zero downtime deployment?

.gitlab-ci.yml

@@ -7,8 +7,8 @@ variables:
   POSTGRES_USER: web
   POSTGRES_PASSWORD: secret
   POSTGRES_DB: doorcode
-  DOORCODE_IMAGE_NAME: doorcode/app:$CI_COMMIT_REF_SLUG
-  NGINX_IMAGE_NAME: doorcode/web:$CI_COMMIT_REF_SLUG
+  DOORCODE_IMAGE_NAME: doorcode/app:$CI_PIPELINE_ID
+  NGINX_IMAGE_NAME: doorcode/web:$CI_PIPELINE_ID
 
 stages:
   - build
@@ -101,15 +101,13 @@ deploy application:
     - docker-compose -f docker-compose.prod.yml build
     - docker build -t $DOORCODE_IMAGE_NAME -f prod.Dockerfile .
     - docker build -t $NGINX_IMAGE_NAME -f nginx.Dockerfile .
-    - docker-compose -f docker-compose.prod.yml down
     - sed -i "s/\(^DB_PASSWORD=\).*/\1$(cat $POSTGRES_PASSWORD)/" $PROJ_DIR/.env
-    - docker-compose -f docker-compose.prod.yml up -d
+    - docker stack deploy -c docker-compose.prod.yml doorcode --prune
     # Give it some time to spin up...
     - sleep 10
     # Make sure app is running
     - "curl --fail --insecure --location https://${DEPLOY_ADDRESS}/api"
     - "curl --fail --insecure --location https://${DEPLOY_ADDRESS}/api/docs"
-    - exit 1
   environment:
     name: production
     url: https://elock.cs.wallawalla.edu/api
@@ -121,7 +119,7 @@ deploy application:
 stop-prod:
   stage: deploy
   script:
-    - docker-compose -f docker-compose.prod.yml down
+    - docker stack rm doorcode
   only:
     - master
   when: manual

docker-compose.prod.yml

@@ -4,29 +4,48 @@ networks:
   doorcode:
     attachable: true
 
+configs:
+  laravel_env:
+    name: laravel_env-${CI_JOB_ID}
+    file: $PROJ_DIR/.env
+
 secrets:
   webserver_cert:
+    name: webserver_cert-${CI_JOB_ID}
     file: $WEBSERVER_CERT
   webserver_key:
+    name: webserver_key-${CI_JOB_ID}
     file: $WEBSERVER_KEY
   root_cert:
+    name: root_cert-${CI_JOB_ID}
     file: $ROOT_CERT
   wwu_webserver_cert:
+    name: wwu_webserver_cert-${CI_JOB_ID}
     file: $WWU_WEBSERVER_CERT
   wwu_webserver_key:
+    name: wwu_webserver_key-${CI_JOB_ID}
     file: $WWU_WEBSERVER_KEY
   wwu_root_cert:
+    name: wwu_root_cert-${CI_JOB_ID}
     file: $WWU_ROOT_CERT
   postgres_password:
+    name: postgres_password-${CI_JOB_ID}
     file: $POSTGRES_PASSWORD
 
 volumes:
-  db-data:
-  pgadmin-data:
+  doorcode_db-data:
+    external: true
+  doorcode_pgadmin-data:
+    external: true
 
 services:
   webserver:
     image: $NGINX_IMAGE_NAME
+    healthcheck:
+      test: [ "CMD", "curl", "--fail", "http://localhost/health" ]
+      interval: 30s
+      timeout: 3s
+      retries: 3
     secrets:
       - webserver_cert
       - webserver_key
@@ -35,14 +54,14 @@ services:
       - wwu_webserver_key
       - wwu_root_cert
     ports:
-      - target: "4433"
-        published: "4433"
+      - target: 4433
+        published: 4433
         mode: host
-      - target: "443"
-        published: "443"
+      - target: 443
+        published: 443
         mode: host
-      - target: "80"
-        published: "80"
+      - target: 80
+        published: 80
         mode: host
     volumes:
       - $PROJ_DIR/simple-saml/cert:/var/simplesamlphp/cert:ro
@@ -54,20 +73,25 @@ services:
         max-file: "3"
     networks:
       - doorcode
+    deploy:
+      update_config:
+        order: start-first
+        failure_action: rollback
+        delay: 5s
+      rollback_config:
+        parallelism: 0
+        order: stop-first
   postgres:
     image: postgres:13-alpine
     secrets:
       - postgres_password
-    ports:
-      - target: "5432"
-        published: "127.0.0.1:5432"
-        mode: host
     volumes:
-      - db-data:/var/lib/postgresql/data
+      - doorcode_db-data:/var/lib/postgresql/data
     environment:
       POSTGRES_USER: web
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
       POSTGRES_DB: doorcode
+      TZ: America/Los_Angeles
     logging:
       options:
         max-size: "10m"
@@ -77,7 +101,7 @@ services:
   dbadmin:
     image: dpage/pgadmin4:4.24
     volumes:
-      - pgadmin-data:/var/lib/pgadmin
+      - doorcode_pgadmin-data:/var/lib/pgadmin
     environment:
       PGADMIN_DEFAULT_EMAIL: admin@elock
       PGADMIN_DEFAULT_PASSWORD: Please change the default password.
@@ -89,8 +113,17 @@ services:
       - doorcode
   api:
     image: $DOORCODE_IMAGE_NAME
+    environment:
+      TZ: America/Los_Angeles
+    configs:
+      - source: laravel_env
+        target: /var/www/backend/.env
+    healthcheck:
+      test: [ "CMD", "/healthcheck.sh" ]
+      interval: 30s
+      timeout: 3s
+      retries: 3
     volumes:
-      - $PROJ_DIR/.env:/var/www/backend/.env:ro
       - $PROJ_DIR/controller-bins:/var/www/backend/storage/app/controller/binaries:ro
       - $PROJ_DIR/simple-saml/cert:/var/simplesamlphp/cert:ro
       - $PROJ_DIR/simple-saml/config:/var/simplesamlphp/config:ro
@@ -101,3 +134,11 @@ services:
         max-file: "3"
     networks:
       - doorcode
+    deploy:
+      update_config:
+        order: start-first
+        failure_action: rollback
+        delay: 5s
+      rollback_config:
+        parallelism: 0
+        order: stop-first

nginx/conf.d/app.conf

@@ -45,6 +45,11 @@ server {
     # Comment the following change to the JS frontend
     root /var/www/backend/public;
 
+    location /health {
+        access_log off;
+        return 200 "healthy";
+    }
+
     location ^~ /simplesaml {
         alias /var/simplesamlphp/www;
 

nginx/conf.d/prod.conf

@@ -45,6 +45,11 @@ server {
     # Comment the following change to the JS frontend
     root /var/www/backend/public;
 
+    location /health {
+        access_log off;
+        return 200 "healthy";
+    }
+
     location ^~ /saml {
         alias /var/simplesamlphp/www;
 

prod.Dockerfile

@@ -45,7 +45,10 @@ RUN rm -rf backend/cov backend/vendor backend/public \
         ../simplesamlphp/modules/exampleauth/enable \
         backend/tests frontend backend/install-dev.sh install-dev.sh \
         backend/node_modules \
-    && chmod 0755 /docker-entrypoint.sh
+    && chmod 0755 /docker-entrypoint.sh \
+    && wget -O /healthcheck.sh \
+        https://raw.githubusercontent.com/renatomefi/php-fpm-healthcheck/master/php-fpm-healthcheck \
+    && chmod +x /healthcheck.sh
 COPY --chown=www:www --from=frontend_assets /app/public backend/public
 
 # Change current user to www