#!/usr/bin/env bash
# Build a self-contained, image-based deploy bundle for one SSO instance
# (stage or production): compose file, gateway/Ory templates and a generated
# .env, packed into a .tgz whose path is printed on stdout.
#
# Strict mode: abort on any failing command or pipeline stage and on any
# reference to an unset variable (missing inputs fail loudly).
set -euo pipefail

# Directory holding this script, resolved to an absolute path, and the
# repository root two levels above it (<root>/scripts/deploy/<this file>).
script_dir=$(cd -- "$(dirname "${BASH_SOURCE[0]}")" && pwd)
repo_root=$(cd -- "$script_dir/../.." && pwd)
readonly script_dir repo_root
# die MESSAGE... — print "ERROR: <message>" on stderr and terminate the
# whole script with exit status 1. All arguments are joined with spaces.
die() {
  local message="$*"
  >&2 printf 'ERROR: %s\n' "$message"
  exit 1
}
# require_env NAME — abort via die() unless the variable called NAME is set
# to a non-empty value. Uses indirect expansion, so NAME must be a plain
# variable name (it is always a literal in this script).
require_env() {
  local name="$1"
  local value="${!name:-}"
  if [[ -z "$value" ]]; then
    die "Missing required env: $name"
  fi
}
# host_from_url URL — print the authority part of URL: a leading "https://"
# (then "http://") prefix is dropped and everything from the first "/" on is
# cut. Nothing else is parsed: userinfo and a port are kept verbatim
# ("https://u:p@sso.example.com:8443/x" -> "u:p@sso.example.com:8443"),
# and an input without a scheme is returned up to its first "/".
host_from_url() {
  local rest="$1"
  case "$rest" in
    https://*) rest="${rest#https://}" ;;
  esac
  case "$rest" in
    http://*) rest="${rest#http://}" ;;
  esac
  printf '%s' "${rest%%/*}"
}
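# ---------------------------------------------------------------------------
# Inputs. Everything arrives through the environment. The caller (CI or an
# operator) is trusted, but values are validated before they reach file
# paths, `rm -rf` and sed replacement strings further down.
# ---------------------------------------------------------------------------
require_env IMAGE_TAG
require_env IMAGE_DEPLOY_ENV
require_env IMAGE_DEPLOY_PUBLIC_URL
require_env IMAGE_DEPLOY_BACKEND_PORT
require_env ADMINFRONT_URL
require_env DEVFRONT_URL
require_env ORGFRONT_URL
require_env VITE_OIDC_AUTHORITY

# Tag layout: v<major>.<YYMM>.<4 hex chars>, anchored at both ends so the
# image references written to .env cannot carry extra characters.
image_tag_re='^v[0-9]+\.[0-9]{4}\.[0-9a-f]{4}$'
if [[ ! "$IMAGE_TAG" =~ $image_tag_re ]]; then
  die "IMAGE_TAG must look like vX.YYMM.ab12 (got: $IMAGE_TAG)"
fi

# The backend port is spliced verbatim into sed replacement strings below
# (nginx.conf, oathkeeper rules.json) and its leading digits become the port
# prefix. A non-numeric value ('/', '&', '\', a newline) would corrupt those
# rendered files instead of failing, so insist on a plain TCP port number.
port_re='^[0-9]{1,5}$'
if [[ ! "$IMAGE_DEPLOY_BACKEND_PORT" =~ $port_re ]] \
  || (( 10#$IMAGE_DEPLOY_BACKEND_PORT < 1 || 10#$IMAGE_DEPLOY_BACKEND_PORT > 65535 )); then
  die "IMAGE_DEPLOY_BACKEND_PORT must be a TCP port number 1-65535 (got: $IMAGE_DEPLOY_BACKEND_PORT)"
fi

# Map the deploy environment to APP_ENV and the default instance name.
case "$IMAGE_DEPLOY_ENV" in
  stage | staging)
    app_env="stage"
    default_instance_name="stage"
    ;;
  production | prod)
    app_env="production"
    default_instance_name="prod"
    ;;
  *)
    die "IMAGE_DEPLOY_ENV must be stage or production"
    ;;
esac

# The instance name ends up in filesystem paths (bundle dir, tarball) and in
# COMPOSE_PROJECT_NAME, so restrict it to a safe identifier: no '/', no
# leading '.', nothing that could step outside the working directory.
instance_name="${IMAGE_DEPLOY_INSTANCE_NAME:-$default_instance_name}"
instance_name_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
if [[ ! "$instance_name" =~ $instance_name_re ]]; then
  die "IMAGE_DEPLOY_INSTANCE_NAME must match [A-Za-z0-9][A-Za-z0-9._-]* (got: $instance_name)"
fi

# Port prefix: explicit override, else the backend port minus its last three
# digits (18080 -> 18). A port shorter than four digits leaves it empty.
port_prefix="${IMAGE_DEPLOY_PORT_PREFIX:-${IMAGE_DEPLOY_BACKEND_PORT%???}}"
[[ -n "$port_prefix" ]] || die "IMAGE_DEPLOY_PORT_PREFIX is empty and could not be derived from IMAGE_DEPLOY_BACKEND_PORT."

bundle_dir="${IMAGE_DEPLOY_BUNDLE_DIR:-$PWD/${instance_name}-image-deploy-bundle}"
bundle_file="${IMAGE_DEPLOY_BUNDLE_FILE:-$PWD/${instance_name}-image-deploy-bundle.tgz}"
compose_template="${IMAGE_DEPLOY_COMPOSE_TEMPLATE:-$repo_root/deploy/templates/docker-compose.images.yaml}"

# The bundle directory is wiped before staging. Refuse the obviously
# catastrophic targets a mistyped IMAGE_DEPLOY_BUNDLE_DIR could select. This
# is a plain string comparison: trailing slashes and symlinks are not
# normalised, so it is a seatbelt, not a full safety net.
case "$bundle_dir" in
  "" | / | "$PWD" | "$repo_root" | "${HOME:-}")
    die "Refusing to wipe '$bundle_dir' as the bundle directory"
    ;;
esac
rm -rf -- "$bundle_dir"

# Stage the instance skeleton, then layer the image-deploy files on top.
TARGET_DIR="$bundle_dir" bash "$repo_root/deploy/create-instance.sh" "$instance_name" "$port_prefix"
cp "$compose_template" "$bundle_dir/docker-compose.yml"
mkdir -p "$bundle_dir/scripts/docker-image" "$bundle_dir/scripts/backup/lib"
cp "$repo_root/scripts/docker-image/download_works_drive.sh" "$bundle_dir/scripts/docker-image/download_works_drive.sh"
cp "$repo_root/scripts/backup/lib/common.sh" "$bundle_dir/scripts/backup/lib/common.sh"
chmod +x "$bundle_dir/scripts/docker-image/download_works_drive.sh"

# Render the backend port into the gateway and Oathkeeper templates. Safe to
# interpolate into the sed expression only because the port was restricted
# to digits above.
sed "s/{{BACKEND_PORT}}/${IMAGE_DEPLOY_BACKEND_PORT}/g" \
  "$repo_root/deploy/templates/gateway/nginx.conf" >"$bundle_dir/gateway/nginx.conf"
sed "s/{{BACKEND_PORT}}/${IMAGE_DEPLOY_BACKEND_PORT}/g" \
  "$repo_root/deploy/templates/ory/oathkeeper/rules.json" >"$bundle_dir/ory/templates/oathkeeper/rules.json"
# rules.json is duplicated as the stage, prod and active rule sets; all four
# files are identical at this point.
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.stage.json"
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.prod.json"
cp "$bundle_dir/ory/templates/oathkeeper/rules.json" "$bundle_dir/ory/templates/oathkeeper/rules.active.json"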
# Bare hostnames (scheme and path stripped) of the four front-ends; these are
# what the Traefik host rules in .env are keyed on.
admin_host="$(host_from_url "$ADMINFRONT_URL")"
dev_host="$(host_from_url "$DEVFRONT_URL")"
org_host="$(host_from_url "$ORGFRONT_URL")"
public_host="$(host_from_url "$IMAGE_DEPLOY_PUBLIC_URL")"

# Log settings: start from the quiet defaults, then let the generic name and
# finally the IMAGE_DEPLOY_* name override (highest priority applied last).
backend_log_level="info"
[[ -z "${BACKEND_LOG_LEVEL:-}" ]] || backend_log_level="$BACKEND_LOG_LEVEL"
[[ -z "${IMAGE_DEPLOY_BACKEND_LOG_LEVEL:-}" ]] || backend_log_level="$IMAGE_DEPLOY_BACKEND_LOG_LEVEL"

client_log_debug="false"
[[ -z "${CLIENT_LOG_DEBUG:-}" ]] || client_log_debug="$CLIENT_LOG_DEBUG"
[[ -z "${IMAGE_DEPLOY_CLIENT_LOG_DEBUG:-}" ]] || client_log_debug="$IMAGE_DEPLOY_CLIENT_LOG_DEBUG"

# Backend URLs, same override ladder. The public URL is the final fallback
# for the externally visible backend address; the internal backend address
# falls back to the public one.
backend_public_url="$IMAGE_DEPLOY_PUBLIC_URL"
[[ -z "${BACKEND_URL:-}" ]] || backend_public_url="$BACKEND_URL"
[[ -z "${BACKEND_PUBLIC_URL:-}" ]] || backend_public_url="$BACKEND_PUBLIC_URL"
[[ -z "${IMAGE_DEPLOY_BACKEND_PUBLIC_URL:-}" ]] || backend_public_url="$IMAGE_DEPLOY_BACKEND_PUBLIC_URL"

backend_url="$backend_public_url"
[[ -z "${BACKEND_URL:-}" ]] || backend_url="$BACKEND_URL"
[[ -z "${IMAGE_DEPLOY_BACKEND_URL:-}" ]] || backend_url="$IMAGE_DEPLOY_BACKEND_URL"
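# ---------------------------------------------------------------------------
# Instance .env. This file carries every runtime secret of the stack (DB,
# ClickHouse and Ory Postgres passwords, cookie/JWT/CSRF secrets, the
# Oathkeeper introspection client secret, NAVER/AWS API keys, the bootstrap
# admin password). It is created owner-only from the first byte: with a
# plain `cat >` it would be readable by other local users under the default
# umask until the chmod below runs.
#
# Values are written verbatim — this is a dotenv file, not shell, so nothing
# is quoted or escaped. The *_ADMIN_URL / KETO_* entries are plain-http
# addresses of compose service names; they are meant for the internal compose
# network only and must not be published on a host port.
# ---------------------------------------------------------------------------
(
  umask 077
  cat >"$bundle_dir/.env" <<EOF
INSTANCE_NAME=${instance_name}
COMPOSE_PROJECT_NAME=baron-sso-${instance_name}
APP_ENV=${app_env}
BACKEND_LOG_LEVEL=${backend_log_level}
CLIENT_LOG_DEBUG=${client_log_debug}
VITE_CLIENT_LOG_DEBUG=${client_log_debug}
TZ=Asia/Seoul
SOURCE_ROOT=.
P=${port_prefix}
DB_PORT=${IMAGE_DEPLOY_DB_PORT}
DB_USER=${DB_USER:-baron}
DB_NAME=${DB_NAME:-baron_sso}
REDIS_PORT=${IMAGE_DEPLOY_REDIS_PORT}
CLICKHOUSE_PORT_HTTP=${IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP}
CLICKHOUSE_PORT_NATIVE=${IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE}
BACKEND_PORT=${IMAGE_DEPLOY_BACKEND_PORT}
USERFRONT_PORT=${IMAGE_DEPLOY_FRONTEND_PORT}
ADMINFRONT_PORT=${ADMINFRONT_PORT}
DEVFRONT_PORT=${DEVFRONT_PORT}
ORGFRONT_PORT=${ORGFRONT_PORT}
OATHKEEPER_PROXY_PORT=${IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT}
DOMAIN_SUFFIX=${IMAGE_DEPLOY_DOMAIN_SUFFIX}
USERFRONT_URL=${IMAGE_DEPLOY_PUBLIC_URL}
ADMINFRONT_URL=${ADMINFRONT_URL}
DEVFRONT_URL=${DEVFRONT_URL}
ORGFRONT_URL=${ORGFRONT_URL}
BACKEND_PUBLIC_URL=${backend_public_url}
BACKEND_URL=${backend_url}
PUBLIC_HOST=${public_host}
ADMINFRONT_HOST=${admin_host}
DEVFRONT_HOST=${dev_host}
ORGFRONT_HOST=${org_host}
TRAEFIK_PUBLIC_NETWORK=traefik-public
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_CERT_RESOLVER=myresolver
VITE_OIDC_AUTHORITY=${VITE_OIDC_AUTHORITY}
ADMINFRONT_CALLBACK_URLS=${ADMINFRONT_CALLBACK_URLS}
DEVFRONT_CALLBACK_URLS=${DEVFRONT_CALLBACK_URLS}
ORGFRONT_CALLBACK_URLS=${ORGFRONT_CALLBACK_URLS}
KRATOS_UI_URL=${IMAGE_DEPLOY_PUBLIC_URL}/auth
KRATOS_BROWSER_URL=${IMAGE_DEPLOY_PUBLIC_URL}/auth
KRATOS_ADMIN_URL=http://kratos:4434
HYDRA_PUBLIC_URL=${IMAGE_DEPLOY_PUBLIC_URL}/oidc
HYDRA_ADMIN_URL=http://hydra:4445
HYDRA_LOGIN_URL=${IMAGE_DEPLOY_PUBLIC_URL}/login
HYDRA_CONSENT_URL=${IMAGE_DEPLOY_PUBLIC_URL}/consent
HYDRA_ERROR_URL=${IMAGE_DEPLOY_PUBLIC_URL}/error
HYDRA_REFRESH_TOKEN_TTL=${HYDRA_REFRESH_TOKEN_TTL}
OATHKEEPER_PUBLIC_URL=${IMAGE_DEPLOY_PUBLIC_URL}
OATHKEEPER_API_URL=${OATHKEEPER_API_URL:-}
KETO_READ_URL=http://keto:4466
KETO_WRITE_URL=http://keto:4467
IDP_PROVIDER=ory
WORKS_ADMIN_API_BASE_URL=${WORKS_ADMIN_API_BASE_URL:-}
WORKS_ADMIN_OAUTH_TOKEN_URL=${WORKS_ADMIN_OAUTH_TOKEN_URL:-}
PROFILE_CACHE_TTL=${PROFILE_CACHE_TTL:-}
NAVER_CLOUD_ACCESS_KEY=${NAVER_CLOUD_ACCESS_KEY:-}
NAVER_CLOUD_SECRET_KEY=${NAVER_CLOUD_SECRET_KEY:-}
NAVER_CLOUD_SERVICE_ID=${NAVER_CLOUD_SERVICE_ID:-}
NAVER_SENDER_PHONE_NUMBER=${NAVER_SENDER_PHONE_NUMBER:-}
AWS_REGION=${AWS_REGION:-}
AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
AWS_SES_SENDER=${AWS_SES_SENDER:-}
CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-}
DB_PASSWORD=${IMAGE_DEPLOY_DB_PASSWORD}
ORY_POSTGRES_USER=${ORY_POSTGRES_USER}
ORY_POSTGRES_PASSWORD=${IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD}
ORY_POSTGRES_DB=${ORY_POSTGRES_DB}
KRATOS_DB=${KRATOS_DB}
HYDRA_DB=${HYDRA_DB}
KETO_DB=${KETO_DB}
KRATOS_VERSION=${KRATOS_VERSION}
HYDRA_VERSION=${HYDRA_VERSION}
KETO_VERSION=${KETO_VERSION}
OATHKEEPER_VERSION=${OATHKEEPER_VERSION}
ORY_POSTGRES_TAG=${ORY_POSTGRES_TAG}
OATHKEEPER_UID=${OATHKEEPER_UID}
OATHKEEPER_GID=${OATHKEEPER_GID}
OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID}
OATHKEEPER_INTROSPECT_CLIENT_SECRET=${IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET}
CLICKHOUSE_HOST=${CLICKHOUSE_HOST:-clickhouse}
CLICKHOUSE_USER=${CLICKHOUSE_USER:-baron}
CLICKHOUSE_PASSWORD=${IMAGE_DEPLOY_CLICKHOUSE_PASSWORD}
REDIS_ADDR=redis:6379
COOKIE_SECRET=${IMAGE_DEPLOY_COOKIE_SECRET}
JWT_SECRET=${IMAGE_DEPLOY_JWT_SECRET}
CSRF_COOKIE_SECRET=${IMAGE_DEPLOY_CSRF_COOKIE_SECRET}
ADMIN_EMAIL=${ADMIN_EMAIL}
ADMIN_PASSWORD=${IMAGE_DEPLOY_ADMIN_PASSWORD}
IMAGE_TAG=${IMAGE_TAG}
BACKEND_IMAGE_NAME=${BACKEND_IMAGE_NAME}
USERFRONT_IMAGE_NAME=${USERFRONT_IMAGE_NAME}
ADMINFRONT_IMAGE_NAME=${ADMINFRONT_IMAGE_NAME}
DEVFRONT_IMAGE_NAME=${DEVFRONT_IMAGE_NAME}
ORGFRONT_IMAGE_NAME=${ORGFRONT_IMAGE_NAME}
EOF
)
# Belt and braces: if create-instance.sh already left a .env behind, `cat >`
# truncated it but kept its old mode.
chmod 600 "$bundle_dir/.env"

# Every line must look like KEY=...; a value that contains a newline would
# otherwise smuggle extra keys (or break a line) in the generated file.
if LC_ALL=C grep -Evq '^[A-Z][A-Z0-9_]*=' "$bundle_dir/.env"; then
  die "Generated .env contains a malformed line (does some value contain a newline?)"
fi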
# Post-write sanity check: each of these keys must be present in the
# generated .env with a non-empty value; otherwise the stack would come up
# with blank image names, URLs or secrets.
required_dotenv_keys=(
  APP_ENV IMAGE_TAG BACKEND_IMAGE_NAME USERFRONT_IMAGE_NAME ADMINFRONT_IMAGE_NAME DEVFRONT_IMAGE_NAME ORGFRONT_IMAGE_NAME
  USERFRONT_URL PUBLIC_HOST HYDRA_PUBLIC_URL VITE_OIDC_AUTHORITY TRAEFIK_PUBLIC_NETWORK
  DB_PASSWORD ORY_POSTGRES_PASSWORD COOKIE_SECRET JWT_SECRET CSRF_COOKIE_SECRET
  BACKEND_LOG_LEVEL CLIENT_LOG_DEBUG BACKEND_PUBLIC_URL BACKEND_URL CLICKHOUSE_HOST CLICKHOUSE_USER
)
for dotenv_key in "${required_dotenv_keys[@]}"; do
  grep -Eq "^${dotenv_key}=.+" "$bundle_dir/.env" \
    || die "Missing required bundle .env value: $dotenv_key"
done
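# Everything produced from here on — the rendered Ory config (generated from
# .env, so presumably carrying its credentials) and the tarball wrapping the
# whole bundle including .env — must be owner-only regardless of the umask
# the caller runs with. Nothing after this point is meant to be shared.
umask 077

# Render the Ory (kratos/hydra/keto/oathkeeper) config from the bundle's
# templates, reading variables from the .env just written.
ORY_CONFIG_ENV_FILES="$bundle_dir/.env" \
ORY_CONFIG_TEMPLATE_ROOT="$bundle_dir/ory/templates" \
ORY_CONFIG_OUTPUT_DIR="$bundle_dir/config/.generated/ory" \
  bash "$repo_root/scripts/render_ory_config.sh"

# Pack the staged directory. The archive is a secret-bearing artifact: if the
# target path already existed with looser permissions, tar truncates it in
# place and keeps the old mode, hence the explicit chmod.
tar -C "$bundle_dir" -czf "$bundle_file" .
chmod 600 "$bundle_file"

# The only stdout output: the bundle path, for the calling pipeline.
printf '%s\n' "$bundle_file"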