Give Terraform CI tailnet access for the Proxmox provider
The bpg/proxmox provider has to reach london-a's API and node, which only live on the tailnet, during plan and apply. Add a setup-tailnet composite action (Tailscale via the CI OAuth client + the deploy SSH key in an agent) and use it in the terraform plan/apply and validate workflows. Pin the provider's node SSH address to london-a's Tailscale IP so it isn't reached via the API-reported LAN address.
parent
3e4297f3d6
commit
d2ec024e6a
4 changed files with 66 additions and 0 deletions
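--- a/.github/actions/setup-tailnet/action.yml
+++ b/.github/actions/setup-tailnet/action.yml
@@ -0,0 +1,35 @@
+name: Set up tailnet + SSH
+description: >-
+Join Tailscale and load the deploy SSH key into an agent, so tofu's Proxmox
+(bpg) provider can reach london-a's API and node over the tailnet.
+
+inputs:
+tailscale-client-id:
+required: true
+tailscale-audience:
+required: true
+ssh-private-key:
+required: true
+
+runs:
+using: composite
+steps:
+- name: Set up Tailscale
+uses: tailscale/github-action@v4
+with:
+oauth-client-id: ${{ inputs.tailscale-client-id }}
+audience: ${{ inputs.tailscale-audience }}
+tags: tag:ci
+
+- name: Load SSH key into agent
+shell: bash
+run: |
+mkdir -p ~/.ssh
+echo "${{ inputs.ssh-private-key }}" > ~/.ssh/id_ed25519
+chmod 600 ~/.ssh/id_ed25519
+eval "$(ssh-agent -s)"
+ssh-add ~/.ssh/id_ed25519
+# Persist the agent for later steps (bpg uses SSH_AUTH_SOCK).
+echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
+echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
+ssh-keyscan -H 100.122.180.98 >> ~/.ssh/known_hosts 2>/dev/null || true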
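Review bot: The `Load SSH key into agent` step leaves the deploy key on disk — it is written to `~/.ssh/id_ed25519`, added to the agent, and never deleted — and the secret is expanded straight into the script through `${{ inputs.ssh-private-key }}` instead of being passed via `env:`, which is the form GitHub recommends for secrets in `run:` blocks. Feeding the key to `ssh-add -` from an environment variable removes the file entirely (rewrite below). On the last line, `ssh-keyscan ... || true` fetches the host key afresh on every run, so known_hosts only ever trusts whatever answered at that moment; pinning the node's expected host public key (for example from a repository variable) would make host verification meaningful, and `tailscale/github-action@v4` is safer pinned to a commit SHA than to a moving major tag. The three `inputs` also carry no `description:`, e.g. `description: OAuth client ID of the CI Tailscale client (joins with tag:ci)`.
```yaml
- name: Load SSH key into agent
  shell: bash
  env:
    SSH_PRIVATE_KEY: ${{ inputs.ssh-private-key }}
  run: |
    mkdir -p ~/.ssh
    eval "$(ssh-agent -s)"
    # Key goes straight into the agent; nothing is written to disk.
    ssh-add - <<< "$SSH_PRIVATE_KEY"
    # … unchanged: export SSH_AUTH_SOCK / SSH_AGENT_PID to GITHUB_ENV …
    # … unchanged: known_hosts entry (see note on pinning the host key) …
```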
16
.github/workflows/terraform.yml
vendored
16
.github/workflows/terraform.yml
vendored
|
|
@ -34,6 +34,14 @@ jobs:
|
||||||
- name: Set backend credentials
|
- name: Set backend credentials
|
||||||
uses: ./.github/actions/tofu-backend-creds
|
uses: ./.github/actions/tofu-backend-creds
|
||||||
|
|
||||||
|
# Proxmox (bpg) provider reaches london-a over the tailnet.
|
||||||
|
- name: Set up tailnet + SSH
|
||||||
|
uses: ./.github/actions/setup-tailnet
|
||||||
|
with:
|
||||||
|
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
|
||||||
|
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
|
||||||
|
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
|
|
||||||
- name: tofu init
|
- name: tofu init
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
run: tofu init
|
run: tofu init
|
||||||
|
|
@ -69,6 +77,14 @@ jobs:
|
||||||
- name: Set backend credentials
|
- name: Set backend credentials
|
||||||
uses: ./.github/actions/tofu-backend-creds
|
uses: ./.github/actions/tofu-backend-creds
|
||||||
|
|
||||||
|
# Proxmox (bpg) provider reaches london-a over the tailnet.
|
||||||
|
- name: Set up tailnet + SSH
|
||||||
|
uses: ./.github/actions/setup-tailnet
|
||||||
|
with:
|
||||||
|
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
|
||||||
|
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
|
||||||
|
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
|
|
||||||
- name: tofu init
|
- name: tofu init
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
run: tofu init
|
run: tofu init
|
||||||
|
|
|
||||||
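Review bot: Both hunks (+34 and +77) hand the job the same root deploy key via `ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}`, so the plan job now holds the node-level credential that apply uses for the cloud-init upload. If plan only needs the Proxmox API, the key input could be made optional in the action and omitted for plan; if plan does need SSH, the plan job should be protected to the same degree as apply. Whether the bpg provider performs SSH during plan is not visible in this hunk, and the jobs' triggers and environment protection are outside it too, so this needs confirming against the full workflow.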
9
.github/workflows/validate-terraform.yml
vendored
9
.github/workflows/validate-terraform.yml
vendored
|
|
@ -61,6 +61,15 @@ jobs:
|
||||||
if: github.actor != 'dependabot[bot]'
|
if: github.actor != 'dependabot[bot]'
|
||||||
uses: ./.github/actions/tofu-backend-creds
|
uses: ./.github/actions/tofu-backend-creds
|
||||||
|
|
||||||
|
# Proxmox (bpg) provider reaches london-a over the tailnet during plan.
|
||||||
|
- name: Set up tailnet + SSH
|
||||||
|
if: github.actor != 'dependabot[bot]'
|
||||||
|
uses: ./.github/actions/setup-tailnet
|
||||||
|
with:
|
||||||
|
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
|
||||||
|
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
|
||||||
|
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
|
|
||||||
- name: tofu init
|
- name: tofu init
|
||||||
if: github.actor != 'dependabot[bot]'
|
if: github.actor != 'dependabot[bot]'
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
|
|
|
||||||
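Review bot: The new step reuses `if: github.actor != 'dependabot[bot]'` from the backend-creds step, which keys on the actor rather than on whether secrets are actually available; if this workflow also runs on `pull_request` from forks (the trigger is not in the hunk), `TAILSCALE_CLIENT_ID` and `SSH_PRIVATE_KEY` would be empty there and the Tailscale step would fail rather than be skipped. A guard on the head repository, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or hoisting the whole condition to the job level, would cover both cases and avoid repeating the expression on every step. The enclosing job starts before the hunk.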
|
|
@ -60,8 +60,14 @@ provider "proxmox" {
|
||||||
insecure = true # self-signed PVE cert
|
insecure = true # self-signed PVE cert
|
||||||
|
|
||||||
# Uploading the cloud-init snippet needs node-level access; SSH to root@london-a.
|
# Uploading the cloud-init snippet needs node-level access; SSH to root@london-a.
|
||||||
|
# Pin the node's SSH address to its Tailscale IP (the API-reported LAN IP isn't
|
||||||
|
# reachable from CI runners on the tailnet).
|
||||||
ssh {
|
ssh {
|
||||||
agent = true
|
agent = true
|
||||||
username = "root"
|
username = "root"
|
||||||
|
node {
|
||||||
|
name = "london-a"
|
||||||
|
address = "100.122.180.98"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
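Review bot: The `address = "100.122.180.98"` in the new `node` block is the same literal the setup-tailnet action keyscans into known_hosts, so the two copies can drift silently; a single source consumed by both (a `local`, e.g. `address = local.london_a_tailscale_ip`, or the node's MagicDNS name) would keep them in step. The pin only changes which address SSH uses — the API client in this same provider block still runs with `insecure = true` (context line, unchanged), so the Proxmox API certificate is not verified even now that it is reached over the tailnet, which the comment above `ssh {` could state if that is an accepted trade-off. The enclosing `provider "proxmox"` block starts before the hunk.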