michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
76ec4cf28d32cf0e3bf5c08df31d6b2f496f8545
michaelschiemer/deployment/ansible/playbooks/deploy-image.yml
Michael Schiemer 76ec4cf28d
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Successful in 52s
Details
Security Vulnerability Scan / Check for Dependency Changes (push) Successful in 51s
Details
🚀 Build & Deploy Image / Build Runtime Base Image (push) Successful in 10s
Details
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Details
Security Vulnerability Scan / Composer Security Audit (push) Has been skipped
Details
🚀 Build & Deploy Image / Build Docker Image (push) Successful in 12s
Details
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Failing after 52s
Details
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Details
fix: Configure Docker insecure registry and add GIT_BRANCH 
- Add Docker daemon configuration to use HTTP for git.michaelschiemer.de:5000 registry
- Configure insecure-registries in /etc/docker/daemon.json
- Add GIT_BRANCH environment variable (staging for staging, main for production)
- Set default GIT_REPOSITORY_URL if not provided
- Fixes 'http: server gave HTTP response to HTTPS client' error
- Fixes missing GIT_BRANCH variable warnings
2025-11-08 16:01:44 +01:00

258 lines
10 KiB
YAML
Raw Blame History

---
- name: Deploy Docker Image to Application Stack
hosts: "{{ deployment_hosts | default('production') }}"
gather_facts: yes
become: no
vars:
# Application code directory (where docker-compose files are located)
application_code_dest: "/home/deploy/michaelschiemer/current"
application_compose_suffix: >-
{%- if deployment_environment == 'staging' -%}
staging.yml
{%- else -%}
production.yml
{%- endif -%}
# Image to deploy (can be overridden via -e image_tag=...)
image_tag: "{{ image_tag | default('latest') }}"
docker_registry: "{{ docker_registry | default('registry.michaelschiemer.de') }}"
app_name_default: "framework"
# Deployment environment (staging or production)
deployment_environment: "{{ deployment_environment | default('production') }}"
tasks:
- name: Check if vault file exists locally
stat:
path: "{{ playbook_dir }}/../secrets/{{ deployment_environment }}.vault.yml"
delegate_to: localhost
register: vault_file_stat
become: no
- name: Load secrets from vault file if exists
include_vars:
file: "{{ playbook_dir }}/../secrets/{{ deployment_environment }}.vault.yml"
when: vault_file_stat.stat.exists
no_log: yes
ignore_errors: yes
delegate_to: localhost
become: no
- name: Set app_name from provided value or default
ansible.builtin.set_fact:
app_name: "{{ app_name if (app_name is defined and app_name != '') else app_name_default }}"
- name: Set deploy_image from registry, app_name and tag
ansible.builtin.set_fact:
deploy_image: "{{ docker_registry }}/{{ app_name }}:{{ image_tag }}"
- name: Set database and MinIO variables from vault or defaults
ansible.builtin.set_fact:
db_username: "{{ db_username | default(vault_db_user | default('postgres')) }}"
db_password: "{{ db_password | default(vault_db_password | default('')) }}"
minio_root_user: "{{ minio_root_user | default(vault_minio_root_user | default('minioadmin')) }}"
minio_root_password: "{{ minio_root_password | default(vault_minio_root_password | default('')) }}"
secrets_dir: "{{ secrets_dir | default('./secrets') }}"
git_repository_url: "{{ git_repository_url | default(vault_git_repository_url | default('https://git.michaelschiemer.de/michael/michaelschiemer.git')) }}"
git_branch: >-
{%- if deployment_environment == 'staging' -%}
staging
{%- else -%}
main
{%- endif -%}
git_token: "{{ git_token | default(vault_git_token | default('')) }}"
git_username: "{{ git_username | default(vault_git_username | default('')) }}"
git_password: "{{ git_password | default(vault_git_password | default('')) }}"
no_log: yes
- name: Determine Docker registry password from vault or extra vars
ansible.builtin.set_fact:
registry_password: >-
{%- if docker_registry_password is defined and docker_registry_password | string | trim != '' -%}
{{ docker_registry_password }}
{%- elif vault_docker_registry_password is defined and vault_docker_registry_password | string | trim != '' -%}
{{ vault_docker_registry_password }}
{%- else -%}
{{ '' }}
{%- endif -%}
no_log: yes
- name: Check if registry is accessible
ansible.builtin.uri:
url: "https://{{ docker_registry }}/v2/"
method: GET
status_code: [200, 401]
timeout: 5
validate_certs: no
register: registry_check
ignore_errors: yes
delegate_to: "{{ inventory_hostname }}"
become: no
- name: Set registry accessible flag
ansible.builtin.set_fact:
registry_accessible: "{{ 'true' if (registry_check.status is defined and registry_check.status | int in [200, 401]) else 'false' }}"
- name: Login to Docker registry
community.docker.docker_login:
registry_url: "{{ docker_registry }}"
username: "{{ docker_registry_username | default('admin') }}"
password: "{{ registry_password }}"
when:
- registry_password | string | trim != ''
- registry_accessible == 'true'
no_log: yes
ignore_errors: yes
register: docker_login_result
- name: Pull Docker image
community.docker.docker_image:
name: "{{ deploy_image }}"
source: pull
pull: true
when: registry_accessible is defined and registry_accessible == 'true'
register: image_pull_result
ignore_errors: yes
failed_when: false
- name: Verify image exists locally
community.docker.docker_image_info:
name: "{{ deploy_image }}"
register: image_info
failed_when: image_info.failed | default(false)
- name: Update docker-compose file with new image tag
ansible.builtin.replace:
path: "{{ application_code_dest }}/docker-compose.{{ application_compose_suffix }}"
regexp: '^(\s+image:\s+)({{ docker_registry }}/{{ app_name }}:)(.*)$'
replace: '\1\2{{ image_tag }}'
register: compose_update_result
failed_when: false
changed_when: compose_update_result.changed | default(false)
- name: Update docker-compose file with new image (alternative pattern)
ansible.builtin.replace:
path: "{{ application_code_dest }}/docker-compose.{{ application_compose_suffix }}"
regexp: 'image:\s+{{ docker_registry }}/{{ app_name }}:.*'
replace: 'image: {{ deploy_image }}'
register: compose_update_alt
when: compose_update_result.changed == false
failed_when: false
changed_when: compose_update_alt.changed | default(false)
- name: Ensure Docker networks exist
community.docker.docker_network:
name: "{{ item }}"
state: present
loop:
- traefik-public
- app-internal
ignore_errors: yes
- name: Check if .env file exists
stat:
path: "{{ application_code_dest }}/.env"
register: env_file_exists
- name: Create minimal .env file if it doesn't exist
copy:
dest: "{{ application_code_dest }}/.env"
content: |
# Minimal .env file for Docker Compose
# This file should be properly configured by the application setup playbook
DB_USERNAME={{ db_username | default('postgres') }}
DB_PASSWORD={{ db_password | default('') }}
MINIO_ROOT_USER={{ minio_root_user | default('minioadmin') }}
MINIO_ROOT_PASSWORD={{ minio_root_password | default('') }}
SECRETS_DIR={{ secrets_dir | default('./secrets') }}
GIT_REPOSITORY_URL={{ git_repository_url | default('') }}
GIT_TOKEN={{ git_token | default('') }}
GIT_USERNAME={{ git_username | default('') }}
GIT_PASSWORD={{ git_password | default('') }}
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0600'
when: not env_file_exists.stat.exists
become: yes
- name: Configure Docker to use HTTP for git.michaelschiemer.de:5000 registry
shell: |
# Check if insecure-registries is already configured
if ! grep -q "git.michaelschiemer.de:5000" /etc/docker/daemon.json 2>/dev/null; then
# Backup existing daemon.json
cp /etc/docker/daemon.json /etc/docker/daemon.json.bak 2>/dev/null || echo '{}' > /etc/docker/daemon.json.bak
# Add insecure-registries if not present
python3 << 'EOF'
import json
import sys
try:
with open('/etc/docker/daemon.json', 'r') as f:
config = json.load(f)
except (FileNotFoundError, json.JSONDecodeError):
config = {}
if 'insecure-registries' not in config:
config['insecure-registries'] = []
if 'git.michaelschiemer.de:5000' not in config['insecure-registries']:
config['insecure-registries'].append('git.michaelschiemer.de:5000')
with open('/etc/docker/daemon.json', 'w') as f:
json.dump(config, f, indent=2)
sys.exit(0) # Changed
sys.exit(1) # No change
EOF
# Restart Docker daemon if configuration changed
if [ $? -eq 0 ]; then
systemctl restart docker || service docker restart || true
sleep 2
fi
fi
become: yes
ignore_errors: yes
changed_when: false
failed_when: false
- name: Deploy application stack with new image
shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} up -d --pull missing --force-recreate --remove-orphans
register: compose_deploy_result
changed_when: true
environment:
DB_USERNAME: "{{ db_username | default('postgres') }}"
DB_PASSWORD: "{{ db_password | default('') }}"
MINIO_ROOT_USER: "{{ minio_root_user | default('minioadmin') }}"
MINIO_ROOT_PASSWORD: "{{ minio_root_password | default('') }}"
SECRETS_DIR: "{{ secrets_dir | default('./secrets') }}"
GIT_REPOSITORY_URL: "{{ git_repository_url | default('') }}"
GIT_BRANCH: "{{ git_branch | default('main') }}"
GIT_TOKEN: "{{ git_token | default('') }}"
GIT_USERNAME: "{{ git_username | default('') }}"
GIT_PASSWORD: "{{ git_password | default('') }}"
- name: Wait for containers to start
ansible.builtin.pause:
seconds: 15
- name: Check container status
shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} ps
register: container_status
changed_when: false
- name: Display deployment summary
ansible.builtin.debug:
msg: |
========================================
Image Deployment Summary
========================================
Image: {{ deploy_image }}
Tag: {{ image_tag }}
Environment: {{ deployment_environment }}
Stack: {{ application_code_dest }}
Status: SUCCESS
========================================
Container Status:
{{ container_status.stdout | default('Not available') }}
========================================
Reference in New Issue View Git Blame Copy Permalink