fuj-management/.gitea/workflows/kubernetes-deploy.yaml
Jan Novak 9769769c2c
ci: add debug output to Kanidm token exchange step
Capture HTTP status code and full response body separately so failures
show the actual error from the server instead of silently dying.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 23:39:00 +01:00


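# Gitea Actions workflow: fetch a Kanidm API token from Vault (AppRole),
# exchange it for a Kubernetes OIDC id_token via Kanidm, then run kubectl
# against the cluster with that token.
#
# Secret handling rules followed below:
#   - secrets reach shell steps through `env:`, never by interpolating
#     `${{ secrets.* }}` into the script text;
#   - every derived token is `::add-mask::`-ed before anything that could
#     echo it, and no raw HTTP response is printed while it may hold a token;
#   - `set -x` is not used, it would trace the X-Vault-Token header.
name: Deploy to K8s
on:
  workflow_dispatch:
  push:
    branches:
      - '**'
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install kubectl
        run: |
          set -euo pipefail
          curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          install kubectl /usr/local/bin/

      - name: Get Kanidm token from Vault
        id: vault
        env:
          VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
          VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
        run: |
          set -euo pipefail
          # Build the login payload with jq so the credential values are
          # JSON-escaped instead of spliced into a string literal.
          VAULT_AUTH_RESPONSE=$(curl -sSf --request POST \
            --data "$(jq -n --arg r "$VAULT_ROLE_ID" --arg s "$VAULT_SECRET_ID" '{role_id: $r, secret_id: $s}')" \
            https://vault.hrajfrisbee.cz/v1/auth/approle/login)
          VAULT_TOKEN=$(echo "$VAULT_AUTH_RESPONSE" | jq -r '.auth.client_token // empty')
          if [ -z "$VAULT_TOKEN" ]; then
            # A response without a client_token carries no secret, so it can be shown.
            echo "::error::Vault AppRole login returned no client_token"
            echo "$VAULT_AUTH_RESPONSE" >&2
            exit 1
          fi
          echo "::add-mask::${VAULT_TOKEN}"
          # Read the kanidm API token (KV v2: payload is under .data.data)
          SECRET_RESPONSE=$(curl -sSf \
            -H "X-Vault-Token: ${VAULT_TOKEN}" \
            https://vault.hrajfrisbee.cz/v1/secret/data/gitea/gitea-ci)
          API_TOKEN=$(echo "$SECRET_RESPONSE" | jq -r '.data.data.token // empty')
          if [ -z "$API_TOKEN" ]; then
            # Show only the metadata; .data.data may hold other secret fields.
            echo "::error::Vault secret gitea/gitea-ci has no .data.data.token"
            echo "$SECRET_RESPONSE" | jq 'del(.data.data)' >&2 || true
            exit 1
          fi
          echo "::add-mask::${API_TOKEN}"
          echo "api_token=${API_TOKEN}" >> "$GITHUB_OUTPUT"

      - name: Exchange for K8s OIDC token via Kanidm
        id: k8s
        env:
          API_TOKEN: ${{ steps.vault.outputs.api_token }}
        run: |
          set -euo pipefail
          # Log the length only; even a prefix of the token is secret material.
          echo "api_token length: ${#API_TOKEN}" >&2
          HTTP_BODY=$(mktemp)
          # On success the body holds the issued tokens; remove it when the step ends.
          trap 'rm -f "$HTTP_BODY"' EXIT
          # -sS without -f on purpose: an HTTP error must not abort here,
          # the status and body are inspected below.
          HTTP_STATUS=$(curl -sS -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
            -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
            -d "client_id=k8s" \
            --data-urlencode "subject_token=${API_TOKEN}" \
            -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
            -d "audience=k8s" \
            --data-urlencode "scope=openid groups" \
            -o "$HTTP_BODY" -w "%{http_code}")
          echo "HTTP status: $HTTP_STATUS" >&2
          ID_TOKEN=$(jq -r '.id_token // empty' "$HTTP_BODY" 2>/dev/null || true)
          if [ -z "$ID_TOKEN" ]; then
            # A failed exchange issues no tokens, so the full body is safe to
            # print and is exactly the server-side error we want to see.
            echo "::error::Kanidm token exchange failed (HTTP $HTTP_STATUS)"
            echo "Response body:" >&2
            cat "$HTTP_BODY" >&2
            exit 1
          fi
          echo "::add-mask::${ID_TOKEN}"
          echo "id_token=${ID_TOKEN}" >> "$GITHUB_OUTPUT"
          # Sanity check: decode the JWT payload (base64url, unpadded) and show
          # the non-secret claims only. Never fails the step.
          echo "$ID_TOKEN" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null | jq '{sub, groups, exp}' || true

      - name: Configure kubectl & deploy
        env:
          K8S_CA_CERT: ${{ secrets.K8S_CA_CERT }}
          ID_TOKEN: ${{ steps.k8s.outputs.id_token }}
        run: |
          set -euo pipefail
          printf '%s\n' "$K8S_CA_CERT" > /tmp/ca.crt
          # The CA file pins the API server; --insecure-skip-tls-verify is
          # mutually exclusive with it (kubectl rejects the pair) and would
          # discard the pinning anyway, so TLS is verified.
          kubectl config set-cluster mycluster \
            --server=https://192.168.0.31:6443 \
            --certificate-authority=/tmp/ca.crt \
            --embed-certs=true
          kubectl config set-credentials gitea-ci \
            --token="$ID_TOKEN"
          kubectl config set-context gitea-ci \
            --cluster=mycluster --user=gitea-ci
          kubectl config use-context gitea-ci
          kubectl auth whoami
          kubectl get ns
          # your deploy here
          # kubectl apply -f k8s/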
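Review bot: The debug output in the `k8s` step prints the whole response (`cat "$HTTP_BODY" >&2`) before `::add-mask::` runs, so on a successful exchange the id_token, and any other token in that body, is written to the job log unmasked; the `vault` step has the same problem where `Vault auth response` and `Secret response` are echoed before masking, and its `set -x` additionally traces the `X-Vault-Token` header, which is never masked at all. Print the body only in the failure branch, where it carries no token and is exactly the server error this commit wants to surface, mask `VAULT_TOKEN` as soon as it is extracted, and drop `-x`. The `api_token prefix (first 8 chars)` line should go as well; log the length only. Separately, the deploy step passes both `--certificate-authority` and `--insecure-skip-tls-verify=true` to `kubectl config set-cluster`, which as far as I can tell kubectl refuses as a pair, and the insecure flag would discard the CA pinning anyway, so drop `--insecure-skip-tls-verify=true`.
```yaml
          # … unchanged: curl token-exchange call writing $HTTP_BODY and HTTP_STATUS …
          ID_TOKEN=$(jq -r '.id_token // empty' "$HTTP_BODY" 2>/dev/null || true)
          if [ -z "$ID_TOKEN" ]; then
            # failed exchange: body holds no token, safe to show
            echo "::error::Kanidm token exchange failed (HTTP $HTTP_STATUS)"
            cat "$HTTP_BODY" >&2
            exit 1
          fi
          echo "::add-mask::${ID_TOKEN}"
          rm -f "$HTTP_BODY"
          # … unchanged: GITHUB_OUTPUT write and sanity check …
```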