -n kargo 2>/dev/null || true
# Wait for controller to stabilize
echo " Waiting for kargo-controller..."
for i in $(seq 1 24); do
if kubectl get pods -n kargo -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].status.containerStatuses[0].ready}' 2>/dev/null | grep -q true; then
break
fi
kubectl delete pod -n kargo -l app.kubernetes.io/component=controller --field-selector=status.phase=Failed --ignore-not-found > /dev/null 2>&1 || true
sleep 5
done
echo " ✓ Kargo installed" echo " ✓ Kargo installed"
# Apply Kargo resources # Apply Kargo resources
pipelines/woodpecker/values.yaml
+1 -2
View File
@@ -6,8 +6,7 @@
server: server:
enabled: true enabled: true
podAnnotations: # No proxy CA injection — server talks to Gitea internally, proxy would intercept
celestium.life/inject-ca: "true"
env: env:
WOODPECKER_HOST: "https://stonks-ci.celestium.life" WOODPECKER_HOST: "https://stonks-ci.celestium.life"