#!/bin/bash # Methods library for rustelo_website — sourced by install-rustelo_website.sh # and generated run-*.sh scripts. SCRIPT_DIR must be set before sourcing. _kubectl() { if command -v kubectl >/dev/null 2>&1; then command kubectl "$@" elif command -v k0s >/dev/null 2>&1; then k0s kubectl "$@" else echo "ERROR: no kubectl or k0s binary found" >&2; exit 127 fi } _require_env() { local var="$1" if [ -z "${!var:-}" ]; then echo "ERROR: required variable $var is not set" >&2; exit 1 fi } _pod_name() { _kubectl get pod \ --namespace "$WEBSITE_NAMESPACE" \ --selector "app.kubernetes.io/name=${WEBSITE_NAME}" \ -o jsonpath='{.items[0].metadata.name}' 2>/dev/null } _wait_for_pod() { local timeout="${1:-300}" _kubectl wait pod \ --namespace "$WEBSITE_NAMESPACE" \ --selector "app.kubernetes.io/name=${WEBSITE_NAME}" \ --for=condition=Ready \ --timeout="${timeout}s" } # ── Manifest plan helpers ───────────────────────────────────────────────────── _plan_apply() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl apply -f "$path" } _plan_apply_skip() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } if _kubectl get -f "$path" >/dev/null 2>&1; then echo " [skip] ${file} already exists in cluster" return 0 fi _kubectl apply -f "$path" } _plan_rollout_restart() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl rollout restart -f "$path" } _plan_delete() { local file="$1" local path="$SCRIPT_DIR/manifests/${file}.yaml" [ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; } _kubectl delete -f "$path" --ignore-not-found } # shellcheck source=lib/gateway-tls.sh source "${SCRIPT_DIR}/lib/gateway-tls.sh" # ── Component methods ───────────────────────────────────────────────────────── _method_create-credentials() { [ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a _require_env SECRET_KEY # App credentials secret: SECRET_KEY + DATABASE_URL. # DATABASE_URL is SQLite at the data PVC mount path when data_pvc.enabled = true. local db_url="${DATABASE_URL:-}" if [ -z "$db_url" ] && [ "${WEBSITE_DATA_PVC_ENABLED:-false}" = "true" ]; then db_url="sqlite:${WEBSITE_DATA_MOUNT}/site.db" fi local secret_name="${WEBSITE_NAME}-credentials" if [ -n "$db_url" ]; then _kubectl create secret generic "$secret_name" \ --namespace "$WEBSITE_NAMESPACE" \ --from-literal=SECRET_KEY="$SECRET_KEY" \ --from-literal=DATABASE_URL="$db_url" \ --dry-run=client -o yaml | _kubectl apply -f - else _kubectl create secret generic "$secret_name" \ --namespace "$WEBSITE_NAMESPACE" \ --from-literal=SECRET_KEY="$SECRET_KEY" \ --dry-run=client -o yaml | _kubectl apply -f - fi echo " [ok] credentials secret '${secret_name}' in ${WEBSITE_NAMESPACE}" # Registry pull secret — docker-registry type, in deployment namespace. # Token derived from the secret name: e.g. reg-librecloud-pull → # REGISTRY_TOKEN_REG_LIBRECLOUD_PULL (uppercased, dashes to underscores). local reg_secret="${WEBSITE_REGISTRY_SECRET:-regcred}" local reg_env_key="REGISTRY_TOKEN_$(echo "${reg_secret}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')" local reg_token="${!reg_env_key:-}" if [ -n "$reg_token" ]; then # reg_token is expected to be a base64-encoded dockerconfigjson or a raw token. # Convention: if it contains '{', treat as raw dockerconfigjson; otherwise it is # a plain Bearer token for the registry host extracted from the zot htpasswd secret. local registry_host registry_host=$(echo "${WEBSITE_IMAGE:-}" | cut -d'/' -f1) [ -z "$registry_host" ] && registry_host="reg.librecloud.online" if echo "$reg_token" | grep -q '^{'; then # Raw dockerconfigjson _kubectl create secret generic "$reg_secret" \ --namespace "$WEBSITE_NAMESPACE" \ --type=kubernetes.io/dockerconfigjson \ --from-literal=.dockerconfigjson="$reg_token" \ --dry-run=client -o yaml | _kubectl apply -f - else # username:password pair expected as REGISTRY_USER + REGISTRY_PASS, or colon-separated token local reg_user reg_pass if echo "$reg_token" | grep -q ':'; then reg_user="${reg_token%%:*}" reg_pass="${reg_token#*:}" else reg_user="${REGISTRY_USER:-regadm}" reg_pass="$reg_token" fi _kubectl create secret docker-registry "$reg_secret" \ --namespace "$WEBSITE_NAMESPACE" \ --docker-server="$registry_host" \ --docker-username="$reg_user" \ --docker-password="$reg_pass" \ --dry-run=client -o yaml | _kubectl apply -f - fi echo " [ok] registry pull secret '${reg_secret}' in ${WEBSITE_NAMESPACE}" else echo " [warn] ${reg_env_key} not set — skipping registry pull secret creation" echo " [hint] set ${reg_env_key}=user:pass in _credentials.env or deploy environment" fi } _method_wait-ready() { _wait_for_pod 300 } _method_protect-volume() { local pvc="${PLAN_PARAM_PVC:-${WEBSITE_NAME}-data}" if [ "${WEBSITE_DATA_PVC_ENABLED:-false}" != "true" ]; then echo " [skip] data_pvc disabled — no volume to protect" return 0 fi echo " waiting for PVC '${pvc}' to bind..." _kubectl wait pvc "$pvc" \ --namespace "$WEBSITE_NAMESPACE" \ --for=jsonpath='{.status.phase}'=Bound \ --timeout=120s local pv_name pv_name=$(_kubectl get pvc "$pvc" \ --namespace "$WEBSITE_NAMESPACE" \ -o jsonpath='{.spec.volumeName}') if [ -z "$pv_name" ]; then echo " [warn] could not resolve PV name for PVC '${pvc}' — skipping volume protection" return 0 fi if command -v hcloud >/dev/null 2>&1; then hcloud volume enable-protection "$pv_name" delete 2>/dev/null \ && echo " [ok] volume '${pv_name}' protected" \ || echo " [warn] hcloud protect failed — run manually: hcloud volume enable-protection ${pv_name} delete" else echo " [warn] hcloud CLI not found — skip volume protection for '${pv_name}'" fi }