diff --git a/.github/workflows/build-sign-push.yml b/.github/workflows/build-sign-push.yml
new file mode 100644
index 0000000..0e512f7
--- /dev/null
+++ b/.github/workflows/build-sign-push.yml
@@ -0,0 +1,81 @@
+name: Zarf Packages - Build, Sign, and Push
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - '**/zarf.yaml'
+
+jobs:
+  build-sign-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    env:
+      REGISTRY: ghcr.io
+      REGISTRY_USERNAME: ${{ github.actor }}
+      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OCI_PATH: ${{ env.REGISTRY }}/${{ github.repository_owner }}
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Zarf
+        uses: zarf-dev/setup-zarf@main
+        with:
+          version: v0.73.0
+
+      - name: Zarf Registry Login
+        run: |
+          echo "${{ env.REGISTRY_TOKEN }}" | zarf tools registry login ${{ env.REGISTRY }} \
+            --username ${{ env.REGISTRY_USERNAME }} \
+            --password-stdin
+
+      - name: Detect and Process Changed Packages
+        env:
+          SIGNING_KEY_DATA: ${{ secrets.ZARF_SIGNING_KEY }}
+          KEY_PASSWORD: ${{ secrets.ZARF_KEY_PASSWORD }}
+        run: |
+          touch cosign.key
+          chmod 600 cosign.key
+          echo "$SIGNING_KEY_DATA" > cosign.key
+
+          # Ensure cleanup happens even if the script fails
+          trap 'rm -f cosign.key' EXIT
+
+          # Get changed directories
+          # Use the commits from the push event specifically
+          CHANGED_DIRS=$(git diff --name-only ${{ github.event.before }} ${{ github.event.after }} | grep 'zarf.yaml' | xargs -I {} dirname {} | sort -u)
+
+          if [ -z "$CHANGED_DIRS" ]; then
+            echo "No changes detected in Zarf packages."
+            exit 0
+          fi
+
+          for DIR in $CHANGED_DIRS; do
+            echo "-------------------------------------------------------"
+            echo "📦 Building: $DIR"
+            zarf package create "$DIR" --confirm --output "$DIR"
+
+            # Locate the package file
+            PACKAGE_FILE=$(ls "$DIR"/zarf-package-*.tar.zst)
+
+            echo "📦 Signing: $PACKAGE_FILE"
+            zarf package sign "$PACKAGE_FILE" \
+              --signing-key cosign.key \
+              --signing-key-pass "$KEY_PASSWORD" \
+              --confirm
+
+            echo "📦 Publishing: $PACKAGE_FILE"
+            OCI_PATH_LOWER=$(echo "$OCI_PATH" | tr '[:upper:]' '[:lower:]')
+            zarf package publish "$PACKAGE_FILE" "oci://$OCI_PATH_LOWER" --confirm
+
+            echo "✅ Successfully pushed $PACKAGE_FILE"
+          done
+
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..8f8c10a
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,42 @@
+name: Zarf Packages - Lint
+
+on:
+  pull_request:
+    branches:
+      - develop
+    paths:
+      - '**/zarf.yaml'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Zarf
+        uses: zarf-dev/setup-zarf@main
+        with:
+          version: v0.73.0
+
+      - name: Lint Changed Packages
+        run: |
+          # Get changed directories
+          # Use github.base_ref to ensure we compare against the PR's target branch
+          CHANGED_DIRS=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep 'zarf.yaml' | xargs -I {} dirname {} | sort -u)
+
+          if [ -z "$CHANGED_DIRS" ]; then
+            echo "No changes detected in Zarf packages."
+            exit 0
+          fi
+
+          for DIR in $CHANGED_DIRS; do
+            echo "📦 Linting: $DIR"
+            zarf dev lint "$DIR"
+          done
+
diff --git a/README.md b/README.md
index de90be1..d7f86c1 100644
--- a/README.md
+++ b/README.md
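Review bot: `uses: zarf-dev/setup-zarf@main` in the Install Zarf step is a mutable ref, and this job runs with the package signing key and its password in the step environment, so a compromised or force-pushed `main` on that action repository could exfiltrate the key or substitute the `zarf` binary that signs and publishes the packages; pin it to a full commit SHA, e.g. `uses: zarf-dev/setup-zarf@<40-char sha> # vX.Y.Z`, and let Dependabot bump it. As far as I know the `env` context is not available inside `jobs.<job_id>.env`, so `OCI_PATH: ${{ env.REGISTRY }}/${{ github.repository_owner }}` likely expands to `/<owner>` rather than `ghcr.io/<owner>`; write `OCI_PATH: ghcr.io/${{ github.repository_owner }}` or compute the path inside the step. The `CHANGED_DIRS` pipeline also hides a failing `git diff` (`github.event.before` is all zeros on a force-push or a new branch, so the step silently reports "No changes") and lists a deleted `zarf.yaml`, which `zarf package create` will then fail on; `set -o pipefail` at the top of the script and `git diff --name-only --diff-filter=d ...` cover both cases. Consider also matching the file exactly with `grep -E '(^|/)zarf\.yaml$'` so a file that merely contains the substring is not built and signed.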
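Review bot: The `CHANGED_DIRS` pipeline in the Lint Changed Packages step lists a `zarf.yaml` that the PR deletes, so `zarf dev lint "$DIR"` then runs against a directory that no longer holds a package and fails the check; add `--diff-filter=d` to the `git diff` and anchor the match with `grep -E '(^|/)zarf\.yaml$'` so a path that merely contains the substring (e.g. `zarf.yaml.bak`) is not picked up either. Prefer the runner-provided `$GITHUB_BASE_REF` over interpolating `${{ github.base_ref }}` into the script, i.e. `git diff --name-only --diff-filter=d "origin/$GITHUB_BASE_REF...HEAD"`, which keeps expression expansion out of the shell. `zarf-dev/setup-zarf@main` should be pinned to a commit SHA here as well; the same unpinned ref appears in the build-sign-push workflow that handles the signing key.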
@@ -3,6 +3,24 @@ This repository contains a collection of **Zarf packages** designed to deploy and manage a complete Rocket.Chat ecosystem in air-gapped or restricted environments. Zarf is an open-source tool designed to simplify the delivery of software into air-gapped, secure, or highly regulated environments by bundling all necessary dependencies into [packages](https://docs.zarf.dev/ref/packages/). +## Deploying packages + +It is recommended that your Kubernetes cluster contains at least 3 nodes with 2 vCPUs, 6 GiB memory and 100G disk each. +For testing, you can decrease storage and mongod limits. There's a README.md in each package folder with variables and defaults. + +### Init the cluster + +``` +KUBECONFIG= zarf init [--storage-class longhorn] [--confirm] +``` + +If there's no reliable storage class in the target cluster, init with what you have, then: +``` +KUBECONFIG= zarf package deploy zarf-package-rocketchat-longhorn-*.tar.zst --components migrate-registry --confirm # move to longhorn +``` + +### Deploying + Deploy in order: - monitoring (requires a storage class) - traefik @@ -12,7 +30,7 @@ Deploy in order: - launchcontrol (requires airlock) - server-workspace (requires launchcontrol) -## High-level architectural diagram +#### High-level architectural diagram ```mermaid graph TD @@ -80,7 +98,7 @@ graph TD --- -## Getting Started +## Developers: Getting Started Most likely you'll need a lab setup. There's a guide for developing Zarf packages https://rocketchat.atlassian.net/wiki/spaces/RnD/pages/756842503/Developing+Rocket.Chat+Zarf+packages diff --git a/traefik/zarf.yaml b/traefik/zarf.yaml index ac01db2..07128b6 100644 --- a/traefik/zarf.yaml +++ b/traefik/zarf.yaml @@ -33,3 +33,4 @@ variables: description: "Cloud-specific annotations for Traefik" default: "{}" # Default to empty for K3s/On-prem, or # example: zarf package deploy --set LOADBALANCER_SERVICE_ANNOTATIONS='{service.beta.kubernetes.io/aws-load-balancer-type: "nlb"}' +