infra

Infra tooling for Load

Reusable Build/Deploy Workflow

This repository exposes a reusable GitHub Actions workflow that service repositories can call to build their container image, push it to the registry, and recycle running pods so the new image is pulled automatically.

• Workflow file: .github/workflows/reusable-build-redeploy.yml
• Trigger: workflow_call

Inputs

Input	Required	Description
image_name	✅	Image name/tag without registry host (host added automatically)
build_context		Docker build context (default .)
dockerfile		Path to Dockerfile (default Dockerfile)
publish_latest		Push :latest tag in addition to :${{ github.sha }} (default true)
build_image		Toggle building/pushing the container image (default true)
use_local_docker		Use the runner's Docker daemon (default true)
registry_insecure_http		Toggle HTTP registry login/build (default true)
local_registry_host		Host:port used when use_local_docker=true (default 127.0.0.1:5000)
remote_registry_host		Host:port used when use_local_docker=false (default cr.load.network:7000)
skip_tunnel		Set to true when the kube API is already reachable (no SSH tunnel needed)
wait_for_pods		Controls whether the workflow waits for pods to reach Ready (default true)
upgrade_k8s		Apply manifests from the manifests directory (default true)
k8s_manifest_dir		Directory scanned when upgrade_k8s=true (default ./k8s); detects Kustomize files automatically
runner_labels		JSON array of runner labels (default ["ubuntu-latest"]; overridden when cluster_ref is set and runner_labels exist in clusters.yml)
kube_namespace		Namespace containing the service pods (default default)
pod_selector	✅	Label selector for pods to recycle (e.g. app=my-service)
INFRA_REPO_TOKEN (secret)		Personal access token with repo scope so the workflow can pull shared scripts from loadnetwork/infra

Required Secrets

The calling workflow must map these secrets when invoking the template:

• REGISTRY_USERNAME, REGISTRY_PASSWORD
• MAIN_CLUSTER_USERNAME, MAIN_CLUSTER_PWD, MAIN_CLUSTER_HOST, MAIN_CLUSTER_CTX

Example Usage

name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    uses: decentland/infra-load/.github/workflows/reusable-build-redeploy.yml@main
    with:
      image_name: my-service
      pod_selector: app=my-service
      kube_namespace: default
      skip_tunnel: true
      wait_for_pods: false
      upgrade_k8s: true
      use_local_docker: true
      runner_labels: '["self-hosted","linux"]'
    secrets:
      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
      MAIN_CLUSTER_USERNAME: ${{ secrets.MAIN_CLUSTER_USERNAME }}
      MAIN_CLUSTER_PWD: ${{ secrets.MAIN_CLUSTER_PWD }}
      MAIN_CLUSTER_HOST: ${{ secrets.MAIN_CLUSTER_HOST }}
      MAIN_CLUSTER_CTX: ${{ secrets.MAIN_CLUSTER_CTX }}
      INFRA_REPO_TOKEN: ${{ secrets.INFRA_REPO_TOKEN }}

When build_image=true (default) the job builds the image, pushes it with :${{ github.sha }} (and optionally :latest), checks out the shared infra tooling (scripts/tools.sh, scripts/configure-kube.sh), connects to the cluster, applies manifests from the configured directory when upgrade_k8s=true, recycles pods matching the selector, and waits for new pods to become Ready as requested.

For GitOps-only repos or config tweaks, set build_image: false to skip the Docker steps. Use k8s_manifest_dir to target a different manifest folder when upgrade_k8s is enabled. If any subdirectory contains a kustomization.yaml/kustomization.yml, the workflow invokes kubectl apply -k for that overlay before applying standalone manifests.

⚠️ Note: HTTP registries expose credentials in clear text. Prefer enabling TLS; use registry_insecure_http: true only when you control the network path (or when running on a self-hosted runner configured for that registry).

For a remote HTTPS-enabled registry, override the relevant flags:

with:
  image_name: my-service
  use_local_docker: false
  registry_insecure_http: false
  skip_tunnel: false
  runner_labels: '["ubuntu-latest"]'

Registry Options

When use_local_docker=true, the workflow pushes to ${{ inputs.local_registry_host }}/image_name using the runner's Docker daemon. Defaults assume a registry at 127.0.0.1:5000 on the host.

When use_local_docker=false, it pushes to ${{ inputs.remote_registry_host }}/image_name via Buildx (defaults to cr.load.network:7000). For HTTPS registries, set registry_insecure_http: false. If the runner is outside the cluster, set skip_tunnel: false so configure-kube.sh establishes the SSH tunnel.

Demo Workflow

This repository also includes .github/workflows/demo-reusable.yml, a triggerable example that builds a simple image from hello-world.dockerfile, pushes it to cr.load.network:7000/infra-demo, and invokes the reusable workflow. It accepts namespace and pod-selector inputs so you can point it at any test deployment.

Utility Scripts

scripts/create-secret-from-env.sh

• Wraps kubectl create secret generic to build a Kubernetes secret from a dotenv file and apply it to the cluster.
• Usage: ./scripts/create-secret-from-env.sh path/to/.env SECRET_NAME [namespace]; defaults to .env and the business namespace.
• Validates that the dotenv file exists and that a secret name was provided before continuing.
• Pipes the generated manifest through kubectl apply -f -, so rerunning the script updates an existing secret in place.
• Requires kubectl to be authenticated against the target cluster/namespace; each non-empty line in the dotenv file is added to the secret as a key/value pair.