Fix nginx issues #2
Some checks failed
Podman Rootless Demo / test-backend (push) Has been skipped
Podman Rootless Demo / test-frontend (push) Has been skipped
Podman Rootless Demo / build-backend (push) Has been skipped
Podman Rootless Demo / build-frontend (push) Has been skipped
Podman Rootless Demo / deploy-prod (push) Failing after 1m31s
Some checks failed
Podman Rootless Demo / test-backend (push) Has been skipped
Podman Rootless Demo / test-frontend (push) Has been skipped
Podman Rootless Demo / build-backend (push) Has been skipped
Podman Rootless Demo / build-frontend (push) Has been skipped
Podman Rootless Demo / deploy-prod (push) Failing after 1m31s
This commit is contained in:
parent
8e2a5236ac
commit
795d83c81a
1 changed files with 42 additions and 50 deletions
|
|
@ -230,60 +230,52 @@ jobs:
|
||||||
PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }}
|
PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Login to container registry with PAT
|
- name: Login to container registry with PAT
|
||||||
run: |
|
run: |
|
||||||
echo "${{ secrets.REGISTRY_TOKEN }}" | podman --remote login \
|
echo "${{ secrets.REGISTRY_TOKEN }}" | podman --remote login \
|
||||||
-u "${{ secrets.REGISTRY_USERNAME }}" \
|
-u "${{ secrets.REGISTRY_USERNAME }}" \
|
||||||
--password-stdin \
|
--password-stdin \
|
||||||
"${{ secrets.REGISTRY_HOST }}"
|
"${{ secrets.REGISTRY_HOST }}"
|
||||||
|
|
||||||
- name: Pull production images (optional but faster on play)
|
- name: (Optional) Pre-pull images to speed up play
|
||||||
run: |
|
run: |
|
||||||
podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-backend-api-postgres:$IMAGE_TAG"
|
podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-backend-api-postgres:$IMAGE_TAG"
|
||||||
podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-frontend:$IMAGE_TAG"
|
podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-frontend:$IMAGE_TAG"
|
||||||
|
|
||||||
# RENDER nginx.conf FROM REPO AND COPY TO HOST (no unshare)
|
# 1) Render nginx.conf from repo and copy to host (no unshare)
|
||||||
- name: Render nginx.conf and write to host
|
- name: Render nginx.conf and write to host
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
apk add --no-cache gettext >/dev/null # provides envsubst
|
apk add --no-cache gettext >/dev/null
|
||||||
# Render with your CI env (PROD_* vars)
|
envsubst < nginx/nginx.conf > /tmp/nginx.conf
|
||||||
envsubst < nginx/nginx.conf > /tmp/nginx.conf
|
podman --remote run --rm -i \
|
||||||
|
--userns=keep-id \
|
||||||
|
-v /opt/sharenet/nginx:/host-nginx:rw \
|
||||||
|
alpine:3.20 sh -c 'install -D -m 0644 /dev/stdin /host-nginx/nginx.conf' \
|
||||||
|
< /tmp/nginx.conf
|
||||||
|
|
||||||
# Copy to host via remote Podman bind-mount; keep prod-service uid/gid
|
# 2) Lint nginx.conf BEFORE restarting the pod (avoids crash loops)
|
||||||
podman --remote run --rm -i \
|
- name: Validate nginx.conf with throwaway container
|
||||||
--userns=keep-id \
|
run: |
|
||||||
-v /opt/sharenet/nginx:/host-nginx:rw \
|
set -euo pipefail
|
||||||
alpine:3.20 sh -c 'install -D -m 0644 /dev/stdin /host-nginx/nginx.conf' \
|
podman --remote run --rm \
|
||||||
< /tmp/nginx.conf
|
-v /opt/sharenet/nginx:/etc/nginx:ro \
|
||||||
|
docker.io/nginx:alpine \
|
||||||
|
sh -lc 'nginx -t -c /etc/nginx/nginx.conf'
|
||||||
|
|
||||||
# TRY ZERO-DOWNTIME RELOAD FIRST
|
# 3) Recreate the pod (down → play). This ensures new images/ports/env + the validated conf.
|
||||||
- name: Reload in-pod Nginx (or restart on failure)
|
- name: Recreate pod
|
||||||
continue-on-error: true
|
run: |
|
||||||
run: |
|
set -euo pipefail
|
||||||
set -euo pipefail
|
podman --remote kube down sharenet-production-pod || true
|
||||||
podman --remote exec sharenet-production-pod-nginx nginx -t
|
envsubst < deploy/prod-pod.yml | podman --remote kube play -
|
||||||
podman --remote exec sharenet-production-pod-nginx nginx -s reload
|
|
||||||
|
|
||||||
- name: Fallback restart Nginx container if reload failed
|
# 4) Verify health on the prod host
|
||||||
if: failure()
|
- name: Verify in-pod Nginx
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
podman --remote restart sharenet-production-pod-nginx
|
curl -sS -D- http://127.0.0.1:18080/healthz
|
||||||
|
|
||||||
# (Re)APPLY THE POD (ensures new images/config picked up)
|
|
||||||
- name: Recreate pod (down & play)
|
|
||||||
run: |
|
|
||||||
set -euo pipefail
|
|
||||||
podman --remote kube down sharenet-production-pod || true
|
|
||||||
# Render your pod manifest (uses same $ENV as before)
|
|
||||||
envsubst < deploy/prod-pod.yml | podman --remote kube play -
|
|
||||||
|
|
||||||
# VERIFY
|
|
||||||
- name: Verify in-pod nginx is healthy
|
|
||||||
run: |
|
|
||||||
set -euo pipefail
|
|
||||||
curl -sS -D- http://127.0.0.1:18080/healthz
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue