153 lines
4.6 KiB
Bash
Executable File
153 lines
4.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
################################################################################
|
|
# WOODPECKER CI PRODUCTION DEPLOYMENT SCRIPT
|
|
################################################################################
|
|
#
|
|
# ⚠️ WARNING: THIS SCRIPT IS EXCLUSIVELY FOR WOODPECKER CI USE
|
|
#
|
|
# This script is designed to run within the Woodpecker CI environment with
|
|
# specific environment variables and Docker socket access.
|
|
#
|
|
# 🚫 DO NOT RUN THIS ON A DEVELOPER WORKSTATION
|
|
# 🚫 This will attempt to remove production Docker stacks and secrets
|
|
# 🚫 This requires access to production Docker swarm manager nodes
|
|
#
|
|
# This script handles:
|
|
# - Production stack removal and cleanup
|
|
# - Docker secrets recreation with fresh values
|
|
# - New stack deployment with verification
|
|
# - Health checking and deployment validation
|
|
#
|
|
################################################################################
|
|
|
|
set -euo pipefail
|
|
|
|
# Color codes for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
# Logging function
|
|
log() {
|
|
echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
|
|
}
|
|
|
|
error() {
|
|
echo -e "${RED}[ERROR] $1${NC}"
|
|
}
|
|
|
|
success() {
|
|
echo -e "${GREEN}[SUCCESS] $1${NC}"
|
|
}
|
|
|
|
warning() {
|
|
echo -e "${YELLOW}[WARNING] $1${NC}"
|
|
}
|
|
|
|
# Verify we're running in CI environment
|
|
if [[ -z "${CI_REPO_NAME:-}" ]]; then
|
|
error "This script must only be run in Woodpecker CI environment!"
|
|
error "Missing CI_REPO_NAME environment variable"
|
|
exit 1
|
|
fi
|
|
|
|
log "Starting production deployment for ${CI_REPO_NAME}"
|
|
|
|
# Step 1: Docker registry login
|
|
log "Logging into Docker registry"
|
|
echo "${REGISTRY_PASSWORD}" | docker login -u "${REGISTRY_USER}" --password-stdin git.nixc.us
|
|
|
|
# Step 2: Remove old stack to release secrets
|
|
log "Removing old stack to release secrets"
|
|
docker stack rm "${CI_REPO_NAME}" || true
|
|
|
|
# Step 3: Wait for complete stack removal
|
|
log "Waiting for complete stack removal (30 seconds)"
|
|
sleep 30
|
|
|
|
log "Verifying stack removal completed"
|
|
while docker stack ls | grep -q "${CI_REPO_NAME}"; do
|
|
log "Stack still exists, waiting..."
|
|
sleep 5
|
|
done
|
|
success "Stack removal completed"
|
|
|
|
# Step 4: Remove old Docker secrets
|
|
log "Removing old Docker secrets"
|
|
declare -a SECRETS=(
|
|
"AUTHENTICATION_BACKEND_LDAP_PASSWORD"
|
|
"IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET"
|
|
"STORAGE_ENCRYPTION_KEY"
|
|
"SESSION_SECRET"
|
|
"NOTIFIER_SMTP_PASSWORD"
|
|
"IDENTITY_PROVIDERS_OIDC_HMAC_SECRET"
|
|
"IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY"
|
|
"IDENTITY_PROVIDERS_OIDC_JWKS_KEY"
|
|
"CLIENT_SECRET_HEADSCALE"
|
|
"CLIENT_SECRET_HEADADMIN"
|
|
)
|
|
|
|
for secret in "${SECRETS[@]}"; do
|
|
docker secret rm "$secret" || true
|
|
log "Removed secret: $secret"
|
|
done
|
|
|
|
# Step 5: Create new Docker secrets with updated values
|
|
log "Creating new Docker secrets with updated values"
|
|
for secret in "${SECRETS[@]}"; do
|
|
env_var="${secret}"
|
|
if [[ -n "${!env_var:-}" ]]; then
|
|
echo "${!env_var}" | docker secret create "$secret" -
|
|
success "Created secret: $secret"
|
|
else
|
|
error "Environment variable $env_var is not set!"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# Step 6: Deploy new stack with fresh secrets
|
|
log "Deploying new stack with fresh secrets"
|
|
docker stack deploy --with-registry-auth -c ./stack.production.yml "${CI_REPO_NAME}"
|
|
|
|
# Step 7: Wait for services to initialize
|
|
log "Waiting for services to initialize (30 seconds)"
|
|
sleep 30
|
|
|
|
# Step 8: Check deployment status
|
|
log "Checking deployment status"
|
|
docker stack ps "${CI_REPO_NAME}"
|
|
|
|
# Step 9: Health check loop for authelia service
|
|
log "Checking service health for 60 seconds"
|
|
for i in {1..12}; do
|
|
if docker stack ps "${CI_REPO_NAME}" | grep Running | grep -q "authelia_authelia"; then
|
|
success "✅ Authelia service is running!"
|
|
|
|
# Additional health verification
|
|
log "Performing additional health checks..."
|
|
sleep 5
|
|
|
|
# Check if service is actually healthy (not just running)
|
|
if docker stack ps "${CI_REPO_NAME}" | grep -A 5 "authelia_authelia" | grep -q "Running"; then
|
|
success "🎉 Production deployment completed successfully!"
|
|
success "Authelia service is healthy and running"
|
|
exit 0
|
|
fi
|
|
elif [ $i -eq 12 ]; then
|
|
error "❌ Deployment verification failed after 60 seconds"
|
|
error "Showing service logs for debugging:"
|
|
docker service logs "${CI_REPO_NAME}_authelia" --tail 20
|
|
error "Showing stack status:"
|
|
docker stack ps "${CI_REPO_NAME}"
|
|
exit 1
|
|
else
|
|
log "Attempt $i/12: Waiting for authelia service..."
|
|
sleep 5
|
|
fi
|
|
done
|
|
|
|
error "Health check timeout - this should not be reached"
|
|
exit 1 |