refactor: Registrator + healthcheck Consul, suppression token Consul
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Ajout SERVICE_80_CHECK_HTTP=/ : Consul valide le service via GET / -> service healthy dans Consul -> Fabio route automatiquement le trafic - SERVICE_80_TAGS sans guillemets + /* pour le glob matcher Fabio - Suppression token Consul, enregistrement manuel et KV Fabio de la pipeline -> Registrator + Consul catalog suffisent (approche native sonic) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
syoul
@@ -32,12 +32,11 @@ steps:
|
||||
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
|
||||
- echo "Verifications de securite OK"
|
||||
|
||||
# Etape 3a : Ecriture du .env et du token Consul depuis les secrets
|
||||
# Etape 3a : Ecriture du .env depuis les secrets
|
||||
# NOTE: ne pas utiliser ${VAR} dans commands (bug Woodpecker next), utiliser env | grep
|
||||
- name: write-env
|
||||
image: alpine:3.20
|
||||
environment:
|
||||
TEST_STATIC: hello-world
|
||||
PS_DOMAIN:
|
||||
from_secret: ps_domain
|
||||
PS_ADMIN_FOLDER:
|
||||
@@ -50,19 +49,14 @@ steps:
|
||||
from_secret: db_root_password
|
||||
DB_PASSWORD:
|
||||
from_secret: db_password
|
||||
CONSUL_TOKEN:
|
||||
from_secret: consul_token
|
||||
commands:
|
||||
- env | grep -E "^(PS_DOMAIN|PS_ADMIN_FOLDER|PRESTASHOP_ADMIN_EMAIL|PRESTASHOP_ADMIN_PASSWORD|DB_ROOT_PASSWORD|DB_PASSWORD)=" > .env.deploy
|
||||
- echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
|
||||
- env | grep '^CONSUL_TOKEN=' | cut -d= -f2- > .consul_token
|
||||
|
||||
# Etape 3b : Deploiement sur sonic via Docker socket
|
||||
# Le token Consul est lu depuis .consul_token (ecrit par write-env) car
|
||||
# volumes + from_secret = secrets vides (bug Woodpecker next)
|
||||
#
|
||||
# Modele pipeline sonic : cette etape est generique pour tout service deploye sur sonic.
|
||||
# Elle gere : deploy Docker Compose + cert TLS (acme.sh) + Consul + Fabio KV
|
||||
# Modele pipeline sonic : deploy Docker Compose + cert TLS (acme.sh)
|
||||
# Registrator enregistre automatiquement le container dans Consul via les labels SERVICE_*
|
||||
# Consul valide le service via SERVICE_80_CHECK_HTTP -> Fabio route le trafic automatiquement
|
||||
- name: deploy
|
||||
image: docker:27-cli
|
||||
volumes:
|
||||
@@ -76,16 +70,13 @@ steps:
|
||||
- cd /opt/prestashop && docker compose up -d --remove-orphans
|
||||
- cd /opt/prestashop && docker compose ps
|
||||
- |
|
||||
CONTAINER_IP=$(docker inspect prestashop --format '{{.NetworkSettings.Networks.sonic.IPAddress}}')
|
||||
DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)
|
||||
CTOK=$(cat $CI_WORKSPACE/.consul_token)
|
||||
|
||||
# --- Certificat TLS (acme.sh via sonic-acme-1) ---
|
||||
# acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
|
||||
# Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
|
||||
# --home /etc/acme.sh = volume persistant sonic_acme (sinon /root/.acme.sh non persiste)
|
||||
# ; ACME_EXIT=$? ne fonctionne pas avec set -e (shell quitte si exit != 0 avant la capture)
|
||||
# || ACME_EXIT=$? capture le code sans declencher set -e
|
||||
# || ACME_EXIT=$? capture le code sans declencher set -e (contrairement a ; ACME_EXIT=$?)
|
||||
ACME_EXIT=0
|
||||
docker exec sonic-acme-1 /app/acme.sh \
|
||||
--home /etc/acme.sh \
|
||||
@@ -101,17 +92,6 @@ steps:
|
||||
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
|
||||
echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
|
||||
|
||||
# --- Enregistrement Consul ---
|
||||
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul services register \
|
||||
-address "$CONTAINER_IP" -port 80 -name prestashop -tag "urlprefix-$DOMAIN/"
|
||||
echo "Consul: prestashop -> $CONTAINER_IP:80 urlprefix-$DOMAIN/"
|
||||
|
||||
# --- Routes Fabio KV (HTTP + HTTPS) ---
|
||||
# /* requis avec le glob matcher de Fabio : sans *, seul / exact matche (les sous-chemins tombent sur le catch-all nginx)
|
||||
ROUTES=$(printf 'route add prestashop %s/* http://%s:80/\nroute add prestashop %s:443/* http://%s:80/' "$DOMAIN" "$CONTAINER_IP" "$DOMAIN" "$CONTAINER_IP")
|
||||
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put fabio/config "$ROUTES"
|
||||
echo "Fabio KV: routes HTTP+HTTPS $DOMAIN -> $CONTAINER_IP:80"
|
||||
|
||||
# Etape 4 : Configuration post-deploiement (SSL, cache)
|
||||
# Attend la fin de l'installation PrestaShop (ps_configuration initialisee),
|
||||
# puis active SSL dans la DB (PrestaShop genere des URLs https:// grace a X-Forwarded-Proto:https de Fabio)
|
||||
|
||||
@@ -24,10 +24,13 @@ services:
|
||||
- ps_data:/var/www/html
|
||||
labels:
|
||||
# Registrator lit l'IP du conteneur depuis le reseau "sonic" (-useIpFromNetwork sonic)
|
||||
# et enregistre le service dans Consul -> Fabio route presta.syoul.fr vers cette IP
|
||||
# et enregistre le service dans Consul avec le tag urlprefix- -> Fabio route vers ce service
|
||||
SERVICE_NAME: "prestashop"
|
||||
SERVICE_80_NAME: "prestashop"
|
||||
SERVICE_80_TAGS: "urlprefix-${PS_DOMAIN}/"
|
||||
SERVICE_80_TAGS: urlprefix-${PS_DOMAIN}/*
|
||||
# Consul healthcheck HTTP : Consul requete GET / sur le port 80 du container
|
||||
# Le service doit etre healthy dans Consul pour que Fabio accepte d'y router le trafic
|
||||
SERVICE_80_CHECK_HTTP: /
|
||||
# sonic-acme-1 (acme-companion) emet le cert TLS et le copie dans /host/certs/
|
||||
# Fabio le detecte automatiquement par SNI pour HTTPS
|
||||
LETSENCRYPT_HOST: "${PS_DOMAIN}"
|
||||
|
||||
Reference in New Issue
Block a user