This commit is contained in:
@@ -13,6 +13,10 @@ jobs:
|
||||
IMAGE_REPO: localhost/kubeviz
|
||||
IMAGE_TAG: prod
|
||||
SERVICE_NAME: kubeviz.service
|
||||
SYSTEMD_SCOPE: user
|
||||
INSTALL_QUADLET: "true"
|
||||
QUADLET_SRC: deploy/quadlet/kubeviz-traefik.container
|
||||
PODMAN_USE_SUDO: "false"
|
||||
steps:
|
||||
- name: Checkout + Build/Deploy (git, no Node runtime required)
|
||||
env:
|
||||
|
||||
@@ -78,12 +78,21 @@ For private base images (for example `dhi.io/golang:*`), ensure the runner user
|
||||
|
||||
The deploy script forwards `REGISTRY_AUTH_FILE` to `sudo podman` automatically.
|
||||
|
||||
Default workflow mode uses user services (`systemctl --user`) and rootless Podman:
|
||||
- `SYSTEMD_SCOPE=user`
|
||||
- `PODMAN_USE_SUDO=false`
|
||||
- quadlet target: `~/.config/containers/systemd/kubeviz.container`
|
||||
|
||||
So no root sudo is required for normal deploy runs.
|
||||
|
||||
Required sudo permissions for the Gitea runner user (example):
|
||||
|
||||
```text
|
||||
gitea-runner ALL=(root) NOPASSWD:/usr/bin/podman build *,/usr/bin/podman tag *,/usr/bin/systemctl restart kubeviz.service,/usr/bin/systemctl is-active kubeviz.service
|
||||
```
|
||||
|
||||
Only needed when you switch to `SYSTEMD_SCOPE=system` or `PODMAN_USE_SUDO=true`.
|
||||
|
||||
The user must be the one that executes the Gitea Actions runner service (often `gitea-runner`).
|
||||
Check it with:
|
||||
|
||||
|
||||
@@ -4,6 +4,12 @@ set -euo pipefail
|
||||
IMAGE_REPO="${IMAGE_REPO:-localhost/kubeviz}"
|
||||
IMAGE_TAG="${IMAGE_TAG:-prod}"
|
||||
SERVICE_NAME="${SERVICE_NAME:-kubeviz.service}"
|
||||
SYSTEMD_SCOPE="${SYSTEMD_SCOPE:-user}"
|
||||
INSTALL_QUADLET="${INSTALL_QUADLET:-true}"
|
||||
QUADLET_SRC="${QUADLET_SRC:-deploy/quadlet/kubeviz-traefik.container}"
|
||||
USER_QUADLET_DIR="${USER_QUADLET_DIR:-${HOME}/.config/containers/systemd}"
|
||||
SYSTEM_QUADLET_DIR="${SYSTEM_QUADLET_DIR:-/etc/containers/systemd}"
|
||||
PODMAN_USE_SUDO="${PODMAN_USE_SUDO:-}"
|
||||
|
||||
if [ -z "${REGISTRY_AUTH_FILE:-}" ]; then
|
||||
if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -f "${XDG_RUNTIME_DIR}/containers/auth.json" ]; then
|
||||
@@ -13,10 +19,37 @@ if [ -z "${REGISTRY_AUTH_FILE:-}" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
SUDO_PODMAN=(sudo podman)
|
||||
if [ -z "${PODMAN_USE_SUDO}" ]; then
|
||||
if [ "${SYSTEMD_SCOPE}" = "system" ]; then
|
||||
PODMAN_USE_SUDO="true"
|
||||
else
|
||||
PODMAN_USE_SUDO="false"
|
||||
fi
|
||||
fi
|
||||
|
||||
PODMAN_CMD=(podman)
|
||||
SYSTEMCTL_CMD=(systemctl --user)
|
||||
if [ "${PODMAN_USE_SUDO}" = "true" ]; then
|
||||
PODMAN_CMD=(sudo podman)
|
||||
fi
|
||||
if [ "${SYSTEMD_SCOPE}" = "system" ]; then
|
||||
SYSTEMCTL_CMD=(sudo systemctl)
|
||||
QUADLET_TARGET_DIR="${SYSTEM_QUADLET_DIR}"
|
||||
else
|
||||
SYSTEMCTL_CMD=(systemctl --user)
|
||||
QUADLET_TARGET_DIR="${USER_QUADLET_DIR}"
|
||||
if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
|
||||
export XDG_RUNTIME_DIR="/run/user/$(id -u)"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${REGISTRY_AUTH_FILE:-}" ] && [ -f "${REGISTRY_AUTH_FILE}" ]; then
|
||||
export REGISTRY_AUTH_FILE
|
||||
SUDO_PODMAN=(sudo --preserve-env=REGISTRY_AUTH_FILE podman)
|
||||
if [ "${PODMAN_USE_SUDO}" = "true" ]; then
|
||||
PODMAN_CMD=(sudo --preserve-env=REGISTRY_AUTH_FILE podman)
|
||||
else
|
||||
PODMAN_CMD=(podman)
|
||||
fi
|
||||
echo "Using registry auth file: ${REGISTRY_AUTH_FILE}"
|
||||
else
|
||||
echo "Warning: no REGISTRY_AUTH_FILE found; private base image pulls may fail."
|
||||
@@ -32,13 +65,30 @@ SOURCE_IMAGE="${IMAGE_REPO}:ci-${BUILD_ID}"
|
||||
RELEASE_IMAGE="${IMAGE_REPO}:${IMAGE_TAG}"
|
||||
|
||||
echo "Building ${SOURCE_IMAGE}"
|
||||
"${SUDO_PODMAN[@]}" build --pull=always -t "${SOURCE_IMAGE}" .
|
||||
"${PODMAN_CMD[@]}" build --pull=always -t "${SOURCE_IMAGE}" .
|
||||
|
||||
echo "Tagging ${RELEASE_IMAGE}"
|
||||
"${SUDO_PODMAN[@]}" tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
|
||||
"${PODMAN_CMD[@]}" tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
|
||||
|
||||
echo "Restarting ${SERVICE_NAME}"
|
||||
sudo systemctl restart "${SERVICE_NAME}"
|
||||
sudo systemctl is-active --quiet "${SERVICE_NAME}"
|
||||
if [ "${INSTALL_QUADLET}" = "true" ]; then
|
||||
if [ ! -f "${QUADLET_SRC}" ]; then
|
||||
echo "Quadlet source not found: ${QUADLET_SRC}"
|
||||
exit 1
|
||||
fi
|
||||
echo "Installing quadlet ${QUADLET_SRC} -> ${QUADLET_TARGET_DIR}/kubeviz.container"
|
||||
if [ "${SYSTEMD_SCOPE}" = "system" ]; then
|
||||
sudo mkdir -p "${QUADLET_TARGET_DIR}"
|
||||
sudo cp "${QUADLET_SRC}" "${QUADLET_TARGET_DIR}/kubeviz.container"
|
||||
else
|
||||
mkdir -p "${QUADLET_TARGET_DIR}"
|
||||
cp "${QUADLET_SRC}" "${QUADLET_TARGET_DIR}/kubeviz.container"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Reloading ${SYSTEMD_SCOPE} systemd and restarting ${SERVICE_NAME}"
|
||||
"${SYSTEMCTL_CMD[@]}" daemon-reload
|
||||
"${SYSTEMCTL_CMD[@]}" enable --now "${SERVICE_NAME}"
|
||||
"${SYSTEMCTL_CMD[@]}" restart "${SERVICE_NAME}"
|
||||
"${SYSTEMCTL_CMD[@]}" is-active --quiet "${SERVICE_NAME}"
|
||||
|
||||
echo "Deployment successful: ${RELEASE_IMAGE}"
|
||||
|
||||
Reference in New Issue
Block a user