From aa022ae18e801d81ad7d13cc39bdd88b0d33c58a Mon Sep 17 00:00:00 2001
From: syoul
Date: Thu, 19 Mar 2026 14:50:12 +0100
Subject: [PATCH] feat(ci): ajout acme.sh TLS + routes Fabio KV :443 dans deploy

---
 .woodpecker.yml | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index 8e36af3..0b83bb6 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -12,10 +12,14 @@ steps:
 environment:
 DTRACK_DOMAIN:
 from_secret: dtrack_domain
+ CONSUL_TOKEN:
+ from_secret: consul_token
 commands:
 - env | grep -E "^(DTRACK_DOMAIN)=" > .env.deploy
 # COMPOSE_PROJECT_NAME : convention user-project-branch, genere depuis les vars CI
 - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
+ # consul_token ecrit seul (depuis from_secret, sans volumes)
+ - env | grep '^CONSUL_TOKEN=' | cut -d= -f2 > .consul_token
 - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
 # TEST write-env : valide le contenu du .env.deploy
@@ -45,7 +49,8 @@ steps:
 - /opt/dtrack:/opt/dtrack
 commands:
 - cp .env.deploy /opt/dtrack/.env
- - chmod 600 /opt/dtrack/.env
+ - cp .consul_token /opt/dtrack/.consul_token
+ - chmod 600 /opt/dtrack/.env /opt/dtrack/.consul_token
 - cp docker-compose.yml /opt/dtrack/docker-compose.yml
 - echo "=== config resolue ==="
 - cd /opt/dtrack && docker compose config
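Review bot: The new `env | grep '^CONSUL_TOKEN=' | cut -d= -f2 > .consul_token` line keeps only the text between the first and second `=`, so a token value containing `=` would be truncated silently, and the file is created with the default umask in the shared workspace while the `chmod 600` only happens later on the copy under /opt/dtrack. Since the value is already exported through `from_secret`, writing the variable directly is exact and restricts the mode at creation: `- (umask 077; printf '%s\n' "$CONSUL_TOKEN" > .consul_token)`. The `cut -d= -f2` pattern itself is pre-existing for `.env.deploy`, so this concerns only the new secret line.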
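Review bot: In the `@@ -45,7 +49,8 @@` hunk, `cp .consul_token /opt/dtrack/.consul_token` creates the host copy with the umask default mode and only the following `chmod 600` restricts it, leaving a short window where the token file may be readable by other local users; `install -m 600 .consul_token /opt/dtrack/.consul_token` creates it with the final mode in one step, after which `chmod 600 /opt/dtrack/.env` alone suffices. More broadly, the token is persisted on the host only to be read back by `cat /opt/dtrack/.consul_token` later in what appears to be the same deploy step; if this step's `environment:` block (outside the hunk) could declare `CONSUL_TOKEN` with `from_secret: consul_token` directly, neither the workspace file nor the host copy would be needed. The step's `commands:` list continues beyond the hunk.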
@@ -54,6 +59,40 @@ steps:
 - echo "=== up ==="
 - cd /opt/dtrack && docker compose up -d --remove-orphans
 - cd /opt/dtrack && docker compose ps
+ - |
+ PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/dtrack/.env | cut -d= -f2)
+ DOMAIN=$(grep '^DTRACK_DOMAIN=' /opt/dtrack/.env | cut -d= -f2)
+
+ # --- Certificat TLS (acme.sh via sonic-acme-1) ---
+ # Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
+ ACME_EXIT=0
+ docker exec sonic-acme-1 /app/acme.sh \
+ --home /etc/acme.sh \
+ --issue -d "$DOMAIN" \
+ --webroot /usr/share/nginx/html \
+ --server letsencrypt \
+ --accountemail support+acme@asycn.io || ACME_EXIT=$?
+ if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
+ echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
+ exit 1
+ fi
+ docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
+ docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
+ echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
+
+ # --- Routes Fabio KV (HTTP + HTTPS) ---
+ # DTrack a deux services : apiserver (/api/*) et frontend (/*)
+ CTOK=$(cat /opt/dtrack/.consul_token)
+ API_IP=$(docker inspect "$PROJECT-apiserver" --format '{{(index .NetworkSettings.Networks "sonic").IPAddress}}')
+ FRONTEND_IP=$(docker inspect "$PROJECT-frontend" --format '{{(index .NetworkSettings.Networks "sonic").IPAddress}}')
+ ROUTES=$(printf \
+ 'route add %s-api %s/api/* http://%s:8080/api/\nroute add %s-api %s:443/api/* http://%s:8080/api/\nroute add %s-ui %s/* http://%s:8080/\nroute add %s-ui %s:443/* http://%s:8080/' \
+ "$PROJECT" "$DOMAIN" "$API_IP" \
+ "$PROJECT" "$DOMAIN" "$API_IP" \
+ "$PROJECT" "$DOMAIN" "$FRONTEND_IP" \
+ "$PROJECT" "$DOMAIN" "$FRONTEND_IP")
+ docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put "fabio/config/$PROJECT" "$ROUTES"
+ echo "KV Fabio: fabio/config/$PROJECT -> apiserver=$API_IP frontend=$FRONTEND_IP"
 # TEST deploy : verifie que les conteneurs
sont running # NOTE: pas de ${VAR} (substitue par Woodpecker) — utiliser $VAR sans accolades
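Review bot: The `consul kv put` line hands the token to `docker exec` as a literal `env CONSUL_HTTP_TOKEN="$CTOK"` argument, so the value sits in the argv of the `docker` client process on the runner (visible to `ps` or process auditing) and in any shell trace; passing it through the environment keeps it out of argv: `CONSUL_HTTP_TOKEN="$CTOK" docker exec -e CONSUL_HTTP_TOKEN sonic-consul consul kv put "fabio/config/$PROJECT" "$ROUTES"`. An empty `API_IP` or `FRONTEND_IP` (container present but without an address on the `sonic` network yet, or a failed `docker inspect` that does not stop the script) would publish `http://:8080/` routes into Fabio; a guard such as `[ -n "$API_IP" ] && [ -n "$FRONTEND_IP" ] || { echo "ERREUR: IP apiserver/frontend introuvable"; exit 1; }` placed before `ROUTES=` fails the step instead. `$DOMAIN` is unquoted in the two `docker exec sonic-acme-1 cp` paths while it is quoted in the acme.sh call just above, so `"$DOMAIN"` there keeps the block consistent. The `- |` block scalar is complete within the hunk, but the step whose `commands:` list it extends begins before it.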