From 742aa7fe8b5c611fe70d56c7fb0f33cd37f4a732 Mon Sep 17 00:00:00 2001 From: bohessefm Date: Sat, 21 Feb 2026 13:31:22 +0000 Subject: [PATCH] Update .forgejo/workflows/deploy.yaml --- .forgejo/workflows/deploy.yaml | 73 ++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 30 deletions(-) diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml index 99283a0..bfa4457 100644 --- a/.forgejo/workflows/deploy.yaml +++ b/.forgejo/workflows/deploy.yaml @@ -58,58 +58,71 @@ jobs: - name: Sync Secrets and Vars run: | - # 1. Garante o namespace + # 1. Namespace kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o yaml | kubectl apply -f - - # 2. Sincroniza Registry Secret + # 2. Sync Registry Secret com limpeza profunda de metadata kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \ grep -vE "resourceVersion|uid|creationTimestamp|namespace" | \ kubectl apply --namespace=${{ env.NAMESPACE }} -f - - # 3. Geração do arquivo de ambiente (Variáveis de texto) - printf "MTU=%s\n" "${{ vars.MTU }}" > .env.backend - printf "DATABASE_URL=%s\n" "${{ vars.DATABASE_URL }}" >> .env.backend - printf "AMQP_URL=%s\n" "${{ vars.AMQP_URL }}" >> .env.backend - printf "JWT_SECRET=%s\n" "${{ vars.JWT_SECRET }}" >> .env.backend - printf "JWT_EXPIRATION=%s\n" "${{ vars.JWT_EXPIRATION }}" >> .env.backend - printf "PASSWORD_PEPPER=%s\n" "${{ vars.PASSWORD_PEPPER }}" >> .env.backend - printf "COOKIE_SECRET=%s\n" "${{ vars.COOKIE_SECRET }}" >> .env.backend - printf "COOKIE_DOMAIN=%s\n" "${{ vars.COOKIE_DOMAIN }}" >> .env.backend - printf "BACKEND_PORT=%s\n" "${{ vars.BACKEND_PORT }}" >> .env.backend - printf "BACKEND_HOST=%s\n" "${{ vars.BACKEND_HOST }}" >> .env.backend - printf "ENV=%s\n" "${{ vars.ENV }}" >> .env.backend - printf "CORS_ORIGINS=%s\n" "${{ vars.CORS_ORIGINS }}" >> .env.backend - printf "S3_BUCKET=%s\n" "${{ vars.S3_BUCKET }}" >> .env.backend - printf "AWS_REGION=%s\n" "${{ vars.AWS_REGION }}" >> .env.backend - printf "AWS_ENDPOINT=%s\n" "${{ vars.AWS_ENDPOINT }}" >> .env.backend - printf "AWS_ACCESS_KEY_ID=%s\n" "${{ vars.AWS_ACCESS_KEY_ID }}" >> .env.backend - printf "AWS_SECRET_ACCESS_KEY=%s\n" "${{ vars.AWS_SECRET_ACCESS_KEY }}" >> .env.backend + # 3. Geração do arquivo .env (SOMENTE VARIÁVEIS CURTAS) + # O uso de 'EOF' evita que o shell interprete caracteres especiais das vars + cat <<'EOF' > .env.backend +MTU=${{ vars.MTU }} +DATABASE_URL=${{ vars.DATABASE_URL }} +AMQP_URL=${{ vars.AMQP_URL }} +JWT_SECRET=${{ vars.JWT_SECRET }} +JWT_EXPIRATION=${{ vars.JWT_EXPIRATION }} +PASSWORD_PEPPER=${{ vars.PASSWORD_PEPPER }} +COOKIE_SECRET=${{ vars.COOKIE_SECRET }} +COOKIE_DOMAIN=${{ vars.COOKIE_DOMAIN }} +BACKEND_PORT=${{ vars.BACKEND_PORT }} +BACKEND_HOST=${{ vars.BACKEND_HOST }} +ENV=${{ vars.ENV }} +CORS_ORIGINS=${{ vars.CORS_ORIGINS }} +S3_BUCKET=${{ vars.S3_BUCKET }} +AWS_REGION=${{ vars.AWS_REGION }} +AWS_ENDPOINT=${{ vars.AWS_ENDPOINT }} +AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }} +AWS_SECRET_ACCESS_KEY=${{ vars.AWS_SECRET_ACCESS_KEY }} +EOF - # 4. Cria a secret baseada nas variáveis primeiro + # 4. Aplica as variáveis de ambiente kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \ --from-env-file=.env.backend \ --dry-run=client -o yaml | kubectl apply -f - - # 5. Adiciona a chave RSA separadamente (se existir) para evitar o erro de combinação - RSA_CONTENT="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}" - if [ -n "$RSA_CONTENT" ]; then - echo "$RSA_CONTENT" | tr -d '\r\n ' > /tmp/rsa_clean_base64.txt - if base64 -d /tmp/rsa_clean_base64.txt > /tmp/rsa_key.pem 2>/dev/null; then - # Adiciona o arquivo .pem na secret já existente usando set data - kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \ - --from-file=private_key.pem=/tmp/rsa_key.pem \ - --dry-run=client -o yaml | kubectl apply -f - + # 5. TRATAMENTO DA CHAVE RSA (O culpado do erro UTF-8) + # Extraímos a var, limpamos quebras de linha e injetamos como ARQUIVO + RSA_RAW="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" + if [ -n "$RSA_RAW" ]; then + echo "$RSA_RAW" | tr -d '\r\n ' > /tmp/rsa.base64 + # Tenta decodificar. Se falhar, usa o b64 puro (o app decide como ler) + if base64 -d /tmp/rsa.base64 > /tmp/key.pem 2>/dev/null; then + echo "RSA decodificada com sucesso." + else + cp /tmp/rsa.base64 /tmp/key.pem + echo "RSA mantida em formato string limpa." fi + + # Injeta o arquivo na secret existente (o apply faz o merge) + kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \ + --from-file=private_key.pem=/tmp/key.pem \ + --dry-run=client -o yaml | kubectl apply -f - fi - name: Deploy to K3s run: | kubectl apply -f k8s/dev/ -n ${{ env.NAMESPACE }} + # Garante que os deployments usem a imagem com o SHA atual kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }} + # Força o restart para ler a Secret atualizada kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backend-dev kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backoffice-dev + # Aguarda estabilização kubectl -n ${{ env.NAMESPACE }} rollout status deployment/gohorse-backend-dev --timeout=120s \ No newline at end of file