#!/bin/bash # Methods library for web_app — sourced by generated run-*.sh scripts. # SCRIPT_DIR must be set before sourcing. _kubectl() { if command -v kubectl >/dev/null 2>&1; then command kubectl "$@" elif command -v k0s >/dev/null 2>&1; then k0s kubectl "$@" else echo "ERROR: no kubectl or k0s binary found" >&2; exit 127 fi } _require_env() { local var="$1" if [ -z "${!var:-}" ]; then echo "ERROR: required variable $var is not set" >&2; exit 1 fi } _pod_name() { _kubectl get pod \ --namespace "$WEBAPP_NAMESPACE" \ --selector "app.kubernetes.io/name=${WEBAPP_NAME}" \ -o jsonpath='{.items[0].metadata.name}' 2>/dev/null } _wait_for_pod() { local timeout="${1:-300}" _kubectl wait pod \ --namespace "$WEBAPP_NAMESPACE" \ --selector "app.kubernetes.io/name=${WEBAPP_NAME}" \ --for=condition=Ready \ --timeout="${timeout}s" } _plan_apply() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl apply -f "$path" } _plan_apply_skip() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } if _kubectl get -f "$path" >/dev/null 2>&1; then echo " [skip] ${file} already exists in cluster" return 0 fi _kubectl apply -f "$path" } _plan_rollout_restart() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl rollout restart -f "$path" } _plan_delete() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl delete -f "$path" --ignore-not-found } # shellcheck source=lib/gateway-tls.sh source "${SCRIPT_DIR}/lib/gateway-tls.sh" # ── Component methods ───────────────────────────────────────────────────────── _method_create-cf-secret() { [ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a local secret_name="${WEBAPP_CF_SECRET_NAME:-}" if [ -z "$secret_name" ]; then echo " [skip] WEBAPP_CF_SECRET_NAME not set — skipping Cloudflare secret creation" return 0 fi local env_key="CF_TOKEN_$(echo "${secret_name}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')" local cf_token="${!env_key:-}" if [ -z "$cf_token" ]; then echo " [warn] ${env_key} not set — skipping Cloudflare secret '${secret_name}'" echo " [hint] set ${env_key}= in _credentials.env" return 0 fi _lib_create_cf_secret "$secret_name" "$cf_token" "cert-manager" } _method_create-htpasswd() { [ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a local path_count="${WEBAPP_AUTH_PATH_COUNT:-0}" if [ "$path_count" -eq 0 ]; then echo " [skip] no auth_paths configured — skipping htpasswd secret" return 0 fi local create_args=("--namespace" "$WEBAPP_NAMESPACE") local any=false for i in $(seq 0 $((path_count - 1))); do local slug_var="WEBAPP_AUTH_PATH_${i}_SLUG" local slug="${!slug_var:-}" [ -z "$slug" ] && continue local htpasswd_var="WEBAPP_HTPASSWD_$(echo "$slug" | tr '[:lower:]' '[:upper:]')" local htpasswd_content="${!htpasswd_var:-}" if [ -z "$htpasswd_content" ]; then echo " [warn] ${htpasswd_var} not set — skipping htpasswd for slug '${slug}'" continue fi create_args+=("--from-literal=${slug}.htpasswd=${htpasswd_content}") any=true done if [ "$any" = "false" ]; then echo " [skip] no htpasswd content in _credentials.env — secret not created" return 0 fi _kubectl create secret generic "${WEBAPP_NAME}-htpasswd" \ "${create_args[@]}" \ --dry-run=client -o yaml | _kubectl apply -f - echo " [ok] htpasswd secret '${WEBAPP_NAME}-htpasswd' created in ${WEBAPP_NAMESPACE}" } _method_delete-htpasswd() { _kubectl delete secret "${WEBAPP_NAME}-htpasswd" \ --namespace "$WEBAPP_NAMESPACE" \ --ignore-not-found echo " [ok] htpasswd secret '${WEBAPP_NAME}-htpasswd' deleted" } _method_wait-ready() { _wait_for_pod 300 } _method_protect-volume() { local pvc="${WEBAPP_NAME}-data" echo " waiting for PVC '${pvc}' to bind..." _kubectl wait pvc "$pvc" \ --namespace "$WEBAPP_NAMESPACE" \ --for=jsonpath='{.status.phase}'=Bound \ --timeout=120s local pv_name pv_name=$(_kubectl get pvc "$pvc" \ --namespace "$WEBAPP_NAMESPACE" \ -o jsonpath='{.spec.volumeName}') if [ -z "$pv_name" ]; then echo " [warn] could not resolve PV name for PVC '${pvc}' — skipping volume protection" return 0 fi if command -v hcloud >/dev/null 2>&1; then hcloud volume enable-protection "$pv_name" delete 2>/dev/null \ && echo " [ok] volume '${pv_name}' protected" \ || echo " [warn] hcloud protect failed — run manually: hcloud volume enable-protection ${pv_name} delete" else echo " [warn] hcloud CLI not found — skip volume protection for '${pv_name}'" fi }