185 lines
6.5 KiB
Bash
185 lines
6.5 KiB
Bash
|
|
#!/bin/bash
|
||
|
|
# Methods library for rustelo_website — sourced by install-rustelo_website.sh
|
||
|
|
# and generated run-*.sh scripts. SCRIPT_DIR must be set before sourcing.
|
||
|
|
|
||
|
|
_kubectl() {
|
||
|
|
if command -v kubectl >/dev/null 2>&1; then
|
||
|
|
command kubectl "$@"
|
||
|
|
elif command -v k0s >/dev/null 2>&1; then
|
||
|
|
k0s kubectl "$@"
|
||
|
|
else
|
||
|
|
echo "ERROR: no kubectl or k0s binary found" >&2; exit 127
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
_require_env() {
|
||
|
|
local var="$1"
|
||
|
|
if [ -z "${!var:-}" ]; then
|
||
|
|
echo "ERROR: required variable $var is not set" >&2; exit 1
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
_pod_name() {
|
||
|
|
_kubectl get pod \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--selector "app.kubernetes.io/name=${WEBSITE_NAME}" \
|
||
|
|
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null
|
||
|
|
}
|
||
|
|
|
||
|
|
_wait_for_pod() {
|
||
|
|
local timeout="${1:-300}"
|
||
|
|
_kubectl wait pod \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--selector "app.kubernetes.io/name=${WEBSITE_NAME}" \
|
||
|
|
--for=condition=Ready \
|
||
|
|
--timeout="${timeout}s"
|
||
|
|
}
|
||
|
|
|
||
|
|
# ── Manifest plan helpers ─────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
_plan_apply() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl apply -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_apply_skip() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
if _kubectl get -f "$path" >/dev/null 2>&1; then
|
||
|
|
echo " [skip] ${file} already exists in cluster"
|
||
|
|
return 0
|
||
|
|
fi
|
||
|
|
_kubectl apply -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_rollout_restart() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl rollout restart -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_delete() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl delete -f "$path" --ignore-not-found
|
||
|
|
}
|
||
|
|
|
||
|
|
# shellcheck source=lib/gateway-tls.sh
|
||
|
|
source "${SCRIPT_DIR}/lib/gateway-tls.sh"
|
||
|
|
|
||
|
|
# ── Component methods ─────────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
_method_create-credentials() {
|
||
|
|
[ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a
|
||
|
|
_require_env SECRET_KEY
|
||
|
|
|
||
|
|
# App credentials secret: SECRET_KEY + DATABASE_URL.
|
||
|
|
# DATABASE_URL is SQLite at the data PVC mount path when data_pvc.enabled = true.
|
||
|
|
local db_url="${DATABASE_URL:-}"
|
||
|
|
if [ -z "$db_url" ] && [ "${WEBSITE_DATA_PVC_ENABLED:-false}" = "true" ]; then
|
||
|
|
db_url="sqlite:${WEBSITE_DATA_MOUNT}/site.db"
|
||
|
|
fi
|
||
|
|
|
||
|
|
local secret_name="${WEBSITE_NAME}-credentials"
|
||
|
|
if [ -n "$db_url" ]; then
|
||
|
|
_kubectl create secret generic "$secret_name" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--from-literal=SECRET_KEY="$SECRET_KEY" \
|
||
|
|
--from-literal=DATABASE_URL="$db_url" \
|
||
|
|
--dry-run=client -o yaml | _kubectl apply -f -
|
||
|
|
else
|
||
|
|
_kubectl create secret generic "$secret_name" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--from-literal=SECRET_KEY="$SECRET_KEY" \
|
||
|
|
--dry-run=client -o yaml | _kubectl apply -f -
|
||
|
|
fi
|
||
|
|
echo " [ok] credentials secret '${secret_name}' in ${WEBSITE_NAMESPACE}"
|
||
|
|
|
||
|
|
# Registry pull secret — docker-registry type, in deployment namespace.
|
||
|
|
# Token derived from the secret name: e.g. reg-librecloud-pull →
|
||
|
|
# REGISTRY_TOKEN_REG_LIBRECLOUD_PULL (uppercased, dashes to underscores).
|
||
|
|
local reg_secret="${WEBSITE_REGISTRY_SECRET:-regcred}"
|
||
|
|
local reg_env_key="REGISTRY_TOKEN_$(echo "${reg_secret}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
|
||
|
|
local reg_token="${!reg_env_key:-}"
|
||
|
|
|
||
|
|
if [ -n "$reg_token" ]; then
|
||
|
|
# reg_token is expected to be a base64-encoded dockerconfigjson or a raw token.
|
||
|
|
# Convention: if it contains '{', treat as raw dockerconfigjson; otherwise it is
|
||
|
|
# a plain Bearer token for the registry host extracted from the zot htpasswd secret.
|
||
|
|
local registry_host
|
||
|
|
registry_host=$(echo "${WEBSITE_IMAGE:-}" | cut -d'/' -f1)
|
||
|
|
[ -z "$registry_host" ] && registry_host="reg.librecloud.online"
|
||
|
|
|
||
|
|
if echo "$reg_token" | grep -q '^{'; then
|
||
|
|
# Raw dockerconfigjson
|
||
|
|
_kubectl create secret generic "$reg_secret" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--type=kubernetes.io/dockerconfigjson \
|
||
|
|
--from-literal=.dockerconfigjson="$reg_token" \
|
||
|
|
--dry-run=client -o yaml | _kubectl apply -f -
|
||
|
|
else
|
||
|
|
# username:password pair expected as REGISTRY_USER + REGISTRY_PASS, or colon-separated token
|
||
|
|
local reg_user reg_pass
|
||
|
|
if echo "$reg_token" | grep -q ':'; then
|
||
|
|
reg_user="${reg_token%%:*}"
|
||
|
|
reg_pass="${reg_token#*:}"
|
||
|
|
else
|
||
|
|
reg_user="${REGISTRY_USER:-regadm}"
|
||
|
|
reg_pass="$reg_token"
|
||
|
|
fi
|
||
|
|
_kubectl create secret docker-registry "$reg_secret" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--docker-server="$registry_host" \
|
||
|
|
--docker-username="$reg_user" \
|
||
|
|
--docker-password="$reg_pass" \
|
||
|
|
--dry-run=client -o yaml | _kubectl apply -f -
|
||
|
|
fi
|
||
|
|
echo " [ok] registry pull secret '${reg_secret}' in ${WEBSITE_NAMESPACE}"
|
||
|
|
else
|
||
|
|
echo " [warn] ${reg_env_key} not set — skipping registry pull secret creation"
|
||
|
|
echo " [hint] set ${reg_env_key}=user:pass in _credentials.env or deploy environment"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_wait-ready() {
|
||
|
|
_wait_for_pod 300
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
_method_protect-volume() {
|
||
|
|
local pvc="${PLAN_PARAM_PVC:-${WEBSITE_NAME}-data}"
|
||
|
|
|
||
|
|
if [ "${WEBSITE_DATA_PVC_ENABLED:-false}" != "true" ]; then
|
||
|
|
echo " [skip] data_pvc disabled — no volume to protect"
|
||
|
|
return 0
|
||
|
|
fi
|
||
|
|
|
||
|
|
echo " waiting for PVC '${pvc}' to bind..."
|
||
|
|
_kubectl wait pvc "$pvc" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
--for=jsonpath='{.status.phase}'=Bound \
|
||
|
|
--timeout=120s
|
||
|
|
|
||
|
|
local pv_name
|
||
|
|
pv_name=$(_kubectl get pvc "$pvc" \
|
||
|
|
--namespace "$WEBSITE_NAMESPACE" \
|
||
|
|
-o jsonpath='{.spec.volumeName}')
|
||
|
|
if [ -z "$pv_name" ]; then
|
||
|
|
echo " [warn] could not resolve PV name for PVC '${pvc}' — skipping volume protection"
|
||
|
|
return 0
|
||
|
|
fi
|
||
|
|
|
||
|
|
if command -v hcloud >/dev/null 2>&1; then
|
||
|
|
hcloud volume enable-protection "$pv_name" delete 2>/dev/null \
|
||
|
|
&& echo " [ok] volume '${pv_name}' protected" \
|
||
|
|
|| echo " [warn] hcloud protect failed — run manually: hcloud volume enable-protection ${pv_name} delete"
|
||
|
|
else
|
||
|
|
echo " [warn] hcloud CLI not found — skip volume protection for '${pv_name}'"
|
||
|
|
fi
|
||
|
|
}
|