Commit a6875696 authored by Jacob Priddy's avatar Jacob Priddy 👌

overhaul deploy system

parent 09ffc971
Pipeline #13201 passed with stages
in 4 minutes and 3 seconds
...@@ -2,10 +2,13 @@ image: gitlab.cs.wallawalla.edu:5050/elock/doorcode:latest ...@@ -2,10 +2,13 @@ image: gitlab.cs.wallawalla.edu:5050/elock/doorcode:latest
services: services:
- postgres:13-alpine - postgres:13-alpine
variables: variables:
POSTGRES_USER: web POSTGRES_USER: web
POSTGRES_PASSWORD: secret POSTGRES_PASSWORD: secret
POSTGRES_DB: doorcode POSTGRES_DB: doorcode
DOORCODE_IMAGE_NAME: doorcode/app:$CI_COMMIT_REF_SLUG
NGINX_IMAGE_NAME: doorcode/web:$CI_COMMIT_REF_SLUG
stages: stages:
- build - build
...@@ -81,50 +84,87 @@ generate_code_coverage: ...@@ -81,50 +84,87 @@ generate_code_coverage:
- src/backend/cov - src/backend/cov
expire_in: 30 days expire_in: 30 days
deploy_backend_production: deploy application:
image: tiangolo/docker-with-compose
tags:
- elock
stage: deploy stage: deploy
before_script:
- eval $(ssh-agent -s)
- ssh-add <(echo "${SSH_PRIVATE_KEY}" | base64 -d -w 0)
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
script: script:
- SSH_COMMAND_STRING="cd doorcode" - docker-compose -f docker-compose.prod.yml build
# get newest changes - docker build -t $DOORCODE_IMAGE_NAME -f prod.Dockerfile .
- SSH_COMMAND_STRING+=" && git pull" - docker build -t $NGINX_IMAGE_NAME -f nginx.Dockerfile .
- SSH_COMMAND_STRING+=" && (docker-compose restart || docker-compose up -d)" - docker-compose -f docker-compose.prod.yml down
# the -T fixes the input device is not a TTY .. see https://github.com/docker/compose/issues/5696 - sed -i "s/\(^DB_PASSWORD=\).*/\1$(< POSTGRES_PASSWORD)/" $PROJ_DIR/.env
- SSH_COMMAND_STRING+=" && docker-compose exec -T api ./update-prod.sh" - docker-compose -f docker-compose.prod.yml up -d
- echo "$SSH_COMMAND_STRING" # Give it some time to spin up...
# Execute the deploy - sleep 10
- ssh $SSH_USER@$SSH_HOST "${SSH_COMMAND_STRING}" # Make sure app is running
# Make sure it is running - "curl --fail --insecure --location https://${DEPLOY_ADDRESS}/api"
- "curl --insecure --location https://${SSH_HOST}/api | grep \"Welcome to the elock API.\"" - "curl --fail --insecure --location https://${DEPLOY_ADDRESS}/api/docs"
environment: environment:
name: production_api name: production
url: https://elock.cs.wallawalla.edu/api url: https://elock.cs.wallawalla.edu/api
on_stop: stop-prod
when: manual when: manual
only: only:
- master - master
deploy_api_docs: stop-prod:
stage: deploy stage: deploy
before_script:
- eval $(ssh-agent -s)
- ssh-add <(echo "${SSH_PRIVATE_KEY}" | base64 -d -w 0)
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
script: script:
# Can't use the CI job token to deploy the artifact because that's a "pRemiUm FEATurE" - docker-compose -f docker-compose.prod.yml down
- "rsync -a --delete src/backend/public/docs $SSH_USER@$SSH_HOST:/home/$SSH_USER/doorcode/src/backend/public/"
# Make sure it is running
- "curl --insecure --location https://${SSH_HOST}/api/docs/ | grep \"Welcome to the generated API reference.\""
environment:
name: production_api_docs
url: https://elock.cs.wallawalla.edu/api/docs/
when: manual
only: only:
- master - master
when: manual
environment:
name: production
action: stop
#deploy_backend_production:
# stage: deploy
# before_script:
# - eval $(ssh-agent -s)
# - ssh-add <(echo "${SSH_PRIVATE_KEY}" | base64 -d -w 0)
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# script:
# - SSH_COMMAND_STRING="cd doorcode"
# # get newest changes
# - SSH_COMMAND_STRING+=" && git pull"
# - SSH_COMMAND_STRING+=" && (docker-compose restart || docker-compose up -d)"
# # the -T fixes the input device is not a TTY .. see https://github.com/docker/compose/issues/5696
# - SSH_COMMAND_STRING+=" && docker-compose exec -T api ./update-prod.sh"
# - echo "$SSH_COMMAND_STRING"
# # Execute the deploy
# - ssh $SSH_USER@$SSH_HOST "${SSH_COMMAND_STRING}"
# # Make sure it is running
# - "curl --insecure --location https://${SSH_HOST}/api | grep \"Welcome to the elock API.\""
# environment:
# name: production_api
# url: https://elock.cs.wallawalla.edu/api
# when: manual
# only:
# - master
#
#deploy_api_docs:
# stage: deploy
# before_script:
# - eval $(ssh-agent -s)
# - ssh-add <(echo "${SSH_PRIVATE_KEY}" | base64 -d -w 0)
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# script:
# # Can't use the CI job token to deploy the artifact because that's a "pRemiUm FEATurE"
# - "rsync -a --delete src/backend/public/docs $SSH_USER@$SSH_HOST:/home/$SSH_USER/doorcode/src/backend/public/"
# # Make sure it is running
# - "curl --insecure --location https://${SSH_HOST}/api/docs/ | grep \"Welcome to the generated API reference.\""
# environment:
# name: production_api_docs
# url: https://elock.cs.wallawalla.edu/api/docs/
# when: manual
# only:
# - master
#deploy_frontend_production: #deploy_frontend_production:
# stage: deploy # stage: deploy
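Review bot: In the `deploy application` script, `$(< POSTGRES_PASSWORD)` reads a file literally named POSTGRES_PASSWORD from the job's working directory, while `POSTGRES_PASSWORD` is also the global CI variable set to `secret` in the first hunk's `variables:` block for the test database service; if the deploy secret is meant to be a GitLab file-type variable the read should be `$(< "$POSTGRES_PASSWORD")`, and it wants a distinct name (e.g. a `POSTGRES_PASSWORD_FILE` deploy variable) so the literal `secret` from the global block cannot be picked up either by this sed or by `file: $POSTGRES_PASSWORD` in docker-compose.prod.yml. The sed substitution also corrupts `.env` when the password contains `/`, `&` or `\`; deleting the old line with `sed -i '/^DB_PASSWORD=/d'` and appending with `printf 'DB_PASSWORD=%s\n' "$(< "$POSTGRES_PASSWORD")" >> "$PROJ_DIR/.env"` avoids the delimiter problem. Both health checks use `curl --insecure`, which disables certificate verification for the production endpoint even though the job already has CA material available (`$ROOT_CERT` or the WWU chain, whichever issued the served certificate); `--cacert` with that file instead of `--insecure` keeps the check meaningful. A fixed `sleep 10` followed by a single request is also prone to false failures right after `down`/`up -d`; `curl --fail --retry 5 --retry-delay 3 --retry-connrefused` is more robust than the sleep.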
...@@ -19,10 +19,8 @@ RUN apk update && apk add --no-cache \ ...@@ -19,10 +19,8 @@ RUN apk update && apk add --no-cache \
bash-completion \ bash-completion \
vim \ vim \
curl \ curl \
openssh-client \
coreutils \ coreutils \
rsync \ npm \
npm\
&& apk add --no-cache $PHPIZE_DEPS && apk add --no-cache $PHPIZE_DEPS
# && npm install -g @vue/cli \ # && npm install -g @vue/cli \
# && pecl install xdebug \ # && pecl install xdebug \
...@@ -51,6 +49,5 @@ COPY php/dev.ini /usr/local/etc/php/conf.d/local.ini ...@@ -51,6 +49,5 @@ COPY php/dev.ini /usr/local/etc/php/conf.d/local.ini
# Change current user to www # Change current user to www
USER www USER www
# Expose port 9000 and start php-fpm server # Start php-fpm server
EXPOSE 9000
CMD ["php-fpm"] CMD ["php-fpm"]
#!/usr/bin/env sh
set -e
cd ${PROJECT_DIR}/backend || exit 1
# Apply new migrations
php artisan migrate --force
php-fpm
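Review bot: `php-fpm` on the last line runs as a child of `sh`, so PID 1 is the shell and the SIGTERM from `docker stop` never reaches php-fpm, which is then hard-killed after the grace period; `exec php-fpm` lets php-fpm replace the shell and handle signals itself. The `cd` should quote its expansion, `cd "${PROJECT_DIR}/backend" || exit 1`, so a path containing spaces cannot split. Running `php artisan migrate --force` unconditionally on every container start also means every `restart: always` restart re-runs it and a failing migration becomes a crash loop; if that is the intended contract, a comment above the migrate line saying so would help the next reader.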
version: '3.7' version: '3.8'
networks: networks:
doorcode: doorcode:
...@@ -6,19 +6,19 @@ networks: ...@@ -6,19 +6,19 @@ networks:
secrets: secrets:
webserver_cert: webserver_cert:
file: ./secrets/certs/webserver.cert file: $WEBSERVER_CERT
webserver_key: webserver_key:
file: ./secrets/certs/webserver.key file: $WEBSERVER_KEY
root_cert: root_cert:
file: ./secrets/certs/root.cert file: $ROOT_CERT
wwu_webserver_cert: wwu_webserver_cert:
file: ./secrets/certs/wwu-granted-elock-cert.cer file: $WWU_WEBSERVER_CERT
wwu_webserver_key: wwu_webserver_key:
file: ./secrets/certs/wwu-webserver-request-root.key file: $WWU_WEBSERVER_KEY
wwu_root_cert: wwu_root_cert:
file: ./secrets/certs/wwu-webserver-intermediate.pem file: $WWU_ROOT_CERT
postgres_password: postgres_password:
file: ./secrets/passwords/postgres file: $POSTGRES_PASSWORD
volumes: volumes:
db-data: db-data:
...@@ -26,8 +26,7 @@ volumes: ...@@ -26,8 +26,7 @@ volumes:
services: services:
webserver: webserver:
image: nginx:1.17.10-alpine image: $NGINX_IMAGE_NAME
container_name: webserver
restart: always restart: always
secrets: secrets:
- webserver_cert - webserver_cert
...@@ -41,16 +40,12 @@ services: ...@@ -41,16 +40,12 @@ services:
- "443:443" - "443:443"
- "80:80" - "80:80"
volumes: volumes:
- ./src:/var/www - $PROJ_DIR/simple-saml/cert:/var/simplesamlphp/cert:ro
- ./nginx/conf.d/prod.conf:/etc/nginx/conf.d/prod.conf - $PROJ_DIR/simple-saml/config:/var/simplesamlphp/config:ro
- ./nginx/dhparam/:/run/dhparam - $PROJ_DIR/simple-saml/metadata:/var/simplesamlphp/metadata
# Saml config
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp
- ./simple-saml-prod/cert:/var/simplesamlphp/cert
- ./simple-saml-prod/config:/var/simplesamlphp/config
- ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
depends_on: depends_on:
- dbadmin - dbadmin
- api
logging: logging:
options: options:
max-size: "10m" max-size: "10m"
...@@ -59,7 +54,6 @@ services: ...@@ -59,7 +54,6 @@ services:
- doorcode - doorcode
postgres: postgres:
image: postgres:13-alpine image: postgres:13-alpine
container_name: postgres
restart: always restart: always
secrets: secrets:
- postgres_password - postgres_password
...@@ -79,7 +73,6 @@ services: ...@@ -79,7 +73,6 @@ services:
- doorcode - doorcode
dbadmin: dbadmin:
image: dpage/pgadmin4:4.24 image: dpage/pgadmin4:4.24
container_name: dbadmin
restart: always restart: always
depends_on: depends_on:
- postgres - postgres
...@@ -95,17 +88,14 @@ services: ...@@ -95,17 +88,14 @@ services:
networks: networks:
- doorcode - doorcode
api: api:
image: gitlab.cs.wallawalla.edu:5050/elock/doorcode:prod image: $DOORCODE_IMAGE_NAME
container_name: api
restart: always restart: always
volumes: volumes:
- ./src:/var/www - $PROJ_DIR/.env:/var/www/backend/.env:ro
- ./php/prod.ini:/usr/local/etc/php/conf.d/local.ini - $PROJ_DIR/controller-bins:/var/www/backend/storage/app/controller/binaries:ro
# Map saml files to the php-fpm server so it has access to them as well - $PROJ_DIR/simple-saml/cert:/var/simplesamlphp/cert:ro
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp - $PROJ_DIR/simple-saml/config:/var/simplesamlphp/config:ro
- ./simple-saml-prod/cert:/var/simplesamlphp/cert - $PROJ_DIR/simple-saml/metadata:/var/simplesamlphp/metadata
- ./simple-saml-prod/config:/var/simplesamlphp/config
- ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
logging: logging:
options: options:
max-size: "10m" max-size: "10m"
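Review bot: The secret `file:` entries and the new `image:`/`volumes:` values are plain `$VAR` substitutions, so an unset variable interpolates to an empty string (compose only warns) and the stack is brought up with an empty secret path, image name or bind source; the required form `file: ${WEBSERVER_CERT:?WEBSERVER_CERT is unset}` fails `up` at parse time instead and is worth applying to every substituted variable in this file. `file: $POSTGRES_PASSWORD` also shares its name with the global `POSTGRES_PASSWORD: secret` that .gitlab-ci.yml defines for the test database, and the deploy job runs `docker-compose -f docker-compose.prod.yml up -d` in that same environment, so as far as I can tell the value seen here is the literal `secret` rather than a path unless a higher-precedence project variable overrides it. The simple-saml `metadata` mounts on both `webserver` and `api` are the only ones left without `:ro` while `cert` and `config` received it; if metadata is never written at runtime, `:ro` there too would be consistent, otherwise a short comment on why it stays writable.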
version: '3.7'
networks:
doorcode:
driver: bridge
secrets:
webserver_cert:
file: ./secrets/certs/webserver.cert
webserver_key:
file: ./secrets/certs/webserver.key
root_cert:
file: ./secrets/certs/root.cert
volumes:
db-data:
pgadmin-data:
services:
webserver:
image: nginx:1-alpine
container_name: webserver
restart: unless-stopped
tty: true
secrets:
- webserver_cert
- webserver_key
- root_cert
ports:
- "8080:443"
volumes:
- ./src:/var/www
- ./nginx/conf.d/app.conf:/etc/nginx/conf.d/app.conf
- ./nginx/dhparam/:/run/dhparam
# Saml config
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp
- ./simple-saml/cert:/var/simplesamlphp/cert
- ./simple-saml/config:/var/simplesamlphp/config
- ./simple-saml/metadata:/var/simplesamlphp/metadata
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp-idp
- ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
- ./simple-saml-idp/config:/var/simplesamlphp-idp/config
- ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
depends_on:
- dbadmin
- api
logging:
options:
max-size: "10m"
max-file: "3"
networks:
- doorcode
postgres:
image: postgres:13-alpine
container_name: postgres
restart: unless-stopped
tty: true
ports:
- "5432:5432"
volumes:
- db-data:/var/lib/postgresql/data
environment:
POSTGRES_USER: web
POSTGRES_PASSWORD: secret
POSTGRES_DB: doorcode
logging:
options:
max-size: "10m"
max-file: "3"
networks:
- doorcode
dbadmin:
image: dpage/pgadmin4:latest
container_name: dbadmin
restart: unless-stopped
tty: true
ports:
- "8081:80"
depends_on:
- postgres
volumes:
- pgadmin-data:/var/lib/pgadmin
environment:
PGADMIN_DEFAULT_EMAIL: admin@elock
PGADMIN_DEFAULT_PASSWORD: secret
logging:
options:
max-size: "10m"
max-file: "3"
networks:
- doorcode
api:
build:
context: .
dockerfile: Dockerfile
container_name: api
environment:
XDEBUG_MODE: debug
volumes:
- ./src:/var/www
- ./php/dev.ini:/usr/local/etc/php/conf.d/local.ini
# Map saml files to the php-fpm server so it has access to them as well
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp
- ./simple-saml/cert:/var/simplesamlphp/cert
- ./simple-saml/config:/var/simplesamlphp/config
- ./simple-saml/metadata:/var/simplesamlphp/metadata
- ./simplesamlphp-1.19.0-rc1:/var/simplesamlphp-idp
- ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
- ./simple-saml-idp/config:/var/simplesamlphp-idp/config
- ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
ports:
# For xdebug
- "9003:9003"
logging:
options:
max-size: "10m"
max-file: "3"
networks:
- doorcode
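Review bot: `- "5432:5432"` on `postgres` and `- "8081:80"` on `dbadmin` publish the database and pgAdmin on every host interface, with the fixed credentials `secret` / `admin@elock` set a few lines below, so anything that can reach a developer's machine gets a working login to both; binding to loopback, `- "127.0.0.1:5432:5432"` and `- "127.0.0.1:8081:80"`, keeps them usable from the host while not exposing them to the network. `dpage/pgadmin4:latest` is unpinned here while docker-compose.prod.yml pins `4.24`; pinning the dev tag as well avoids the two environments drifting. A one-line header comment stating that this file is the development stack and docker-compose.prod.yml the production one would make the split obvious to a reader opening either file.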
FROM nginx:1.19.5-alpine
WORKDIR /var/www
COPY src/ ${WORKDIR}
COPY simplesamlphp-1.19.0-rc1/ ${WORKDIR}../simplesamlphp
COPY simple-saml/ ${WORKDIR}../simplesamlphp
COPY nginx/conf.d/prod.conf:/etc/nginx/conf.d/prod.conf
COPY nginx/dhparam/ /run/dhparam
CMD ["/docker-entrypoint.sh"]
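Review bot: `COPY nginx/conf.d/prod.conf:/etc/nginx/conf.d/prod.conf` uses compose volume syntax, so Docker sees a single argument and the build fails on that line; it should read `COPY nginx/conf.d/prod.conf /etc/nginx/conf.d/prod.conf`. `${WORKDIR}` is not a build-time variable (`WORKDIR` is an instruction, not an `ENV`), so it expands to nothing unless defined elsewhere, and `${WORKDIR}../simplesamlphp` only lands in /var/simplesamlphp because of that; writing the destinations out explicitly removes the accidental dependency. `CMD ["/docker-entrypoint.sh"]` replaces the nginx base image's own CMD (`nginx -g 'daemon off;'`) with the path of its ENTRYPOINT script, so as far as I can tell the entrypoint execs itself with no arguments and nginx is never started; the line can be dropped since the base image already supplies both. `COPY simple-saml/ …` also bakes whatever is under simple-saml/ (cert/ included) into the image layer even though docker-compose.prod.yml bind-mounts those directories at runtime; if that directory holds private keys, leaving the copy out keeps them out of the image.
```dockerfile
FROM nginx:1.19.5-alpine
# … unchanged: WORKDIR …
COPY src/ /var/www/
COPY simplesamlphp-1.19.0-rc1/ /var/simplesamlphp/
# simple-saml/ is not copied: cert/config/metadata are bind-mounted by docker-compose.prod.yml
COPY nginx/conf.d/prod.conf /etc/nginx/conf.d/prod.conf
COPY nginx/dhparam/ /run/dhparam/
# no CMD/ENTRYPOINT: inherited from the base image
```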
FROM node:15.4-alpine as frontend_assets
WORKDIR /app
COPY --chown=www:www src/backend .
RUN npm install && npm run prod
FROM php:8.0-fpm-alpine FROM php:8.0-fpm-alpine
ENV PROJECT_DIR /var/www ENV PROJECT_DIR /var/www
...@@ -11,10 +19,7 @@ RUN apk update && apk add --no-cache \ ...@@ -11,10 +19,7 @@ RUN apk update && apk add --no-cache \
postgresql-dev \ postgresql-dev \
zlib-dev \ zlib-dev \
libpng-dev \ libpng-dev \
shadow \ shadow
bash \
bash-completion \
vim
# Install PHP Extensions # Install PHP Extensions
RUN docker-php-ext-install pdo \ RUN docker-php-ext-install pdo \
...@@ -31,12 +36,24 @@ RUN groupadd -g 1000 www && \ ...@@ -31,12 +36,24 @@ RUN groupadd -g 1000 www && \
useradd -u 1000 -ms /bin/bash -g www www useradd -u 1000 -ms /bin/bash -g www www
# Copy existing application directory permissions # Copy existing application directory permissions
COPY --chown=root:www src/ ${WORKDIR} COPY bin/docker-entrypoint.sh /
COPY --chown=www:www src/ ${WORKDIR}
COPY --chown=www:www simplesamlphp-1.19.0-rc1/ ${WORKDIR}../simplesamlphp
COPY --chown=www:www --from=frontend_assets /app/public ${WORKDIR}/backend/
COPY php/prod.ini /usr/local/etc/php/conf.d/local.ini COPY php/prod.ini /usr/local/etc/php/conf.d/local.ini
# Change current user to www # Change current user to www
USER www USER www
# Expose port 9000 and start php-fpm server # exampleauth is not used for production
EXPOSE 9000 RUN rm -rf backend/cov backend/vendor ../simplesamlphp/modules/exampleauth/enable backend/tests frontend install-dev.sh \
CMD ["php-fpm"] && cd backend \
&& composer.phar install --no-ansi --no-dev --no-interaction --no-plugins --no-progress --no-scripts --optimize-autoloader \
&& chmod 0755 /docker-entrypoint.sh \
&& php artisan apidoc:generate \
&& php artisan optimize \
&& php artisan config:cache \
&& php artisan route:cache \
&& php artisan view:cache
CMD ["/docker-entrypoint.sh"]
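Review bot: `php artisan optimize`, `config:cache` and `route:cache` run at image build time, before the runtime `.env` that docker-compose.prod.yml mounts at /var/www/backend/.env exists; Laravel stops reading `.env` once the configuration is cached, so the DB_PASSWORD the deploy job writes is never seen and the cached config carries whatever environment the CI build had (including the pipeline's `POSTGRES_PASSWORD=secret`). bin/docker-entrypoint.sh in this commit only runs `migrate`, so the caching commands belong there, after the mount is in place. `chmod 0755 /docker-entrypoint.sh` is executed after `USER www` on a file that `COPY bin/docker-entrypoint.sh /` placed as root, so it fails with EPERM; do the chmod in a root `RUN` before switching user (or `COPY --chmod=0755` under BuildKit). `COPY --chown=www:www src/backend .` in the `frontend_assets` stage names a user that, as far as I can tell, does not exist in node:15.4-alpine, which makes that COPY fail; `COPY src/backend .` is enough there since the output is re-copied with `--chown` into the final stage.
```dockerfile
COPY bin/docker-entrypoint.sh /
RUN chmod 0755 /docker-entrypoint.sh
# … unchanged: COPY src/, simplesamlphp, frontend assets, php/prod.ini …
USER www
# exampleauth is not used for production
RUN rm -rf backend/cov backend/vendor ../simplesamlphp/modules/exampleauth/enable backend/tests frontend install-dev.sh \
    && cd backend \
    && composer.phar install --no-ansi --no-dev --no-interaction --no-plugins --no-progress --no-scripts --optimize-autoloader \
    && php artisan apidoc:generate
# optimize/config:cache/route:cache/view:cache moved to /docker-entrypoint.sh so the mounted .env is read
CMD ["/docker-entrypoint.sh"]
```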
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd "${DIR}" || exit 255
# Clear cache
rm bootstrap/cache/*.php
# Update php dependencies
composer install
# Apply any new migrations
php artisan migrate --force
# Regenerate cache
php artisan clear-compiled
php artisan optimize
php artisan config:cache
php artisan route:cache
php artisan view:cache
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
"${DIR}/backend/update-prod.sh"