fix(ci): split website production deploy by target cluster

Read production kubeconfigs via Bob/Seguro in reusable website workflow and add RU/EU entrypoints.
Render website ingress, tuf-router ingress, and certificate separately for ru and eu targets while rejecting invalid production targetCluster values.

Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>

Author: odiora

.github/workflows/_website_converge.yml

@@ -0,0 +1,124 @@
+name: Converge website production
+on:
+  workflow_call:
+    inputs:
+      jobName:
+        required: true
+        type: string
+      targetCluster:
+        required: true
+        type: string
+      kubeConfigSecretPath:
+        required: true
+        type: string
+      runner:
+        required: false
+        default: prod-github-runner-0
+        type: string
+    outputs:
+      KUBECONFIG_BASE64_PRODUCTION:
+        value: ${{ jobs.converge.outputs.kubeconfig_base64 }}
+
+env:
+  WERF_REPO: "ghcr.io/${{ github.repository_owner }}/trdl"
+
+jobs:
+  converge:
+    name: ${{ inputs.jobName }}
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    outputs:
+      kubeconfig_base64: ${{ steps.kubeconfig.outputs.kubeconfig_base64 }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install werf
+        uses: werf/actions/install@v2
+
+      - name: Authenticate in Seguro
+        id: vault
+        run: |
+          set -euo pipefail
+
+          audience="github-access-aud"
+          id_token_response="$(curl -fsSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${audience}")"
+          id_token="$(printf '%s' "$id_token_response" | jq -r '.value')"
+
+          if [[ -z "$id_token" || "$id_token" == "null" ]]; then
+            echo "GitHub OIDC token is empty" >&2
+            exit 1
+          fi
+
+          vault_response="$(curl -fsSL -X POST "https://seguro.flant.com/v1/auth/github/login" -H "Content-Type: application/json" -d "$(jq -nc --arg role "werf-web" --arg jwt "$id_token" '{role: $role, jwt: $jwt}')")"
+          vault_token="$(printf '%s' "$vault_response" | jq -r '.auth.client_token')"
+
+          if [[ -z "$vault_token" || "$vault_token" == "null" ]]; then
+            echo "Seguro token is empty" >&2
+            exit 1
+          fi
+
+          echo "::add-mask::$vault_token"
+          echo "vault_token=$vault_token" >> "$GITHUB_OUTPUT"
+
+      - name: Read and normalize kubeconfig from Bob
+        id: kubeconfig
+        run: |
+          set -euo pipefail
+
+          response="$(curl -fsSL -H "X-Vault-Token: ${{ steps.vault.outputs.vault_token }}" "https://seguro.flant.com/v1/${{ inputs.kubeConfigSecretPath }}")"
+          secret_value="$(printf '%s' "$response" | jq -r '.data.data["kube.config"]')"
+
+          if [[ -z "$secret_value" || "$secret_value" == "null" ]]; then
+            echo "Bob kubeconfig secret is empty" >&2
+            exit 1
+          fi
+
+          if printf '%s' "$secret_value" | base64 -d >/tmp/kubeconfig-decoded 2>/dev/null && grep -q '^apiVersion:' /tmp/kubeconfig-decoded; then
+            kubeconfig_base64="$secret_value"
+          else
+            kubeconfig_base64="$(printf '%s' "$secret_value" | base64 | tr -d '\n')"
+          fi
+
+          echo "::add-mask::$kubeconfig_base64"
+          echo "kubeconfig_base64=$kubeconfig_base64" >> "$GITHUB_OUTPUT"
+
+      - name: Converge
+        run: |
+          werf_env_file="$(werf ci-env github --as-file)"
+          . "$werf_env_file"
+          werf converge --set global.targetCluster=${{ inputs.targetCluster }}
+        env:
+          WERF_DIR: "docs"
+          WERF_ENV: "production"
+          WERF_KUBE_CONFIG_BASE64: ${{ steps.kubeconfig.outputs.kubeconfig_base64 }}
+          KUBECONFIG_BASE64_PRODUCTION: ${{ steps.kubeconfig.outputs.kubeconfig_base64 }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Summary
+        run: |
+          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
+          ## ${{ inputs.jobName }}
+
+          - Event: ${{ github.event_name }}
+          - Target cluster mode: ${{ inputs.targetCluster }}
+          - Seguro role: werf-web
+          - Secret path: ${{ inputs.kubeConfigSecretPath }}
+          - Secret field used: kube.config
+          - Helm switch: global.targetCluster=${{ inputs.targetCluster }}
+          EOF
+
+  notification:
+    name: Notification
+    if: false
+    needs: converge
+    uses: werf/common-ci/.github/workflows/notification.yml@main
+    secrets:
+      loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
+      webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+      notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}

.github/workflows/website_converge.yml

@@ -0,0 +1,23 @@
+name: Converge website EU
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/_website_converge.yml"
+      - ".github/workflows/website_converge_eu.yml"
+      - "docs/**"
+  workflow_dispatch:
+
+jobs:
+  converge:
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    uses: ./.github/workflows/_website_converge.yml
+    secrets: inherit
+    with:
+      jobName: Converge site to Production EU
+      targetCluster: eu
+      runner: prod-github-runner-0
+      kubeConfigSecretPath: projects/data/b454e6aa-39f0-45f4-aa7c-a9465ab154cb/KUBE_CONFIG

.github/workflows/website_converge_eu.yml

@@ -0,0 +1,23 @@
+name: Converge website RU
+on:
+  push:
+    branches: [fix/ci/split-website-production-deploy]
+    paths:
+      - ".github/workflows/_website_converge.yml"
+      - ".github/workflows/website_converge_ru.yml"
+      - "docs/**"
+  workflow_dispatch:
+
+jobs:
+  converge:
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    uses: ./.github/workflows/_website_converge.yml
+    secrets: inherit
+    with:
+      jobName: Converge site to Production RU
+      targetCluster: ru
+      runner: prod-github-runner-0
+      kubeConfigSecretPath: projects/data/b454e6aa-39f0-45f4-aa7c-a9465ab154cb/KUBE_CONFIG_RU

.github/workflows/website_converge_ru.yml

@@ -1,31 +1,39 @@
-{{- $host := pluck .Values.werf.env .Values.host | first | default .Values.host._default  }}
-{{- if  hasPrefix "review" .Values.werf.env }}
-{{- $host = ( printf "%s.%s" .Values.werf.env (pluck "dev" .Values.host | first | default .Values.host._default ) | lower ) }}
+{{- $env := .Values.werf.env }}
+{{- $host := pluck $env .Values.host | first | default .Values.host._default }}
+{{- if hasPrefix "review" $env }}
+{{- $host = ( printf "%s.%s" $env (pluck "dev" .Values.host | first | default .Values.host._default ) | lower ) }}
 {{- end }}
 {{- $ingressClassName := pluck .Values.global.env .Values.ingressClassName | first | default .Values.ingressClassName._default | quote }}
-
+{{- $targetCluster := include "targetCluster" . | trim }}
+{{- $isProduction := eq .Values.global.env "production" }}
+{{- $ruHost := include "ruHost" $host | trim }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: tuf-router
-  annotations:
 spec:
   ingressClassName: {{ $ingressClassName }}
   tls:
   - hosts:
-      - {{ $host }}
-{{- if eq .Values.global.env "production" }}
-      - ru.{{ $host }}
+{{- if $isProduction }}
+{{- if eq $targetCluster "ru" }}
+      - {{ $ruHost }}
 {{- else }}
-      - ru-{{ $host }}
+      - {{ $host }}
 {{- end }}
-{{- if eq .Values.global.env "production" }}
     secretName: tls-{{ $host }}
 {{- else }}
+      - {{ $host }}
+      - ru-{{ $host }}
     secretName: {{ pluck .Values.global.env .Values.ingressSecretName | first | default .Values.ingressSecretName._default }}
 {{- end }}
   rules:
+{{- if $isProduction }}
+{{- if eq $targetCluster "ru" }}
+  - host: {{ $ruHost }}
+{{- else }}
   - host: {{ $host }}
+{{- end }}
     http:
       paths:
       - path: /targets
@@ -42,11 +50,25 @@ spec:
             name: tuf-router
             port:
               name: http
-{{- if eq .Values.global.env "production" }}
-  - host: ru.{{ $host }}
 {{- else }}
+  - host: {{ $host }}
+    http:
+      paths:
+      - path: /targets
+        pathType: Prefix
+        backend:
+          service:
+            name: tuf-router
+            port:
+              name: http
+      - path: /download
+        pathType: Prefix
+        backend:
+          service:
+            name: tuf-router
+            port:
+              name: http
   - host: ru-{{ $host }}
-{{- end }}
     http:
       paths:
       - path: /targets
@@ -63,3 +85,4 @@ spec:
             name: tuf-router
             port:
               name: http
+{{- end }}