michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: DockerSecretsResolver - don't normalize absolute paths like /var/www/html/...
Some checks failed
Deploy Application / deploy (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Michael Schiemer
2025-11-24 21:28:25 +01:00
parent 4eb7134853
commit 77abc65cd7
1327 changed files with 91915 additions and 9909 deletions
Download Patch File Download Diff File Expand all files Collapse all files

180
docker-compose.staging.yml
View File

@@ -10,13 +10,13 @@
services:
# PHP-FPM Application Runtime
staging-app:
php:
image: localhost:5000/framework:latest
container_name: staging-app
container_name: php
restart: unless-stopped
networks:
- staging-internal
- postgres-staging-internal
- app-backend
- app-internal
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
@@ -30,13 +30,13 @@ services:
- GIT_USERNAME=${GIT_USERNAME:-}
- GIT_PASSWORD=${GIT_PASSWORD:-}
# Database - using separate staging database
- DB_HOST=${DB_HOST:-postgres-staging}
- DB_PORT=${DB_PORT:-5432}
- DB_HOST=postgres
- DB_PORT=5432
- DB_DATABASE=${DB_DATABASE:-michaelschiemer_staging}
- DB_USERNAME=${DB_USERNAME}
- DB_PASSWORD=${DB_PASSWORD}
# Redis
- REDIS_HOST=staging-redis
- REDIS_HOST=redis
- REDIS_PORT=6379
# Cache
- CACHE_DRIVER=redis
@@ -50,23 +50,20 @@ services:
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# Note: These paths will be set by the entrypoint script after copying secrets
# to /var/www/html/storage/secrets/ for www-data access
# The entrypoint script will copy secrets and set these paths
- DB_PASSWORD_FILE=/var/www/html/storage/secrets/db_user_password
- REDIS_PASSWORD_FILE=/var/www/html/storage/secrets/redis_password
- APP_KEY_FILE=/var/www/html/storage/secrets/app_key
- VAULT_ENCRYPTION_KEY_FILE=/var/www/html/storage/secrets/vault_encryption_key
- GIT_TOKEN_FILE=/var/www/html/storage/secrets/git_token
volumes:
- staging-code:/var/www/html
- staging-storage:/var/www/html/storage
- staging-logs:/var/www/html/storage/logs
- app-code:/var/www/html
- app-storage:/var/www/html/storage
- app-logs:/var/www/html/storage/logs
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
secrets:
- db_user_password
- redis_password
- app_key
- vault_encryption_key
- git_token
# Override entrypoint to only start PHP-FPM (not nginx) + fix git ownership
entrypoint: ["/bin/sh", "-c"]
command:
@@ -77,6 +74,9 @@ services:
# We copy them here as root to a location where www-data can read them.
echo "🔐 Setting up Docker Secrets for PHP access..."
SECRETS_DIR="/var/www/html/storage/secrets"
# Ensure we're in the right directory
cd /var/www/html || exit 1
# Create secrets directory if it doesn't exist
mkdir -p "$SECRETS_DIR"
chmod 750 "$SECRETS_DIR"
chown www-data:www-data "$SECRETS_DIR"
@@ -87,6 +87,8 @@ services:
chown www-data:www-data "$SECRETS_DIR/redis_password"
export REDIS_PASSWORD_FILE="$SECRETS_DIR/redis_password"
echo "✅ Copied redis_password to $SECRETS_DIR/redis_password"
else
echo "⚠️ Warning: /run/secrets/redis_password not found"
fi
if [ -f /run/secrets/db_user_password ]; then
@@ -105,21 +107,6 @@ services:
echo "✅ Copied app_key to $SECRETS_DIR/app_key"
fi
if [ -f /run/secrets/vault_encryption_key ]; then
cp /run/secrets/vault_encryption_key "$SECRETS_DIR/vault_encryption_key" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/vault_encryption_key"
chown www-data:www-data "$SECRETS_DIR/vault_encryption_key"
export VAULT_ENCRYPTION_KEY_FILE="$SECRETS_DIR/vault_encryption_key"
echo "✅ Copied vault_encryption_key to $SECRETS_DIR/vault_encryption_key"
fi
if [ -f /run/secrets/git_token ]; then
cp /run/secrets/git_token "$SECRETS_DIR/git_token" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/git_token"
chown www-data:www-data "$SECRETS_DIR/git_token"
export GIT_TOKEN_FILE="$SECRETS_DIR/git_token"
echo "✅ Copied git_token to $SECRETS_DIR/git_token"
fi
# Fix Git ownership issue
# Ensure Git treats the mounted repository as safe regardless of owner
@@ -205,16 +192,16 @@ services:
retries: 3
start_period: 40s
depends_on:
staging-redis:
redis:
condition: service_started
# Nginx Web Server
staging-nginx:
nginx:
image: localhost:5000/framework:latest
container_name: staging-nginx
container_name: nginx
restart: unless-stopped
networks:
- traefik-public
- staging-internal
- app-backend
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
@@ -227,15 +214,15 @@ services:
- GIT_PASSWORD=${GIT_PASSWORD:-}
volumes:
- ./deployment/stacks/staging/nginx/conf.d:/etc/nginx/conf.d:ro
- staging-code:/var/www/html:ro
- staging-storage:/var/www/html/storage:ro
- app-code:/var/www/html:ro
- app-storage:/var/www/html/storage:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
# Wait for code to be available (cloned by staging-app container) then start nginx
# Wait for code to be available (cloned by php container) then start nginx
entrypoint: ["/bin/sh", "-c"]
command:
- |
# Wait for code to be available in shared volume (staging-app container clones it)
# Wait for code to be available in shared volume (php container clones it)
GIT_TARGET_DIR="/var/www/html"
echo "⏳ [staging-nginx] Waiting for code to be available in shared volume..."
for i in 1 2 3 4 5 6 7 8 9 10; do
@@ -254,19 +241,21 @@ services:
fi
# Fix nginx upstream configuration - sites-enabled/default overrides conf.d/default.conf
# This is critical: nginx sites-available/default uses 127.0.0.1:9000 but PHP-FPM runs in staging-app container
# This is critical: nginx sites-available/default uses 127.0.0.1:9000 but PHP-FPM runs in php container
if [ -f "/etc/nginx/sites-available/default" ]; then
echo "🔧 [staging-nginx] Fixing PHP-FPM upstream configuration..."
# Replace in upstream block
sed -i '/upstream php-upstream {/,/}/s|server 127.0.0.1:9000;|server staging-app:9000;|g' /etc/nginx/sites-available/default || true
sed -i '/upstream php-upstream {/,/}/s|server localhost:9000;|server staging-app:9000;|g' /etc/nginx/sites-available/default || true
# Replace in upstream block - use php container name (as defined in docker-compose.staging.yml)
sed -i '/upstream php-upstream {/,/}/s|server 127.0.0.1:9000;|server php:9000;|g' /etc/nginx/sites-available/default || true
sed -i '/upstream php-upstream {/,/}/s|server localhost:9000;|server php:9000;|g' /etc/nginx/sites-available/default || true
# Replace any auto-generated container names (like 5aad84af7c9e_php)
sed -i '/upstream php-upstream {/,/}/s|server [a-f0-9_]*php:9000;|server php:9000;|g' /etc/nginx/sites-available/default || true
# Replace any direct fastcgi_pass references too
sed -i 's|fastcgi_pass 127.0.0.1:9000;|fastcgi_pass php-upstream;|g' /etc/nginx/sites-available/default || true
sed -i 's|fastcgi_pass localhost:9000;|fastcgi_pass php-upstream;|g' /etc/nginx/sites-available/default || true
echo "✅ [staging-nginx] PHP-FPM upstream fixed"
fi
# Start nginx only (no PHP-FPM, no Git clone - staging-app container handles that)
# Start nginx only (no PHP-FPM, no Git clone - php container handles that)
echo "🚀 [staging-nginx] Starting nginx..."
exec nginx -g "daemon off;"
labels:
@@ -278,8 +267,6 @@ services:
- "traefik.http.routers.staging.tls.certresolver=letsencrypt"
# Service
- "traefik.http.services.staging.loadbalancer.server.port=80"
# Middleware
- "traefik.http.routers.staging.middlewares=default-chain@file"
# Network
- "traefik.docker.network=traefik-public"
healthcheck:
@@ -289,18 +276,18 @@ services:
retries: 3
start_period: 10s
depends_on:
staging-app:
php:
condition: service_started
# Remove base service dependencies and build
ports: []
# Redis Cache/Session/Queue Backend (separate from production)
staging-redis:
redis:
image: redis:7-alpine
container_name: staging-redis
container_name: redis
restart: unless-stopped
networks:
- staging-internal
- app-backend
environment:
- TZ=Europe/Berlin
- REDIS_PASSWORD_FILE=/run/secrets/redis_password
@@ -339,32 +326,32 @@ services:
--appendfsync everysec
fi
volumes:
- staging-redis-data:/data
- redis-data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
# Queue Worker (Background Jobs)
staging-queue-worker:
queue-worker:
image: localhost:5000/framework:latest
container_name: staging-queue-worker
container_name: queue-worker
restart: unless-stopped
networks:
- staging-internal
- postgres-staging-internal
- app-backend
- app-internal
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
# Database - using separate staging database
- DB_HOST=${DB_HOST:-postgres-staging}
- DB_PORT=${DB_PORT:-5432}
- DB_HOST=postgres
- DB_PORT=5432
- DB_DATABASE=${DB_DATABASE:-michaelschiemer_staging}
- DB_USERNAME=${DB_USERNAME}
- DB_PASSWORD=${DB_PASSWORD}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
- DB_PASSWORD_FILE=/run/secrets/db_user_password
# Redis
- REDIS_HOST=staging-redis
- REDIS_HOST=redis
- REDIS_PORT=6379
- REDIS_PASSWORD_FILE=/run/secrets/redis_password
# Queue
@@ -374,9 +361,9 @@ services:
- QUEUE_WORKER_TRIES=${QUEUE_WORKER_TRIES:-3}
- QUEUE_WORKER_TIMEOUT=${QUEUE_WORKER_TIMEOUT:-60}
volumes:
- staging-code:/var/www/html
- staging-storage:/var/www/html/storage
- staging-logs:/var/www/html/storage/logs
- app-code:/var/www/html
- app-storage:/var/www/html/storage
- app-logs:/var/www/html/storage/logs
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
command: php console.php queue:work --queue=default --timeout=${QUEUE_WORKER_TIMEOUT:-60}
@@ -387,9 +374,9 @@ services:
retries: 3
start_period: 30s
depends_on:
staging-app:
php:
condition: service_started
staging-redis:
redis:
condition: service_started
entrypoint: ""
stop_grace_period: 30s
@@ -397,36 +384,35 @@ services:
- db_user_password
- redis_password
- app_key
- vault_encryption_key
# Scheduler (Cron Jobs)
staging-scheduler:
scheduler:
image: localhost:5000/framework:latest
container_name: staging-scheduler
container_name: scheduler
restart: unless-stopped
networks:
- staging-internal
- postgres-staging-internal
- app-backend
- app-internal
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
# Database - using separate staging database
- DB_HOST=${DB_HOST:-postgres-staging}
- DB_PORT=${DB_PORT:-5432}
- DB_HOST=postgres
- DB_PORT=5432
- DB_DATABASE=${DB_DATABASE:-michaelschiemer_staging}
- DB_USERNAME=${DB_USERNAME}
- DB_PASSWORD=${DB_PASSWORD}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
- DB_PASSWORD_FILE=/run/secrets/db_user_password
# Redis
- REDIS_HOST=staging-redis
- REDIS_HOST=redis
- REDIS_PORT=6379
- REDIS_PASSWORD_FILE=/run/secrets/redis_password
volumes:
- staging-code:/var/www/html
- staging-storage:/var/www/html/storage
- staging-logs:/var/www/html/storage/logs
- app-code:/var/www/html
- app-storage:/var/www/html/storage
- app-logs:/var/www/html/storage/logs
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
command: php console.php scheduler:run
@@ -437,9 +423,9 @@ services:
retries: 3
start_period: 30s
depends_on:
staging-app:
php:
condition: service_started
staging-redis:
redis:
condition: service_started
entrypoint: ""
stop_grace_period: 30s
@@ -447,48 +433,30 @@ services:
- db_user_password
- redis_password
- app_key
- vault_encryption_key
# Remove base services that are not needed in staging
# Disable base services (override from docker-compose.base.yml)
web:
profiles:
- never
php:
profiles:
- never
db:
profiles:
- never
redis:
profiles:
- never
queue-worker:
profiles:
- never
profiles: [never]
minio:
profiles:
- never
profiles: [never]
networks:
traefik-public:
external: true
staging-internal:
app-backend:
driver: bridge
postgres-staging-internal:
external: true
name: postgres-staging-internal
app-internal:
external: true
name: app-internal
volumes:
staging-code:
app-code:
name: staging-code
staging-storage:
app-storage:
name: staging-storage
staging-logs:
app-logs:
name: staging-logs
staging-redis-data:
redis-data:
name: staging-redis-data
# Docker Secrets Configuration
@@ -496,18 +464,12 @@ volumes:
# But we need to explicitly define them here to ensure they're available
secrets:
db_user_password:
file: ./secrets/db_user_password.txt
file: ./deployment/secrets/staging/db_password.txt
external: false
redis_password:
file: ./secrets/redis_password.txt
file: ./deployment/secrets/staging/redis_password.txt
external: false
app_key:
file: ./secrets/app_key.txt
external: false
vault_encryption_key:
file: ./secrets/vault_encryption_key.txt
external: false
git_token:
file: ./secrets/git_token.txt
file: ./deployment/secrets/staging/app_key.txt
external: false