Update .forgejo/workflows/deploy.yaml
This commit is contained in:
bohessefm
parent
c76a5879f9
commit
b05456e21c
1 changed files with 45 additions and 74 deletions
|
|
@ -8,6 +8,7 @@ on:
|
|||
env:
|
||||
REGISTRY: pipe.gohorsejobs.com
|
||||
IMAGE_NAMESPACE: bohessefm
|
||||
NAMESPACE: gohorsejobsdev
|
||||
|
||||
jobs:
|
||||
build-and-push:
|
||||
|
|
@ -23,7 +24,6 @@ jobs:
|
|||
|
||||
- name: Build & Push Backend
|
||||
run: |
|
||||
# Build usando SHA para imutabilidade e latest para conveniência
|
||||
docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
|
||||
-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
|
||||
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
|
||||
|
|
@ -58,56 +58,28 @@ jobs:
|
|||
|
||||
- name: Sync Secrets and Vars
|
||||
run: |
|
||||
kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -
|
||||
# Garante que o namespace existe
|
||||
kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
# Sincroniza Registry Secret
|
||||
# Sincroniza Registry Secret do namespace forgejo
|
||||
kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
|
||||
sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
|
||||
kubectl apply -f - --force
|
||||
sed "s/namespace: forgejo/namespace: ${{ env.NAMESPACE }}/" | \
|
||||
kubectl apply -f -
|
||||
|
||||
# Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
|
||||
kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found
|
||||
|
||||
# Prepare RSA key file if available (prefer secrets over vars)
|
||||
if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then
|
||||
echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets"
|
||||
printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
|
||||
# if it's base64-encoded PEM, decode it
|
||||
if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
|
||||
base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
|
||||
fi
|
||||
elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then
|
||||
echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars"
|
||||
printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
|
||||
if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
|
||||
base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
|
||||
if [ -f /tmp/rsa_key.pem ]; then
|
||||
kubectl create secret generic backend-secrets -n gohorsejobsdev \
|
||||
--from-literal=MTU="${{ vars.MTU }}" \
|
||||
--from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
|
||||
--from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
|
||||
--from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
|
||||
--from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
|
||||
--from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
|
||||
--from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
|
||||
--from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
|
||||
--from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
|
||||
--from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
|
||||
--from-literal=ENV="${{ vars.ENV }}" \
|
||||
--from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
|
||||
--from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
|
||||
--from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
|
||||
--from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
|
||||
--from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
|
||||
--from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
|
||||
--from-file=private_key.pem=/tmp/rsa_key.pem \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
# Prepara a chave RSA (Prioriza Secret, depois Var)
|
||||
RSA_CONTENT="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
|
||||
if [ -n "$RSA_CONTENT" ]; then
|
||||
echo "$RSA_CONTENT" > /tmp/rsa_raw.txt
|
||||
if base64 -d /tmp/rsa_raw.txt > /tmp/rsa_key.pem 2>/dev/null; then
|
||||
echo "RSA Key decoded successfully."
|
||||
else
|
||||
kubectl create secret generic backend-secrets -n gohorsejobsdev \
|
||||
cp /tmp/rsa_raw.txt /tmp/rsa_key.pem
|
||||
fi
|
||||
fi
|
||||
|
||||
# CRIAÇÃO DA SECRET USANDO DRY-RUN + APPLY (Evita deletar e falhar)
|
||||
# O uso de quotes nas variáveis previne erros de shell
|
||||
kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \
|
||||
--from-literal=MTU="${{ vars.MTU }}" \
|
||||
--from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
|
||||
--from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
|
||||
|
|
@ -125,21 +97,20 @@ jobs:
|
|||
--from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
|
||||
--from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
|
||||
--from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
|
||||
--from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \
|
||||
$( [ -f /tmp/rsa_key.pem ] && echo "--from-file=private_key.pem=/tmp/rsa_key.pem" ) \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
fi
|
||||
|
||||
- name: Deploy to K3s
|
||||
run: |
|
||||
kubectl apply -f k8s/dev/ -n gohorsejobsdev
|
||||
kubectl apply -f k8s/dev/ -n ${{ env.NAMESPACE }}
|
||||
|
||||
# Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
|
||||
kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
|
||||
kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
|
||||
# Atualiza as imagens para o novo SHA
|
||||
kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
|
||||
kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
|
||||
|
||||
# Força o restart para carregar os novos valores do secret backend-secrets
|
||||
kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
|
||||
kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
|
||||
# Reinicia para garantir leitura da nova Secret
|
||||
kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backend-dev
|
||||
kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backoffice-dev
|
||||
|
||||
# Aguarda estabilização
|
||||
kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s
|
||||
# Status
|
||||
kubectl -n ${{ env.NAMESPACE }} rollout status deployment/gohorse-backend-dev --timeout=120s
|
||||
Loading…
Reference in a new issue