feat: deploy NC01 Sub2API target
Pipelines as Code CI / hwlab-web-probe-sentinel-nc01- Success

This commit is contained in:
Codex
2026-07-09 13:16:58 +02:00
parent 21935e7319
commit 8347d5ed1b
17 changed files with 483 additions and 37 deletions
+45 -3
View File
@@ -24,6 +24,8 @@ export function statusScript(sub2api: Sub2ApiConfig, target: Sub2ApiTargetConfig
const externalPending = target.databaseMode === "external-pending";
const externalActive = target.databaseMode === "external-active";
const proxy = target.egressProxy?.enabled ? target.egressProxy : null;
const localHttps = target.publicExposure?.enabled === true && target.publicExposure.mode === "node-local-https" ? target.publicExposure.localHttps : null;
const localHttpsExposure = localHttps === null ? null : target.publicExposure;
const expectedProxyEnv = sub2ApiProxyEnv(target);
const cleanupPlan = managedResourceCleanupPlan(sub2api, target);
const appSecretName = sub2api.runtime.database.secretName;
@@ -52,6 +54,32 @@ capture_json cronjobs kubectl -n ${target.namespace} get cronjob -l app.kubernet
capture_json ingresses kubectl -n ${target.namespace} get ingress
capture_json quotas kubectl -n ${target.namespace} get resourcequota
capture_json limitranges kubectl -n ${target.namespace} get limitrange
local_https_rc=0
local_https_ps_rc=0
local_https_probe_rc=0
local_https_action="not-enabled"
local_https_ps=""
local_https_probe_url=""
if [ "${localHttps === null ? "false" : "true"}" = "true" ]; then
local_https_action="inspect"
local_https_ps="$(docker ps --filter ${localHttps === null ? "\"\"" : shQuote(`name=^/${localHttps.containerName}$`)} --format '{{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}' 2>"$tmp/local-https-ps.err" || true)"
if [ -n "$local_https_ps" ]; then local_https_ps_rc=0; else local_https_ps_rc=1; fi
printf '%s' "$local_https_ps" >"$tmp/local-https-ps.out"
local_https_probe_url=${localHttpsExposure === null ? "\"\"" : shQuote(`${localHttpsExposure.publicBaseUrl}/health`)}
curl --noproxy '*' -kfsS --connect-timeout 5 --max-time 20 --resolve ${localHttpsExposure === null || localHttps === null ? "\"\"" : shQuote(`${localHttpsExposure.dns.hostname}:${localHttps.httpsPort}:127.0.0.1`)} "$local_https_probe_url" >"$tmp/local-https-probe.out" 2>"$tmp/local-https-probe.err"
local_https_probe_rc=$?
if [ "$local_https_ps_rc" -ne 0 ] || [ "$local_https_probe_rc" -ne 0 ]; then local_https_rc=1; fi
else
: >"$tmp/local-https-ps.out"
: >"$tmp/local-https-ps.err"
: >"$tmp/local-https-probe.out"
: >"$tmp/local-https-probe.err"
fi
printf '%s' "$local_https_rc" >"$tmp/local-https.rc"
printf '%s' "$local_https_ps_rc" >"$tmp/local-https-ps.rc"
printf '%s' "$local_https_probe_rc" >"$tmp/local-https-probe.rc"
printf '%s' "$local_https_action" >"$tmp/local-https-action.txt"
printf '%s' "$local_https_probe_url" >"$tmp/local-https-probe-url.txt"
pod_name="$(kubectl -n ${target.namespace} get pod -l app.kubernetes.io/name=${serviceName},app.kubernetes.io/component=app -o jsonpath='{.items[0].metadata.name}' 2>"$tmp/pod-name.err" || true)"
printf '%s' "$pod_name" >"$tmp/pod-name.txt"
if [ -n "$pod_name" ]; then
@@ -90,10 +118,11 @@ def items(name):
return []
return data.get("items") or []
def text(name):
def text(name, limit=None):
path = os.path.join(tmp, name)
try:
return open(path, encoding="utf-8", errors="replace").read()
data = open(path, encoding="utf-8", errors="replace").read()
return data if limit is None else data[-limit:]
except FileNotFoundError:
return ""
@@ -383,7 +412,7 @@ else:
state_model_ok = local_postgres_present and sub2api_desired_aligned and redis_desired_aligned
status_label = "pending-external-db" if external_pending else "external-db-active" if external_active else "active"
payload = {
"ok": rc("ns") == 0 and workload_ready and image_aligned and url_allowlist_aligned and proxy_env_aligned and network_policy["ok"] and boundary["internalOnly"] and len(resource_violations) == 0 and boundary["resourceQuotaCount"] == 0 and boundary["limitRangeCount"] == 0 and secret_ok and state_model_ok,
"ok": rc("ns") == 0 and workload_ready and image_aligned and url_allowlist_aligned and proxy_env_aligned and network_policy["ok"] and boundary["internalOnly"] and len(resource_violations) == 0 and boundary["resourceQuotaCount"] == 0 and boundary["limitRangeCount"] == 0 and secret_ok and state_model_ok and rc("local-https") == 0,
"target": "${target.id}",
"route": "${target.route}",
"namespace": "${target.namespace}",
@@ -399,6 +428,19 @@ payload = {
"services": [service_summary(item) for item in services],
"pvcs": [pvc_summary(item) for item in pvcs],
"networkPolicy": network_policy,
"localHttpsExposure": {
"enabled": ${localHttps === null ? "False" : "True"},
"action": text("local-https-action.txt"),
"ok": rc("local-https") == 0,
"mode": ${localHttps === null ? "None" : JSON.stringify("node-local-docker-caddy")},
"publicBaseUrl": ${localHttpsExposure === null ? "None" : JSON.stringify(localHttpsExposure.publicBaseUrl)},
"hostname": ${localHttpsExposure === null ? "None" : JSON.stringify(localHttpsExposure.dns.hostname)},
"bind": ${localHttps === null ? "None" : JSON.stringify(`${localHttps.hostBind}:${localHttps.httpsPort}`)},
"containerName": ${localHttps === null ? "None" : JSON.stringify(localHttps.containerName)},
"ps": {"exitCode": rc("local-https-ps"), "stdout": text("local-https-ps.out"), "stderr": text("local-https-ps.err")},
"probe": {"exitCode": rc("local-https-probe"), "url": text("local-https-probe-url.txt"), "stdout": text("local-https-probe.out", 2000), "stderr": text("local-https-probe.err", 2000)},
"valuesPrinted": False,
},
"secret": {
"name": "${appSecretName}",
"exists": rc("secrets") == 0,