becb1b4666
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
; ACME_EXIT=$? ne fonctionnait que si acme.sh retournait 0 (premier lancement). Avec exit 2 (skip/cert valide), set -e coupait le script avant la capture. Correction : ACME_EXIT=0 + || ACME_EXIT=$? Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
181 lines
7.5 KiB
YAML
181 lines
7.5 KiB
YAML
when:
|
|
- branch: main
|
|
event: push
|
|
|
|
steps:
|
|
|
|
# Etape 1 : Validation syntaxique du docker-compose.yml
|
|
- name: validate
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
environment:
|
|
PS_DOMAIN: presta.syoul.fr
|
|
PS_ADMIN_FOLDER: admin-secure
|
|
DB_PASSWORD: placeholder
|
|
DB_ROOT_PASSWORD: placeholder
|
|
PRESTASHOP_ADMIN_EMAIL: placeholder
|
|
PRESTASHOP_ADMIN_PASSWORD: placeholder
|
|
commands:
|
|
- docker compose config --quiet
|
|
- echo "docker-compose.yml valide"
|
|
|
|
# Etape 2 : Verifications de securite
|
|
- name: security-check
|
|
image: alpine:3.20
|
|
commands:
|
|
- |
|
|
if [ -f .env ]; then
|
|
echo "ERREUR: .env ne doit pas etre commite dans le depot !"
|
|
exit 1
|
|
fi
|
|
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
|
|
- echo "Verifications de securite OK"
|
|
|
|
# Etape 3a : Ecriture du .env et du token Consul depuis les secrets
|
|
# NOTE: ne pas utiliser ${VAR} dans commands (bug Woodpecker next), utiliser env | grep
|
|
- name: write-env
|
|
image: alpine:3.20
|
|
environment:
|
|
TEST_STATIC: hello-world
|
|
PS_DOMAIN:
|
|
from_secret: ps_domain
|
|
PS_ADMIN_FOLDER:
|
|
from_secret: ps_admin_folder
|
|
PRESTASHOP_ADMIN_EMAIL:
|
|
from_secret: prestashop_admin_email
|
|
PRESTASHOP_ADMIN_PASSWORD:
|
|
from_secret: prestashop_admin_password
|
|
DB_ROOT_PASSWORD:
|
|
from_secret: db_root_password
|
|
DB_PASSWORD:
|
|
from_secret: db_password
|
|
CONSUL_TOKEN:
|
|
from_secret: consul_token
|
|
commands:
|
|
- env | grep -E "^(PS_DOMAIN|PS_ADMIN_FOLDER|PRESTASHOP_ADMIN_EMAIL|PRESTASHOP_ADMIN_PASSWORD|DB_ROOT_PASSWORD|DB_PASSWORD)=" > .env.deploy
|
|
- echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
|
|
- env | grep '^CONSUL_TOKEN=' | cut -d= -f2- > .consul_token
|
|
|
|
# Etape 3b : Deploiement sur sonic via Docker socket
|
|
# Le token Consul est lu depuis .consul_token (ecrit par write-env) car
|
|
# volumes + from_secret = secrets vides (bug Woodpecker next)
|
|
#
|
|
# Modele pipeline sonic : cette etape est generique pour tout service deploye sur sonic.
|
|
# Elle gere : deploy Docker Compose + cert TLS (acme.sh) + Consul + Fabio KV
|
|
- name: deploy
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- /opt/prestashop:/opt/prestashop
|
|
commands:
|
|
- cp .env.deploy /opt/prestashop/.env
|
|
- chmod 600 /opt/prestashop/.env
|
|
- cp docker-compose.yml /opt/prestashop/docker-compose.yml
|
|
- cd /opt/prestashop && docker compose pull
|
|
- cd /opt/prestashop && docker compose up -d --remove-orphans
|
|
- cd /opt/prestashop && docker compose ps
|
|
- |
|
|
CONTAINER_IP=$(docker inspect prestashop --format '{{.NetworkSettings.Networks.sonic.IPAddress}}')
|
|
DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)
|
|
CTOK=$(cat $CI_WORKSPACE/.consul_token)
|
|
|
|
# --- Certificat TLS (acme.sh via sonic-acme-1) ---
|
|
# acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
|
|
# Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
|
|
# --home /etc/acme.sh = volume persistant sonic_acme (sinon /root/.acme.sh non persiste)
|
|
# ; ACME_EXIT=$? ne fonctionne pas avec set -e (shell quitte si exit != 0 avant la capture)
|
|
# || ACME_EXIT=$? capture le code sans declencher set -e
|
|
ACME_EXIT=0
|
|
docker exec sonic-acme-1 /app/acme.sh \
|
|
--home /etc/acme.sh \
|
|
--issue -d "$DOMAIN" \
|
|
--webroot /usr/share/nginx/html \
|
|
--server letsencrypt \
|
|
--accountemail support+acme@asycn.io || ACME_EXIT=$?
|
|
if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
|
|
echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
|
|
exit 1
|
|
fi
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
|
|
echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
|
|
|
|
# --- Enregistrement Consul ---
|
|
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul services register \
|
|
-address "$CONTAINER_IP" -port 80 -name prestashop -tag "urlprefix-$DOMAIN/"
|
|
echo "Consul: prestashop -> $CONTAINER_IP:80 urlprefix-$DOMAIN/"
|
|
|
|
# --- Routes Fabio KV (HTTP + HTTPS) ---
|
|
# /* requis avec le glob matcher de Fabio : sans *, seul / exact matche (les sous-chemins tombent sur le catch-all nginx)
|
|
ROUTES=$(printf 'route add prestashop %s/* http://%s:80/\nroute add prestashop %s:443/* http://%s:80/' "$DOMAIN" "$CONTAINER_IP" "$DOMAIN" "$CONTAINER_IP")
|
|
docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put fabio/config "$ROUTES"
|
|
echo "Fabio KV: routes HTTP+HTTPS $DOMAIN -> $CONTAINER_IP:80"
|
|
|
|
# Etape 4 : Configuration post-deploiement (SSL, cache)
|
|
# Attend la fin de l'installation PrestaShop (ps_configuration initialisee),
|
|
# puis active SSL dans la DB (PrestaShop genere des URLs https:// grace a X-Forwarded-Proto:https de Fabio)
|
|
- name: configure
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- |
|
|
DB_PASS=$(grep '^DB_PASSWORD=' .env.deploy | cut -d= -f2)
|
|
echo "Attente fin installation PrestaShop (ps_configuration)..."
|
|
MAX=60
|
|
i=0
|
|
until [ $i -ge $MAX ]; do
|
|
READY=$(docker exec prestashop-db mysql -uprestashop -p"$DB_PASS" -se \
|
|
"SELECT COUNT(*) FROM prestashop.ps_configuration WHERE name='PS_SSL_ENABLED';" 2>/dev/null || echo 0)
|
|
if [ "$READY" -gt "0" ] 2>/dev/null; then
|
|
echo "Base prete, activation SSL..."
|
|
docker exec prestashop-db mysql -uprestashop -p"$DB_PASS" prestashop -e \
|
|
"UPDATE ps_configuration SET value='1' WHERE name IN ('PS_SSL_ENABLED','PS_SSL_ENABLED_EVERYWHERE');"
|
|
docker exec prestashop rm -rf /var/www/html/var/cache/prod/ 2>/dev/null || true
|
|
echo "SSL active dans DB, cache efface"
|
|
break
|
|
fi
|
|
i=$((i+1))
|
|
echo "Tentative $i/$MAX - installation en cours..."
|
|
sleep 10
|
|
done
|
|
[ $i -ge $MAX ] && echo "AVERTISSEMENT: timeout configure SSL" || true
|
|
|
|
# Etape 5 : Healthcheck post-deploiement
|
|
- name: healthcheck
|
|
image: alpine:3.20
|
|
commands:
|
|
- apk add --no-cache --quiet curl
|
|
- |
|
|
SITE=$(grep '^PS_DOMAIN=' .env.deploy | cut -d= -f2)
|
|
if [ -z "$SITE" ]; then
|
|
echo "ERREUR: PS_DOMAIN non defini dans .env.deploy"
|
|
exit 1
|
|
fi
|
|
TARGET="http://$SITE"
|
|
echo "Healthcheck sur $TARGET (max 10 minutes)..."
|
|
MAX=60
|
|
i=0
|
|
until [ $i -ge $MAX ]; do
|
|
CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
|
|
echo "Tentative $((i+1))/$MAX - HTTP $CODE"
|
|
if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
|
|
echo "PrestaShop repond correctement sur $TARGET"
|
|
exit 0
|
|
fi
|
|
i=$((i+1))
|
|
sleep 10
|
|
done
|
|
echo "ERREUR: PrestaShop ne repond pas apres 10 minutes"
|
|
exit 1
|
|
|
|
# Notification en cas d'echec
|
|
- name: notify-failure
|
|
image: alpine:3.20
|
|
commands:
|
|
- 'echo "ECHEC pipeline #${CI_BUILD_NUMBER} sur commit ${CI_COMMIT_SHA}"'
|
|
- 'echo "Branche: ${CI_COMMIT_BRANCH}"'
|
|
when:
|
|
- status: failure
|