diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml index b9d7e32..b93af1d 100644 --- a/.forgejo/workflows/deploy.yaml +++ b/.forgejo/workflows/deploy.yaml @@ -23,7 +23,6 @@ jobs: - name: Build & Push Backend run: | - # Build usando SHA para imutabilidade e latest para conveniência docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \ -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} @@ -60,86 +59,60 @@ jobs: run: | kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f - - # Sincroniza Registry Secret kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \ sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \ kubectl apply -f - --force - # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!) kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found - # Prepare RSA key file if available (prefer secrets over vars) - if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then - echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets" - printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true - # if it's base64-encoded PEM, decode it - if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then - base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true - fi - elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then - echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars" - printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true - if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then - base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true - fi + # Limpeza da chave para evitar caracteres UTF-8 invalidos + RAW_KEY="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}" + CLEAN_KEY=$(echo "$RAW_KEY" | tr -d '[:space:]') + + # Decodifica se necessario para o arquivo + if [ -n "$CLEAN_KEY" ]; then + echo "$CLEAN_KEY" > /tmp/rsa_key.base64 + base64 -d /tmp/rsa_key.base64 > /tmp/rsa_key.pem 2>/dev/null || cp /tmp/rsa_key.base64 /tmp/rsa_key.pem fi - # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal - if [ -f /tmp/rsa_key.pem ]; then - kubectl create secret generic backend-secrets -n gohorsejobsdev \ - --from-literal=MTU="${{ vars.MTU }}" \ - --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \ - --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \ - --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \ - --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \ - --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \ - --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \ - --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \ - --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \ - --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \ - --from-literal=ENV="${{ vars.ENV }}" \ - --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \ - --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \ - --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \ - --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \ - --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \ - --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \ - --from-file=private_key.pem=/tmp/rsa_key.pem \ - --dry-run=client -o yaml | kubectl apply -f - - else - kubectl create secret generic backend-secrets -n gohorsejobsdev \ - --from-literal=MTU="${{ vars.MTU }}" \ - --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \ - --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \ - --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \ - --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \ - --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \ - --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \ - --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \ - --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \ - --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \ - --from-literal=ENV="${{ vars.ENV }}" \ - --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \ - --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \ - --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \ - --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \ - --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \ - --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \ - --from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \ - --dry-run=client -o yaml | kubectl apply -f - - fi + # Criação via Heredoc para evitar erros de marshaling gRPC (UTF-8) + cat </dev/null || echo "$CLEAN_KEY") + EOF - name: Deploy to K3s run: | kubectl apply -f k8s/dev/ -n gohorsejobsdev - # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }} - # Força o restart para carregar os novos valores do secret backend-secrets kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev - # Aguarda estabilização kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s \ No newline at end of file