diff --git a/.github/workflows/deploy-dependencies.yml b/.github/workflows/deploy-dependencies.yml
index 9fa690a3..ef3af9c0 100644
--- a/.github/workflows/deploy-dependencies.yml
+++ b/.github/workflows/deploy-dependencies.yml
@@ -11,7 +11,7 @@ on:
 options:
 - ""
 env:
- DEPENDENCIES_CHART_VERSION: "v1.9.12"
+ DEPENDENCIES_CHART_VERSION: "1.9.14"
 TRAEFIK_CHART_VERSION: "39.0.0"
 jobs:
 approve:
diff --git a/.github/workflows/deploy-opencrvs.yml b/.github/workflows/deploy-opencrvs.yml
index 0602c341..0a03feb1 100644
--- a/.github/workflows/deploy-opencrvs.yml
+++ b/.github/workflows/deploy-opencrvs.yml
@@ -16,11 +16,11 @@ on:
 core-image-tag:
 description: "Tag of the core image"
 required: true
- default: "v1.9.12"
+ default: "1.9.14"
 countryconfig-image-tag:
 description: "Tag of the countryconfig image"
 required: true
- default: "v1.9.12"
+ default: "1.9.14"
 data-seed-enabled:
 description: "Data seeding during deployment"
 required: false
@@ -36,7 +36,7 @@ on:
 env:
 # Assuming chart version matches core image tag
- OPENCRVS_CHART_VERSION: "v1.9.13"
+ OPENCRVS_CHART_VERSION: "1.9.14"
 jobs:
 approve:
 environment: ${{ inputs.environment }}
@@ -145,8 +145,8 @@ jobs:
 --atomic \
 --wait \
 --wait-for-jobs \
- --set platform.tag="$CORE_IMAGE_TAG" \
- --set countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \
+ --set-string platform.tag="$CORE_IMAGE_TAG" \
+ --set-string countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \
 --set countryconfig.image.name="$COUNTRYCONFIG_IMAGE_NAME" \
 --set data_seed.env.ACTIVATE_USERS="${{ vars.ACTIVATE_USERS || 'false' }}" \
 --set data_seed.enabled="${{ inputs.data-seed-enabled }}" \
diff --git a/.github/workflows/init-release.yml b/.github/workflows/init-release.yml
index f30c053c..a8a175bb 100644
--- a/.github/workflows/init-release.yml
+++ b/.github/workflows/init-release.yml
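Review bot: The `--set data_seed.env.ACTIVATE_USERS=...` line two lines below the new `--set-string` flags still goes through plain `--set`, which coerces `false` into a YAML boolean, and a container env `value` must be a string — so the type problem this hunk fixes for the image tags remains for that value unless the chart quotes it (the template is not in this diff). `--set-string data_seed.env.ACTIVATE_USERS="${{ vars.ACTIVATE_USERS || 'false' }}" \` keeps it a string; `data_seed.enabled` reads like a genuine chart toggle and can stay `--set`. Separately, the `-36` hunk hard-codes `OPENCRVS_CHART_VERSION: "1.9.14"` under a comment that assumes it matches the core image tag, while `core-image-tag` is an overridable input, so nothing visible enforces that assumption. The helm invocation continues outside the hunk.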
@@ -67,7 +67,7 @@ jobs:
 with:
 ref: ${{ steps.get_base_branch.outputs.base_branch }}
 fetch-depth: 0
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.INFRASTRUCTURE_WORKFLOW_TOKEN }}
 - name: Check if release branch already exists
 id: check_branch
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..2b9ba6d9
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# Changelog
+
+## 1.9.14 Release Candidate
+
+### Fixes
+
+- Improved internet connectivity checks by replacing ICMP ping with HTTPS endpoint validation and detailed diagnostics for restricted environments.
\ No newline at end of file
diff --git a/infrastructure/server-setup/tasks/k8s/ufw.yml b/infrastructure/server-setup/tasks/k8s/ufw.yml
index 1d98043a..334d1673 100644
--- a/infrastructure/server-setup/tasks/k8s/ufw.yml
+++ b/infrastructure/server-setup/tasks/k8s/ufw.yml
@@ -36,6 +36,8 @@
 - { port: 7946, proto: "udp" } # Used by some CNIs (e.g., Flannel, Weave)
 - { port: 8472, proto: "udp" } # VXLAN (Flannel/Calico; verify if needed)
 - { port: 4789, proto: "udp" } # VXLAN (Calico; verify if needed)
+ - { port: 179, proto: "tcp" } # BGP (Calico)
+ - { port: 179, proto: "udp" } # BGP (Calico)
 # Expose traefik on node port
 # Rules are required for internet facing load balancer (if exists)
 - { port: 30080, proto: "tcp" } # NodePort HTTP
diff --git a/scripts/bootstrap/node-runner.sh b/scripts/bootstrap/node-runner.sh
index a32184a4..1ee863f8 100644
--- a/scripts/bootstrap/node-runner.sh
+++ b/scripts/bootstrap/node-runner.sh
@@ -102,7 +102,7 @@ if [[ ! -f "runner.tar.gz" ]]; then
 fi
 echo "[+] Download URL: $RUNNER_LATEST_URL into folder $(pwd)"
- if ! curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz; then
+ if ! sudo -u $RUNAS_USER curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz; then
 echo "❌ Failed to download runner archive."
 exit 1
 fi
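Review bot: The PAT now supplied on the `token:` line will be persisted into the workspace's `.git/config` if this step is actions/checkout (the `ref`/`fetch-depth`/`token` inputs suggest so; the `uses:` line is outside the hunk), so every later step in the job can read a credential that is broader than `GITHUB_TOKEN`. If the PAT is there so that the pushed release branch triggers downstream workflows, as is commonly the reason for this swap, add `persist-credentials: false` here and hand the token explicitly to the step that pushes, and keep it a fine-grained token scoped to this repository. The motivation is otherwise invisible, so a comment on the line such as `# PAT instead of GITHUB_TOKEN so the pushed branch can trigger workflows` would help the next reader.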
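Review bot: The added `- { port: 179, proto: "udp" } # BGP (Calico)` opens a port BGP never uses: BGP runs over TCP only (RFC 4271), so the UDP rule is dead exposure and only the `tcp` line should stay. The new entries carry no source restriction as far as the hunk shows; if the loop item supports one, BGP peering should be limited to the cluster nodes' address range rather than any source. Like the neighbouring VXLAN entries, the comment should also say whether the CNI in use actually peers over BGP, e.g. `# BGP (Calico; only if BGP mode is enabled)`. The task that consumes these items starts outside the hunk.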
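Review bot: `sudo -u $RUNAS_USER curl ...` leaves `$RUNAS_USER` unquoted, and the same applies to the `tar` and `chown` lines in the `-111` hunk; `sudo -u "$RUNAS_USER" curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz` is the safe form. Running the download as the runner user also requires the current directory to be writable by that user already, while the `chown -R` only happens later in the `-111` hunk; if the directory is created by root earlier in the script (not visible here), this download now fails on permissions. The archive is still written and later extracted without any integrity check; if the release metadata behind `RUNNER_LATEST_URL` exposes a digest, compare it with `sha256sum` before the `tar xzf`. The enclosing `if [[ ! -f "runner.tar.gz" ]]` block begins before the hunk and its `else` branch lies outside it.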
@@ -111,9 +111,9 @@ else
 fi
 echo "[+] Extracting runner..."
-tar xzf runner.tar.gz
+sudo -u $RUNAS_USER tar xzf runner.tar.gz
 echo "[+] Setting permissions... `pwd`"
-chown -R $RUNAS_USER:$RUNAS_GROUP .
+sudo chown -R $RUNAS_USER:$RUNAS_GROUP .
 # --- GET REGISTRATION TOKEN ---
 echo "[+] Requesting registration token..."
 REG_TOKEN=$(curl -s -X POST \
@@ -133,7 +133,7 @@ sudo -u $RUNAS_USER ./config.sh \
 # --- SETUP SYSTEMD SERVICE ---
 echo "[+] Installing systemd service..."
-sudo ./svc.sh install
+sudo ./svc.sh install provision
 # Fix service to run as specific user/group
 SERVICE_FILE_PATH=$(ls /etc/systemd/system/actions.runner.*.service 2>/dev/null | head -n1)
diff --git a/scripts/bootstrap/opencrvs-bootstrap.sh b/scripts/bootstrap/opencrvs-bootstrap.sh
index f066df7a..049687eb 100644
--- a/scripts/bootstrap/opencrvs-bootstrap.sh
+++ b/scripts/bootstrap/opencrvs-bootstrap.sh
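Review bot: `sudo ./svc.sh install provision` hard-codes the service account as the literal `provision`, while every other step in this script (download, `tar`, `chown`, `./config.sh`) runs as `$RUNAS_USER`; if `svc.sh`'s positional argument is the run-as user, as it is in the upstream runner's `svc.sh install [USER]`, the two diverge whenever `RUNAS_USER` is set to anything else. Use `sudo ./svc.sh install "$RUNAS_USER"` so the unit is installed for the same account that owns the runner files, and the following "Fix service to run as specific user/group" edit of the unit file becomes a safety net rather than the only thing keeping them consistent. The `./config.sh` invocation named in the hunk header lies outside the hunk.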
@@ -69,12 +69,75 @@ check_ubuntu_version() {
 echo "Ubuntu version OK."
 }
+curl_check_url() {
+ local url="$1"
+ local http_code
+
+ http_code="$(curl \
+ --silent \
+ --location \
+ --head \
+ --retry 3 \
+ --retry-delay 2 \
+ --retry-all-errors \
+ --max-time 10 \
+ --output /dev/null \
+ --write-out "%{http_code}" \
+ "$url" || true)"
+
+ # 000 means curl could not connect / DNS failed / TLS failed / timed out.
+ if [ "$http_code" = "000" ]; then
+ return 1
+ fi
+
+ return 0
+}
 check_internet() {
- echo "Testing internet connectivity (ping google.com)..."
- if ! ping -c 2 google.com >/dev/null 2>&1; then
- abort "Internet connectivity failed (cannot reach google.com)"
+ local urls=(
+ "https://raw.githubusercontent.com/"
+ "https://get.helm.sh"
+ "https://pkgs.k8s.io"
+ "https://archive.ubuntu.com"
+ "https://changelogs.ubuntu.com"
+ "https://hub.docker.com"
+ "https://auth.docker.io"
+ "https://registry-1.docker.io"
+ "https://download.docker.com"
+ "https://sentry.io"
+ "https://fonts.gstatic.com"
+ "https://storage.googleapis.com"
+ "https://fonts.googleapis.com"
+ "https://github.com"
+ "https://acme-v02.api.letsencrypt.org"
+ "https://registry.npmjs.org"
+ "https://registry.yarnpkg.com"
+ "https://eu.ui-avatars.com"
+ )
+
+ local failed=0
+
+ echo "Testing outbound HTTPS connectivity..."
+ echo
+
+ printf "%-40s %-10s\n" "URL" "STATUS"
+ printf "%-40s %-10s\n" "----------------------------------------" "----------"
+
+ for url in "${urls[@]}"; do
+ if curl_check_url "$url"; then
+ printf "%-45s %-10s\n" "$url" "OK"
+ else
+ printf "%-45s %-10s\n" "$url" "FAILED"
+ failed=1
+ fi
+ done
+
+ echo
+
+ if [ "$failed" -ne 0 ]; then
+ abort "Internet connectivity check failed. Some required endpoints are unreachable."
 fi
+
 echo "Internet connectivity OK."
 }
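Review bot: `curl_check_url` returns success for every status except `000`, so an egress proxy or captive portal that answers `403` or `407` is reported as `OK` even though the endpoint is effectively blocked, which is precisely the restricted-environment case the changelog says this check is for. The code is already held in `http_code`; print it in the table so the operator sees `OK (403)` instead of a bare `OK`, and consider treating 4xx/5xx as a warning. The header rows also use `%-40s` while the data rows use `%-45s`, so the columns do not line up; pick one width. Both functions are complete within the hunk, and the first two context lines are the tail of `check_ubuntu_version`.
```shell
  # … unchanged: curl invocation that fills http_code …
  printf '%s' "$http_code"
  # 000 means curl could not connect / DNS failed / TLS failed / timed out.
  if [ "$http_code" = "000" ]; then
    return 1
  fi
  return 0

  # … unchanged: check_internet urls array and header printf lines (use %-45s for both) …
  for url in "${urls[@]}"; do
    if code="$(curl_check_url "$url")"; then
      printf "%-45s %-10s\n" "$url" "OK ($code)"
    else
      printf "%-45s %-10s\n" "$url" "FAILED"
      failed=1
    fi
  done
```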