Update .forgejo/workflows/deploy.yaml

2026-02-18 23:27:20 +00:00 · 2026-02-18 23:27:20 +00:00 · 37749b0f14
commit 37749b0f14
parent 8b231b944f
1 changed files with 37 additions and 64 deletions
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@ -23,7 +23,6 @@ jobs:

      - name: Build & Push Backend
        run: |
-          # Build usando SHA para imutabilidade e latest para conveniência
          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
@ -60,86 +59,60 @@ jobs:
        run: |
          kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -

-          # Sincroniza Registry Secret
          kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
          sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
          kubectl apply -f - --force

-          # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
          kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found

-          # Prepare RSA key file if available (prefer secrets over vars)
-          if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then
-            echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets"
-            printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
-            # if it's base64-encoded PEM, decode it
-            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
-              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
-            fi
-          elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then
-            echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars"
-            printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
-            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
-              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
-            fi
+          # Limpeza da chave para evitar caracteres UTF-8 invalidos
+          RAW_KEY="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
+          CLEAN_KEY=$(echo "$RAW_KEY" | tr -d '[:space:]')
+
+          # Decodifica se necessario para o arquivo
+          if [ -n "$CLEAN_KEY" ]; then
+            echo "$CLEAN_KEY" > /tmp/rsa_key.base64
+            base64 -d /tmp/rsa_key.base64 > /tmp/rsa_key.pem 2>/dev/null || cp /tmp/rsa_key.base64 /tmp/rsa_key.pem
          fi

-          # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
-          if [ -f /tmp/rsa_key.pem ]; then
-            kubectl create secret generic backend-secrets -n gohorsejobsdev \
-              --from-literal=MTU="${{ vars.MTU }}" \
-              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
-              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
-              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
-              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
-              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
-              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
-              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
-              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
-              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
-              --from-literal=ENV="${{ vars.ENV }}" \
-              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
-              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
-              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
-              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
-              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
-              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
-              --from-file=private_key.pem=/tmp/rsa_key.pem \
-              --dry-run=client -o yaml | kubectl apply -f -
-          else
-            kubectl create secret generic backend-secrets -n gohorsejobsdev \
-              --from-literal=MTU="${{ vars.MTU }}" \
-              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
-              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
-              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
-              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
-              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
-              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
-              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
-              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
-              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
-              --from-literal=ENV="${{ vars.ENV }}" \
-              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
-              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
-              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
-              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
-              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
-              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
-              --from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \
-              --dry-run=client -o yaml | kubectl apply -f -
-          fi
+          # Criação via Heredoc para evitar erros de marshaling gRPC (UTF-8)
+          cat <<EOF | kubectl apply -f -
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: backend-secrets
+            namespace: gohorsejobsdev
+          type: Opaque
+          stringData:
+            MTU: "${{ vars.MTU }}"
+            DATABASE_URL: "${{ vars.DATABASE_URL }}"
+            AMQP_URL: "${{ vars.AMQP_URL }}"
+            JWT_SECRET: "${{ vars.JWT_SECRET }}"
+            JWT_EXPIRATION: "${{ vars.JWT_EXPIRATION }}"
+            PASSWORD_PEPPER: "${{ vars.PASSWORD_PEPPER }}"
+            COOKIE_SECRET: "${{ vars.COOKIE_SECRET }}"
+            COOKIE_DOMAIN: "${{ vars.COOKIE_DOMAIN }}"
+            BACKEND_PORT: "${{ vars.BACKEND_PORT }}"
+            BACKEND_HOST: "${{ vars.BACKEND_HOST }}"
+            ENV: "${{ vars.ENV }}"
+            CORS_ORIGINS: "${{ vars.CORS_ORIGINS }}"
+            S3_BUCKET: "${{ vars.S3_BUCKET }}"
+            AWS_REGION: "${{ vars.AWS_REGION }}"
+            AWS_ENDPOINT: "${{ vars.AWS_ENDPOINT }}"
+            AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
+            AWS_SECRET_ACCESS_KEY: "${{ vars.AWS_SECRET_ACCESS_KEY }}"
+            private_key.pem: |
+              $(cat /tmp/rsa_key.pem 2>/dev/null || echo "$CLEAN_KEY")
+          EOF

      - name: Deploy to K3s
        run: |
          kubectl apply -f k8s/dev/ -n gohorsejobsdev
          
-          # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
          kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
          kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
          
-          # Força o restart para carregar os novos valores do secret backend-secrets
          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
          
-          # Aguarda estabilização
          kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s