fix: prevent CI jobs from restarting Traefik
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Successful in 28s
Security Vulnerability Scan / Check for Dependency Changes (push) Successful in 35s
🚀 Build & Deploy Image / Build Runtime Base Image (push) Successful in 18s
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Security Vulnerability Scan / Composer Security Audit (push) Has been skipped
🚀 Build & Deploy Image / Build Docker Image (push) Successful in 17s
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Failing after 1m9s
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Successful in 28s
Security Vulnerability Scan / Check for Dependency Changes (push) Successful in 35s
🚀 Build & Deploy Image / Build Runtime Base Image (push) Successful in 18s
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Security Vulnerability Scan / Composer Security Audit (push) Has been skipped
🚀 Build & Deploy Image / Build Docker Image (push) Successful in 17s
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Failing after 1m9s
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
- Add traefik_auto_restart check to fix-gitea-timeouts.yml - Add traefik_auto_restart check to fix-gitea-ssl-routing.yml - Add traefik_auto_restart check to fix-gitea-complete.yml - Set traefik_auto_restart=false in all Gitea workflow Ansible calls - Set gitea_auto_restart=false in all Gitea workflow Ansible calls - Add redeploy-traefik-gitea.yml playbook for clean redeployment This prevents CI/CD pipelines from causing Traefik restart loops by ensuring all remediation playbooks respect the traefik_auto_restart flag, which is set to false in group_vars/production/vars.yml.
This commit is contained in:
195
deployment/ansible/playbooks/fix-gitea-ssl-routing.yml
Normal file
195
deployment/ansible/playbooks/fix-gitea-ssl-routing.yml
Normal file
@@ -0,0 +1,195 @@
|
||||
---
|
||||
# Fix Gitea SSL and Routing Issues
|
||||
# Prüft SSL-Zertifikat, Service Discovery und behebt Routing-Probleme
|
||||
- name: Fix Gitea SSL and Routing
|
||||
hosts: production
|
||||
gather_facts: yes
|
||||
become: no
|
||||
vars:
|
||||
gitea_stack_path: "{{ stacks_base_path }}/gitea"
|
||||
traefik_stack_path: "{{ stacks_base_path }}/traefik"
|
||||
gitea_url: "https://{{ gitea_domain }}"
|
||||
gitea_url_http: "http://{{ gitea_domain }}"
|
||||
|
||||
tasks:
|
||||
- name: Check Gitea container status
|
||||
ansible.builtin.shell: |
|
||||
cd {{ gitea_stack_path }}
|
||||
docker compose ps gitea
|
||||
register: gitea_status
|
||||
changed_when: false
|
||||
|
||||
- name: Check Traefik container status
|
||||
ansible.builtin.shell: |
|
||||
cd {{ traefik_stack_path }}
|
||||
docker compose ps traefik
|
||||
register: traefik_status
|
||||
changed_when: false
|
||||
|
||||
- name: Check if Gitea is in traefik-public network
|
||||
ansible.builtin.shell: |
|
||||
docker network inspect traefik-public --format '{{ '{{' }}range .Containers{{ '}}' }}{{ '{{' }}.Name{{ '}}' }} {{ '{{' }}end{{ '}}' }}' 2>/dev/null | grep -q gitea && echo "YES" || echo "NO"
|
||||
register: gitea_in_network
|
||||
changed_when: false
|
||||
|
||||
- name: Test direct connection from Traefik to Gitea (by service name)
|
||||
ansible.builtin.shell: |
|
||||
cd {{ traefik_stack_path }}
|
||||
docker compose exec -T traefik wget -qO- --timeout=5 http://gitea:3000/api/healthz 2>&1 || echo "CONNECTION_FAILED"
|
||||
register: traefik_gitea_direct
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Check Traefik logs for SSL/ACME errors
|
||||
ansible.builtin.shell: |
|
||||
cd {{ traefik_stack_path }}
|
||||
docker compose logs traefik --tail=100 2>&1 | grep -iE "acme|certificate|git\.michaelschiemer\.de|ssl|tls" | tail -20 || echo "No SSL/ACME errors found"
|
||||
register: traefik_ssl_errors
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Check if SSL certificate exists for git.michaelschiemer.de
|
||||
ansible.builtin.shell: |
|
||||
cd {{ traefik_stack_path }}
|
||||
docker compose exec -T traefik cat /acme.json 2>/dev/null | grep -q "git.michaelschiemer.de" && echo "YES" || echo "NO"
|
||||
register: ssl_cert_exists
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Test Gitea via HTTP (port 80, should redirect or show error)
|
||||
ansible.builtin.uri:
|
||||
url: "{{ gitea_url_http }}/api/healthz"
|
||||
method: GET
|
||||
status_code: [200, 301, 302, 404, 502, 503, 504]
|
||||
validate_certs: false
|
||||
timeout: 10
|
||||
register: gitea_http_test
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Test Gitea via HTTPS
|
||||
ansible.builtin.uri:
|
||||
url: "{{ gitea_url }}/api/healthz"
|
||||
method: GET
|
||||
status_code: [200, 301, 302, 404, 502, 503, 504]
|
||||
validate_certs: false
|
||||
timeout: 10
|
||||
register: gitea_https_test
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Display diagnostic information
|
||||
ansible.builtin.debug:
|
||||
msg: |
|
||||
================================================================================
|
||||
GITEA SSL/ROUTING DIAGNOSE:
|
||||
================================================================================
|
||||
|
||||
Container Status:
|
||||
- Gitea: {{ gitea_status.stdout | regex_replace('.*(Up|Down|Restarting).*', '\\1') | default('UNKNOWN') }}
|
||||
- Traefik: {{ traefik_status.stdout | regex_replace('.*(Up|Down|Restarting).*', '\\1') | default('UNKNOWN') }}
|
||||
|
||||
Network:
|
||||
- Gitea in traefik-public: {% if gitea_in_network.stdout == 'YES' %}✅{% else %}❌{% endif %}
|
||||
- Traefik → Gitea (direct): {% if 'CONNECTION_FAILED' not in traefik_gitea_direct.stdout %}✅{% else %}❌{% endif %}
|
||||
|
||||
SSL/Certificate:
|
||||
- Certificate in acme.json: {% if ssl_cert_exists.stdout == 'YES' %}✅{% else %}❌{% endif %}
|
||||
|
||||
Connectivity:
|
||||
- HTTP (port 80): Status {{ gitea_http_test.status | default('TIMEOUT') }}
|
||||
- HTTPS (port 443): Status {{ gitea_https_test.status | default('TIMEOUT') }}
|
||||
|
||||
Traefik SSL/ACME Errors:
|
||||
{{ traefik_ssl_errors.stdout }}
|
||||
|
||||
================================================================================
|
||||
|
||||
- name: Restart Gitea if not in network or connection failed
|
||||
ansible.builtin.shell: |
|
||||
cd {{ gitea_stack_path }}
|
||||
docker compose restart gitea
|
||||
register: gitea_restart
|
||||
changed_when: gitea_restart.rc == 0
|
||||
when: gitea_in_network.stdout != 'YES' or 'CONNECTION_FAILED' in traefik_gitea_direct.stdout
|
||||
|
||||
- name: Wait for Gitea to be ready after restart
|
||||
ansible.builtin.pause:
|
||||
seconds: 30
|
||||
when: gitea_restart.changed | default(false)
|
||||
|
||||
- name: Restart Traefik to refresh service discovery and SSL
|
||||
ansible.builtin.shell: |
|
||||
cd {{ traefik_stack_path }}
|
||||
docker compose restart traefik
|
||||
register: traefik_restart
|
||||
changed_when: traefik_restart.rc == 0
|
||||
when: >
|
||||
(traefik_auto_restart | default(false) | bool)
|
||||
and (gitea_restart.changed | default(false) or gitea_https_test.status | default(0) != 200)
|
||||
|
||||
- name: Wait for Traefik to be ready after restart
|
||||
ansible.builtin.pause:
|
||||
seconds: 15
|
||||
when: traefik_restart.changed | default(false)
|
||||
|
||||
- name: Wait for Gitea to be reachable via HTTPS (with retries)
|
||||
ansible.builtin.uri:
|
||||
url: "{{ gitea_url }}/api/healthz"
|
||||
method: GET
|
||||
status_code: [200]
|
||||
validate_certs: false
|
||||
timeout: 10
|
||||
register: final_gitea_test
|
||||
until: final_gitea_test.status == 200
|
||||
retries: 20
|
||||
delay: 3
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
when: traefik_restart.changed | default(false) or gitea_restart.changed | default(false)
|
||||
|
||||
- name: Final status check
|
||||
ansible.builtin.uri:
|
||||
url: "{{ gitea_url }}/api/healthz"
|
||||
method: GET
|
||||
status_code: [200]
|
||||
validate_certs: false
|
||||
timeout: 10
|
||||
register: final_status
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Summary
|
||||
ansible.builtin.debug:
|
||||
msg: |
|
||||
================================================================================
|
||||
ZUSAMMENFASSUNG - Gitea SSL/Routing Fix:
|
||||
================================================================================
|
||||
|
||||
Aktionen:
|
||||
- Gitea Restart: {% if gitea_restart.changed | default(false) %}✅ Durchgeführt{% else %}ℹ️ Nicht nötig{% endif %}
|
||||
- Traefik Restart: {% if traefik_restart.changed | default(false) %}✅ Durchgeführt{% else %}ℹ️ Nicht nötig{% endif %}
|
||||
|
||||
Final Status:
|
||||
- Gitea via HTTPS: {% if final_status.status == 200 %}✅ Erreichbar{% else %}❌ Nicht erreichbar (Status: {{ final_status.status | default('TIMEOUT') }}){% endif %}
|
||||
|
||||
{% if final_status.status == 200 %}
|
||||
✅ Gitea ist jetzt über Traefik erreichbar!
|
||||
URL: {{ gitea_url }}
|
||||
{% else %}
|
||||
⚠️ Gitea ist noch nicht erreichbar
|
||||
|
||||
Mögliche Ursachen:
|
||||
1. SSL-Zertifikat wird noch generiert (ACME Challenge läuft)
|
||||
2. Traefik Service Discovery braucht mehr Zeit
|
||||
3. Netzwerk-Problem zwischen Traefik und Gitea
|
||||
|
||||
Nächste Schritte:
|
||||
1. Warte 2-5 Minuten und teste erneut: curl -k {{ gitea_url }}/api/healthz
|
||||
2. Prüfe Traefik-Logs: cd {{ traefik_stack_path }} && docker compose logs traefik --tail=50
|
||||
3. Prüfe Gitea-Logs: cd {{ gitea_stack_path }} && docker compose logs gitea --tail=50
|
||||
4. Prüfe Netzwerk: docker network inspect traefik-public | grep -A 5 gitea
|
||||
{% endif %}
|
||||
|
||||
================================================================================
|
||||
|
||||
Reference in New Issue
Block a user