feat: TLS cert issuance integrated into the pipeline (sonic model)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed

Added the acme.sh step to the deploy:
- docker exec sonic-acme-1 /app/acme.sh --issue --webroot
- idempotent: skip (exit 2) if the cert is valid, fail on any other error
- automatic copy of fullchain + key to /host/certs/ for Fabio SNI
- order: docker compose up > TLS cert > consul register > fabio KV

This pattern is the generic model for any new service on sonic.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
syoul
2026-03-17 21:35:19 +01:00
parent 4f334d971f
commit fb3cd6365b


@@ -57,9 +57,12 @@ steps:
- echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
- env | grep '^CONSUL_TOKEN=' | cut -d= -f2- > .consul_token
# Etape 3b : Deploiement sur sonic via Docker socket + enregistrement Consul
# Le token est lu depuis .consul_token (ecrit par write-env) car
# Etape 3b : Deploiement sur sonic via Docker socket
# Le token Consul est lu depuis .consul_token (ecrit par write-env) car
# volumes + from_secret = secrets vides (bug Woodpecker next)
#
# Modele pipeline sonic : cette etape est generique pour tout service deploye sur sonic.
# Elle gere : deploy Docker Compose + cert TLS (acme.sh) + Consul + Fabio KV
- name: deploy
image: docker:27-cli
volumes:
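Review bot: the rewritten header comment (lines "Le token Consul est lu depuis .consul_token ... volumes + from_secret = secrets vides") documents a workaround without its consequence: the context line above (`env | grep '^CONSUL_TOKEN=' | cut -d= -f2- > .consul_token`) writes the Consul token in clear into the shared workspace, where every later step and any workspace artifact can read it. The comment should state that `.consul_token` must be deleted at the end of the deploy step (or created with a restrictive umask) and carry a TODO to drop the file-based handoff once the referenced Woodpecker from_secret bug is fixed. Minor: the old header also named "enregistrement Consul" in the title line; the new one only lists it in the "Elle gere :" line, which is fine but the two removed comment lines should not leave the phrase "(ecrit par write-env) car" dangling if the step name changes later.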
@@ -76,9 +79,29 @@ steps:
CONTAINER_IP=$(docker inspect prestashop --format '{{.NetworkSettings.Networks.sonic.IPAddress}}')
DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)
CTOK=$(cat $CI_WORKSPACE/.consul_token)
# --- Certificat TLS (acme.sh via sonic-acme-1) ---
# acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
# Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
docker exec sonic-acme-1 /app/acme.sh \
--issue -d "$DOMAIN" \
--webroot /usr/share/nginx/html \
--server letsencrypt \
--accountemail support+acme@asycn.io; ACME_EXIT=$?
if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
exit 1
fi
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
# --- Enregistrement Consul ---
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul services register \
-address "$CONTAINER_IP" -port 80 -name prestashop -tag "urlprefix-$DOMAIN/"
echo "Consul: prestashop -> $CONTAINER_IP:80 urlprefix-$DOMAIN/"
# --- Routes Fabio KV (HTTP + HTTPS) ---
ROUTES=$(printf 'route add prestashop %s/ http://%s:80/\nroute add prestashop %s:443/ http://%s:80/' "$DOMAIN" "$CONTAINER_IP" "$DOMAIN" "$CONTAINER_IP")
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put fabio/config "$ROUTES"
echo "Fabio KV: routes HTTP+HTTPS $DOMAIN -> $CONTAINER_IP:80"
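Review bot: the exit-code capture `--accountemail support+acme@asycn.io; ACME_EXIT=$?` does not survive errexit: if the step's commands run under `set -e` (Woodpecker's default for `commands:`), an exit 2 from acme.sh, which the comment above documents as the idempotent "skip" case, aborts the step before `ACME_EXIT` is ever assigned, so the `-ne 2` branch is never reached. Suggest `ACME_EXIT=0; docker exec sonic-acme-1 /app/acme.sh ... || ACME_EXIT=$?` so both the skip and the error paths reach the check. Two further points on the copy block: the two `docker exec sonic-acme-1 cp ...` lines are unchecked, so a failed copy still prints "Cert TLS: ... OK", and the private key lands in /host/certs/ with whatever mode cp gives it; check their status and set a restrictive mode (600, owned by the user Fabio runs as) on `$DOMAIN-key.pem`. Also verify the source path: acme.sh stores certificates issued with its default ECDSA key type under `${DOMAIN}_ecc/`, not `$DOMAIN/`, so either pass an explicit `--keylength` or replace the two cp lines with `acme.sh --install-cert -d "$DOMAIN" --fullchain-file /host/certs/$DOMAIN-cert.pem --key-file /host/certs/$DOMAIN-key.pem`, which resolves the directory and re-applies the copy on every renewal.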