From 58104a9706c49f9424d3e58e7e37e3e0992c8b73 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 20:47:50 +0000 Subject: [PATCH 01/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 62 +++++++++++--------- 1 file changed, 33 insertions(+), 29 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 6489730..6fc03a5 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -6,7 +6,8 @@ on: jobs: bootstrap: runs-on: mealcraft-runners - container: ubuntu:22.04 + container: + image: ubuntu:22.04 steps: # ----------------------------------------------------- @@ -25,7 +26,7 @@ jobs: install -m 0755 kubectl /usr/local/bin/kubectl # ----------------------------------------------------- - # Configure kubeconfig using the ARC pod token + # Configure kubeconfig using ARC pod token # ----------------------------------------------------- - name: Configure kubeconfig run: | 
@@ -40,29 +41,33 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Docker Login + # Build & Push Docker image (ARC-safe, no Docker daemon) # ----------------------------------------------------- - - name: Docker Login - uses: ./.github/actions/docker-login + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx (rootless) + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - # ----------------------------------------------------- - # Build & Push the Docker Image (idempotent) - # ----------------------------------------------------- - - name: Build Traefik Image - run: | - docker build traefik \ - --file traefik/Dockerfile \ - --tag docker.io/kimjunte/edge_router:$GITHUB_SHA - - - name: Push Traefik Image - run: | - docker push docker.io/kimjunte/edge_router:$GITHUB_SHA + - name: Build & Push Traefik Image + uses: docker/build-push-action@v5 + with: + context: ./traefik + file: traefik/Dockerfile + push: true + tags: | + docker.io/kimjunte/edge_router:${{ github.sha }} + docker.io/kimjunte/edge_router:latest # ----------------------------------------------------- - # Apply Storage Classes + PVCs — idempotent with apply + # Apply Storage Classes + PVCs # ----------------------------------------------------- - name: Apply StorageClass + PV run: | 
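Review bot: The four new `uses:` lines reference mutable tags (`docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v5`), so anyone who can move those tags runs code on a runner that holds the Docker Hub credentials and a cluster service-account token; pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: docker/login-action@<40-hex-commit-sha> # v3`, and let Dependabot or Renovate bump them. The build also pushes a floating `edge_router:latest` next to the SHA tag; if the deployment manifests (not visible here) pull `latest`, the cluster picks up whatever was pushed last, so deploy by the `${{ github.sha }}` tag or by digest instead. The buildx/QEMU steps inside an `ubuntu:22.04` job container presumably also need a reachable Docker daemon, which none of the visible steps provides — confirm on the ARC runner before relying on this path.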
@@ -71,25 +76,24 @@ jobs: kubectl get storageclass # ----------------------------------------------------- - # Apply Traefik CRDs only if missing + # Install Traefik CRDs (idempotent) # ----------------------------------------------------- - - name: Install Traefik CRDs (idempotent) + - name: Install Traefik CRDs run: | if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then - echo "Traefik CRDs not found — installing..." + echo "Installing Traefik CRDs..." kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml else - echo "Traefik CRDs already installed — skipping." + echo "CRDs already exist — skipping." fi # ----------------------------------------------------- - # Deploy Traefik — idempotent with kubectl apply + # Deploy Traefik # ----------------------------------------------------- - - name: Deploy Traefik (safe repeat) + - name: Deploy Traefik run: | - echo "Applying Traefik PVC/Deployments/Services/etc…" kubectl apply -f traefik/edge-router/pvc.yaml kubectl apply -f traefik/edge-router/traefik-deployment.yml kubectl apply -f traefik/edge-router/traefik-services.yml @@ -98,7 +102,7 @@ jobs: kubectl apply -f traefik/edge-router/traefik-ingressroute.yml # ----------------------------------------------------- - # Deploy whoami — idempotent + # Deploy whoami # ----------------------------------------------------- - name: Deploy whoami test service run: | 
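Review bot: The three `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/...` lines fetch cluster-scoped manifests (CRDs plus `kubernetes-crd-rbac.yml`) at run time from a git tag, with no integrity check; tags are mutable, so whatever that tag points to at apply time is granted cluster RBAC. Vendor the three files into the repo (or at minimum pin the URLs to a commit SHA) and apply them from the checkout. Because the guard keys on `ingressroutes.traefik.containo.us`, the CRD set is installed once and never updated; `kubectl apply` is already idempotent, so the `if` can be dropped if you want CRDs to track the pinned files.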
@@ -107,21 +111,21 @@ jobs: kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml # ----------------------------------------------------- - # Create Docker Registry Secrets — idempotent + # Create registry secret # ----------------------------------------------------- - name: Create registry secret (default ns) run: | kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml # ----------------------------------------------------- - # Create staging namespace if not exists + # Create staging namespace # ----------------------------------------------------- - name: Create staging namespace run: | kubectl get namespace staging >/dev/null 2>&1 || kubectl create namespace staging # ----------------------------------------------------- - # Apply registry secret to staging — idempotent + # Apply registry secret to staging # ----------------------------------------------------- - name: Registry secret in staging namespace run: | From c43285cc0851339e505e2982b9134cebbbe05c17 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 20:50:13 +0000 Subject: [PATCH 02/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 6fc03a5..525f770 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -44,9 +44,6 @@ jobs: # Build & Push Docker image (ARC-safe, no Docker daemon) # ----------------------------------------------------- - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx (rootless) uses: docker/setup-buildx-action@v3 From 784500a5017800430010d0e008451584d6e8e9da Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 20:54:22 +0000 Subject: [PATCH 03/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 36 +++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) 
diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 525f770..d61499f 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -41,27 +41,29 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Build & Push Docker image (ARC-safe, no Docker daemon) + # Enable Buildx in Rootless BuildKit Mode # ----------------------------------------------------- + - name: Install buildkit + run: | + curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz + tar -xzf buildkit.tar.gz + mv bin/buildctl /usr/local/bin/ + mv bin/buildkitd /usr/local/bin/ + chmod +x /usr/local/bin/buildctl /usr/local/bin/buildkitd - - name: Set up Docker Buildx (rootless) - uses: docker/setup-buildx-action@v3 + - name: Start buildkitd (rootless) + run: | + buildkitd --oci-worker-no-process-sandbox --rootless & + sleep 3 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: Build & Push (rootless buildkit) + run: | + buildctl build \ + --frontend dockerfile.v0 \ + --local context=./traefik \ + --local dockerfile=./traefik \ + --output type=image,name=docker.io/kimjunte/edge_router:${GITHUB_SHA},push=true - - name: Build & Push Traefik Image - uses: docker/build-push-action@v5 - with: - context: ./traefik - file: traefik/Dockerfile - push: true - tags: | - docker.io/kimjunte/edge_router:${{ github.sha }} - docker.io/kimjunte/edge_router:latest # ----------------------------------------------------- # Apply Storage Classes + PVCs From 6d52aa27aadbd6cb4e6e94cce187af585ed736f5 Mon Sep 17 00:00:00 2001 
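Review bot: The `Install buildkit` step downloads `buildkit-v0.12.5.linux-amd64.tar.gz` with `curl -sSL` and moves the contents into `/usr/local/bin` with no checksum or signature check, and without `-f` a 404 or error page is silently saved as the tarball; add `-f` and verify against the sha256 published in the release's checksums file before `tar -xzf`, e.g. `echo "<expected-sha256>  buildkit.tar.gz" | sha256sum -c -`. This hunk also removes the Docker Hub login step while the build keeps `push=true`, and nothing else in the workflow supplies registry credentials (buildctl reads `~/.docker/config.json`, which is never written), so the push has no auth. `sleep 3` after backgrounding `buildkitd` is a race — poll `buildctl debug workers` until it succeeds — and `--oci-worker-no-process-sandbox` drops the build's process isolation, which is acceptable only if the runner pod is already treated as untrusted.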
From: Jun-te Kim Date: Sat, 6 Dec 2025 20:59:36 +0000 Subject: [PATCH 04/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index d61499f..de5d8a3 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -41,7 +41,7 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Enable Buildx in Rootless BuildKit Mode + # Install BuildKit (rootless) # ----------------------------------------------------- - name: Install buildkit run: | @@ -51,19 +51,26 @@ jobs: mv bin/buildkitd /usr/local/bin/ chmod +x /usr/local/bin/buildctl /usr/local/bin/buildkitd + # ----------------------------------------------------- + # Start BuildKitd (rootless) + # ----------------------------------------------------- - name: Start buildkitd (rootless) run: | buildkitd --oci-worker-no-process-sandbox --rootless & sleep 3 - - name: Build & Push (rootless buildkit) + # ----------------------------------------------------- + # Build & Push using BuildKit (NO Docker daemon) + # ----------------------------------------------------- + - name: Build & Push Traefik Image + env: + IMAGE_TAG: docker.io/kimjunte/edge_router:${{ github.sha }} run: | buildctl build \ --frontend dockerfile.v0 \ - --local context=./traefik \ - --local dockerfile=./traefik \ - --output type=image,name=docker.io/kimjunte/edge_router:${GITHUB_SHA},push=true - + --local context="$GITHUB_WORKSPACE/traefik" \ + --local dockerfile="$GITHUB_WORKSPACE/traefik" \ + --output type=image,name=${IMAGE_TAG},push=true # ----------------------------------------------------- # Apply Storage Classes + PVCs From 4565eefe89dc94c43eac2d780b34cbd6a5a3ae38 Mon Sep 17 00:00:00 2001 
From: Jun-te Kim Date: Sat, 6 Dec 2025 21:05:07 +0000 Subject: [PATCH 05/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 45 +++++++------------- 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index de5d8a3..e95f88e 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
@@ -41,36 +41,23 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Install BuildKit (rootless) + # Build & Push Docker Image (ARC-compatible, no Docker) # ----------------------------------------------------- - - name: Install buildkit - run: | - curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz - tar -xzf buildkit.tar.gz - mv bin/buildctl /usr/local/bin/ - mv bin/buildkitd /usr/local/bin/ - chmod +x /usr/local/bin/buildctl /usr/local/bin/buildkitd - - # ----------------------------------------------------- - # Start BuildKitd (rootless) - # ----------------------------------------------------- - - name: Start buildkitd (rootless) - run: | - buildkitd --oci-worker-no-process-sandbox --rootless & - sleep 3 - - # ----------------------------------------------------- - # Build & Push using BuildKit (NO Docker daemon) - # ----------------------------------------------------- - - name: Build & Push Traefik Image + - name: Build & Push Traefik Image (ARC-compatible) + uses: docker/build-push-action@v5 env: - IMAGE_TAG: docker.io/kimjunte/edge_router:${{ github.sha }} - run: | - buildctl build \ - --frontend dockerfile.v0 \ - --local context="$GITHUB_WORKSPACE/traefik" \ - --local dockerfile="$GITHUB_WORKSPACE/traefik" \ - --output type=image,name=${IMAGE_TAG},push=true + BUILDKIT_SBOM_SCAN_STATUS: disabled + with: + context: ${{ github.workspace }}/traefik + file: ${{ github.workspace }}/traefik/Dockerfile + platforms: linux/amd64 + push: true + provenance: false + sbom: false + builder: default + tags: | + docker.io/kimjunte/edge_router:${{ github.sha }} + docker.io/kimjunte/edge_router:latest # ----------------------------------------------------- # Apply Storage Classes + PVCs 
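Review bot: `push: true` now runs with no registry login anywhere in the workflow — the `docker/login-action` step was removed two commits earlier and this hunk does not restore it — so the push cannot authenticate; re-add a login step, pinned to a commit SHA, immediately before this one. `provenance: false` and `sbom: false` also switch off the attestations buildx would otherwise attach to the image; if the aim is only to avoid the manifest-list output, `provenance: mode=min` keeps a minimal provenance record. `builder: default` inside an `ubuntu:22.04` job container with no Docker daemon is presumably why this step keeps being rewritten; none of the visible steps starts one.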
@@ -108,7 +95,7 @@ jobs: kubectl apply -f traefik/edge-router/traefik-ingressroute.yml # ----------------------------------------------------- - # Deploy whoami + # Deploy whoami (test app) # ----------------------------------------------------- - name: Deploy whoami test service run: | From 29f3e15a2413f8afefcdcfc351499737f8f8596c Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:07:28 +0000 Subject: [PATCH 06/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index e95f88e..f63b7df 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -39,6 +39,14 @@ jobs: kubectl config set-credentials runner --token="$SA_TOKEN" kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context + + - name: Install Buildx Standalone + run: | + mkdir -p ~/.docker/cli-plugins/ + curl -sSL https://github.com/docker/buildx/releases/download/v0.13.1/buildx-v0.13.1.linux-amd64 \ + -o ~/.docker/cli-plugins/docker-buildx + chmod +x ~/.docker/cli-plugins/docker-buildx + docker buildx version # ----------------------------------------------------- # Build & Push Docker Image (ARC-compatible, no Docker) From 4b5141b37d5fc0e4034ccf5cfb8812f345922850 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:11:29 +0000 Subject: [PATCH 07/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 65 +++++++++++++------- 1 file changed, 42 insertions(+), 23 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index f63b7df..0d0b838 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
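Review bot: The new `Install Buildx Standalone` step fetches `buildx-v0.13.1.linux-amd64` with `curl -sSL` and `chmod +x`es it with no checksum or signature check and no `-f`, so a failed download becomes an executable that is run on the next line. Add `-f` and verify the sha256 shipped with the release before `chmod +x`. `docker buildx version` also needs the `docker` CLI, which the `ubuntu:22.04` job container does not ship and none of the visible steps install, so this step presumably fails before the build step is reached.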
@@ -39,33 +39,52 @@ jobs: kubectl config set-credentials runner --token="$SA_TOKEN" kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context - - - name: Install Buildx Standalone - run: | - mkdir -p ~/.docker/cli-plugins/ - curl -sSL https://github.com/docker/buildx/releases/download/v0.13.1/buildx-v0.13.1.linux-amd64 \ - -o ~/.docker/cli-plugins/docker-buildx - chmod +x ~/.docker/cli-plugins/docker-buildx - docker buildx version # ----------------------------------------------------- - # Build & Push Docker Image (ARC-compatible, no Docker) + # Install buildctl (standalone BuildKit client) # ----------------------------------------------------- - - name: Build & Push Traefik Image (ARC-compatible) - uses: docker/build-push-action@v5 + - name: Install buildctl (BuildKit CLI) + run: | + apt-get update && apt-get install -y curl + curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz + tar -xzf buildkit.tar.gz + mv bin/buildctl /usr/local/bin/ + chmod +x /usr/local/bin/buildctl + buildctl --version + + # ----------------------------------------------------- + # Log in to Docker Hub (registry auth for buildctl) + # ----------------------------------------------------- + - name: Docker Hub Login for buildctl + run: | + echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | \ + buildctl login docker.io \ + --username ${{ secrets.DOCKER_HUB_USERNAME }} \ + --password-stdin + + # ----------------------------------------------------- + # Build & Push Docker Image (NO Docker, NO Buildx, NO Daemon) + # ----------------------------------------------------- + - name: Build & Push Traefik Image (ARC-safe buildctl) env: - BUILDKIT_SBOM_SCAN_STATUS: disabled - with: - context: ${{ github.workspace }}/traefik - file: ${{ github.workspace }}/traefik/Dockerfile - platforms: linux/amd64 - push: true - provenance: false - sbom: false - 
builder: default - tags: | - docker.io/kimjunte/edge_router:${{ github.sha }} - docker.io/kimjunte/edge_router:latest + IMAGE_TAG: docker.io/kimjunte/edge_router:${{ github.sha }} + LATEST_TAG: docker.io/kimjunte/edge_router:latest + run: | + # Build SHA-tagged image + buildctl build \ + --frontend dockerfile.v0 \ + --local context="${GITHUB_WORKSPACE}/traefik" \ + --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ + --opt platform=linux/amd64 \ + --output type=image,name=${IMAGE_TAG},push=true + + # Build latest tag + buildctl build \ + --frontend dockerfile.v0 \ + --local context="${GITHUB_WORKSPACE}/traefik" \ + --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ + --opt platform=linux/amd64 \ + --output type=image,name=${LATEST_TAG},push=true # ----------------------------------------------------- # Apply Storage Classes + PVCs From f7e9326872b3f3dbf4eaa46958e5e9d478f2d84c Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:14:03 +0000 Subject: [PATCH 08/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 46 ++++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 0d0b838..924f836 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -11,7 +11,7 @@ jobs: steps: # ----------------------------------------------------- - # Checkout + # Checkout Repo # ----------------------------------------------------- - uses: actions/checkout@v4 @@ -26,7 +26,7 @@ jobs: install -m 0755 kubectl /usr/local/bin/kubectl # ----------------------------------------------------- - # Configure kubeconfig using ARC pod token + # Configure kubeconfig via ARC pod token # ----------------------------------------------------- - name: Configure kubeconfig run: | 
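Review bot: The `Docker Hub Login for buildctl` step interpolates `${{ secrets.DOCKER_HUB_PASSWORD }}` and `${{ secrets.DOCKER_HUB_USERNAME }}` directly into the `run:` script, so the secret values become part of the shell text the runner writes and executes and the unquoted username is subject to word splitting; pass them through `env:` (`DOCKER_USER: ${{ secrets.DOCKER_HUB_USERNAME }}`, `DOCKER_PASS: ${{ secrets.DOCKER_HUB_PASSWORD }}`) and reference `"$DOCKER_USER"` / `"$DOCKER_PASS"` quoted. As far as I know `buildctl` has no `login` subcommand — BuildKit takes registry auth from the client's `~/.docker/config.json` — so this step likely fails before any push. The two `buildctl build` invocations rebuild the same context just to get two tags; one build with `--output type=image,"name=${IMAGE_TAG},${LATEST_TAG}",push=true` pushes both. `buildctl build` additionally needs a reachable `buildkitd` (`BUILDKIT_HOST`), which nothing visible starts.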
@@ -41,21 +41,21 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Install buildctl (standalone BuildKit client) + # Install buildctl (BuildKit client only) # ----------------------------------------------------- - - name: Install buildctl (BuildKit CLI) + - name: Install buildctl run: | - apt-get update && apt-get install -y curl + apt-get update + apt-get install -y curl curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz tar -xzf buildkit.tar.gz mv bin/buildctl /usr/local/bin/ chmod +x /usr/local/bin/buildctl - buildctl --version # ----------------------------------------------------- - # Log in to Docker Hub (registry auth for buildctl) + # Authenticate to Docker Hub for pushing # ----------------------------------------------------- - - name: Docker Hub Login for buildctl + - name: Docker Hub Login (buildctl) run: | echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | \ buildctl login docker.io \ @@ -63,12 +63,12 @@ jobs: --password-stdin # ----------------------------------------------------- - # Build & Push Docker Image (NO Docker, NO Buildx, NO Daemon) + # Build & Push Docker Image (ARC-compatible, simplest) # ----------------------------------------------------- - - name: Build & Push Traefik Image (ARC-safe buildctl) + - name: Build & Push Traefik Image env: - IMAGE_TAG: docker.io/kimjunte/edge_router:${{ github.sha }} - LATEST_TAG: docker.io/kimjunte/edge_router:latest + IMAGE_SHA: docker.io/kimjunte/edge_router:${{ github.sha }} + IMAGE_LATEST: docker.io/kimjunte/edge_router:latest run: | # Build SHA-tagged image buildctl build \ 
@@ -76,15 +76,15 @@ jobs: --local context="${GITHUB_WORKSPACE}/traefik" \ --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ --opt platform=linux/amd64 \ - --output type=image,name=${IMAGE_TAG},push=true + --output type=image,name=${IMAGE_SHA},push=true - # Build latest tag + # Push latest tag buildctl build \ --frontend dockerfile.v0 \ --local context="${GITHUB_WORKSPACE}/traefik" \ --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ --opt platform=linux/amd64 \ - --output type=image,name=${LATEST_TAG},push=true + --output type=image,name=${IMAGE_LATEST},push=true # ----------------------------------------------------- # Apply Storage Classes + PVCs @@ -106,7 +106,7 @@ jobs: kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml else - echo "CRDs already exist — skipping." + echo "Traefik CRDs already exist — skipping." fi # ----------------------------------------------------- @@ -122,18 +122,18 @@ jobs: kubectl apply -f traefik/edge-router/traefik-ingressroute.yml # ----------------------------------------------------- - # Deploy whoami (test app) + # Deploy whoami test service # ----------------------------------------------------- - - name: Deploy whoami test service + - name: Deploy whoami run: | kubectl apply -f traefik/who-am-i/whoami-deployment.yml kubectl apply -f traefik/who-am-i/whoami-service.yml kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml # ----------------------------------------------------- - # Create registry secret + # Default namespace registry secret # ----------------------------------------------------- - - name: Create registry secret (default ns) + - name: Create registry secret (default) run: | kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml 
@@ -142,12 +142,12 @@ jobs: # ----------------------------------------------------- - name: Create staging namespace run: | - kubectl get namespace staging >/dev/null 2>&1 || kubectl create namespace staging + kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging # ----------------------------------------------------- - # Apply registry secret to staging + # Add registry secret to staging namespace # ----------------------------------------------------- - - name: Registry secret in staging namespace + - name: Registry secret to staging run: | sed 's/namespace: default/namespace: staging/' \ traefik/docker-registry-credentials/docker-credentials.yml \ From 87f5cef31013f835b0d870ac067bae5a5d5b1d9f Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:17:31 +0000 Subject: [PATCH 09/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 52 +++++++------------- 1 file changed, 19 insertions(+), 33 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 924f836..d973557 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -10,9 +10,6 @@ jobs: image: ubuntu:22.04 steps: - # ----------------------------------------------------- - # Checkout Repo - # ----------------------------------------------------- - uses: actions/checkout@v4 # ----------------------------------------------------- 
@@ -41,50 +38,43 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Install buildctl (BuildKit client only) + # Install buildctl (standalone) # ----------------------------------------------------- - name: Install buildctl run: | - apt-get update - apt-get install -y curl + apt-get update && apt-get install -y curl curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz tar -xzf buildkit.tar.gz mv bin/buildctl /usr/local/bin/ chmod +x /usr/local/bin/buildctl # ----------------------------------------------------- - # Authenticate to Docker Hub for pushing - # ----------------------------------------------------- - - name: Docker Hub Login (buildctl) - run: | - echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | \ - buildctl login docker.io \ - --username ${{ secrets.DOCKER_HUB_USERNAME }} \ - --password-stdin - - # ----------------------------------------------------- - # Build & Push Docker Image (ARC-compatible, simplest) + # Build & Push Docker Image (NO docker, NO buildx, NO daemon) # ----------------------------------------------------- - name: Build & Push Traefik Image env: + DOCKER_USER: ${{ secrets.DOCKER_HUB_USERNAME }} + DOCKER_PASS: ${{ secrets.DOCKER_HUB_PASSWORD }} IMAGE_SHA: docker.io/kimjunte/edge_router:${{ github.sha }} IMAGE_LATEST: docker.io/kimjunte/edge_router:latest run: | - # Build SHA-tagged image - buildctl build \ - --frontend dockerfile.v0 \ - --local context="${GITHUB_WORKSPACE}/traefik" \ - --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ - --opt platform=linux/amd64 \ - --output type=image,name=${IMAGE_SHA},push=true + AUTH=$(printf "%s:%s" "$DOCKER_USER" "$DOCKER_PASS" | base64 -w0) - # Push latest tag + # Build + Push SHA tag buildctl build \ --frontend dockerfile.v0 \ --local context="${GITHUB_WORKSPACE}/traefik" \ --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ --opt platform=linux/amd64 \ - --output 
type=image,name=${IMAGE_LATEST},push=true + --output type=registry,name=${IMAGE_SHA},push=true,registry.insecure=false,registry.auth=$AUTH + + # Build + Push latest tag + buildctl build \ + --frontend dockerfile.v0 \ + --local context="${GITHUB_WORKSPACE}/traefik" \ + --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ + --opt platform=linux/amd64 \ + --output type=registry,name=${IMAGE_LATEST},push=true,registry.insecure=false,registry.auth=$AUTH # ----------------------------------------------------- # Apply Storage Classes + PVCs @@ -93,7 +83,6 @@ jobs: run: | kubectl apply -f traefik/storageclass/storageclass.yaml kubectl apply -f traefik/storageclass/certs-pv.yaml - kubectl get storageclass # ----------------------------------------------------- # Install Traefik CRDs (idempotent) @@ -101,12 +90,9 @@ jobs: - name: Install Traefik CRDs run: | if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then - echo "Installing Traefik CRDs..." kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml - else - echo "Traefik CRDs already exist — skipping." fi # ----------------------------------------------------- 
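Review bot: `registry.auth=$AUTH` puts the base64-encoded `user:password` on the `buildctl` command line, where it is readable by every process on the runner pod via `/proc`, and because the Actions log masker only redacts the exact secret string, the base64 form appears unmasked if the command is ever echoed in an error. I also cannot find `registry.auth` among BuildKit's `type=registry` output attributes; BuildKit reads registry credentials from `~/.docker/config.json`, so write that file from the env (mode 0600) and drop the attribute. A single build can push both tags via a quoted `name=` list instead of building the context twice.
```yaml
        # … unchanged: step name and env block (DOCKER_USER, DOCKER_PASS, IMAGE_SHA, IMAGE_LATEST) …
        run: |
          umask 077
          mkdir -p ~/.docker
          AUTH=$(printf "%s:%s" "$DOCKER_USER" "$DOCKER_PASS" | base64 -w0)
          printf '{"auths":{"https://index.docker.io/v1/":{"auth":"%s"}}}' "$AUTH" > ~/.docker/config.json
          buildctl build \
            --frontend dockerfile.v0 \
            --local context="${GITHUB_WORKSPACE}/traefik" \
            --local dockerfile="${GITHUB_WORKSPACE}/traefik" \
            --opt platform=linux/amd64 \
            --output type=image,"name=${IMAGE_SHA},${IMAGE_LATEST}",push=true
```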
@@ -131,21 +117,21 @@ jobs: kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml # ----------------------------------------------------- - # Default namespace registry secret + # Create registry secret in default namespace # ----------------------------------------------------- - name: Create registry secret (default) run: | kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml # ----------------------------------------------------- - # Create staging namespace + # Ensure staging namespace exists # ----------------------------------------------------- - name: Create staging namespace run: | kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging # ----------------------------------------------------- - # Add registry secret to staging namespace + # Apply registry secret to staging # ----------------------------------------------------- - name: Registry secret to staging run: | From 7fb4636a989fffb78b4238b78140fd76c56cf2c3 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:20:57 +0000 Subject: [PATCH 10/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 23 ++++++++++---------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index d973557..24b975e 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -6,10 +6,11 @@ on: jobs: bootstrap: runs-on: mealcraft-runners - container: - image: ubuntu:22.04 steps: + # ----------------------------------------------------- + # Checkout Repo + # ----------------------------------------------------- - uses: actions/checkout@v4 # ----------------------------------------------------- 
@@ -17,10 +18,10 @@ jobs: # ----------------------------------------------------- - name: Install kubectl run: | - apt-get update - apt-get install -y ca-certificates curl + sudo apt-get update + sudo apt-get install -y ca-certificates curl curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - install -m 0755 kubectl /usr/local/bin/kubectl + sudo install -m 0755 kubectl /usr/local/bin/kubectl # ----------------------------------------------------- # Configure kubeconfig via ARC pod token @@ -38,15 +39,15 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Install buildctl (standalone) + # Install buildctl (standalone BuildKit client) # ----------------------------------------------------- - name: Install buildctl run: | - apt-get update && apt-get install -y curl + sudo apt-get update && sudo apt-get install -y curl curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz tar -xzf buildkit.tar.gz - mv bin/buildctl /usr/local/bin/ - chmod +x /usr/local/bin/buildctl + sudo mv bin/buildctl /usr/local/bin/ + sudo chmod +x /usr/local/bin/buildctl # ----------------------------------------------------- # Build & Push Docker Image (NO docker, NO buildx, NO daemon) @@ -66,7 +67,7 @@ jobs: --local context="${GITHUB_WORKSPACE}/traefik" \ --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ --opt platform=linux/amd64 \ - --output type=registry,name=${IMAGE_SHA},push=true,registry.insecure=false,registry.auth=$AUTH + --output type=registry,name=${IMAGE_SHA},push=true,registry.auth=${AUTH} # Build + Push latest tag buildctl build \ 
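Review bot: The `Install buildctl` step still installs only the client: `buildctl build` talks to a `buildkitd` over `BUILDKIT_HOST`, the daemon start step was removed in an earlier commit, and nothing in the workflow runs one, so unless the ARC runner image exposes a BuildKit socket (not visible here) the build step fails before any push. The tarball download also keeps `curl -sSL` with no `-f` and no checksum; add `-f` and verify the published sha256 before `sudo mv bin/buildctl /usr/local/bin/`. `sudo apt-get update && sudo apt-get install -y curl` repeats the install already done in the kubectl step and can be dropped.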
@@ -74,7 +75,7 @@ jobs: --local context="${GITHUB_WORKSPACE}/traefik" \ --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ --opt platform=linux/amd64 \ - --output type=registry,name=${IMAGE_LATEST},push=true,registry.insecure=false,registry.auth=$AUTH + --output type=registry,name=${IMAGE_LATEST},push=true,registry.auth=${AUTH} # ----------------------------------------------------- # Apply Storage Classes + PVCs From cb5b325790242b0f085317935ce754dfbf1116fa Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:31:51 +0000 Subject: [PATCH 11/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 75 ++++++++------------ github_runner/install/install_arc.sh | 48 +++++++------ 2 files changed, 55 insertions(+), 68 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 24b975e..8ff8907 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -7,6 +7,13 @@ jobs: bootstrap: runs-on: mealcraft-runners + # ----------------------------------------------------- + # REQUIRED: Use Docker DinD job container + # ----------------------------------------------------- + container: + image: docker:24.0-dind + options: --privileged + steps: # ----------------------------------------------------- # Checkout Repo @@ -18,10 +25,9 @@ jobs: # ----------------------------------------------------- - name: Install kubectl run: | - sudo apt-get update - sudo apt-get install -y ca-certificates curl + apk add --no-cache curl ca-certificates bash curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - sudo install -m 0755 kubectl /usr/local/bin/kubectl + install -m 0755 kubectl /usr/local/bin/kubectl # ----------------------------------------------------- # Configure kubeconfig via ARC pod token 
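Review bot: `options: --privileged` on the `docker:24.0-dind` job container gives every step in this job — including third-party actions pulled by mutable tag — root on the node kernel, all host devices and the ability to mount the host filesystem, on a pod that also holds the cluster service-account token and the Docker Hub credentials; a compromised action or a malicious change to this workflow becomes a node escape. The comment `# REQUIRED: Use Docker DinD job container` should at least record why the daemonless path was abandoned. Prefer a daemonless builder (rootless BuildKit, kaniko, buildah) or, if dind is unavoidable, run it on a dedicated runner scale set on isolated nodes that carries no cluster-write credentials, and grant the privilege through ARC's dind container mode rather than per-workflow `--privileged`.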
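Review bot: The kubectl install this hunk rewrites still resolves `stable.txt` at run time and installs the binary with no checksum (`curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"`), so each run executes whatever dl.k8s.io serves that day against the cluster, and without `-f` a failed download is installed as-is. Pin a version and verify the published digest: `curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"` followed by `curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" | sed 's/$/  kubectl/' | sha256sum -c -`.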
@@ -39,43 +45,26 @@ jobs: kubectl config use-context runner-context # ----------------------------------------------------- - # Install buildctl (standalone BuildKit client) + # Docker Login # ----------------------------------------------------- - - name: Install buildctl - run: | - sudo apt-get update && sudo apt-get install -y curl - curl -sSL https://github.com/moby/buildkit/releases/download/v0.12.5/buildkit-v0.12.5.linux-amd64.tar.gz -o buildkit.tar.gz - tar -xzf buildkit.tar.gz - sudo mv bin/buildctl /usr/local/bin/ - sudo chmod +x /usr/local/bin/buildctl + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} # ----------------------------------------------------- - # Build & Push Docker Image (NO docker, NO buildx, NO daemon) + # Build & Push Docker Image (Docker-in-Docker) # ----------------------------------------------------- - - name: Build & Push Traefik Image - env: - DOCKER_USER: ${{ secrets.DOCKER_HUB_USERNAME }} - DOCKER_PASS: ${{ secrets.DOCKER_HUB_PASSWORD }} - IMAGE_SHA: docker.io/kimjunte/edge_router:${{ github.sha }} - IMAGE_LATEST: docker.io/kimjunte/edge_router:latest - run: | - AUTH=$(printf "%s:%s" "$DOCKER_USER" "$DOCKER_PASS" | base64 -w0) - - # Build + Push SHA tag - buildctl build \ - --frontend dockerfile.v0 \ - --local context="${GITHUB_WORKSPACE}/traefik" \ - --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ - --opt platform=linux/amd64 \ - --output type=registry,name=${IMAGE_SHA},push=true,registry.auth=${AUTH} - - # Build + Push latest tag - buildctl build \ - --frontend dockerfile.v0 \ - --local context="${GITHUB_WORKSPACE}/traefik" \ - --local dockerfile="${GITHUB_WORKSPACE}/traefik" \ - --opt platform=linux/amd64 \ - --output type=registry,name=${IMAGE_LATEST},push=true,registry.auth=${AUTH} + - name: Build and Push Traefik Image + uses: docker/build-push-action@v5 + with: + context: ./traefik + file: 
./traefik/Dockerfile + push: true + tags: | + docker.io/kimjunte/edge_router:${{ github.sha }} + docker.io/kimjunte/edge_router:latest # ----------------------------------------------------- # Apply Storage Classes + PVCs @@ -118,22 +107,14 @@ jobs: kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml # ----------------------------------------------------- - # Create registry secret in default namespace + # Registry secrets # ----------------------------------------------------- - name: Create registry secret (default) - run: | - kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml + run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml - # ----------------------------------------------------- - # Ensure staging namespace exists - # ----------------------------------------------------- - name: Create staging namespace - run: | - kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging + run: kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging - # ----------------------------------------------------- - # Apply registry secret to staging - # ----------------------------------------------------- - name: Registry secret to staging run: | sed 's/namespace: default/namespace: staging/' \ diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index 9e16758..830ab53 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh 
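Review bot: The new `docker/login-action@v3` and `docker/build-push-action@v5` steps receive the Docker Hub credentials but are referenced by mutable major tags, so whatever those tags resolve to at run time is handed the secret. Pin third-party actions to a full commit SHA with the version as a trailing comment, e.g. `uses: docker/login-action@<FULL_COMMIT_SHA>  # v3`, and let Dependabot or Renovate move the pin. The same applies to `aevea/action-kaniko@v1` and the later `int128/kaniko-action@v1` in the Kaniko hunks of this series, which also take the registry token.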
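Review bot: `run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml` applies a registry secret that lives in the repository, and if that manifest contains a literal `.dockerconfigjson` the Docker Hub credential is committed to version control and readable by anyone with repository access. Since the workflow already has `secrets.DOCKER_HUB_USERNAME` and the token, generate the secret at apply time instead — `kubectl create secret docker-registry <SECRET_NAME> --docker-username="$DOCKER_USER" --docker-password="$DOCKER_PASS" --dry-run=client -o yaml | kubectl apply -n staging -f -` with the values passed through `env:` — which also removes the fragile `sed 's/namespace: default/namespace: staging/'` rewrite. The same steps reappear in the later `@@ -78,7 +83,26` hunk and in the final job-split commit. I cannot see the manifest's contents, so first confirm whether it is a plain Secret or a sealed/external reference.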
@@ -11,30 +11,36 @@ set -ex # sudo usermod -aG microk8s $USER # sudo chown -f -R $USER ~/.kube -# helm uninstall arc -n arc-systems || true +helm uninstall arc -n arc-systems || true -# echo "=== Install ARC Scale Set Controller ===" -# helm install arc \ -# --namespace arc-systems \ -# --create-namespace \ -# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller +echo "=== Install ARC Scale Set Controller ===" +helm install arc \ + --namespace arc-systems \ + --create-namespace \ + oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller -# helm uninstall mealcraft-runners -n arc-systems || true +helm uninstall mealcraft-runners -n arc-systems || true -# helm install mealcraft-runners \ -# --namespace arc-systems \ -# --create-namespace \ -# --set runnerScaleSetName="mealcraft-runners" \ -# --set githubConfigUrl="https://github.com/MealCraft" \ -# --set githubConfigSecret.name="github-secret" \ -# --set githubConfigSecret.github_token="$GITHUB_PAT" \ -# --set containerMode.type="kubernetes" \ -# --set containerMode.kubernetesModeDefaultContainer.image="ubuntu:22.04" \ -# --set containerMode.kubernetesModeWorkVolumeClaim.accessModes[0]="ReadWriteOnce" \ -# --set containerMode.kubernetesModeWorkVolumeClaim.storageClassName="microk8s-hostpath" \ -# --set containerMode.kubernetesModeWorkVolumeClaim.resources.requests.storage="1Gi" \ -# --set runnerLabels[0]="mealcraft" \ -# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set +helm install mealcraft-runners \ + --namespace arc-systems \ + --create-namespace \ + --set runnerScaleSetName="mealcraft-runners" \ + --set githubConfigUrl="https://github.com/MealCraft" \ + --set githubConfigSecret.name="github-secret" \ + --set githubConfigSecret.github_token="$GITHUB_PAT" \ + \ + --set dockerInDockerEnabled=true \ + \ + --set containerMode.type="kubernetes" \ + --set containerMode.kubernetesModeDefaultContainer.image="docker:24.0-dind" \ + 
--set containerMode.kubernetesModeDefaultContainer.options="--privileged" \ + \ + --set containerMode.kubernetesModeWorkVolumeClaim.accessModes[0]="ReadWriteOnce" \ + --set containerMode.kubernetesModeWorkVolumeClaim.storageClassName="microk8s-hostpath" \ + --set containerMode.kubernetesModeWorkVolumeClaim.resources.requests.storage="20Gi" \ + \ + --set runnerLabels[0]="mealcraft" \ + oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set echo "=== Applying RBAC for runner ===" From 6b25e8c6b2533ff017e58e479f7143c1e933d469 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:40:25 +0000 Subject: [PATCH 12/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 2 +- github_runner/install/install_arc.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 8ff8907..2ddb6fd 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -51,7 +51,7 @@ jobs: uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PASSWORD }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} # ----------------------------------------------------- # Build & Push Docker Image (Docker-in-Docker) diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index 830ab53..f8b7bd3 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh 
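Review bot: `--set githubConfigSecret.github_token="$GITHUB_PAT"` runs under the `set -ex` shown in the hunk header, so the expanded PAT is written to the shell trace on every run of install_arc.sh; the line is pre-existing, but this hunk rewrites the whole helm command and is the place to fix it, and the same line survives into the later `@@ -1,31 +1,42` rewrite of this file. Pre-create the secret once with tracing off (`set +x; microk8s kubectl create secret generic github-secret -n arc-systems --from-literal=github_token="$GITHUB_PAT"; set -x`) and pass only `--set githubConfigSecret=github-secret`, so no credential appears on any command line. Separately, I cannot find `dockerInDockerEnabled`, `containerMode.kubernetesModeDefaultContainer.*` (including the `workDirMountPath` key added in the next commit) or the later `containerMode.type="runner"` among the gha-runner-scale-set chart's documented values, and `helm --set` accepts unknown keys silently, so these may be no-ops; the documented way to get DinD is `containerMode.type="dind"`. Render with `helm template` and check the generated pod spec before assuming the runner is actually privileged or mounted as intended.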
@@ -34,6 +34,7 @@ helm install mealcraft-runners \ --set containerMode.type="kubernetes" \ --set containerMode.kubernetesModeDefaultContainer.image="docker:24.0-dind" \ --set containerMode.kubernetesModeDefaultContainer.options="--privileged" \ + --set containerMode.kubernetesModeDefaultContainer.workDirMountPath="/__w" \ \ --set containerMode.kubernetesModeWorkVolumeClaim.accessModes[0]="ReadWriteOnce" \ --set containerMode.kubernetesModeWorkVolumeClaim.storageClassName="microk8s-hostpath" \ @@ -42,6 +43,7 @@ helm install mealcraft-runners \ --set runnerLabels[0]="mealcraft" \ oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set + echo "=== Applying RBAC for runner ===" microk8s kubectl apply -f - <<'EOF' From 45a5eb0c43f0a97b23929ba02e6304413f5d336b Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:42:41 +0000 Subject: [PATCH 13/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 56 ++++---------------- 1 file changed, 9 insertions(+), 47 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 2ddb6fd..00eb0f4 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
@@ -7,31 +7,27 @@ jobs: bootstrap: runs-on: mealcraft-runners - # ----------------------------------------------------- - # REQUIRED: Use Docker DinD job container - # ----------------------------------------------------- container: image: docker:24.0-dind options: --privileged steps: - # ----------------------------------------------------- - # Checkout Repo - # ----------------------------------------------------- - uses: actions/checkout@v4 - # ----------------------------------------------------- - # Install kubectl - # ----------------------------------------------------- + # Start the docker daemon manually (REQUIRED) + - name: Start Docker daemon + run: | + dockerd-entrypoint.sh >/tmp/dockerd.log 2>&1 & + echo "Waiting for Docker to start..." + sleep 10 + docker info + - name: Install kubectl run: | apk add --no-cache curl ca-certificates bash curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" install -m 0755 kubectl /usr/local/bin/kubectl - # ----------------------------------------------------- - # Configure kubeconfig via ARC pod token - # ----------------------------------------------------- - name: Configure kubeconfig run: | KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" @@ -44,18 +40,12 @@ jobs: kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context - # ----------------------------------------------------- - # Docker Login - # ----------------------------------------------------- - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - # ----------------------------------------------------- - # Build & Push Docker Image (Docker-in-Docker) - # ----------------------------------------------------- - name: Build and Push Traefik Image uses: docker/build-push-action@v5 with: 
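Review bot: The new Start Docker daemon step backgrounds `dockerd-entrypoint.sh`, waits a fixed `sleep 10` and then runs a single `docker info`, so a slow daemon start fails the job, a fast one wastes time, and the daemon's log in `/tmp/dockerd.log` is never shown on failure. Poll for readiness with a bounded loop and dump the log if the daemon never comes up; the step name, `run: |` and the `dockerd-entrypoint.sh` line are unchanged. This also matters because if the container is not actually privileged (the `--privileged` option may not be honoured in ARC's kubernetes mode) `dockerd` will refuse to start and only that log will say why.
```yaml
        run: |
          dockerd-entrypoint.sh >/tmp/dockerd.log 2>&1 &
          for _ in $(seq 1 30); do
            docker info >/dev/null 2>&1 && break
            sleep 1
          done
          docker info || { echo "dockerd failed to start"; cat /tmp/dockerd.log; exit 1; }
```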
@@ -66,17 +56,11 @@ jobs: docker.io/kimjunte/edge_router:${{ github.sha }} docker.io/kimjunte/edge_router:latest - # ----------------------------------------------------- - # Apply Storage Classes + PVCs - # ----------------------------------------------------- - name: Apply StorageClass + PV run: | kubectl apply -f traefik/storageclass/storageclass.yaml kubectl apply -f traefik/storageclass/certs-pv.yaml - # ----------------------------------------------------- - # Install Traefik CRDs (idempotent) - # ----------------------------------------------------- - name: Install Traefik CRDs run: | if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then @@ -85,9 +69,6 @@ jobs: kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml fi - # ----------------------------------------------------- - # Deploy Traefik - # ----------------------------------------------------- - name: Deploy Traefik run: | kubectl apply -f traefik/edge-router/pvc.yaml 
@@ -97,26 +78,7 @@ jobs: kubectl apply -f traefik/edge-router/secret-dashboard.yml kubectl apply -f traefik/edge-router/traefik-ingressroute.yml - # ----------------------------------------------------- - # Deploy whoami test service - # ----------------------------------------------------- - name: Deploy whoami run: | kubectl apply -f traefik/who-am-i/whoami-deployment.yml - kubectl apply -f traefik/who-am-i/whoami-service.yml - kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml - - # ----------------------------------------------------- - # Registry secrets - # ----------------------------------------------------- - - name: Create registry secret (default) - run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml - - - name: Create staging namespace - run: kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging - - - name: Registry secret to staging - run: | - sed 's/namespace: default/namespace: staging/' \ - traefik/docker-registry-credentials/docker-credentials.yml \ - | kubectl apply -f - + kubectl apply -f traefik/who-am-i/whoami-servi From d697dd21e93bf2b6cc74125d708e000c01691d48 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:48:16 +0000 Subject: [PATCH 14/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 78 +++++++++++++------- github_runner/install/install_arc.sh | 15 +--- 2 files changed, 54 insertions(+), 39 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 00eb0f4..ee11172 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
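Review bot: The last added line of this hunk, `kubectl apply -f traefik/who-am-i/whoami-servi`, is a truncated path, so the Deploy whoami step will fail at that line, and the `whoami-ingressroute.yml` apply plus the three registry-secret and staging-namespace steps are removed along with it. If dropping those steps is intended, the truncated line should still read `kubectl apply -f traefik/who-am-i/whoami-service.yml`; if not, the whole tail of the file needs restoring rather than just the one path.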
@@ -7,27 +7,25 @@ jobs: bootstrap: runs-on: mealcraft-runners - container: - image: docker:24.0-dind - options: --privileged - steps: + # ----------------------------------------------------- + # Checkout Repo + # ----------------------------------------------------- - uses: actions/checkout@v4 - # Start the docker daemon manually (REQUIRED) - - name: Start Docker daemon - run: | - dockerd-entrypoint.sh >/tmp/dockerd.log 2>&1 & - echo "Waiting for Docker to start..." - sleep 10 - docker info - + # ----------------------------------------------------- + # Install kubectl + # ----------------------------------------------------- - name: Install kubectl run: | - apk add --no-cache curl ca-certificates bash + sudo apt-get update + sudo apt-get install -y ca-certificates curl curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - install -m 0755 kubectl /usr/local/bin/kubectl + sudo install -m 0755 kubectl /usr/local/bin/kubectl + # ----------------------------------------------------- + # Configure kubeconfig via ARC pod token + # ----------------------------------------------------- - name: Configure kubeconfig run: | KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" 
@@ -40,27 +38,31 @@ jobs: kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context - - name: Login to Docker Hub - uses: docker/login-action@v3 + # ----------------------------------------------------- + # Build & Push Image with Kaniko (ARC-compatible) + # ----------------------------------------------------- + - name: Build and Push Traefik Image (Kaniko) + uses: aevea/action-kaniko@v1 with: + registry: docker.io username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} + image: kimjunte/edge_router + tag: ${{ github.sha }},latest + path: traefik + dockerfile: traefik/Dockerfile - - name: Build and Push Traefik Image - uses: docker/build-push-action@v5 - with: - context: ./traefik - file: ./traefik/Dockerfile - push: true - tags: | - docker.io/kimjunte/edge_router:${{ github.sha }} - docker.io/kimjunte/edge_router:latest - + # ----------------------------------------------------- + # Apply Storage Classes + PVCs + # ----------------------------------------------------- - name: Apply StorageClass + PV run: | kubectl apply -f traefik/storageclass/storageclass.yaml kubectl apply -f traefik/storageclass/certs-pv.yaml + # ----------------------------------------------------- + # Install Traefik CRDs (idempotent) + # ----------------------------------------------------- - name: Install Traefik CRDs run: | if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then @@ -69,6 +71,9 @@ jobs: kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml fi + # ----------------------------------------------------- + # Deploy Traefik + # ----------------------------------------------------- - name: Deploy Traefik run: | kubectl apply -f traefik/edge-router/pvc.yaml 
@@ -78,7 +83,26 @@ jobs: kubectl apply -f traefik/edge-router/secret-dashboard.yml kubectl apply -f traefik/edge-router/traefik-ingressroute.yml + # ----------------------------------------------------- + # Deploy whoami test service + # ----------------------------------------------------- - name: Deploy whoami run: | kubectl apply -f traefik/who-am-i/whoami-deployment.yml - kubectl apply -f traefik/who-am-i/whoami-servi + kubectl apply -f traefik/who-am-i/whoami-service.yml + kubectl apply -f traefik/who-am-i/whoami-ingressroute.yml + + # ----------------------------------------------------- + # Registry secrets + # ----------------------------------------------------- + - name: Create registry secret (default) + run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml + + - name: Create staging namespace + run: kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging + + - name: Registry secret to staging + run: | + sed 's/namespace: default/namespace: staging/' \ + traefik/docker-registry-credentials/docker-credentials.yml \ + | kubectl apply -f - diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index f8b7bd3..cc9d837 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh @@ -21,6 +21,7 @@ helm install arc \ helm uninstall mealcraft-runners -n arc-systems || true +echo "=== Install MealCraft Runner Scale Set (NO Docker-in-Docker) ===" helm install mealcraft-runners \ --namespace arc-systems \ --create-namespace \ 
@@ -28,18 +29,8 @@ helm install mealcraft-runners \ --set githubConfigUrl="https://github.com/MealCraft" \ --set githubConfigSecret.name="github-secret" \ --set githubConfigSecret.github_token="$GITHUB_PAT" \ - \ - --set dockerInDockerEnabled=true \ - \ - --set containerMode.type="kubernetes" \ - --set containerMode.kubernetesModeDefaultContainer.image="docker:24.0-dind" \ - --set containerMode.kubernetesModeDefaultContainer.options="--privileged" \ - --set containerMode.kubernetesModeDefaultContainer.workDirMountPath="/__w" \ - \ - --set containerMode.kubernetesModeWorkVolumeClaim.accessModes[0]="ReadWriteOnce" \ - --set containerMode.kubernetesModeWorkVolumeClaim.storageClassName="microk8s-hostpath" \ - --set containerMode.kubernetesModeWorkVolumeClaim.resources.requests.storage="20Gi" \ - \ + --set dockerInDockerEnabled=false \ + --set containerMode.type="runner" \ --set runnerLabels[0]="mealcraft" \ oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set From dfb96e2a735d8af470719e1bdbbbeac027816b1b Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:49:40 +0000 Subject: [PATCH 15/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index ee11172..24cbc8f 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -42,7 +42,7 @@ jobs: # Build & Push Image with Kaniko (ARC-compatible) # ----------------------------------------------------- - name: Build and Push Traefik Image (Kaniko) - uses: aevea/action-kaniko@v1 + uses: int128/kaniko-action@v1 with: registry: docker.io username: ${{ secrets.DOCKER_HUB_USERNAME }} From 2abe4818ed3e50d48ec9aecc713384aac84d7907 Mon Sep 17 00:00:00 2001 
From: Jun-te Kim Date: Sat, 6 Dec 2025 21:51:30 +0000 Subject: [PATCH 16/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 24cbc8f..5a9b69a 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -42,15 +42,15 @@ jobs: # Build & Push Image with Kaniko (ARC-compatible) # ----------------------------------------------------- - name: Build and Push Traefik Image (Kaniko) - uses: int128/kaniko-action@v1 + uses: docker://gcr.io/kaniko-project/executor:latest + env: + DOCKER_CONFIG: /kaniko/.docker/ with: - registry: docker.io - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_TOKEN }} - image: kimjunte/edge_router - tag: ${{ github.sha }},latest - path: traefik - dockerfile: traefik/Dockerfile + args: > + --context ${GITHUB_WORKSPACE}/traefik + --dockerfile ${GITHUB_WORKSPACE}/traefik/Dockerfile + --destination=docker.io/kimjunte/edge_router:${{ github.sha }} + --destination=docker.io/kimjunte/edge_router:latest # ----------------------------------------------------- # Apply Storage Classes + PVCs From a39f66b6744942d959ae2248c1df7cdc4d364cc7 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 21:55:51 +0000 Subject: [PATCH 17/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 180 ++++++++++--------- 1 file changed, 91 insertions(+), 89 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 5a9b69a..6a2ff6d 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
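Review bot: The new `docker://gcr.io/kaniko-project/executor:latest` step pushes to `docker.io`, but no step in the job writes registry credentials to the `/kaniko/.docker/` directory named by `DOCKER_CONFIG` (the login step was removed two commits earlier), so the push should fail with an authorization error. The `${GITHUB_WORKSPACE}` references in `args` are also suspect: the runner expands only `${{ }}` expressions, and the executor image does not run its arguments through a shell, so kaniko likely receives the literal string; use `${{ github.workspace }}` or the container-side `/github/workspace` mount instead. Running the executor from the mutable `:latest` tag hands an unpinned third-party image the registry push path; pin to a version and digest (`executor:<VERSION>@sha256:<PLACEHOLDER_DIGEST>`).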
@@ -4,105 +4,107 @@ on: workflow_dispatch: jobs: - bootstrap: - runs-on: mealcraft-runners + + # ----------------------------------------------------- + # Job 1: Build and push image using GitHub-hosted runner + # ----------------------------------------------------- + build-image: + runs-on: ubuntu-latest steps: - # ----------------------------------------------------- - # Checkout Repo - # ----------------------------------------------------- - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - # ----------------------------------------------------- - # Install kubectl - # ----------------------------------------------------- - - name: Install kubectl - run: | - sudo apt-get update - sudo apt-get install -y ca-certificates curl - curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - sudo install -m 0755 kubectl /usr/local/bin/kubectl + # Docker login on GitHub-hosted runner (has Docker) + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} - # ----------------------------------------------------- - # Configure kubeconfig via ARC pod token - # ----------------------------------------------------- - - name: Configure kubeconfig - run: | - KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" - SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) + # Build and push using real Docker daemon + - name: Build & Push Traefik Image + uses: docker/build-push-action@v5 + with: + context: ./traefik + file: ./traefik/Dockerfile + push: true + tags: | + docker.io/kimjunte/edge_router:${{ github.sha }} + docker.io/kimjunte/edge_router:latest - kubectl config set-cluster microk8s --server="$KUBE_HOST" --certificate-authority="$CA_CERT" - 
kubectl config set-credentials runner --token="$SA_TOKEN" - kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" - kubectl config use-context runner-context + # ----------------------------------------------------- + # Job 2: Deploy to MicroK8s using ARC self-hosted runner + # ----------------------------------------------------- + deploy: + runs-on: mealcraft-runners + needs: build-image - # ----------------------------------------------------- - # Build & Push Image with Kaniko (ARC-compatible) - # ----------------------------------------------------- - - name: Build and Push Traefik Image (Kaniko) - uses: docker://gcr.io/kaniko-project/executor:latest - env: - DOCKER_CONFIG: /kaniko/.docker/ - with: - args: > - --context ${GITHUB_WORKSPACE}/traefik - --dockerfile ${GITHUB_WORKSPACE}/traefik/Dockerfile - --destination=docker.io/kimjunte/edge_router:${{ github.sha }} - --destination=docker.io/kimjunte/edge_router:latest + steps: + - uses: actions/checkout@v4 - # ----------------------------------------------------- - # Apply Storage Classes + PVCs - # ----------------------------------------------------- - - name: Apply StorageClass + PV - run: | - kubectl apply -f traefik/storageclass/storageclass.yaml - kubectl apply -f traefik/storageclass/certs-pv.yaml + # Install kubectl inside containerMode's default Ubuntu + - name: Install kubectl + run: | + sudo apt-get update + sudo apt-get install -y curl ca-certificates + curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + sudo install -m 0755 kubectl /usr/local/bin/kubectl - # ----------------------------------------------------- - # Install Traefik CRDs (idempotent) - # ----------------------------------------------------- - - name: Install Traefik CRDs - run: | - if ! 
kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml - fi + # Configure kubeconfig from ARC's service account + - name: Configure kubeconfig + run: | + KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" + SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) + CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) - # ----------------------------------------------------- - # Deploy Traefik - # ----------------------------------------------------- - - name: Deploy Traefik - run: | - kubectl apply -f traefik/edge-router/pvc.yaml - kubectl apply -f traefik/edge-router/traefik-deployment.yml - kubectl apply -f traefik/edge-router/traefik-services.yml - kubectl apply -f traefik/edge-router/middleware.yaml - kubectl apply -f traefik/edge-router/secret-dashboard.yml - kubectl apply -f traefik/edge-router/traefik-ingressroute.yml + kubectl config set-cluster microk8s --server="$KUBE_HOST" --certificate-authority="$CA_CERT" + kubectl config set-credentials runner --token="$SA_TOKEN" + kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" + kubectl config use-context runner-context - # ----------------------------------------------------- - # Deploy whoami test service - # ----------------------------------------------------- - - name: Deploy whoami - run: | - kubectl apply -f traefik/who-am-i/whoami-deployment.yml - kubectl apply -f traefik/who-am-i/whoami-service.yml - kubectl apply 
-f traefik/who-am-i/whoami-ingressroute.yml + # Apply storage classes + PVs + - name: Apply StorageClass + PV + run: | + kubectl apply -f traefik/storageclass/storageclass.yaml + kubectl apply -f traefik/storageclass/certs-pv.yaml - # ----------------------------------------------------- - # Registry secrets - # ----------------------------------------------------- - - name: Create registry secret (default) - run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml + # Install Traefik CRDs (idempotent) + - name: Install Traefik CRDs + run: | + if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml + fi - - name: Create staging namespace - run: kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging + # Deploy Traefik + - name: Deploy Traefik + run: | + kubectl apply -f traefik/edge-router/pvc.yaml + kubectl apply -f traefik/edge-router/traefik-deployment.yml + kubectl apply -f traefik/edge-router/traefik-services.yml + kubectl apply -f traefik/edge-router/middleware.yaml + kubectl apply -f traefik/edge-router/secret-dashboard.yml + kubectl apply -f traefik/edge-router/traefik-ingressroute.yml - - name: Registry secret to staging - run: | - sed 's/namespace: default/namespace: staging/' \ - traefik/docker-registry-credentials/docker-credentials.yml \ - | kubectl apply -f - + # Deploy whoami test app + - name: Deploy whoami + run: | + kubectl apply -f traefik/who-am-i/whoami-deployment.yml + kubectl apply -f traefik/who-am-i/whoami-service.yml + kubectl apply -f 
traefik/who-am-i/whoami-ingressroute.yml + + # Registry secret + - name: Create registry secret (default) + run: kubectl apply -f traefik/docker-registry-credentials/docker-credentials.yml + + # Staging namespace + - name: Create staging namespace + run: kubectl get ns staging >/dev/null 2>&1 || kubectl create namespace staging + + - name: Registry secret to staging + run: | + sed 's/namespace: default/namespace: staging/' \ + traefik/docker-registry-credentials/docker-credentials.yml \ + | kubectl apply -f - From b804311fba696c4dce00ebbe45032af41403b29b Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 22:49:48 +0000 Subject: [PATCH 18/42] certs pv update --- github_runner/install/install_arc.sh | 103 ++++++++++++++++++++------- traefik/storageclass/certs-pv.yaml | 2 +- 2 files changed, 79 insertions(+), 26 deletions(-) diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index cc9d837..2229204 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh 
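Review bot: The `deploy` job is tied to `build-image` only through `needs:`; nothing carries the built image's digest across, so whatever `traefik/edge-router/traefik-deployment.yml` references (not visible here, presumably the `latest` or sha tag) is a mutable tag that can be repointed between build and rollout. Give the build step an `id:`, expose `steps.<id>.outputs.digest` as a job output, and have the deploy job pin to `docker.io/kimjunte/edge_router@${{ needs.build-image.outputs.image_digest }}` (for example with `kubectl set image` after the apply, or by templating the manifest). Unless it is set in the lines above this hunk, also add a top-level `permissions: contents: read` block, since both jobs only need to read the repository and neither declares permissions.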
@@ -1,31 +1,42 @@ #!/bin/bash set -ex -# OPTIONAL: Enable MicroK8s features first -# sudo microk8s enable dns rbac hostpath-storage host-access -# sudo microk8s enable metrics-server - -# OPTIONAL: Configure kubectl +# ===================================================================== +# OPTIONAL — MicroK8s setup/reset steps (only use when doing a hard reset) +# ===================================================================== +# sudo microk8s reset --destroy-storage +# sudo snap remove microk8s +# sudo snap install microk8s --classic +# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server +# +# # Rebuild kubeconfig for your local user (optional) # microk8s kubectl config view --raw > ~/.kube/config # chmod 600 ~/.kube/config # sudo usermod -aG microk8s $USER # sudo chown -f -R $USER ~/.kube -helm uninstall arc -n arc-systems || true +NAMESPACE="arc-systems" +RUNNER_NAME="mealcraft-runners" + +# ===================================================================== +# Remove previous ARC installation (safe even if missing) +# ===================================================================== +helm uninstall arc -n "${NAMESPACE}" || true +helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true + +echo "=== Installing ARC Scale Set Controller ===" -echo "=== Install ARC Scale Set Controller ===" helm install arc \ - --namespace arc-systems \ + --namespace "${NAMESPACE}" \ --create-namespace \ oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller -helm uninstall mealcraft-runners -n arc-systems || true +echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ===" -echo "=== Install MealCraft Runner Scale Set (NO Docker-in-Docker) ===" -helm install mealcraft-runners \ - --namespace arc-systems \ +helm install "${RUNNER_NAME}" \ + --namespace "${NAMESPACE}" \ --create-namespace \ - --set runnerScaleSetName="mealcraft-runners" \ + --set runnerScaleSetName="${RUNNER_NAME}" \ --set 
githubConfigUrl="https://github.com/MealCraft" \ --set githubConfigSecret.name="github-secret" \ --set githubConfigSecret.github_token="$GITHUB_PAT" \ @@ -34,33 +45,75 @@ helm install mealcraft-runners \ --set runnerLabels[0]="mealcraft" \ oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set +# ===================================================================== +# RBAC — IMPORTANT +# Grants permissions to the exact ARC runner SA detected earlier. +# ===================================================================== -echo "=== Applying RBAC for runner ===" +echo "=== Applying RBAC for all ARC runners ===" -microk8s kubectl apply -f - <<'EOF' +microk8s kubectl apply -f - < Date: Sat, 6 Dec 2025 22:53:39 +0000 Subject: [PATCH 19/42] certs pv update --- traefik/edge-router/pvc.yaml | 1 + traefik/edge-router/traefik-services.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/traefik/edge-router/pvc.yaml b/traefik/edge-router/pvc.yaml index 4414bad..2de90ec 100644 --- a/traefik/edge-router/pvc.yaml +++ b/traefik/edge-router/pvc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: certs-pvc + namespace: default spec: accessModes: - ReadWriteMany diff --git a/traefik/edge-router/traefik-services.yml b/traefik/edge-router/traefik-services.yml index 6e7935f..35e6bd6 100644 --- a/traefik/edge-router/traefik-services.yml +++ b/traefik/edge-router/traefik-services.yml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: traefik + namespace: default spec: type: LoadBalancer From 581773a682866edb423c1055e5f8dc2da3c4da61 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 23:10:08 +0000 Subject: [PATCH 20/42] certs pv update --- github_runner/install/install_arc.sh | 61 ++++++++++------------ traefik/edge-router/middleware.yaml | 1 + traefik/edge-router/traefik-deployment.yml | 1 + traefik/who-am-i/whoami-service.yml | 1 + 4 files changed, 30 insertions(+), 34 deletions(-) 
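Review bot: `--set githubConfigSecret.github_token="$GITHUB_PAT"` on the `helm install "${RUNNER_NAME}"` command runs under the `set -ex` at the top of this hunk, so `-x` echoes the expanded PAT into the terminal and any captured install log, and the token is also visible in the process list for the duration of the helm call. Turn tracing off around that call — `set +x` before the `helm install "${RUNNER_NAME}" \` line and `set -x` after it — or create the `github-secret` Secret out of band and pass only its name, if the chart version in use accepts a pre-created Secret for `githubConfigSecret`. The `helm uninstall ... || true` lines are fine for a re-runnable script, but a comment noting that `|| true` also hides real uninstall failures (a stuck namespace, a missing kubeconfig) would help. The second hunk of this file (`@@ -34,33 +45,75 @@`, the RBAC heredoc) is truncated on this page, so its body cannot be reviewed here.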
diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index 2229204..60b41c9 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh 
@@ -18,37 +18,37 @@ set -ex NAMESPACE="arc-systems" RUNNER_NAME="mealcraft-runners" -# ===================================================================== -# Remove previous ARC installation (safe even if missing) -# ===================================================================== -helm uninstall arc -n "${NAMESPACE}" || true -helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true +# # ===================================================================== +# # Remove previous ARC installation (safe even if missing) +# # ===================================================================== +# helm uninstall arc -n "${NAMESPACE}" || true +# helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true -echo "=== Installing ARC Scale Set Controller ===" +# echo "=== Installing ARC Scale Set Controller ===" -helm install arc \ - --namespace "${NAMESPACE}" \ - --create-namespace \ - oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller +# helm install arc \ +# --namespace "${NAMESPACE}" \ +# --create-namespace \ +# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller -echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ===" +# echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ===" -helm install "${RUNNER_NAME}" \ - --namespace "${NAMESPACE}" \ - --create-namespace \ - --set runnerScaleSetName="${RUNNER_NAME}" \ - --set githubConfigUrl="https://github.com/MealCraft" \ - --set githubConfigSecret.name="github-secret" \ - --set githubConfigSecret.github_token="$GITHUB_PAT" \ - --set dockerInDockerEnabled=false \ - --set containerMode.type="runner" \ - --set runnerLabels[0]="mealcraft" \ - oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set +# helm install "${RUNNER_NAME}" \ +# --namespace "${NAMESPACE}" \ +# --create-namespace \ +# --set runnerScaleSetName="${RUNNER_NAME}" \ +# --set githubConfigUrl="https://github.com/MealCraft" \ +# --set 
githubConfigSecret.name="github-secret" \ +# --set githubConfigSecret.github_token="$GITHUB_PAT" \ +# --set dockerInDockerEnabled=false \ +# --set containerMode.type="runner" \ +# --set runnerLabels[0]="mealcraft" \ +# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set -# ===================================================================== -# RBAC — IMPORTANT -# Grants permissions to the exact ARC runner SA detected earlier. -# ===================================================================== +# # ===================================================================== +# # RBAC — IMPORTANT +# # Grants permissions to the exact ARC runner SA detected earlier. +# # ===================================================================== echo "=== Applying RBAC for all ARC runners ===" @@ -65,14 +65,7 @@ rules: # Core API: PV, PVC, namespaces, secrets, configmaps, services, serviceaccounts (NEW) - apiGroups: [""] - resources: - - persistentvolumes - - persistentvolumeclaims - - namespaces - - secrets - - configmaps - - services - - serviceaccounts # <── NEW + resources: ["persistentvolumes", "persistentvolumeclaims", "namespaces", "secrets", "configmaps", "services", "serviceaccounts"] verbs: ["*"] # Apps (Deployments, DS, etc) diff --git a/traefik/edge-router/middleware.yaml b/traefik/edge-router/middleware.yaml index 4ba3ac7..9cf5963 100644 --- a/traefik/edge-router/middleware.yaml +++ b/traefik/edge-router/middleware.yaml @@ -1,6 +1,7 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: + namespace: default name: test-auth spec: basicAuth: diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 1775c45..392207d 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -9,6 +9,7 @@ metadata: kind: Deployment apiVersion: apps/v1 metadata: + namespace: default name: traefik-deployment labels: app: traefik 
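Review bot: The whole ARC uninstall/install sequence in the `@@ -18,37 +18,37 @@` hunk is commented out line by line instead of being removed or placed behind a switch, so the script now only applies RBAC while its name and the `NAMESPACE`/`RUNNER_NAME` variables suggest it still installs the runner scale set. Guard the block instead, e.g. `if [ "${INSTALL_ARC:-no}" = yes ]; then` … `fi` (variable name is a suggestion), so the commented `$GITHUB_PAT` line cannot drift out of date, and state at the top of the script what a normal run does. The heredoc that follows is only partly visible in this hunk.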
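Review bot: The collapsed `resources: [...]` line in the `@@ -65,14 +65,7 @@` hunk keeps `verbs: ["*"]` on `secrets`, `serviceaccounts`, `namespaces` and `persistentvolumes` for every ARC runner, which is far broader than the bootstrap workflow needs and lets any workflow that lands on these runners read or rewrite every Secret the role covers (the `kind:` header is outside the hunk, so whether this is a ClusterRole or a namespaced Role is not visible here). Narrowing to the verbs the workflows actually use (`get`, `list`, `create`, `patch`) and dropping `serviceaccounts` unless something manages them would bound what a compromised job can do with the runner's token. The move from a block list to a flow list also discards the `# <── NEW` note that flagged `serviceaccounts` as a deliberate recent addition; keep a comment such as `# serviceaccounts: required by <which step> — remove when no longer needed` so the grant stays justified.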
diff --git a/traefik/who-am-i/whoami-service.yml b/traefik/who-am-i/whoami-service.yml index e369c53..ee0ad1e 100644 --- a/traefik/who-am-i/whoami-service.yml +++ b/traefik/who-am-i/whoami-service.yml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: whoami + namespace: default spec: ports: From 76372862cd62cb46833896e6727bc5913dc87f3c Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 23:26:26 +0000 Subject: [PATCH 21/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 6a2ff6d..dab5d61 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml @@ -62,6 +62,18 @@ jobs: kubectl config set-credentials runner --token="$SA_TOKEN" kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE" kubectl config use-context runner-context + + # ----------------------------------------------------- + # ⭐ Inject AWS secrets needed for Traefik Route53 DNS + # ----------------------------------------------------- + - name: Apply AWS Secrets + run: | + kubectl create secret generic aws-secrets \ + --namespace=default \ + --from-literal=AWS_ACCESS_KEY_ID='${{ secrets.AWS_ACCESS_KEY_ID }}' \ + --from-literal=AWS_SECRET_ACCESS_KEY='${{ secrets.AWS_SECRET_ACCESS_KEY }}' \ + --from-literal=AWS_REGION='${{ secrets.AWS_REGION }}' \ + --dry-run=client -o yaml | kubectl apply -f - # Apply storage classes + PVs - name: Apply StorageClass + PV From 17c75e160b24b2b6226f363ebeb0ed1c4ea9990b Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sat, 6 Dec 2025 23:40:14 +0000 Subject: [PATCH 22/42] save --- github_runner/install/install_arc.sh | 82 +++++++++++++++++++++++++--- traefik/edge-router/middleware.yaml | 3 +- 2 files changed, 76 insertions(+), 9 deletions(-) 
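Review bot: In the new `Apply AWS Secrets` step the three `${{ secrets.* }}` expressions are expanded directly into the `run:` script text, so a value containing a single quote breaks the command and the secret values become part of the shell line GitHub hands to bash rather than environment variables. The safer shape is an `env:` block on the step and `"$VAR"` references in the script, as below; it also makes the step re-runnable on a rotated key without touching the script. The Secret is created in `default` only, while the same workflow provisions a `staging` namespace — worth a one-line comment that staging deliberately gets no Route53 credentials, if that is the intent.
```yaml
      - name: Apply AWS Secrets
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
        run: |
          kubectl create secret generic aws-secrets \
            --namespace=default \
            --from-literal=AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
            --from-literal=AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
            --from-literal=AWS_REGION="$AWS_REGION" \
            --dry-run=client -o yaml | kubectl apply -f -
```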
diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index 60b41c9..2b960d4 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh @@ -7,7 +7,7 @@ set -ex # sudo microk8s reset --destroy-storage # sudo snap remove microk8s # sudo snap install microk8s --classic -# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server +# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server ingress # # # Rebuild kubeconfig for your local user (optional) # microk8s kubectl config view --raw > ~/.kube/config @@ -50,7 +50,7 @@ RUNNER_NAME="mealcraft-runners" # # Grants permissions to the exact ARC runner SA detected earlier. # # ===================================================================== -echo "=== Applying RBAC for all ARC runners ===" +echo "=== Applying RBAC for all ARC runners + Traefik ===" microk8s kubectl apply -f - < Date: Sun, 7 Dec 2025 00:23:04 +0000 Subject: [PATCH 23/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 3 +-- traefik/edge-router/middleware.yaml | 3 +-- traefik/edge-router/traefik-deployment.yml | 3 ++- traefik/edge-router/traefik-ingressroute.yml | 1 + traefik/edge-router/traefik-services.yml | 23 ++++++++++---------- 5 files changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index dab5d61..6883b66 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
@@ -84,10 +84,9 @@ jobs: # Install Traefik CRDs (idempotent) - name: Install Traefik CRDs run: | - if ! kubectl get crd ingressroutes.traefik.containo.us >/dev/null 2>&1; then + if ! kubectl get crd ingressroutes.traefik.io >/dev/null 2>&1; then kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/05-tlsoption.yml fi # Deploy Traefik diff --git a/traefik/edge-router/middleware.yaml b/traefik/edge-router/middleware.yaml index e946aea..9cf5963 100644 --- a/traefik/edge-router/middleware.yaml +++ b/traefik/edge-router/middleware.yaml @@ -5,5 +5,4 @@ metadata: name: test-auth spec: basicAuth: - secret: authsecret - namespace: default \ No newline at end of file + secret: authsecret \ No newline at end of file diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 392207d..5553f15 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -46,8 +46,9 @@ spec: - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - - "--entrypoints.websecure.address=:443" - "--providers.kubernetescrd.allowexternalnameservices=true" + - "--providers.kubernetescrd.allowcrossnamespace=false" + - "--providers.kubernetescrd.legacyCRDDisabled=true env: - name: AWS_ACCESS_KEY_ID valueFrom: diff --git a/traefik/edge-router/traefik-ingressroute.yml b/traefik/edge-router/traefik-ingressroute.yml index 1c35140..88f1772 100644 --- a/traefik/edge-router/traefik-ingressroute.yml 
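Review bot: The two `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/...` lines install cluster-scoped CRDs and RBAC straight from a remote URL pinned only to a git tag, so what reaches the cluster depends on GitHub being reachable and on the tag not having moved, and nothing in the step checks what was fetched. Vendoring the two manifests into the repo (e.g. under a `traefik/crds/` directory) and applying them from the checkout, or at least pinning the URL to a commit SHA, makes the bootstrap reproducible and reviewable in a PR; the v2.11 variant of this step in patch 29/42 has the same issue. Switching the idempotency probe to `ingressroutes.traefik.io` should be consistent with the v2.10 manifests, which as far as I recall ship both API groups, but a short comment saying so would save the next reader a check.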
+++ b/traefik/edge-router/traefik-ingressroute.yml @@ -11,6 +11,7 @@ spec: kind: Rule middlewares: - name: test-auth + namespace: default services: - name: traefik port: 8080 diff --git a/traefik/edge-router/traefik-services.yml b/traefik/edge-router/traefik-services.yml index 35e6bd6..6a0515f 100644 --- a/traefik/edge-router/traefik-services.yml +++ b/traefik/edge-router/traefik-services.yml @@ -3,18 +3,17 @@ kind: Service metadata: name: traefik namespace: default - spec: type: LoadBalancer - ports: - - protocol: TCP - name: web - port: 80 - - protocol: TCP - name: websecure - port: 443 - - protocol: TCP - name: admin - port: 8080 selector: - app: traefik \ No newline at end of file + app: traefik + ports: + - name: web + port: 80 + targetPort: web + - name: websecure + port: 443 + targetPort: websecure + - name: admin + port: 8080 + targetPort: admin From 75cede4a9c6698089cf860c61c9f928b9dc18198 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:25:18 +0000 Subject: [PATCH 24/42] save --- traefik/edge-router/traefik-deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 5553f15..b28ba55 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -48,7 +48,7 @@ spec: - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--providers.kubernetescrd.allowexternalnameservices=true" - "--providers.kubernetescrd.allowcrossnamespace=false" - - "--providers.kubernetescrd.legacyCRDDisabled=true + - "--providers.kubernetescrd.legacyCRDDisabled=true" env: - name: AWS_ACCESS_KEY_ID valueFrom: From 9e915d475c7db8bb902e10cce15f71230ad9b0b1 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:27:55 +0000 Subject: [PATCH 25/42] save --- traefik/edge-router/traefik-deployment.yml | 1 - 1 file changed, 1 deletion(-) 
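Review bot: The rewritten `traefik-services.yml` keeps the `admin` port 8080 on a `type: LoadBalancer` Service, which publishes the Traefik API/dashboard listener on the external address next to 80 and 443; the deployment args at this point still include `--api.insecure` (visible as removed context in patch 29/42), so that listener answers without the `test-auth` basic-auth middleware that the IngressRoute applies only to the `websecure` path. Move the `admin` port to a separate `ClusterIP` Service that the dashboard IngressRoute targets, and remove `- name: admin`, `port: 8080`, `targetPort: admin` from the LoadBalancer Service. The `targetPort: web|websecure|admin` names depend on the container `ports` carrying exactly those names, which the deployment does at this commit — a comment next to the ports would make that coupling explicit.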
diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index b28ba55..84323ea 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -48,7 +48,6 @@ spec: - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--providers.kubernetescrd.allowexternalnameservices=true" - "--providers.kubernetescrd.allowcrossnamespace=false" - - "--providers.kubernetescrd.legacyCRDDisabled=true" env: - name: AWS_ACCESS_KEY_ID valueFrom: From 74e9de3d86dac823653068811149382578bad34a Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:30:37 +0000 Subject: [PATCH 26/42] save --- traefik/edge-router/traefik-deployment.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 84323ea..1a97526 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -48,6 +48,10 @@ spec: - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--providers.kubernetescrd.allowexternalnameservices=true" - "--providers.kubernetescrd.allowcrossnamespace=false" + # 🔥 USE STAGING CERTIFICATES + - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" + + env: - name: AWS_ACCESS_KEY_ID valueFrom: From 8c9ac59e1bb03b50f34932878d2106bf299eb0b9 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:34:28 +0000 Subject: [PATCH 27/42] save --- traefik/edge-router/traefik-deployment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 1a97526..957b347 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml 
@@ -48,6 +48,7 @@ spec: - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--providers.kubernetescrd.allowexternalnameservices=true" - "--providers.kubernetescrd.allowcrossnamespace=false" + - "--providers.kubernetescrd.legacyCRDDisabled=true" # 🔥 USE STAGING CERTIFICATES - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" From 0b6cd0c427de7d57c0430ed085864a664b3e1fc5 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:38:07 +0000 Subject: [PATCH 28/42] save --- traefik/edge-router/traefik-deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 957b347..accd617 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -27,7 +27,7 @@ spec: serviceAccountName: traefik-ingress-controller containers: - name: traefik - image: traefik:v2.10 + image: traefik:v2.11 args: - --api.insecure - --accesslog=True From 348d5674211940845a2998fcf868c5045d3e40a9 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:47:50 +0000 Subject: [PATCH 29/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 6 +- traefik/edge-router/traefik-deployment.yml | 92 ++++++++------------ traefik/edge-router/traefik-services.yml | 6 +- 3 files changed, 43 insertions(+), 61 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index 6883b66..eb0fc0e 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
@@ -84,10 +84,8 @@ jobs: # Install Traefik CRDs (idempotent) - name: Install Traefik CRDs run: | - if ! kubectl get crd ingressroutes.traefik.io >/dev/null 2>&1; then - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml - fi + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml + kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml # Deploy Traefik - name: Deploy Traefik diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index accd617..6b1f3db 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -1,19 +1,8 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: default - name: traefik-ingress-controller - ---- - -kind: Deployment apiVersion: apps/v1 +kind: Deployment metadata: + name: traefik namespace: default - name: traefik-deployment - labels: - app: traefik - spec: replicas: 1 selector: 
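Review bot: The `@@ -1,19 +1,8 @@` hunk deletes the `traefik-ingress-controller` ServiceAccount document from `traefik-deployment.yml`, but the pod spec in the following hunk still sets `serviceAccountName: traefik-ingress-controller`; unless that ServiceAccount is now created elsewhere (the RBAC heredoc in `install_arc.sh` is truncated on this page, so it may be), the Deployment cannot create pods. Renaming the Deployment from `traefik-deployment` to `traefik` also means the `Deploy Traefik` step's `kubectl apply` creates a second Deployment and leaves the old one running behind the same `app: traefik` selector; add a one-off `kubectl delete deployment traefik-deployment --ignore-not-found` to the bootstrap, or record the rename in the commit message. The object-level `labels: app: traefik` that was dropped is not the selector (that is on the template, outside this hunk), so the removal is harmless, but say so in a comment if it was intentional.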
@@ -25,35 +14,51 @@ spec: app: traefik spec: serviceAccountName: traefik-ingress-controller + volumes: + - name: acme + persistentVolumeClaim: + claimName: traefik-acme containers: - name: traefik image: traefik:v2.11 + ports: + - name: web + containerPort: 80 + - name: websecure + containerPort: 443 + - name: admin + containerPort: 8080 + volumeMounts: + - name: acme + mountPath: /acme args: - - --api.insecure - - --accesslog=True - - --entrypoints.web.Address=:80 - - --entrypoints.websecure.Address=:443 - - --providers.kubernetescrd - - --api.dashboard - - --serverstransport.insecureskipverify=true - # TLS (HTTPS) - - "--certificatesresolvers.myresolver.acme.dnschallenge=true" - - "--certificatesresolvers.myresolver.acme.httpChallenge=false" - - "--certificatesresolvers.myresolver.acme.tlsChallenge=false" - - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53" - - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com" - - "--certificatesresolvers.myresolver.acme.storage=/certs/acme.json" - - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web" + - "--api.dashboard=true" + - "--api.insecure=false" + - "--entrypoints.web.address=:80" + - "--entrypoints.websecure.address=:443" + + # Redirect HTTP → HTTPS - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - - "--providers.kubernetescrd.allowexternalnameservices=true" - - "--providers.kubernetescrd.allowcrossnamespace=false" - - "--providers.kubernetescrd.legacyCRDDisabled=true" - # 🔥 USE STAGING CERTIFICATES + + # Providers + - "--providers.kubernetescrd=true" + + # TLS + ACME + - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com" + - "--certificatesresolvers.myresolver.acme.storage=/acme/acme.json" + - "--certificatesresolvers.myresolver.acme.dnschallenge=true" + - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53" + + # STAGING (uncomment for 
first-time) - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" - env: + - name: AWS_REGION + valueFrom: + secretKeyRef: + name: aws-secrets + key: AWS_REGION - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -64,24 +69,3 @@ spec: secretKeyRef: name: aws-secrets key: AWS_SECRET_ACCESS_KEY - - name: AWS_REGION - valueFrom: - secretKeyRef: - name: aws-secrets - key: AWS_REGION - ports: - - name: web - containerPort: 80 - - name: admin - containerPort: 8080 - - name: websecure - containerPort: 443 - volumeMounts: - - name: cert-volume - mountPath: /certs - imagePullSecrets: - - name: registrypullsecret - volumes: - - name: cert-volume - persistentVolumeClaim: - claimName: certs-pvc \ No newline at end of file diff --git a/traefik/edge-router/traefik-services.yml b/traefik/edge-router/traefik-services.yml index 6a0515f..e43150f 100644 --- a/traefik/edge-router/traefik-services.yml +++ b/traefik/edge-router/traefik-services.yml @@ -10,10 +10,10 @@ spec: ports: - name: web port: 80 - targetPort: web + targetPort: 80 - name: websecure port: 443 - targetPort: websecure + targetPort: 443 - name: admin port: 8080 - targetPort: admin + targetPort: 8080 From e771e970717faff5fc70f98e8ba286a0fee73c5c Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:51:25 +0000 Subject: [PATCH 30/42] save --- .github/workflows/k8s_traefik_init_setup.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml index eb0fc0e..383cf2c 100644 --- a/.github/workflows/k8s_traefik_init_setup.yml +++ b/.github/workflows/k8s_traefik_init_setup.yml 
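Review bot: The comment `# STAGING (uncomment for first-time)` sits above an active `--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02...` line, so the manifest as committed always uses the Let's Encrypt staging CA while the comment suggests the opposite; either comment the line out or change the note to `# STAGING CA in use — delete this line to issue production certificates`. `claimName: traefik-acme` does not match the PVC the workflow applies (`certs-pvc` in `traefik/edge-router/pvc.yaml`), which patch 31/42 corrects. The subject line `save` does not record that `--serverstransport.insecureskipverify=true`, `--api.insecure` and `imagePullSecrets` were dropped in this rewrite, which is a behaviour change worth naming. The `@@ -25,35 +14,51 @@` hunk starts on the previous page line.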
@@ -81,11 +81,11 @@ jobs: kubectl apply -f traefik/storageclass/storageclass.yaml kubectl apply -f traefik/storageclass/certs-pv.yaml - # Install Traefik CRDs (idempotent) - - name: Install Traefik CRDs - run: | - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml - kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml + # # Install Traefik CRDs (idempotent) + # - name: Install Traefik CRDs + # run: | + # kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml + # kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml # Deploy Traefik - name: Deploy Traefik From a1e92bd5e7da5c01be7560ffdccb0d77561e5ba4 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 00:56:50 +0000 Subject: [PATCH 31/42] save --- traefik/edge-router/traefik-deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 6b1f3db..41c36a8 100644 --- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -17,7 +17,7 @@ spec: volumes: - name: acme persistentVolumeClaim: - claimName: traefik-acme + claimName: certs-pvc containers: - name: traefik image: traefik:v2.11 From 03cc0d0f6442119cfbef898ea4759ab01c063575 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 08:51:38 +0000 Subject: [PATCH 32/42] save --- traefik/edge-router/traefik-deployment.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml index 41c36a8..3b67a31 100644 
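Review bot: Commenting out the `Install Traefik CRDs` step leaves the workflow with no guarantee that the `traefik.io` CRDs exist before `Deploy Traefik` applies IngressRoute and Middleware objects, and the commented block does not say where they now come from. Either delete the dead block and add a note such as `# Traefik CRDs are installed out-of-band by github_runner/install/install_arc.sh` (if that is the case — the heredoc there is not readable on this page), or keep the step and apply manifests vendored in the repo so the bootstrap stays self-contained.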
--- a/traefik/edge-router/traefik-deployment.yml +++ b/traefik/edge-router/traefik-deployment.yml @@ -33,7 +33,7 @@ spec: mountPath: /acme args: - "--api.dashboard=true" - - "--api.insecure=false" + - "--api.insecure=true" - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" @@ -47,7 +47,6 @@ spec: # TLS + ACME - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com" - "--certificatesresolvers.myresolver.acme.storage=/acme/acme.json" - - "--certificatesresolvers.myresolver.acme.dnschallenge=true" - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53" # STAGING (uncomment for first-time) From adc57c95403f4fd9fed8f821b7f615c434cdc6a9 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 09:29:27 +0000 Subject: [PATCH 33/42] save --- .vscode/settings.json | 33 ++++++++++++++------ github_runner/install/install_arc.sh | 1 + traefik/edge-router/middleware.yaml | 4 ++- traefik/edge-router/traefik-ingressroute.yml | 2 +- 4 files changed, 28 insertions(+), 12 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 27782c1..64a6d67 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
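Review bot: Flipping `--api.insecure=false` to `--api.insecure=true` re-enables the unauthenticated API/dashboard listener on port 8080, and because `traefik-services.yml` publishes `admin`/8080 on the `LoadBalancer` Service (patch 29/42), the dashboard and `/api` become reachable on the external address without passing through the `test-auth` basic-auth IngressRoute. If the goal is for the dashboard IngressRoute to reach the API, the supported shape is `--api.insecure=false` with the route pointing at the internal API service (`services: - name: api@internal` with `kind: TraefikService`), which keeps the middleware in the path. Dropping `--certificatesresolvers.myresolver.acme.dnschallenge=true` while keeping `dnschallenge.provider=route53` should still enable the DNS challenge, but a short comment explaining why the explicit flag was removed would stop the next reader re-adding it.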
@@ -1,19 +1,32 @@ { - "jupyter.interactiveWindow.textEditor.executeSelection": true, - "python.REPL.sendToNativeREPL": true, - "notebook.output.scrolling": true, - "terminal.integrated.defaultProfile.linux": "bash", - "editor.rulers": [67], - "terminal.integrated.profiles.linux": { - "bash": { - "path": "/bin/bash" - } - }, // Hot reload setting that needs to be in user settings // "jupyter.runStartupCommands": [ // "%load_ext autoreload", "%autoreload 2" // ] + // --- VIM SETTINGS --- + "vim.useSystemClipboard": true, + "vim.enableNeovim": false, + + // Allow VSCode native keybindings to override Vim when needed + "vim.handleKeys": { + "": false, + "": false, + "": false, + "": false, + "": false, + "": false, + "": false + }, + + // Make Y, y, p always sync with the system clipboard + + // Terminal copy/paste via Ctrl+Shift+C / Ctrl+Shift+V + "terminal.integrated.copyOnSelection": false, + "terminal.integrated.commandsToSkipShell": [ + "workbench.action.terminal.copySelection", + "workbench.action.terminal.paste" + ], } \ No newline at end of file diff --git a/github_runner/install/install_arc.sh b/github_runner/install/install_arc.sh index 2b960d4..0ec4373 100644 --- a/github_runner/install/install_arc.sh +++ b/github_runner/install/install_arc.sh @@ -8,6 +8,7 @@ set -ex # sudo snap remove microk8s # sudo snap install microk8s --classic # sudo microk8s enable dns rbac hostpath-storage host-access metrics-server ingress +# sudo microk8s enable metallb:192.168.0.200-192.168.0.220 # # # Rebuild kubeconfig for your local user (optional) # microk8s kubectl config view --raw > ~/.kube/config diff --git a/traefik/edge-router/middleware.yaml b/traefik/edge-router/middleware.yaml index 9cf5963..29b771c 100644 --- a/traefik/edge-router/middleware.yaml +++ b/traefik/edge-router/middleware.yaml @@ -5,4 +5,6 @@ metadata: name: test-auth spec: basicAuth: - secret: authsecret \ No newline at end of file + secret: authsecret + + 
diff --git a/traefik/edge-router/traefik-ingressroute.yml b/traefik/edge-router/traefik-ingressroute.yml index 88f1772..c9f961e 100644 --- a/traefik/edge-router/traefik-ingressroute.yml +++ b/traefik/edge-router/traefik-ingressroute.yml @@ -7,7 +7,7 @@ spec: entryPoints: - websecure routes: - - match: Host(`www.traefik.mealcraft.com`, `traefik.mealcraft.com`) && PathPrefix(`/api`, `/dashboard`) + - match: (Host(`traefik.mealcraft.com`) || Host(`www.traefik.mealcraft.com`)) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) kind: Rule middlewares: - name: test-auth From 9cb6199b1635416ae04f6b42125429d3c5802027 Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 10:01:18 +0000 Subject: [PATCH 34/42] push to staging --- README.md | 18 +++---- juntekim_frontend/app/page.tsx | 62 ++---------------------- traefik/who-am-i/whoami-ingressroute.yml | 3 +- 3 files changed, 14 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index a08173a..b346d6e 100644 --- a/README.md +++ b/README.md @@ -2,17 +2,15 @@ TODO: - [x] Get a basic nextjs app set up - [x] Set up new laptop github workflow - - - [x] Download next js - [x] Aws terraform plan and apply configured - [] Deploy into my new k8s - [x] k get pods -A works - - [] deploy docker registry credentials - - [] deploy storageclass - - [] deloy traefik customised - - [] deploy who-am-i - - - Traefik certs change to staging - - May need to move aws terraform here too -- [] Deploy into my dockercontainer new image \ No newline at end of file + - [x] deploy docker registry credentials + - [x] deploy storageclass + - [x] deloy traefik customised + - [x] deploy who-am-i + - [] deploy next js to juntekim.com + - [] Traefik certs change from staging to production + - [] Merge my code to main + - [] Push from workflow k8s bootstrap \ No newline at end of file diff --git a/juntekim_frontend/app/page.tsx b/juntekim_frontend/app/page.tsx index 295f8fd..00b4917 100644 --- a/juntekim_frontend/app/page.tsx 
+++ b/juntekim_frontend/app/page.tsx @@ -2,64 +2,10 @@ import Image from "next/image"; export default function Home() { return ( -
-
- Next.js logo -
-

- To get started, edit the page.tsx file. -

-

- Looking for a starting point or more instructions? Head over to{" "} - - Templates - {" "} - or the{" "} - - Learning - {" "} - center. -

-
- -
+
+

+ Impatient with actions, Patient with results +

); } diff --git a/traefik/who-am-i/whoami-ingressroute.yml b/traefik/who-am-i/whoami-ingressroute.yml index 9a980f7..e839652 100644 --- a/traefik/who-am-i/whoami-ingressroute.yml +++ b/traefik/who-am-i/whoami-ingressroute.yml @@ -7,7 +7,8 @@ spec: entryPoints: - websecure routes: - - match: "Host(`www.whoami.mealcraft.com`, `whoami.mealcraft.com`)" + - match: (Host(`whoami.mealcraft.com`) || Host(`www.whoami.mealcraft.com`)) + kind: Rule services: - name: whoami From 8835777a82765a5ba7ce42d7e0eff0e93c63865b Mon Sep 17 00:00:00 2001 From: Jun-te Kim Date: Sun, 7 Dec 2025 10:04:01 +0000 Subject: [PATCH 35/42] added juntekim.com --- .github/workflows/juntekim.yml | 82 +++++++++++++++++++ juntekim_frontend/deployment/Dockerfile | 17 ++++ juntekim_frontend/deployment/deployment.yml | 26 ++++++ juntekim_frontend/deployment/ingressroute.yml | 19 +++++ juntekim_frontend/deployment/service.yml | 13 +++ 5 files changed, 157 insertions(+) create mode 100644 .github/workflows/juntekim.yml create mode 100644 juntekim_frontend/deployment/Dockerfile create mode 100644 juntekim_frontend/deployment/deployment.yml create mode 100644 juntekim_frontend/deployment/ingressroute.yml create mode 100644 juntekim_frontend/deployment/service.yml diff --git a/.github/workflows/juntekim.yml b/.github/workflows/juntekim.yml new file mode 100644 index 0000000..85c832c --- /dev/null +++ b/.github/workflows/juntekim.yml 
@@ -0,0 +1,82 @@
+name: Build juntekim.com
+
+on:
+ push:
+ tags:
+ - "*"
+ branches:
+ - "**"
+
+jobs:
+ Push-to-docker-hub:
+ runs-on: ubuntu-22.04
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Inject slug/short variables
+ uses: rlespinasse/github-slug-action@v4
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ - name: Build Docker Image
+ run: |
+ docker build \
+ -f juntekim_frontend/deployment/Dockerfile \
+ -t docker.io/kimjunte/portfolio_page:$GITHUB_REF_SLUG \
+ juntekim_frontend
+
+ - name: Push to Docker Hub
+ run: |
+ docker push docker.io/kimjunte/portfolio_page:$GITHUB_REF_SLUG
+
+
+ run-on-k8s:
+ runs-on: mealcraft-runners # <-- your ARC scale set label
+ needs: Push-to-docker-hub
+
+ container:
+ image: ubuntu:22.04 # <-- REQUIRED for ARC scale-set jobs
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install envsubst + kubectl
+ run: |
+ apt-get update
+ apt-get install -y gettext-base curl
+ curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ install -m 0755 kubectl /usr/local/bin/kubectl
+
+ - name: Inject slug variables
+ uses: rlespinasse/github-slug-action@v4
+
+ - name: Set namespace
+ id: ns
+ run: |
+ if [[ $GITHUB_REF == refs/tags/* ]]; then
+ echo "NAMESPACE=default" >> $GITHUB_ENV
+ else
+ echo "NAMESPACE=staging" >> $GITHUB_ENV
+ fi
+
+ - name: Set hostname
+ run: |
+ if [ "$NAMESPACE" = "staging" ]; then
+ echo "HOSTNAME=staging.juntekim.com" >> $GITHUB_ENV
+ else
+ echo "HOSTNAME=juntekim.com" >> $GITHUB_ENV
+ fi
+
+ - name: Deploy to Kubernetes
+ run: |
+ export IMAGE="docker.io/kimjunte/portfolio_page:$GITHUB_REF_SLUG"
+ export NAMESPACE HOSTNAME
+
+ envsubst < k8s/deployment.yaml | kubectl apply -f -
+ envsubst < k8s/services.yaml | kubectl apply -f -
+ envsubst < k8s/ingressroute.yaml | kubectl apply -f -
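Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default `GITHUB_TOKEN` grant while also holding Docker Hub credentials and, in `run-on-k8s`, cluster write access; add `permissions:` with `contents: read` at the top level. The third-party steps are pinned only to mutable major tags (`actions/checkout@v3`, `rlespinasse/github-slug-action@v4`, `docker/login-action@v3`), so a moved tag could expose those secrets — pin each `uses:` to a full commit SHA with the version in a trailing comment. In `Deploy to Kubernetes`, `export IMAGE=...` is never consumed: `juntekim_frontend/deployment/deployment.yml` in the same patch hard-codes `kimjunte/portfolio_page:$GITHUB_REF_SLUG` instead of `${IMAGE}`, so the registry prefix and tag are defined twice and can drift. The `branches: "**"` trigger also means every push to any branch builds, publishes a `portfolio_page:<branch-slug>` image and applies it to `staging`; if that is intended, say so in a comment above `on:`.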
diff --git a/juntekim_frontend/deployment/Dockerfile b/juntekim_frontend/deployment/Dockerfile
new file mode 100644
index 0000000..6d160f5
--- /dev/null
+++ b/juntekim_frontend/deployment/Dockerfile
@@ -0,0 +1,17 @@
+# Base image
+FROM mcr.microsoft.com/devcontainers/typescript-node
+
+# Set working directory
+WORKDIR /app
+
+# Copy ONLY the frontend project
+COPY ../ .
+
+# Install dependencies and build
+RUN npm install && npm run build
+
+# Expose
+EXPOSE 3000
+
+# Start
+CMD ["npm", "start"]
diff --git a/juntekim_frontend/deployment/deployment.yml b/juntekim_frontend/deployment/deployment.yml
new file mode 100644
index 0000000..1ca29bb
--- /dev/null
+++ b/juntekim_frontend/deployment/deployment.yml
@@ -0,0 +1,26 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: ${NAMESPACE}
+ name: portfolio-page
+ labels:
+ app: portfolio-page
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: portfolio-page
+ template:
+ metadata:
+ labels:
+ app: portfolio-page
+ spec:
+ containers:
+ - name: portfolio-page
+ image: kimjunte/portfolio_page:$GITHUB_REF_SLUG
+ imagePullPolicy: Always
+ ports:
+ - name: portfolioport
+ containerPort: 3000
+ imagePullSecrets:
+ - name: registrypullsecret
\ No newline at end of file
diff --git a/juntekim_frontend/deployment/ingressroute.yml b/juntekim_frontend/deployment/ingressroute.yml
new file mode 100644
index 0000000..e7bf7c4
--- /dev/null
+++ b/juntekim_frontend/deployment/ingressroute.yml
@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: juntekim-portfolio-page
+ namespace: ${NAMESPACE}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: "Host(`${HOSTNAME}`) || Host(`www.${HOSTNAME}`)"
+ kind: Rule
+ services:
+ - name: portfolio-page
+ port: 80
+ passHostHeader: false
+ tls:
+ certResolver: myresolver
+ domains:
+ - main: ${HOSTNAME}
\ No newline at end of file
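Review bot: `COPY ../ .` names a path above the build context; the workflow already passes `juntekim_frontend` as the context, so the intended line is `COPY . .` (the classic builder rejects paths outside the context and BuildKit clamps them to the context root, so behaviour depends on which builder runs). The base image `mcr.microsoft.com/devcontainers/typescript-node` is a development-container image with neither tag nor digest, so the production build is neither reproducible nor minimal; pin a runtime image by digest (e.g. `FROM node:<version>@sha256:<digest>`, placeholder), use `npm ci` rather than `npm install`, and add a `USER` line for a non-root account (the official node images ship a `node` user) before `CMD` so the container does not run as root. Because the whole context is copied, a `.dockerignore` excluding `node_modules`, `.git` and `.next` is also needed.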
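Review bot: The pod spec sets no `securityContext` and no `resources`, so the container runs as whatever user the image defaults to (root unless the Dockerfile sets `USER`), may escalate privileges, and is unbounded on the node; add a container-level `securityContext:` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, plus `resources.requests`/`limits`. `imagePullSecrets: registrypullsecret` together with `namespace: ${NAMESPACE}` means that secret must already exist in both `staging` and `default` before the first apply — a comment on the `imagePullSecrets` line should say so. There is no readiness probe either, so a broken build receives traffic as soon as the container starts; a `readinessProbe` on port 3000 would close that gap.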
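Review bot: The rule matches both `${HOSTNAME}` and `www.${HOSTNAME}` but `tls.domains` lists only `main: ${HOSTNAME}`, so the certificate `myresolver` obtains will not cover the www name and clients reaching `www.` get a name mismatch; add `sans:` with `- www.${HOSTNAME}` under the `main` entry. `passHostHeader: false` replaces the Host header the app sees with the Service address; if the Next.js app ever builds absolute URLs from the request host that will be wrong, so either drop the line (the default is `true`) or add a comment explaining why it is needed.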
diff --git a/juntekim_frontend/deployment/service.yml b/juntekim_frontend/deployment/service.yml
new file mode 100644
index 0000000..0700de2
--- /dev/null
+++ b/juntekim_frontend/deployment/service.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: portfolio-page
+ namespace: ${NAMESPACE}
+spec:
+ ports:
+ - protocol: TCP
+ name: portfolioport
+ port: 80
+ targetPort: 3000
+ selector:
+ app: portfolio-page
\ No newline at end of file
From 5fe551ad6d78792d2a2a800865f6363139161c41 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:10:41 +0000
Subject: [PATCH 36/42] added juntekim.com
---
 .github/workflows/juntekim.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/juntekim.yml b/.github/workflows/juntekim.yml
index 85c832c..06e8642 100644
--- a/.github/workflows/juntekim.yml
+++ b/.github/workflows/juntekim.yml
@@ -38,10 +38,6 @@ jobs:
 run-on-k8s:
 runs-on: mealcraft-runners # <-- your ARC scale set label
 needs: Push-to-docker-hub
-
- container:
- image: ubuntu:22.04 # <-- REQUIRED for ARC scale-set jobs
-
 steps:
 - uses: actions/checkout@v3
From c68152a8302b12699f68239b8f8691b84f866bda Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:14:14 +0000
Subject: [PATCH 37/42] added juntekim.com
---
 .github/workflows/juntekim.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/juntekim.yml b/.github/workflows/juntekim.yml
index 06e8642..b3291e7 100644
--- a/.github/workflows/juntekim.yml
+++ b/.github/workflows/juntekim.yml
@@ -43,11 +43,24 @@ jobs:
 - name: Install envsubst + kubectl
 run: |
- apt-get update
- apt-get install -y gettext-base curl
+ sudo apt-get update
+ sudo apt-get install -y gettext-base curl
 curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
 install -m 0755 kubectl /usr/local/bin/kubectl
+ # Configure kubeconfig from ARC's service account
+ - name: Configure kubeconfig
+ run: |
+ KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
+ SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+
+ kubectl config set-cluster microk8s --server="$KUBE_HOST" --certificate-authority="$CA_CERT"
+ kubectl config set-credentials runner --token="$SA_TOKEN"
+ kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE"
+ kubectl config use-context runner-context
+
 - name: Inject slug variables
 uses: rlespinasse/github-slug-action@v4
From b71b62bf1ea52265a2f90ea08b614630b5c9fe22 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:19:48 +0000
Subject: [PATCH 38/42] added juntekim.com
---
 .github/workflows/juntekim.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/juntekim.yml b/.github/workflows/juntekim.yml
index b3291e7..4aab6ff 100644
--- a/.github/workflows/juntekim.yml
+++ b/.github/workflows/juntekim.yml
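Review bot: This step turns the ARC runner pod's own service-account token into the deploy credential, so that service account must be granted create/patch on Deployments, Services and `traefik.io` IngressRoutes in `staging` and `default`; scope that with per-namespace Role/RoleBinding pairs rather than a cluster-wide binding, because every workflow scheduled onto `mealcraft-runners` inherits whatever this account can do. The shell-local `NAMESPACE=$(cat .../namespace)` is the runner's own namespace and only seeds the context default; it does not persist to later steps, but it shares its name with the deploy `NAMESPACE` written to `GITHUB_ENV` by the `Set namespace` step, so a comment such as `# runner's own namespace; shell-local, unrelated to the deploy NAMESPACE in GITHUB_ENV` would prevent confusion. The remaining steps of the `run-on-k8s` job are outside the hunk.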
@@ -39,14 +39,20 @@ jobs:
 runs-on: mealcraft-runners # <-- your ARC scale set label
 needs: Push-to-docker-hub
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- - name: Install envsubst + kubectl
+ # Install kubectl inside containerMode's default Ubuntu
+ - name: Install kubectl
 run: |
 sudo apt-get update
- sudo apt-get install -y gettext-base curl
+ sudo apt-get install -y curl ca-certificates
 curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
- install -m 0755 kubectl /usr/local/bin/kubectl
+ sudo install -m 0755 kubectl /usr/local/bin/kubectl
+
+ - name: Install envsubst
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y gettext # <---- envsubst lives here
 # Configure kubeconfig from ARC's service account
 - name: Configure kubeconfig
From 1d5de58cb6b4f8cbcac1cd8c8a1dfb51c4ac2868 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:23:36 +0000
Subject: [PATCH 39/42] added juntekim.com
---
 .github/workflows/juntekim.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/juntekim.yml b/.github/workflows/juntekim.yml
index 4aab6ff..632b2f2 100644
--- a/.github/workflows/juntekim.yml
+++ b/.github/workflows/juntekim.yml
@@ -92,6 +92,6 @@ jobs:
 export IMAGE="docker.io/kimjunte/portfolio_page:$GITHUB_REF_SLUG"
 export NAMESPACE HOSTNAME
- envsubst < k8s/deployment.yaml | kubectl apply -f -
- envsubst < k8s/services.yaml | kubectl apply -f -
- envsubst < k8s/ingressroute.yaml | kubectl apply -f -
+ envsubst < juntekim_frontend/deployment/deployment.yml | kubectl apply -f -
+ envsubst < juntekim_frontend/deployment/service.yml | kubectl apply -f -
+ envsubst < juntekim_frontend/deployment/ingressroute.yml | kubectl apply -f -
From c21c3f9948f24e4fe80b90512343c731124d10b9 Mon Sep 17 00:00:00 2001
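Review bot: The kubectl binary is fetched from `dl.k8s.io` at whatever `stable.txt` resolves to and installed with no integrity check, so the deploy job trusts an unpinned download every run; pin the version and verify the published checksum before `sudo install`, e.g. `curl -LO "https://dl.k8s.io/release/<version>/bin/linux/amd64/kubectl.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check`. The same unverified download is present in the PATCH 35 and PATCH 37 versions of this step. Running `sudo apt-get update` again in the new `Install envsubst` step is redundant; folding `gettext` into the first `apt-get install` line keeps one step and one index refresh.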
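Review bot: `envsubst` with no variable list rewrites every `$NAME` it finds in the three manifests from the runner's environment, so any literal dollar sign added to a manifest later is silently expanded; restrict it to the intended names, `envsubst '$IMAGE $NAMESPACE $HOSTNAME $GITHUB_REF_SLUG' < juntekim_frontend/deployment/deployment.yml | kubectl apply -f -` (and likewise for the other two lines). `HOSTNAME` is also a variable bash sets itself; this works only because bash leaves an inherited value alone, so a dedicated name such as `APP_HOST` (in the `Set hostname` step and in `ingressroute.yml`) would be less fragile. The first lines of the `Deploy to Kubernetes` step are outside the hunk.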
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:28:49 +0000
Subject: [PATCH 40/42] added juntekim.com
---
 traefik/edge-router/traefik-deployment.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml
index 3b67a31..67ec4f7 100644
--- a/traefik/edge-router/traefik-deployment.yml
+++ b/traefik/edge-router/traefik-deployment.yml
@@ -43,6 +43,8 @@ spec:
 # Providers
 - "--providers.kubernetescrd=true"
+ - "--providers.kubernetescrd.allowCrossNamespace=true"
+
 # TLS + ACME
 - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com"
From 082d413ca27c000d1920eaa4db99ca7a48b61a7d Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:36:57 +0000
Subject: [PATCH 41/42] impatient with actions
---
 juntekim_frontend/app/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/juntekim_frontend/app/page.tsx b/juntekim_frontend/app/page.tsx
index 00b4917..2aa5eaf 100644
--- a/juntekim_frontend/app/page.tsx
+++ b/juntekim_frontend/app/page.tsx
@@ -2,7 +2,7 @@ import Image from "next/image";
 export default function Home() {
 return (
-
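Review bot: `--providers.kubernetescrd.allowCrossNamespace=true` lets an IngressRoute in any namespace reference Services, Middlewares and TLS options in every other namespace, which removes the namespace boundary Traefik otherwise enforces between workloads; nothing in this series appears to need it, since the juntekim IngressRoute points at `portfolio-page` in its own `${NAMESPACE}`, so the flag looks like it was added for a different symptom. If it is genuinely required, add a comment on the line naming the cross-namespace reference that depends on it (`# needed for: <resource>/<namespace> -> <target>`, placeholder) and consider narrowing `--providers.kubernetescrd.namespaces` to the namespaces Traefik should serve; otherwise drop the line. The rest of the Traefik args list is outside the hunk.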
+

Impatient with actions, Patient with results

From 003c2b4e0385681b6b21dd4d99001539972f989f Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Sun, 7 Dec 2025 10:37:10 +0000
Subject: [PATCH 42/42] impatient with actions
---
 traefik/edge-router/traefik-deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml
index 67ec4f7..059fab4 100644
--- a/traefik/edge-router/traefik-deployment.yml
+++ b/traefik/edge-router/traefik-deployment.yml
@@ -52,7 +52,7 @@ spec:
 - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
 # STAGING (uncomment for first-time)
- - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 env:
 - name: AWS_REGION
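Review bot: Commenting out the staging `caserver` moves `myresolver` to the production Let's Encrypt endpoint, but the resolver's ACME storage still holds the account and certificates issued by the staging CA; Traefik does not, as far as I recall, discard certificates from a different CA on its own, so the staging certificates are likely served until that storage is cleared or a differently named resolver is used. Extend the comment above the line to say so, e.g. `# STAGING CA: uncomment for first-time testing; clear the resolver's acme storage when switching CA`. Production issuance is rate-limited per registered domain, so avoid repeated redeploys that recreate the storage while debugging. The `certificatesresolvers` args begin outside the hunk.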