테스트 개선 및 프로덕션 배포준비
@@ -23,8 +23,8 @@ host_from_url() {
|
||||
|
||||
require_env IMAGE_TAG
|
||||
require_env IMAGE_DEPLOY_ENV
|
||||
require_env IMAGE_DEPLOY_PORT_PREFIX
|
||||
require_env IMAGE_DEPLOY_PUBLIC_URL
|
||||
require_env IMAGE_DEPLOY_BACKEND_PORT
|
||||
require_env ADMINFRONT_URL
|
||||
require_env DEVFRONT_URL
|
||||
require_env ORGFRONT_URL
|
||||
@@ -50,26 +50,43 @@ case "$IMAGE_DEPLOY_ENV" in
|
||||
esac
|
||||
|
||||
instance_name="${IMAGE_DEPLOY_INSTANCE_NAME:-$default_instance_name}"
|
||||
port_prefix="${IMAGE_DEPLOY_PORT_PREFIX:-${IMAGE_DEPLOY_BACKEND_PORT%???}}"
|
||||
[[ -n "$port_prefix" ]] || die "IMAGE_DEPLOY_PORT_PREFIX is empty and could not be derived from IMAGE_DEPLOY_BACKEND_PORT."
|
||||
bundle_dir="${IMAGE_DEPLOY_BUNDLE_DIR:-$PWD/${instance_name}-image-deploy-bundle}"
|
||||
bundle_file="${IMAGE_DEPLOY_BUNDLE_FILE:-$PWD/${instance_name}-image-deploy-bundle.tgz}"
|
||||
compose_template="${IMAGE_DEPLOY_COMPOSE_TEMPLATE:-$repo_root/deploy/templates/docker-compose.images.yaml}"
|
||||
|
||||
rm -rf "$bundle_dir"
|
||||
TARGET_DIR="$bundle_dir" bash "$repo_root/deploy/create-instance.sh" "$instance_name" "$IMAGE_DEPLOY_PORT_PREFIX"
|
||||
TARGET_DIR="$bundle_dir" bash "$repo_root/deploy/create-instance.sh" "$instance_name" "$port_prefix"
|
||||
cp "$compose_template" "$bundle_dir/docker-compose.yml"
|
||||
|
||||
sed "s/{{BACKEND_PORT}}/${IMAGE_DEPLOY_BACKEND_PORT}/g" \
|
||||
"$repo_root/deploy/templates/gateway/nginx.conf" >"$bundle_dir/gateway/nginx.conf"
|
||||
sed "s/{{BACKEND_PORT}}/${IMAGE_DEPLOY_BACKEND_PORT}/g" \
|
||||
"$repo_root/deploy/templates/ory/oathkeeper/rules.json" >"$bundle_dir/ory/templates/oathkeeper/rules.json"
|
||||
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.stage.json"
|
||||
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.prod.json"
|
||||
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.active.json"
|
||||
|
||||
public_host="$(host_from_url "$IMAGE_DEPLOY_PUBLIC_URL")"
|
||||
admin_host="$(host_from_url "$ADMINFRONT_URL")"
|
||||
dev_host="$(host_from_url "$DEVFRONT_URL")"
|
||||
org_host="$(host_from_url "$ORGFRONT_URL")"
|
||||
backend_log_level="${IMAGE_DEPLOY_BACKEND_LOG_LEVEL:-${BACKEND_LOG_LEVEL:-info}}"
|
||||
client_log_debug="${IMAGE_DEPLOY_CLIENT_LOG_DEBUG:-${CLIENT_LOG_DEBUG:-false}}"
|
||||
backend_public_url="${IMAGE_DEPLOY_BACKEND_PUBLIC_URL:-${BACKEND_PUBLIC_URL:-${BACKEND_URL:-$IMAGE_DEPLOY_PUBLIC_URL}}}"
|
||||
backend_url="${IMAGE_DEPLOY_BACKEND_URL:-${BACKEND_URL:-$backend_public_url}}"
|
||||
|
||||
cat >"$bundle_dir/.env" <<EOF
|
||||
INSTANCE_NAME=${instance_name}
|
||||
COMPOSE_PROJECT_NAME=baron-sso-${instance_name}
|
||||
APP_ENV=${app_env}
|
||||
BACKEND_LOG_LEVEL=${backend_log_level}
|
||||
CLIENT_LOG_DEBUG=${client_log_debug}
|
||||
VITE_CLIENT_LOG_DEBUG=${client_log_debug}
|
||||
TZ=Asia/Seoul
|
||||
SOURCE_ROOT=.
|
||||
P=${IMAGE_DEPLOY_PORT_PREFIX}
|
||||
P=${port_prefix}
|
||||
DB_PORT=${IMAGE_DEPLOY_DB_PORT}
|
||||
REDIS_PORT=${IMAGE_DEPLOY_REDIS_PORT}
|
||||
CLICKHOUSE_PORT_HTTP=${IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP}
|
||||
@@ -85,6 +102,8 @@ USERFRONT_URL=${IMAGE_DEPLOY_PUBLIC_URL}
|
||||
ADMINFRONT_URL=${ADMINFRONT_URL}
|
||||
DEVFRONT_URL=${DEVFRONT_URL}
|
||||
ORGFRONT_URL=${ORGFRONT_URL}
|
||||
BACKEND_PUBLIC_URL=${backend_public_url}
|
||||
BACKEND_URL=${backend_url}
|
||||
PUBLIC_HOST=${public_host}
|
||||
ADMINFRONT_HOST=${admin_host}
|
||||
DEVFRONT_HOST=${dev_host}
|
||||
@@ -106,9 +125,22 @@ HYDRA_CONSENT_URL=${IMAGE_DEPLOY_PUBLIC_URL}/consent
|
||||
HYDRA_ERROR_URL=${IMAGE_DEPLOY_PUBLIC_URL}/error
|
||||
HYDRA_REFRESH_TOKEN_TTL=${HYDRA_REFRESH_TOKEN_TTL}
|
||||
OATHKEEPER_PUBLIC_URL=${IMAGE_DEPLOY_PUBLIC_URL}
|
||||
OATHKEEPER_API_URL=${OATHKEEPER_API_URL:-}
|
||||
KETO_READ_URL=http://keto:4466
|
||||
KETO_WRITE_URL=http://keto:4467
|
||||
IDP_PROVIDER=ory
|
||||
WORKS_ADMIN_API_BASE_URL=${WORKS_ADMIN_API_BASE_URL:-}
|
||||
WORKS_ADMIN_OAUTH_TOKEN_URL=${WORKS_ADMIN_OAUTH_TOKEN_URL:-}
|
||||
PROFILE_CACHE_TTL=${PROFILE_CACHE_TTL:-}
|
||||
NAVER_CLOUD_ACCESS_KEY=${NAVER_CLOUD_ACCESS_KEY:-}
|
||||
NAVER_CLOUD_SECRET_KEY=${NAVER_CLOUD_SECRET_KEY:-}
|
||||
NAVER_CLOUD_SERVICE_ID=${NAVER_CLOUD_SERVICE_ID:-}
|
||||
NAVER_SENDER_PHONE_NUMBER=${NAVER_SENDER_PHONE_NUMBER:-}
|
||||
AWS_REGION=${AWS_REGION:-}
|
||||
AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
|
||||
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
|
||||
AWS_SES_SENDER=${AWS_SES_SENDER:-}
|
||||
CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-}
|
||||
DB_PASSWORD=${IMAGE_DEPLOY_DB_PASSWORD}
|
||||
ORY_POSTGRES_USER=${ORY_POSTGRES_USER}
|
||||
ORY_POSTGRES_PASSWORD=${IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD}
|
||||
@@ -125,6 +157,8 @@ OATHKEEPER_UID=${OATHKEEPER_UID}
|
||||
OATHKEEPER_GID=${OATHKEEPER_GID}
|
||||
OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID}
|
||||
OATHKEEPER_INTROSPECT_CLIENT_SECRET=${IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET}
|
||||
CLICKHOUSE_HOST=${CLICKHOUSE_HOST:-clickhouse}
|
||||
CLICKHOUSE_USER=${CLICKHOUSE_USER:-baron}
|
||||
CLICKHOUSE_PASSWORD=${IMAGE_DEPLOY_CLICKHOUSE_PASSWORD}
|
||||
REDIS_ADDR=redis:6379
|
||||
COOKIE_SECRET=${IMAGE_DEPLOY_COOKIE_SECRET}
|
||||
@@ -146,6 +180,7 @@ required_dotenv_keys="
|
||||
APP_ENV IMAGE_TAG BACKEND_IMAGE_NAME USERFRONT_IMAGE_NAME ADMINFRONT_IMAGE_NAME DEVFRONT_IMAGE_NAME ORGFRONT_IMAGE_NAME
|
||||
USERFRONT_URL PUBLIC_HOST HYDRA_PUBLIC_URL VITE_OIDC_AUTHORITY TRAEFIK_PUBLIC_NETWORK
|
||||
DB_PASSWORD ORY_POSTGRES_PASSWORD COOKIE_SECRET JWT_SECRET CSRF_COOKIE_SECRET
|
||||
BACKEND_LOG_LEVEL CLIENT_LOG_DEBUG BACKEND_PUBLIC_URL BACKEND_URL CLICKHOUSE_HOST CLICKHOUSE_USER
|
||||
"
|
||||
for key in $required_dotenv_keys; do
|
||||
if ! grep -Eq "^${key}=.+" "$bundle_dir/.env"; then
|
||||
|
||||
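--- /dev/null
+++ b/scripts/docker-image/verify_archive.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root="$(cd "$script_dir/../.." && pwd)"
+source "$repo_root/scripts/backup/lib/common.sh"
+
+archive_dir="${1:-${WORKS_DOCKER_IMAGE_ARCHIVE_DIR:-}}"
+verify_load="${WORKS_DOCKER_VERIFY_LOAD:-false}"
+
+[[ -n "$archive_dir" ]] || backup_die "archive directory is required. Example: scripts/docker-image/verify_archive.sh /path/to/archive"
+backup_require_path "$archive_dir"
+
+backup_require_command jq
+backup_require_command sha256sum
+backup_require_command stat
+backup_require_command zstd
+
+manifest_file="$archive_dir/manifest.json"
+backup_require_path "$manifest_file"
+
+schema_version="$(jq -er '.schema_version' "$manifest_file")"
+format="$(jq -er '.format' "$manifest_file")"
+archive_name="$(jq -er '.archive.file_name' "$manifest_file")"
+manifest_sha256="$(jq -er '.archive.sha256' "$manifest_file")"
+manifest_size="$(jq -er '.archive.size_bytes' "$manifest_file")"
+
+[[ "$schema_version" == "1" ]] || backup_die "unsupported archive schema_version: $schema_version"
+[[ "$format" == "docker-save-zstd" ]] || backup_die "unsupported archive format: $format"
+[[ "$archive_name" != */* && -n "$archive_name" ]] || backup_die "manifest archive.file_name must be a file name: $archive_name"
+[[ "$manifest_sha256" =~ ^[0-9a-f]{64}$ ]] || backup_die "manifest archive.sha256 is invalid: $manifest_sha256"
+[[ "$manifest_size" =~ ^[0-9]+$ ]] || backup_die "manifest archive.size_bytes is invalid: $manifest_size"
+
+archive_file="$archive_dir/$archive_name"
+checksum_file="$archive_dir/${archive_name}.sha256"
+
+backup_require_path "$archive_file"
+backup_require_path "$checksum_file"
+
+backup_log "Checking archive checksum"
+(
+cd "$archive_dir"
+sha256sum -c "$(basename "$checksum_file")" >/dev/null
+)
+
+actual_sha256="$(sha256sum "$archive_file" | awk '{print $1}')"
+[[ "$actual_sha256" == "$manifest_sha256" ]] || backup_die "manifest sha256 mismatch: expected=$manifest_sha256 actual=$actual_sha256"
+
+actual_size="$(stat -c '%s' "$archive_file")"
+[[ "$actual_size" == "$manifest_size" ]] || backup_die "manifest size mismatch: expected=$manifest_size actual=$actual_size"
+
+backup_log "Testing zstd archive integrity"
+zstd -q -t "$archive_file"
+
+if [[ "$verify_load" == "true" ]]; then
+backup_require_command docker
+backup_log "Loading Docker image from archive"
+zstd -q -d -c "$archive_file" | docker load
+fi
+
+backup_log "Docker image archive verification passed: $archive_dir"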
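Review bot: `stat -c '%s'` on the `actual_size=` line is GNU-specific; `backup_require_command stat` only proves a stat binary exists, and on a BSD/macOS stat the flag is rejected so the script dies at the size comparison even though the checksum already passed. The sibling test measures the same value with `wc -c <"$artifact_dir/image.tar.zst" | tr -d ' '`, which works on both, so `actual_size="$(wc -c <"$archive_file" | tr -d ' ')"` would keep the two consistent and drop the stat requirement. Separately, when WORKS_DOCKER_VERIFY_LOAD=true the archive is piped into `docker load` without comparing what the daemon reports it loaded against the manifest's image_ref; if that field is meant to be authoritative (the test fixture populates it), checking the name printed by `docker load` against it would close the gap between what was verified and what ends up in the daemon.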
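--- /dev/null
+++ b/scripts/test_deploy_workflow_env_prefixes.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env sh
+set -eu
+
+fail_if_contains() {
+file="$1"
+pattern="$2"
+if grep -Fq "$pattern" "$file"; then
+echo "forbidden pattern in $file: $pattern" >&2
+exit 1
+fi
+}
+
+assert_contains() {
+file="$1"
+pattern="$2"
+if ! grep -Fq "$pattern" "$file"; then
+echo "missing pattern in $file: $pattern" >&2
+exit 1
+fi
+}
+
+staging_workflows="
+.gitea/workflows/staging_code_pull.yml
+.gitea/workflows/staging_release.yml
+.gitea/workflows/staging_image_deploy.yml
+"
+
+production_workflows="
+.gitea/workflows/production_release.yml
+.gitea/workflows/production_image_deploy.yml
+"
+
+for workflow in $staging_workflows; do
+assert_contains "$workflow" "vars.STG_"
+assert_contains "$workflow" "secrets.STG_"
+fail_if_contains "$workflow" "vars.STAGE_"
+fail_if_contains "$workflow" "secrets.STAGE_"
+for name in \
+USERFRONT_URL ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY \
+BACKEND_URL BACKEND_LOG_LEVEL CLIENT_LOG_DEBUG PROFILE_CACHE_TTL CORS_ALLOWED_ORIGINS \
+WORKS_ADMIN_API_BASE_URL WORKS_ADMIN_OAUTH_TOKEN_URL NAVER_CLOUD_ACCESS_KEY \
+NAVER_CLOUD_SERVICE_ID NAVER_SENDER_PHONE_NUMBER AWS_REGION AWS_ACCESS_KEY_ID \
+AWS_SES_SENDER CLICKHOUSE_HOST CLICKHOUSE_USER DB_PORT DB_USER DB_NAME REDIS_ADDR
+do
+fail_if_contains "$workflow" "vars.$name"
+done
+for name in AWS_SECRET_ACCESS_KEY NAVER_CLOUD_SECRET_KEY CLICKHOUSE_PASSWORD STAGE_SSH_PRIVATE_KEY; do
+fail_if_contains "$workflow" "secrets.$name"
+done
+done
+
+for workflow in $production_workflows; do
+assert_contains "$workflow" "vars.PROD_"
+assert_contains "$workflow" "secrets.PROD_"
+for name in \
+ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY BACKEND_LOG_LEVEL \
+CLIENT_LOG_DEBUG PROFILE_CACHE_TTL CORS_ALLOWED_ORIGINS WORKS_ADMIN_API_BASE_URL \
+WORKS_ADMIN_OAUTH_TOKEN_URL NAVER_CLOUD_ACCESS_KEY NAVER_CLOUD_SERVICE_ID \
+NAVER_SENDER_PHONE_NUMBER AWS_REGION AWS_ACCESS_KEY_ID AWS_SES_SENDER \
+CLICKHOUSE_HOST CLICKHOUSE_USER ADMINFRONT_PORT DEVFRONT_PORT ORGFRONT_PORT
+do
+fail_if_contains "$workflow" "vars.$name"
+done
+for name in AWS_SECRET_ACCESS_KEY NAVER_CLOUD_SECRET_KEY CLICKHOUSE_PASSWORD; do
+fail_if_contains "$workflow" "secrets.$name"
+done
+done
+
+echo "deploy workflow env prefix checks passed"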
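Review bot: The workflow paths in `staging_workflows` and `production_workflows` are relative, so this test only works when invoked from the repository root, unlike the sibling tests that derive `repo_root` from `$0`. Run from anywhere else, `grep -Fq` exits 2 for the missing file and `assert_contains` reports that as "missing pattern", which hides the real cause. Adding `cd "$(dirname "$0")/.." || exit 1` directly after `set -eu` fixes both. A `[ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }` guard at the top of the two helpers would keep a missing workflow distinguishable from a failed pattern check.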
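--- /dev/null
+++ b/scripts/test_docker_image_archive_verify.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env sh
+set -eu
+
+repo_root="$(cd "$(dirname "$0")/.." && pwd)"
+verify_script="$repo_root/scripts/docker-image/verify_archive.sh"
+tmp_root="$(mktemp -d)"
+
+cleanup() {
+rm -rf "$tmp_root"
+}
+trap cleanup EXIT INT TERM
+
+require_command() {
+command -v "$1" >/dev/null 2>&1 || {
+echo "required command not found: $1" >&2
+exit 1
+}
+}
+
+assert_fails() {
+if "$@" >/dev/null 2>&1; then
+echo "expected command to fail: $*" >&2
+exit 1
+fi
+}
+
+require_command jq
+require_command sha256sum
+require_command zstd
+
+artifact_dir="$tmp_root/baron_sso/backend/v1.2606.ab12"
+mkdir -p "$artifact_dir"
+
+printf 'docker image archive smoke\n' >"$artifact_dir/image.tar"
+zstd -q -f -o "$artifact_dir/image.tar.zst" "$artifact_dir/image.tar"
+rm -f "$artifact_dir/image.tar"
+
+archive_sha256="$(sha256sum "$artifact_dir/image.tar.zst" | awk '{print $1}')"
+archive_size="$(wc -c <"$artifact_dir/image.tar.zst" | tr -d ' ')"
+printf '%s image.tar.zst\n' "$archive_sha256" >"$artifact_dir/image.tar.zst.sha256"
+
+jq -n \
+--arg remotePath "docker-build-image/baron_sso/backend/v1.2606.ab12" \
+--arg archiveSha256 "$archive_sha256" \
+--argjson archiveSize "$archive_size" \
+'{
+schema_version: 1,
+format: "docker-save-zstd",
+image_ref: "reg.hmac.kr/baron_sso/backend:v1.2606.ab12",
+repository: "baron_sso/backend",
+tag: "v1.2606.ab12",
+remote_path: $remotePath,
+archive: {
+file_name: "image.tar.zst",
+size_bytes: $archiveSize,
+sha256: $archiveSha256
+}
+}' >"$artifact_dir/manifest.json"
+
+"$verify_script" "$artifact_dir" >/dev/null
+
+bad_checksum_dir="$tmp_root/bad-checksum"
+cp -R "$artifact_dir" "$bad_checksum_dir"
+printf '0000000000000000000000000000000000000000000000000000000000000000 image.tar.zst\n' >"$bad_checksum_dir/image.tar.zst.sha256"
+assert_fails "$verify_script" "$bad_checksum_dir"
+
+bad_manifest_dir="$tmp_root/bad-manifest"
+cp -R "$artifact_dir" "$bad_manifest_dir"
+jq '.archive.sha256 = "1111111111111111111111111111111111111111111111111111111111111111"' \
+"$bad_manifest_dir/manifest.json" >"$bad_manifest_dir/manifest.json.tmp"
+mv "$bad_manifest_dir/manifest.json.tmp" "$bad_manifest_dir/manifest.json"
+assert_fails "$verify_script" "$bad_manifest_dir"
+
+bad_archive_dir="$tmp_root/bad-archive"
+cp -R "$artifact_dir" "$bad_archive_dir"
+printf 'not a zstd stream\n' >"$bad_archive_dir/image.tar.zst"
+sha256sum "$bad_archive_dir/image.tar.zst" | awk '{print $1 " image.tar.zst"}' >"$bad_archive_dir/image.tar.zst.sha256"
+assert_fails "$verify_script" "$bad_archive_dir"
+
+echo "docker image archive verification checks passed"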
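Review bot: The negative cases at the end cover a bad `.sha256` file, a wrong manifest sha256 and a corrupt zstd stream, but not the size comparison or the `file_name` validation that verify_archive.sh also performs, so a regression in either check would still pass this test. A size-mismatch fixture is cheap to add with the same copy-and-patch pattern used for `bad_manifest_dir`. Note also that `assert_fails` accepts any non-zero exit, so a fixture that fails for an unrelated reason counts as a pass; the positive run on `"$verify_script" "$artifact_dir" >/dev/null` guards against most of that, but matching the specific `backup_die` message on stderr would be stricter.
```shell
# … unchanged: bad_archive_dir case …
bad_size_dir="$tmp_root/bad-size"
cp -R "$artifact_dir" "$bad_size_dir"
jq '.archive.size_bytes = (.archive.size_bytes + 1)' \
  "$bad_size_dir/manifest.json" >"$bad_size_dir/manifest.json.tmp"
mv "$bad_size_dir/manifest.json.tmp" "$bad_size_dir/manifest.json"
assert_fails "$verify_script" "$bad_size_dir"
```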
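--- /dev/null
+++ b/scripts/test_image_deploy_env_override.sh
@@ -0,0 +1,169 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+tmp_root="$(mktemp -d)"
+
+cleanup() {
+rm -rf "$tmp_root"
+}
+trap cleanup EXIT INT TERM
+
+assert_contains() {
+local file="$1"
+local pattern="$2"
+if ! grep -Fq "$pattern" "$file"; then
+printf 'missing pattern in %s: %s\n' "$file" "$pattern" >&2
+exit 1
+fi
+}
+
+assert_env_value() {
+local file="$1"
+local key="$2"
+local expected="$3"
+if ! grep -Fxq "${key}=${expected}" "$file"; then
+printf 'missing env value in %s: %s=%s\n' "$file" "$key" "$expected" >&2
+exit 1
+fi
+}
+
+for workflow in \
+"$repo_root/.gitea/workflows/staging_image_deploy.yml" \
+"$repo_root/.gitea/workflows/production_image_deploy.yml"
+do
+assert_contains "$workflow" "IMAGE_DEPLOY_BACKEND_LOG_LEVEL:"
+assert_contains "$workflow" "IMAGE_DEPLOY_CLIENT_LOG_DEBUG:"
+assert_contains "$workflow" "WORKS_ADMIN_API_BASE_URL:"
+assert_contains "$workflow" "WORKS_ADMIN_OAUTH_TOKEN_URL:"
+assert_contains "$workflow" "PROFILE_CACHE_TTL:"
+assert_contains "$workflow" "NAVER_CLOUD_ACCESS_KEY:"
+assert_contains "$workflow" "NAVER_CLOUD_SECRET_KEY:"
+assert_contains "$workflow" "NAVER_CLOUD_SERVICE_ID:"
+assert_contains "$workflow" "NAVER_SENDER_PHONE_NUMBER:"
+assert_contains "$workflow" "AWS_REGION:"
+assert_contains "$workflow" "AWS_ACCESS_KEY_ID:"
+assert_contains "$workflow" "AWS_SECRET_ACCESS_KEY:"
+assert_contains "$workflow" "AWS_SES_SENDER:"
+assert_contains "$workflow" "CORS_ALLOWED_ORIGINS:"
+assert_contains "$workflow" "OATHKEEPER_API_URL:"
+done
+
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "secrets.STG_SSH_PRIVATE_KEY"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "vars.STG_USERFRONT_URL"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "vars.STG_BACKEND_URL"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "vars.STG_WORKS_ADMIN_API_BASE_URL"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "secrets.STG_NAVER_CLOUD_SECRET_KEY"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "secrets.STG_AWS_SECRET_ACCESS_KEY"
+assert_contains "$repo_root/.gitea/workflows/staging_image_deploy.yml" "secrets.STG_CLICKHOUSE_PASSWORD"
+
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "secrets.PROD_SSH_PRIVATE_KEY"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "vars.PROD_FRONTEND_URL"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "vars.PROD_BACKEND_URL"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "vars.PROD_WORKS_ADMIN_API_BASE_URL"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "secrets.PROD_NAVER_CLOUD_SECRET_KEY"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "secrets.PROD_AWS_SECRET_ACCESS_KEY"
+assert_contains "$repo_root/.gitea/workflows/production_image_deploy.yml" "secrets.PROD_CLICKHOUSE_PASSWORD"
+
+bundle_dir="$tmp_root/stage-image-deploy-bundle"
+bundle_file="$tmp_root/stage-image-deploy-bundle.tgz"
+
+(
+cd "$repo_root"
+IMAGE_TAG=v1.2606.ab12 \
+IMAGE_DEPLOY_ENV=stage \
+IMAGE_DEPLOY_INSTANCE_NAME=stage-test \
+IMAGE_DEPLOY_PORT_PREFIX=19 \
+IMAGE_DEPLOY_PUBLIC_URL=https://sso.example.test \
+IMAGE_DEPLOY_COMPOSE_TEMPLATE=deploy/templates/docker-compose.images.yaml \
+IMAGE_DEPLOY_BUNDLE_DIR="$bundle_dir" \
+IMAGE_DEPLOY_BUNDLE_FILE="$bundle_file" \
+ADMINFRONT_URL=https://sadmin.example.test \
+DEVFRONT_URL=https://sdev.example.test \
+ORGFRONT_URL=https://sorg.example.test \
+VITE_OIDC_AUTHORITY=https://sso.example.test/oidc \
+IMAGE_DEPLOY_DB_PORT=15432 \
+IMAGE_DEPLOY_REDIS_PORT=16379 \
+IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP=18123 \
+IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE=19000 \
+IMAGE_DEPLOY_BACKEND_PORT=13000 \
+IMAGE_DEPLOY_FRONTEND_PORT=15000 \
+ADMINFRONT_PORT=15173 \
+DEVFRONT_PORT=15174 \
+ORGFRONT_PORT=15175 \
+IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT=14455 \
+IMAGE_DEPLOY_DOMAIN_SUFFIX=example.test \
+ADMINFRONT_CALLBACK_URLS=https://sadmin.example.test/auth/callback \
+DEVFRONT_CALLBACK_URLS=https://sdev.example.test/auth/callback \
+ORGFRONT_CALLBACK_URLS=https://sorg.example.test/auth/callback \
+HYDRA_REFRESH_TOKEN_TTL=720h \
+ORY_POSTGRES_USER=ory \
+ORY_POSTGRES_DB=ory \
+KRATOS_DB=ory_kratos \
+HYDRA_DB=ory_hydra \
+KETO_DB=ory_keto \
+KRATOS_VERSION=v26.2.0-distroless \
+HYDRA_VERSION=v26.2.0-distroless \
+KETO_VERSION=v26.2.0-distroless \
+OATHKEEPER_VERSION=v26.2.0 \
+ORY_POSTGRES_TAG=17-trixie \
+OATHKEEPER_UID=1001 \
+OATHKEEPER_GID=1001 \
+OATHKEEPER_INTROSPECT_CLIENT_ID=oathkeeper-introspect \
+ADMIN_EMAIL=admin@example.test \
+HARBOR_HOSTNAME=reg.example.test \
+BACKEND_IMAGE_NAME=reg.example.test/baron_sso/backend \
+USERFRONT_IMAGE_NAME=reg.example.test/baron_sso/userfront \
+ADMINFRONT_IMAGE_NAME=reg.example.test/baron_sso/adminfront \
+DEVFRONT_IMAGE_NAME=reg.example.test/baron_sso/devfront \
+ORGFRONT_IMAGE_NAME=reg.example.test/baron_sso/orgfront \
+IMAGE_DEPLOY_DB_PASSWORD=db-secret \
+IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD=ory-secret \
+IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET=oathkeeper-secret \
+IMAGE_DEPLOY_CLICKHOUSE_PASSWORD=clickhouse-secret \
+IMAGE_DEPLOY_COOKIE_SECRET=cookie-secret \
+IMAGE_DEPLOY_JWT_SECRET=jwt-secret \
+IMAGE_DEPLOY_CSRF_COOKIE_SECRET=csrf-secret \
+IMAGE_DEPLOY_ADMIN_PASSWORD=admin-secret \
+IMAGE_DEPLOY_BACKEND_LOG_LEVEL=debug \
+IMAGE_DEPLOY_CLIENT_LOG_DEBUG=true \
+WORKS_ADMIN_API_BASE_URL=https://works-api.example.test \
+WORKS_ADMIN_OAUTH_TOKEN_URL=https://works-auth.example.test/token \
+PROFILE_CACHE_TTL=30m \
+NAVER_CLOUD_ACCESS_KEY=naver-access \
+NAVER_CLOUD_SECRET_KEY=naver-secret \
+NAVER_CLOUD_SERVICE_ID=naver-service \
+NAVER_SENDER_PHONE_NUMBER=021234567 \
+AWS_REGION=ap-northeast-2 \
+AWS_ACCESS_KEY_ID=aws-access \
+AWS_SECRET_ACCESS_KEY=aws-secret \
+AWS_SES_SENDER=support@example.test \
+CORS_ALLOWED_ORIGINS=https://sso.example.test \
+OATHKEEPER_API_URL=http://oathkeeper:4456 \
+CLICKHOUSE_HOST=clickhouse \
+CLICKHOUSE_USER=baron \
+scripts/deploy/build_image_deploy_bundle.sh >/dev/null
+)
+
+env_file="$bundle_dir/.env"
+assert_env_value "$env_file" "BACKEND_LOG_LEVEL" "debug"
+assert_env_value "$env_file" "CLIENT_LOG_DEBUG" "true"
+assert_env_value "$env_file" "WORKS_ADMIN_API_BASE_URL" "https://works-api.example.test"
+assert_env_value "$env_file" "WORKS_ADMIN_OAUTH_TOKEN_URL" "https://works-auth.example.test/token"
+assert_env_value "$env_file" "PROFILE_CACHE_TTL" "30m"
+assert_env_value "$env_file" "NAVER_CLOUD_ACCESS_KEY" "naver-access"
+assert_env_value "$env_file" "NAVER_CLOUD_SECRET_KEY" "naver-secret"
+assert_env_value "$env_file" "NAVER_CLOUD_SERVICE_ID" "naver-service"
+assert_env_value "$env_file" "NAVER_SENDER_PHONE_NUMBER" "021234567"
+assert_env_value "$env_file" "AWS_REGION" "ap-northeast-2"
+assert_env_value "$env_file" "AWS_ACCESS_KEY_ID" "aws-access"
+assert_env_value "$env_file" "AWS_SECRET_ACCESS_KEY" "aws-secret"
+assert_env_value "$env_file" "AWS_SES_SENDER" "support@example.test"
+assert_env_value "$env_file" "CORS_ALLOWED_ORIGINS" "https://sso.example.test"
+assert_env_value "$env_file" "BACKEND_PUBLIC_URL" "https://sso.example.test"
+assert_env_value "$env_file" "BACKEND_URL" "https://sso.example.test"
+assert_env_value "$env_file" "OATHKEEPER_API_URL" "http://oathkeeper:4456"
+assert_env_value "$env_file" "CLICKHOUSE_HOST" "clickhouse"
+assert_env_value "$env_file" "CLICKHOUSE_USER" "baron"
+
+echo "image deploy env override checks passed"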
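Review bot: The bundle build passes both `IMAGE_DEPLOY_PORT_PREFIX=19` and `IMAGE_DEPLOY_BACKEND_PORT=13000`, but none of the `assert_env_value` lines checks `P=` in the generated `.env`, so the port-prefix fallback that build_image_deploy_bundle.sh derives from the backend port in this same commit is never exercised and a wrong prefix would go unnoticed. An `assert_env_value "$env_file" "P" "19"` after the existing checks pins the explicit case; a second build with IMAGE_DEPLOY_PORT_PREFIX left unset followed by `assert_env_value "$env_file" "P" "13"` would cover the derived one. The generated `.env` also carries every password and secret supplied above, so this test is a natural place to assert that the file is not group- or world-readable, though the expected mode depends on how the builder creates it, which is not visible here.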
@@ -17,9 +17,12 @@ do
|
||||
assert_contains "$workflow" "APP_ENV=stage"
|
||||
assert_contains "$workflow" "BACKEND_LOG_LEVEL=debug"
|
||||
assert_contains "$workflow" "CLIENT_LOG_DEBUG=true"
|
||||
assert_contains "$workflow" 'WORKS_ADMIN_API_BASE_URL=${{ vars.WORKS_ADMIN_API_BASE_URL }}'
|
||||
assert_contains "$workflow" 'WORKS_ADMIN_OAUTH_TOKEN_URL=${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}'
|
||||
assert_contains "$workflow" 'BACKEND_PUBLIC_URL=${{ vars.BACKEND_URL }}'
|
||||
assert_contains "$workflow" 'WORKS_ADMIN_API_BASE_URL=${{ vars.STG_WORKS_ADMIN_API_BASE_URL }}'
|
||||
assert_contains "$workflow" 'WORKS_ADMIN_OAUTH_TOKEN_URL=${{ vars.STG_WORKS_ADMIN_OAUTH_TOKEN_URL }}'
|
||||
assert_contains "$workflow" 'BACKEND_PUBLIC_URL=${{ vars.STG_BACKEND_URL }}'
|
||||
assert_contains "$workflow" 'NAVER_CLOUD_SECRET_KEY=${{ secrets.STG_NAVER_CLOUD_SECRET_KEY }}'
|
||||
assert_contains "$workflow" 'AWS_SECRET_ACCESS_KEY=${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}'
|
||||
assert_contains "$workflow" 'CLICKHOUSE_PASSWORD=${{ secrets.STG_CLICKHOUSE_PASSWORD }}'
|
||||
done
|
||||
|
||||
assert_contains ".gitea/workflows/staging_release.yml" "scp adminfront/seed-tenant.csv"
|
||||
|
||||