diff --git a/.github/workflows/deploy_kubernetes.yml b/.github/workflows/deploy_kubernetes.yml
index 44dac09..557f29c 100644
--- a/.github/workflows/deploy_kubernetes.yml
+++ b/.github/workflows/deploy_kubernetes.yml
@@ -66,14 +66,29 @@ jobs:
 env:
 KUBECONFIG: ./talos-config/kubeconfig
- # Sometimes there might be DNS problems. This step will stop
- # and restart the DNS services to ensure it works as expected
+ # Sometimes there might be DNS problems. This step
+ # will try to fix the problems if there are any
 - name: Fix potential DNS problems
 run: |
- sleep 10
- kubectl delete pod -n kube-system -l k8s-app=kube-dns
- sleep 20
- kubectl get pods -n strelka
+ echo "Waiting initial 90 seconds before first DNS test..."
+ sleep 90
+
+ for i in {1..15}; do
+
+ POD_NAME=$(kubectl get pods -n strelka -l app=strelka-frontend -o jsonpath='{.items[0].metadata.name}')
+
+ if kubectl exec -n strelka "$POD_NAME" -- nslookup strelka-postgresdb.strelka.svc.cluster.local; then
+ echo "DNS test $i succeeded. Exiting loop."
+ exit 0
+ fi
+
+ echo "DNS test $i failed. Restarting kube-dns pods and retrying in 90 seconds..."
+ kubectl delete pod -n kube-system -l k8s-app=kube-dns
+ sleep 90
+ done
+
+ echo "All DNS tests failed."
+ exit 1
 working-directory: ${{ env.WORKING_DIR }}
 env:
 KUBECONFIG: ./talos-config/kubeconfig
diff --git a/.github/workflows/deploy_misp.yml b/.github/workflows/deploy_misp.yml
index 0da0230..a8897cf 100644
--- a/.github/workflows/deploy_misp.yml
+++ b/.github/workflows/deploy_misp.yml
@@ -4,7 +4,6 @@ on:
 push:
 branches:
 - 'main'
- - 'maja'
 paths:
 - 'misp/**'
 - 'modules/misp/**'
diff --git a/management_bootstrap/modules/github_runner/runner-config.yaml b/management_bootstrap/modules/github_runner/runner-config.yaml
index 4b7239e..296242b 100644
--- a/management_bootstrap/modules/github_runner/runner-config.yaml
+++ b/management_bootstrap/modules/github_runner/runner-config.yaml
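Review bot: The new loop treats any non-zero exit of the `kubectl exec` line as a DNS fault, but `POD_NAME` is taken from `.items[0]` without checking that a strelka-frontend pod exists or is Running, so an empty or Pending selection makes the exec fail and CoreDNS is deleted for a problem that has nothing to do with DNS. Because `kubectl delete pod -n kube-system -l k8s-app=kube-dns` is a cluster-wide action that can now run up to fifteen times from a deploy job, that misdiagnosis is expensive for every other workload on the cluster. Guard the pod selection before probing, and after the delete prefer waiting for the replacement pods rather than a fixed 90 s, e.g. `kubectl rollout status deployment/coredns -n kube-system --timeout=90s` (the deployment name is presumably `coredns` on this Talos cluster; confirm). The probe also assumes `nslookup` exists in the frontend image, which the hunk does not show.

```yaml
          for i in {1..15}; do
            POD_NAME=$(kubectl get pods -n strelka -l app=strelka-frontend \
              --field-selector=status.phase=Running \
              -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
            if [ -z "$POD_NAME" ]; then
              echo "No running strelka-frontend pod yet (attempt $i); not restarting kube-dns."
              sleep 90
              continue
            fi
            # … unchanged: nslookup probe, kube-dns restart, sleep …
          done
```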
@@ -13,6 +13,9 @@ runcmd:
 - chmod 600 /home/runner_user/ansible/id_rsa
 - chmod 600 /home/runner_user/ansible/clouds.yaml
+ # Create the kubeconfig file
+ - touch /home/runner_user/kubeconfig
+
 # Install Docker
 - sudo dnf -y install dnf-plugins-core
 - sudo dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
@@ -35,9 +38,10 @@ runcmd:
 -e FILE_NAME="${FILE_NAME}" \
 -e ENVIRONMENT="${ENVIRONMENT}" \
 -p 8080:22 \
- -v /home/runner_user/ansible/id_rsa:/home/runner_user/.ssh/id_rsa \
- -v /home/runner_user/ansible/clouds.yaml:/etc/ansible/clouds.yaml \
- -v /home/runner_user/ansible/openstack.yaml:/etc/ansible/openstack.yaml \
+ -v /home/runner_user/ansible/id_rsa:/home/runner_user/.ssh/id_rsa:ro \
+ -v /home/runner_user/ansible/clouds.yaml:/etc/ansible/clouds.yaml:ro \
+ -v /home/runner_user/ansible/openstack.yaml:/etc/ansible/openstack.yaml:ro \
+ -v /home/runner_user/test1:/home/runner_user/kubeconfig \
 runner_image'
 users:
@@ -64,6 +68,23 @@ write_files:
 RUN dnf install -y python3-pip && \
 python3 -m pip install --upgrade pip
 RUN pip3 install ansible openstacksdk
+
+ # Install kubectl
+ RUN cat < /etc/yum.repos.d/kubernetes.repo
+ [kubernetes]
+ name=Kubernetes
+ baseurl=https://pkgs.k8s.io/core:/stable:/v1.33/rpm/
+ enabled=1
+ gpgcheck=1
+ gpgkey=https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key
+ EOF
+ RUN yum install -y kubectl
+
+ # Install Helm
+ RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+ RUN chmod 700 get_helm.sh && \
+ ./get_helm.sh
+
 # Install other dependencies that requires sudo privileges
 RUN yum install -y lttng-ust openssl-libs krb5-libs zlib libicu perl-Digest-SHA
diff --git a/modules/security/main.tf b/modules/security/main.tf
index bdc4f45..9f3bf32 100644
--- a/modules/security/main.tf
+++ b/modules/security/main.tf
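Review bot: The new `touch /home/runner_user/kubeconfig` creates the file that will later hold cluster-admin credentials with the runcmd default umask and root ownership, while the two adjacent lines deliberately `chmod 600` the ssh key and `clouds.yaml`. Add `- chmod 600 /home/runner_user/kubeconfig` right after the touch so the credential file is never world-readable on the runner host, even briefly. Since the file is meant to be written from inside the container later, also confirm the owner matches the uid the container runs as; the hunk does not show that.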
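Review bot: The added mount `-v /home/runner_user/test1:/home/runner_user/kubeconfig \` uses a host path that nothing in this commit creates: the runcmd hunk above touches `/home/runner_user/kubeconfig`, and `modules/storage/main.tf` in this same commit renames its output from `test1` to `kubeconfig`. If `/home/runner_user/test1` is absent when `docker run` starts, Docker creates it as a directory and the later `cat $KUBECONFIG &>/home/runner_user/kubeconfig` inside the container fails, so the host-side path should presumably be `-v /home/runner_user/kubeconfig:/home/runner_user/kubeconfig \`. The `:ro` suffixes on the three credential mounts are a good change. The `docker run` command begins before this hunk.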
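Review bot: The Helm installer is fetched from the moving `main` branch of helm/helm and executed with no version pin or checksum, so the runner image's toolchain changes silently with every upstream commit and a compromised or broken script lands straight in the image; the kubectl repo above at least pins a minor version and enables `gpgcheck=1`. Pin the script to a release tag and the installed binary via the script's `DESIRED_VERSION` variable, and remove the script afterwards, e.g. `RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/<helm-release-tag>/scripts/get-helm-3 && \` / `    chmod 700 get_helm.sh && DESIRED_VERSION=<pinned-helm-version> ./get_helm.sh && rm get_helm.sh`. Separately, `RUN cat < /etc/yum.repos.d/kubernetes.repo` as shown has no heredoc operator before the repo body; if that is the file's real content rather than an extraction artifact, the lines down to `EOF` are not valid Dockerfile instructions, and even with `RUN cat <<EOF > ...` a Dockerfile heredoc needs BuildKit (`# syntax=docker/dockerfile:1` at the top of the embedded Dockerfile), which the hunk does not show.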
@@ -5,7 +5,6 @@ resource "openstack_networking_secgroup_v2" "allow_all_egress" {
 count = var.create_security_groups ? 1 : 0
 name = "${var.kubernetes_cluster_name}-allow-all-ipv4-ipv6-egress"
 description = "Allows all IPv4 and IPv6 egress traffic"
- delete_default_rules = true
 }
 data "openstack_networking_secgroup_v2" "allow_all_egress" {
@@ -13,22 +12,6 @@ data "openstack_networking_secgroup_v2" "allow_all_egress" {
 name = "${var.kubernetes_cluster_name}-allow-all-ipv4-ipv6-egress"
 }
-resource "openstack_networking_secgroup_rule_v2" "allow_all_ipv4_egress" {
- count = var.create_security_groups ? 1 : 0
- direction = "egress"
- ethertype = "IPv4"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.allow_all_egress[0].id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "allow_all_ipv6_egress" {
- count = var.create_security_groups ? 1 : 0
- direction = "egress"
- ethertype = "IPv6"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.allow_all_egress[0].id
-}
-
 ##############################
 # Control Plane Security Group
 ##############################
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
index 745bfb9..f6bc979 100644
--- a/modules/storage/main.tf
+++ b/modules/storage/main.tf
@@ -33,7 +33,7 @@ resource "null_resource" "kubernetes_readiness" {
 done
 # Store the KUBECONFIG file
- cat $KUBECONFIG &>/home/runner_user/test1
+ cat $KUBECONFIG &>/home/runner_user/kubeconfig
 # Wait for API server to be responsive
 echo "Waiting for Kubernetes API to be available..."
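Review bot: With `delete_default_rules = true` dropped here and the two explicit `allow_all_ipv4_egress` / `allow_all_ipv6_egress` rules removed in the next hunk, the group's "allow all egress" behaviour now comes entirely from Neutron's implicit default egress rules rather than from anything this module declares. That is presumably what the author intends, but nothing in the code says so, and default security-group rules are operator-configurable, so on a cloud that tightens them this group would silently have no egress while its `description` still promises it. Record the reliance on the resource, e.g. `# Egress is intentionally left to Neutron's default allow-all IPv4/IPv6 egress rules; no explicit egress rules are managed here.` The `data` block opened at the end of this hunk continues into the next one.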
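Review bot: `cat $KUBECONFIG &>/home/runner_user/kubeconfig` sends stderr into the credential file as well, so if `$KUBECONFIG` is unset or the file is missing the error text becomes the kubeconfig and the downstream steps read a corrupt credential file instead of this step failing. Use stdout only and fix the mode in place (not `install`/`mv`, since the destination is bind-mounted as a single file in this commit): `cat "$KUBECONFIG" > /home/runner_user/kubeconfig && chmod 600 /home/runner_user/kubeconfig`. The enclosing `null_resource` provisioner starts before this hunk and continues after it.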