fix: prevent Traefik restart loops and improve Docker registry login

Registry Login Fixes: - Filter out service names (minio, redis) from registry URL extraction - Only recognize actual registry URLs (with TLD or port) - Preserve port numbers in registry URLs (e.g. git.michaelschiemer.de:5000) - Better error messages for failed logins Traefik Restart Loop Prevention: - Set traefik_auto_restart default to false in traefik role - Add traefik_auto_restart, traefik_ssl_restart, gitea_auto_restart to staging vars - Add guard to fix-gitea-traefik-connection.yml restart task - Add guard and deprecation warning to update-gitea-traefik-service.yml This ensures that: - CI/CD pipelines won't cause Traefik restart loops - Staging environment uses same safe defaults as production - Deprecated playbooks fail by default unless explicitly enabled - Only actual Docker registries are used for login, not service names
2025-11-09 00:03:30 +01:00
parent c6b94b1147
commit ba859d0fdf
5 changed files with 312 additions and 10 deletions
--- a/deployment/ansible/playbooks/deploy-image.yml
+++ b/deployment/ansible/playbooks/deploy-image.yml
@@ -233,21 +233,42 @@
      ignore_errors: yes
      changed_when: false

-    - name: Determine actual registry URLs from docker-compose files
+    - name: Extract registry URLs from docker-compose files (preserve port if present)
      ansible.builtin.shell: |
        cd {{ application_code_dest }}
-        grep -h "image:" docker-compose.base.yml docker-compose.{{ application_compose_suffix }} 2>/dev/null | sed -E 's/.*image:\s*([^\/]+).*/\1/' | sed 's/:.*//' | sort -u || echo ""
-      register: actual_registry_urls
+        grep -h "image:" docker-compose.base.yml docker-compose.{{ application_compose_suffix }} 2>/dev/null | \
+        sed -E 's/.*image:\s*([^\/]+).*/\1/' | \
+        sed -E 's/:([^:]+)$//' | \
+        grep -E '\.(de|com|org|net|io|dev)|:[0-9]+|localhost' | \
+        sort -u || echo ""
+      register: actual_registry_urls_raw
      changed_when: false
      failed_when: false

-    - name: Set list of registries to login to
+    - name: Extract full registry URLs with ports from docker-compose files
+      ansible.builtin.shell: |
+        cd {{ application_code_dest }}
+        grep -h "image:" docker-compose.base.yml docker-compose.{{ application_compose_suffix }} 2>/dev/null | \
+        sed -E 's/.*image:\s*([^\/]+).*/\1/' | \
+        sed -E 's/:([^:]+)$//' | \
+        sort -u || echo ""
+      register: actual_registry_urls_full
+      changed_when: false
+      failed_when: false
+
+    - name: Set list of registries to login to (filter out service names, preserve ports)
      ansible.builtin.set_fact:
        registries_to_login: >-
-          {%- set found_registries = actual_registry_urls.stdout | trim | split('\n') | select('match', '.+') | list -%}
+          {%- set found_registries = actual_registry_urls_full.stdout | trim | split('\n') | select('match', '.+') | list -%}
+          {%- set filtered_registries = [] -%}
+          {%- for reg in found_registries -%}
+            {%- if reg | regex_search('\.(de|com|org|net|io|dev)') or reg | regex_search(':[0-9]+') or reg == 'localhost' -%}
+              {%- set _ = filtered_registries.append(reg) -%}
+            {%- endif -%}
+          {%- endfor -%}
          {%- set default_registry = [docker_registry] -%}
-          {%- if found_registries | length > 0 -%}
-            {{ found_registries | unique | list }}
+          {%- if filtered_registries | length > 0 -%}
+            {{ filtered_registries | unique | list }}
          {%- else -%}
            {{ default_registry }}
          {%- endif -%}
@@ -260,14 +281,14 @@
      when: 
        - registry_password | string | trim != ''
        - registry_accessible == 'true'
-      loop: "{{ registries_to_login }}"
+      loop: "{{ registries_to_login | default([docker_registry]) }}"
      no_log: yes
      register: docker_login_results
      failed_when: false

    - name: Display login results
      ansible.builtin.debug:
-        msg: "Docker login to {{ item.item }}: {% if item.failed %}FAILED{% else %}SUCCESS{% endif %}"
+        msg: "Docker login to {{ item.item }}: {% if item.failed %}FAILED ({{ item.msg | default('unknown error') }}){% else %}SUCCESS{% endif %}"
      when: 
        - registry_password | string | trim != ''
        - registry_accessible == 'true'