Kubernetes on Jackson's Computing Corner/tags/kubernetes/Recent content in Kubernetes on Jackson's Computing CornerHugo -- gohugo.ioen© 2024 Jackson PyrahSat, 20 Dec 2025 17:26:25 -0700CI/CD basics - deploying a containerized static website automatically with GitHub Actions and Kubernetes/posts/blog-cicd/Sat, 20 Dec 2025 17:26:25 -0700/posts/blog-cicd/As part of my ongoing effort to improve my DevOps skillset, I decided to re-architect how this blog was deployed. Previously, I had simply pushed the static site files to a GitHub respository and manually pulled down the new files to a webserver whenever I made an update to the site. For starters, I wanted to develop a workflow which would automatically deploy the website when I git push to my remote repository.<p>As part of my ongoing effort to improve my DevOps skillset, I decided to re-architect how this blog was deployed.</p> <p>Previously, I had simply pushed the static site files to a GitHub respository and manually pulled down the new files to a webserver whenever I made an update to the site. For starters, I wanted to develop a workflow which would automatically deploy the website when I <code>git push</code> to my remote repository. For sake of learning, I decided to re-model the entire deployment after an enterprise Kubernetes application. The new deployment pipeline looks like this:</p> <ol> <li>New changes to Hugo source files are pushed to a GitHub remote respository (no compiled static files are commited, we will build the website with Hugo later).</li> <li>A GitHub actions workflow runs with two parts:</li> </ol> <ul> <li>Running Hugo to compile the source markdown files into HTML/CSS, and packaging the resulting static files into a container image with a webserver (Nginx, in this case).</li> <li>Issuing a command to the Kubernetes cluster which runs the webserver application to update the application with the latest container image.</li> </ul> <p>In this blogpost, I&rsquo;ll be detailing how you can implement a similar pipeline in your own projects.</p> <h1 id="first-steps-creating-the-dockerfile">First steps: creating the Dockerfile</h1> <p>The first thing we need is a Dockerfile for building a complete, self-contained web server image that contains the exact content of our static site. Most major webservers provide an officially supported container image for this purpose. Here I have a sample Dockerfile that uses an Nginx container, but the process for most webservers will likely be similar.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-Dockerfile" data-lang="Dockerfile"><span style="display:flex;"><span><span style="color:#66d9ef">FROM</span><span style="color:#e6db74"> nginx:alpine</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span><span style="color:#66d9ef">COPY</span> ./public /usr/share/nginx/html<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span><span style="color:#66d9ef">EXPOSE</span><span style="color:#e6db74"> 80</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span><span style="color:#66d9ef">CMD</span> [<span style="color:#e6db74">&#34;nginx&#34;</span>, <span style="color:#e6db74">&#34;-g&#34;</span>, <span style="color:#e6db74">&#34;daemon off;&#34;</span>]<span style="color:#960050;background-color:#1e0010"> </span></span></span></code></pre></div><p>Whenever you run <code>hugo</code> to build a site, the resulting output files are put in the <code>public</code> top-level directory of your project. We simply <code>COPY</code> the files into the directory that the Nginx container is configured by default to serve.</p> <p>In this instance, I&rsquo;m setting up the container to only serve HTTP traffic, as the server itself will sit behind a reverse proxy I have running on my Kubernetes node to handle HTTPS.</p> <h1 id="configuring-github-actions-to-build-the-site-upon-commit">Configuring GitHub actions to build the site upon commit</h1> <p>Next, we need to create some GitHub actions YAML to instruct the site to be built whenever we push with commits to the <code>master</code> branch. Create a new YAML file in the <code>.github/workflows</code> directory of your repository. In this case it&rsquo;s simply `build-image.yml'.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-YAML" data-lang="YAML"><span style="display:flex;"><span><span style="color:#f92672">name</span>: <span style="color:#ae81ff">Build and push static site container image</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">on</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">push</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">branches</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">master</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">paths-ignore</span>: <span style="color:#75715e"># If the only changed files are those that don&#39;t have anything to do with the site or build process, don&#39;t run the workflow&#34;</span> </span></span><span style="display:flex;"><span> - <span style="color:#e6db74">&#34;.gitignore&#34;</span> </span></span><span style="display:flex;"><span> - <span style="color:#e6db74">&#34;README.md&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">REGISTRY</span>: <span style="color:#ae81ff">ghcr.io</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">IMAGE_NAME</span>: <span style="color:#ae81ff">${{ github.repository }}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">jobs</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">build-and-push</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">runs-on</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">permissions</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">contents</span>: <span style="color:#ae81ff">read</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">packages</span>: <span style="color:#ae81ff">write</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Checkout repository</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/checkout@v4</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Setup Hugo</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Setup hugo</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">peaceiris/actions-hugo@v3</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">hugo-version</span>: <span style="color:#e6db74">&#34;0.131.0&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">extended</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Build the Site</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Build site with Hugo</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">hugo --minify</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ./public directory with built site should now exist on the runner</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Login to container registry</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">docker/login-action@v3</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">registry</span>: <span style="color:#ae81ff">${{ env.REGISTRY }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">username</span>: <span style="color:#ae81ff">${{ github.actor }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">password</span>: <span style="color:#ae81ff">${{ secrets.GITHUB_TOKEN }}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Set up Docker Buildx</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">docker/setup-buildx-action@v3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Extract metadata (tags, labels) for Docker</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">id</span>: <span style="color:#ae81ff">meta</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">docker/metadata-action@v5</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">images</span>: <span style="color:#ae81ff">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> type=raw,value=latest </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> type=sha,format=short</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Build and push Docker image</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">docker/build-push-action@v5</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">context</span>: <span style="color:#ae81ff">.</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">push</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">${{ steps.meta.outputs.tags }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: <span style="color:#ae81ff">${{ steps.meta.outputs.labels }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">platforms</span>: <span style="color:#ae81ff">linux/arm64,linux/amd64</span> </span></span></code></pre></div><p>This file is fairly easy to follow along with to explain the process. We tell our GH Actions runner to checkout our repository, use Hugo to build the site, and then have Docker build and push the image to the container registry according to the instructions in our Dockerfile.</p> <p>Later, we will be adding an additional job to this workflow for automatically updating the site - but for now we will commit this workflow as is and get our first container image published to the container registry.</p> <h1 id="kubernetes-configuration">Kubernetes configuration</h1> <p>Now we configure our deployment. For the sake of this tutorial, I&rsquo;ll assume you already have a working Kubernetes cluster. In my case I&rsquo;m using a simple single-node cluster I installed on an Oracle Cloud VM. Let&rsquo;s create a new manfiest for a deployment and associated service.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-YAML" data-lang="YAML"><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#75715e"># Blog web server deployment manifest</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">apps/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">Deployment</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">blogserver-deployment</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">app</span>: <span style="color:#ae81ff">blogserver</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">selector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchLabels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">app</span>: <span style="color:#ae81ff">blogserver</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">template</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">app</span>: <span style="color:#ae81ff">blogserver</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">imagePullSecrets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">ghcr-secret</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">containers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">blogserver-nginx</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">image</span>: <span style="color:#ae81ff">ghcr.io/nuclearpine/blog:latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">imagePullPolicy</span>: <span style="color:#ae81ff">Always</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ports</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">containerPort</span>: <span style="color:#ae81ff">80</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#75715e"># Service manifest</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">Service</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">blogserver-service</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">selector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">app</span>: <span style="color:#ae81ff">blogserver</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ports</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">protocol</span>: <span style="color:#ae81ff">TCP</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">port</span>: <span style="color:#ae81ff">80</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">targetPort</span>: <span style="color:#ae81ff">80</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">nodePort</span>: <span style="color:#ae81ff">30081</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">NodePort</span> </span></span></code></pre></div><p>You can take this sample manifest and adjust it for your needs. Just change <code>spec.template.spec.containers</code> appropriately. I opt for a <code>NodePort</code> service as this is a single-node cluster.</p> <p>I also created a <code>docker-registry</code> secret with information needed to login to GHCR, but this is optional if your repository is public. Logging in may help avoid things like rate-limits, however. If you want to do this, just make a secret like this with your GitHub credentials.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-Bash" data-lang="Bash"><span style="display:flex;"><span>kubectl create secret docker-registry ghcr-secret <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --docker-server<span style="color:#f92672">=</span>ghcr.io <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --docker-username<span style="color:#f92672">=</span>YOUR_GITHUB_USERNAME <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --docker-password<span style="color:#f92672">=</span>YOUR_PERSONAL_AUTHENTICATION_TOKEN <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --docker-email<span style="color:#f92672">=</span>YOUR_EMAIL <span style="color:#75715e"># You can use a fake email here, as this is mostly a legacy syntax feature, and does not affect your ability to log in to GHCR</span> </span></span></code></pre></div><p>Now that the manifests are ready, go ahead and run a <code>kubectl apply -f my-manifest.yml</code> and your website should now be live!</p> <h1 id="enabling-automatic-site-updates">Enabling automatic site updates</h1> <p>Our last step is to set up a mechanism for automatically deploying a new version of our website when one becomes available. There are a couple approaches I could have taken here. I first considered the <a href="https://keel.sh/">Keel</a> Kubernetes operator. This is probably the cleanest solution, but unfortunately Keel does not appear to offer ARM compatible images. I decided to take a push based approached, with GitHub actions connecting to my K8s node over SSH and running a specific <code>kubectl</code> command to update the image. As we set <code>imagePullPolicy: always</code> in our K8s manifest, our cluster will always deploy the latest available version of the website whenever a new pod is created, so we can automate this entire process by simply automating a way to call <code>kubectl rollout restart deployment/your_deployment</code> whenever we build a new version of the site.</p> <p>Add a new job to the <code>jobs</code> section of our <code>build-image.yml</code> GH Actions workflow:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-YAML" data-lang="YAML"><span style="display:flex;"><span> <span style="color:#f92672">deploy</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">needs</span>: <span style="color:#ae81ff">build-and-push</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">runs-on</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Connect to Tailnet</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">tailscale/github-action@v4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">oauth-client-id</span>: <span style="color:#ae81ff">${{ secrets.TS_OAUTH_CLIENT_ID }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">oauth-secret</span>: <span style="color:#ae81ff">${{ secrets.TS_OAUTH_SECRET }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">tag:ci</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ping</span>: <span style="color:#ae81ff">${{ secrets.SERVER_SSH_HOST }}</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Trigger kubernetes rollout via SSH</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">id</span>: <span style="color:#ae81ff">ssh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">appleboy/ssh-action@v1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">host</span>: <span style="color:#ae81ff">${{ secrets.SERVER_SSH_HOST }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">username</span>: <span style="color:#ae81ff">${{ secrets.SERVER_SSH_USERNAME }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">key</span>: <span style="color:#ae81ff">${{ secrets.SSH_PRIVATE_KEY }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">fingerprint</span>: <span style="color:#ae81ff">${{ secrets.SERVER_SSH_FINGERPRINT }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">capture_stdout</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">script</span>: <span style="color:#ae81ff">sudo /usr/local/bin/k0s kubectl rollout restart deployment/blogserver-deployment</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Print captured output from SSH</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">echo &#34;SSH output was; ${{ steps.ssh.outputs.stdout }}&#34;</span> </span></span></code></pre></div><p>To avoid exposing SSH publicy on my node, I connect the GH actions runner to my <a href="https://tailscale.com">Tailscale</a> mesh network with the GH actions runner the Tailscale team has conveniently provided. Then I use the <code>appleboy/ssh-action</code> runner to connect to my K8s node over SSH and execute <code>kubectl rollout</code></p> <h1 id="wrapping-up">Wrapping up</h1> <p>At this point, we&rsquo;re all done! Now you&rsquo;re just a <code>git push</code> away from automatically updating content on your static site. This whole solution is quite overkill for the task at hand - using a serverless solution like GitHub pages or Cloudflare pages is probably more pratical and simpler to implement for just hosting a static website. However, this basic deployment pipeline can be ported to a variety of applications you might want to run on kubernetes, and mimics a common type of deployment workflow you might find in enterprise environments.</p> <p>Thanks for reading!</p>