BlastPilot/netbird-gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: BlastPilot:73af8325a611407ff59d4547b81c4a99bfd08f25
Branches Tags
BlastPilot:main
BlastPilot:test-scenario-4
BlastPilot:test-scenario-3
BlastPilot:test-scenario-2
BlastPilot:test-scenario-1
BlastPilot:test-dry-run
..
compare: BlastPilot:312423c0c74d5824d131617c046295b418ff00ce
Branches Tags
BlastPilot:main
BlastPilot:test-scenario-4
BlastPilot:test-scenario-3
BlastPilot:test-scenario-2
BlastPilot:test-scenario-1
BlastPilot:test-dry-run

No commits in common. "73af8325a611407ff59d4547b81c4a99bfd08f25" and "312423c0c74d5824d131617c046295b418ff00ce" have entirely different histories.
73af8325a6 ... 312423c0c7

3 changed files with 183 additions and 190 deletions
Show Stats Expand all files Collapse all files

169
.gitea/workflows/dry-run.yml
View File

@ -6,114 +6,101 @@ on:
- "state/*.json" - "state/*.json"
jobs: jobs:
dry-run: detect:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs:
envs: ${{ steps.changed.outputs.envs }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Dry-run reconcile for changed environments - name: Detect changed environments
env: id: changed
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.sha }}
TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
GIT_URL: ${{ secrets.GIT_URL }}
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: | run: |
python3 <<'SCRIPT' FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- 'state/*.json')
import json, os, subprocess, urllib.request ENVS="[]"
for f in $FILES; do
ENV=$(basename "$f" .json)
ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]")
done
echo "envs=$ENVS" >> "$GITHUB_OUTPUT"
echo "Changed environments: $ENVS"
# Detect changed state files dry-run:
diff = subprocess.run( needs: detect
["git", "diff", "--name-only", os.environ["BASE_SHA"], os.environ["HEAD_SHA"], "--", "state/*.json"], runs-on: ubuntu-latest
capture_output=True, text=True, check=True, if: needs.detect.outputs.envs != '[]'
) strategy:
envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()] matrix:
env: ${{ fromJson(needs.detect.outputs.envs) }}
steps:
- uses: actions/checkout@v4
if not envs: - name: Resolve environment secrets
print("No state files changed") id: env
exit(0) run: |
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
print(f"Changed environments: {envs}") - name: Run dry-run reconcile
id: plan
env:
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
run: |
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
echo "response={}" >> "$GITHUB_OUTPUT"
exit 0
fi
RESPONSE=$(curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
-H "Content-Type: application/json" \
-d @state/${{ matrix.env }}.json \
"${RECONCILER_URL}/reconcile?dry_run=true")
echo "response<<EOF" >> "$GITHUB_OUTPUT"
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
for env in envs: - name: Format plan as markdown
key = env.upper().replace("-", "_") id: format
token = os.environ.get(f"{key}_RECONCILER_TOKEN", "") if: steps.plan.outputs.response != '{}'
url = os.environ.get(f"{key}_RECONCILER_URL", "") run: |
cat <<'SCRIPT' > format.py
if not token or not url: import json, sys
print(f"[{env}] No secrets configured — skipping") data = json.loads(sys.stdin.read())
continue
# Call reconciler dry-run
with open(f"state/{env}.json", "rb") as f:
state_data = f.read()
req = urllib.request.Request(
f"{url}/reconcile?dry_run=true",
data=state_data,
method="POST",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
)
try:
resp = urllib.request.urlopen(req)
data = json.loads(resp.read())
except Exception as e:
print(f"[{env}] Reconciler call failed: {e}")
continue
# Format as markdown grouped by action
ops = data.get("operations", []) ops = data.get("operations", [])
summary = data.get("summary", {}) summary = data.get("summary", {})
env = sys.argv[1]
lines = [f"## Reconciliation Plan: `{env}`\n"] lines = [f"## Reconciliation Plan: `{env}`\n"]
if not ops: if not ops:
lines.append("No changes detected.\n") lines.append("No changes detected.\n")
else: else:
groups = {"Create": [], "Update": [], "Delete": []} lines.append("| Operation | Name |")
lines.append("|-----------|------|")
for op in ops: for op in ops:
t = op["type"] lines.append(f"| `{op['type']}` | {op['name']} |")
if t.startswith("create"): groups["Create"].append(op)
elif t.startswith("delete"): groups["Delete"].append(op)
else: groups["Update"].append(op)
for action, items in groups.items():
if not items:
continue
emoji = {"Create": "+", "Update": "~", "Delete": "-"}[action]
lines.append(f"### {action} ({len(items)})\n")
lines.append("| Resource | Name |")
lines.append("|----------|------|")
for op in items:
resource = op["type"].split("_", 1)[1] if "_" in op["type"] else op["type"]
lines.append(f"| {resource} | {op['name']} |")
lines.append("") lines.append("")
s = summary
c, u, d = summary.get("created", 0), summary.get("updated", 0), summary.get("deleted", 0) lines.append(f"**Summary:** {s.get('created',0)} create, {s.get('updated',0)} update, {s.get('deleted',0)} delete")
lines.append(f"**Total: {c} create, {u} update, {d} delete**") print("\n".join(lines))
comment = "\n".join(lines)
print(comment)
# Post PR comment
git_token = os.environ.get("GIT_TOKEN", "")
git_url = os.environ.get("GIT_URL", "")
if git_token and git_url:
api_url = f"{git_url}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments"
body = json.dumps({"body": comment}).encode()
req = urllib.request.Request(api_url, data=body, method="POST", headers={
"Authorization": f"token {git_token}",
"Content-Type": "application/json",
})
urllib.request.urlopen(req)
print(f"Posted comment to PR #{os.environ['PR_NUMBER']}")
SCRIPT SCRIPT
COMMENT=$(echo '${{ steps.plan.outputs.response }}' | python3 format.py "${{ matrix.env }}")
echo "comment<<EOF" >> "$GITHUB_OUTPUT"
echo "$COMMENT" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- name: Post PR comment
if: steps.plan.outputs.response != '{}'
env:
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
run: |
curl -sf \
-X POST \
-H "Authorization: token ${GIT_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"body\": $(echo '${{ steps.format.outputs.comment }}' | jq -Rs .)}" \
"${{ secrets.GIT_URL }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments"

165
.gitea/workflows/reconcile.yml
View File

@ -8,98 +8,103 @@ on:
- "state/*.json" - "state/*.json"
jobs: jobs:
reconcile: detect:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs:
envs: ${{ steps.changed.outputs.envs }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 2 fetch-depth: 2
- name: Reconcile changed environments - name: Detect changed environments
env: id: changed
TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
run: | run: |
python3 <<'SCRIPT' FILES=$(git diff --name-only HEAD~1 HEAD -- 'state/*.json')
import json, os, subprocess, urllib.request, sys ENVS="[]"
for f in $FILES; do
ENV=$(basename "$f" .json)
ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]")
done
echo "envs=$ENVS" >> "$GITHUB_OUTPUT"
echo "Changed environments: $ENVS"
# Detect changed state files reconcile:
diff = subprocess.run( needs: detect
["git", "diff", "--name-only", "HEAD~1", "HEAD", "--", "state/*.json"], runs-on: ubuntu-latest
capture_output=True, text=True, check=True, if: needs.detect.outputs.envs != '[]'
) strategy:
envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()] matrix:
env: ${{ fromJson(needs.detect.outputs.envs) }}
steps:
- uses: actions/checkout@v4
if not envs: - name: Resolve environment secrets
print("No state files changed") id: env
exit(0) run: |
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
echo "age_key=${ENV_UPPER}_AGE_PUBLIC_KEY" >> "$GITHUB_OUTPUT"
print(f"Changed environments: {envs}") - name: Sync events
failed = [] env:
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
run: |
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
exit 0
fi
curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
"${RECONCILER_URL}/sync-events"
for env in envs: - name: Pull latest (poller may have committed)
key = env.upper().replace("-", "_") run: git pull --rebase
token = os.environ.get(f"{key}_RECONCILER_TOKEN", "")
url = os.environ.get(f"{key}_RECONCILER_URL", "")
if not token or not url: - name: Apply reconcile
print(f"[{env}] No secrets configured — skipping") id: reconcile
continue env:
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
run: |
RESPONSE=$(curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
-H "Content-Type: application/json" \
-d @state/${{ matrix.env }}.json \
"${RECONCILER_URL}/reconcile")
echo "response<<EOF" >> "$GITHUB_OUTPUT"
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
# Sync events first STATUS=$(echo "$RESPONSE" | jq -r '.status')
try: if [ "$STATUS" = "error" ]; then
req = urllib.request.Request( echo "Reconcile failed for ${{ matrix.env }}"
f"{url}/sync-events", method="POST", echo "$RESPONSE" | jq .
headers={"Authorization": f"Bearer {token}"}, exit 1
) fi
urllib.request.urlopen(req)
print(f"[{env}] Synced events")
except Exception as e:
print(f"[{env}] Sync events failed (non-fatal): {e}")
# Apply reconcile - name: Encrypt and upload setup keys
with open(f"state/{env}.json", "rb") as f: if: success()
state_data = f.read() env:
AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }}
run: |
KEYS=$(echo '${{ steps.reconcile.outputs.response }}' | jq -r '.created_keys // empty')
if [ -n "$KEYS" ] && [ "$KEYS" != "{}" ] && [ "$KEYS" != "null" ] && [ -n "$AGE_PUBLIC_KEY" ]; then
echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age
echo "Setup keys for ${{ matrix.env }} encrypted"
else
echo "No new keys created for ${{ matrix.env }}"
exit 0
fi
req = urllib.request.Request( - name: Upload artifact
f"{url}/reconcile", if: success()
data=state_data, uses: actions/upload-artifact@v4
method="POST", with:
headers={ name: setup-keys-${{ matrix.env }}
"Authorization": f"Bearer {token}", path: setup-keys-${{ matrix.env }}.age
"Content-Type": "application/json", if-no-files-found: ignore
},
)
try:
resp = urllib.request.urlopen(req)
data = json.loads(resp.read())
except Exception as e:
print(f"[{env}] Reconcile FAILED: {e}")
failed.append(env)
continue
status = data.get("status", "ok")
if status == "error":
print(f"[{env}] Reconcile returned error:")
print(json.dumps(data, indent=2))
failed.append(env)
continue
summary = data.get("summary", {})
print(f"[{env}] Reconcile OK: "
f"{summary.get('created',0)} created, "
f"{summary.get('updated',0)} updated, "
f"{summary.get('deleted',0)} deleted")
keys = data.get("created_keys", {})
if keys:
print(f"[{env}] Created setup keys: {list(keys.keys())}")
if failed:
print(f"\nFailed environments: {failed}")
sys.exit(1)
SCRIPT

23
state/test.json
View File

@ -12,21 +12,18 @@
"type": "one-off", "type": "one-off",
"expires_in": 604800, "expires_in": 604800,
"usage_limit": 1, "usage_limit": 1,
"auto_groups": ["ground-stations"], "auto_groups": [
"ground-stations"
],
"enrolled": false "enrolled": false
}, },
"Pilot-TestHawk-1": { "Pilot-TestHawk-1": {
"type": "one-off", "type": "one-off",
"expires_in": 604800, "expires_in": 604800,
"usage_limit": 1, "usage_limit": 1,
"auto_groups": ["pilots"], "auto_groups": [
"enrolled": false "pilots"
}, ],
"Pilot-Vlad-2": {
"type": "one-off",
"expires_in": 604800,
"usage_limit": 1,
"auto_groups": ["pilots"],
"enrolled": false "enrolled": false
} }
}, },
@ -34,8 +31,12 @@
"pilots-to-gs": { "pilots-to-gs": {
"description": "", "description": "",
"enabled": true, "enabled": true,
"sources": ["pilots"], "sources": [
"destinations": ["ground-stations"], "pilots"
],
"destinations": [
"ground-stations"
],
"bidirectional": true, "bidirectional": true,
"protocol": "all", "protocol": "all",
"action": "accept", "action": "accept",