Support insecure VPN registry pulls
Build & Deploy / Build & Push Docker Image (push) Successful in 2m52s
Test / Type Check (all packages) (push) Successful in 50s
Build & Deploy / Deploy to VPS (push) Successful in 4s
Test / API Unit Tests (push) Successful in 49s
Test / Homepage Unit Tests (push) Successful in 42s
Test / Storefront Unit Tests (push) Successful in 39s
Test / Admin Unit Tests (push) Successful in 40s
Test / Dashboard Unit Tests (push) Successful in 41s
Test / API Integration Tests (push) Successful in 1m1s
Build & Deploy / Build & Push Docker Image (push) Successful in 2m52s
Test / Type Check (all packages) (push) Successful in 50s
Build & Deploy / Deploy to VPS (push) Successful in 4s
Test / API Unit Tests (push) Successful in 49s
Test / Homepage Unit Tests (push) Successful in 42s
Test / Storefront Unit Tests (push) Successful in 39s
Test / Admin Unit Tests (push) Successful in 40s
Test / Dashboard Unit Tests (push) Successful in 41s
Test / API Integration Tests (push) Successful in 1m1s
This commit is contained in:
@@ -16,6 +16,7 @@ REGISTRY_HOST=10.0.0.4
|
|||||||
REGISTRY_USER=melabidi
|
REGISTRY_USER=melabidi
|
||||||
REGISTRY_TOKEN=
|
REGISTRY_TOKEN=
|
||||||
REGISTRY_PASSWORD=
|
REGISTRY_PASSWORD=
|
||||||
|
REGISTRY_INSECURE=true
|
||||||
|
|
||||||
# Optional shared folder for image archives. Leave empty when the VPS can pull from the VPN registry directly.
|
# Optional shared folder for image archives. Leave empty when the VPS can pull from the VPN registry directly.
|
||||||
# Current production VPN routing: VPS 10.0.0.1 can reach registry 10.0.0.4.
|
# Current production VPN routing: VPS 10.0.0.1 can reach registry 10.0.0.4.
|
||||||
|
|||||||
@@ -50,10 +50,27 @@ APP_IMAGE=10.0.0.4/melabidi/carmanagement
|
|||||||
REGISTRY_HOST=10.0.0.4
|
REGISTRY_HOST=10.0.0.4
|
||||||
REGISTRY_USER=melabidi
|
REGISTRY_USER=melabidi
|
||||||
REGISTRY_TOKEN=<registry-token>
|
REGISTRY_TOKEN=<registry-token>
|
||||||
|
REGISTRY_INSECURE=true
|
||||||
IMAGE_ARCHIVE_DIR=
|
IMAGE_ARCHIVE_DIR=
|
||||||
IMAGE_ARCHIVE_REQUIRED=false
|
IMAGE_ARCHIVE_REQUIRED=false
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Because Docker image names cannot include `http://`, the VPS Docker daemon must
|
||||||
|
mark the registry as insecure before direct HTTP pulls. Add this entry to
|
||||||
|
`/etc/docker/daemon.json`, merging it with any existing settings:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"insecure-registries": ["10.0.0.4"]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Then restart Docker:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo systemctl restart docker
|
||||||
|
```
|
||||||
|
|
||||||
## VPN Container Image Handoff
|
## VPN Container Image Handoff
|
||||||
|
|
||||||
This fallback is only needed if the VPS cannot reach `10.0.0.4` directly. If the
|
This fallback is only needed if the VPS cannot reach `10.0.0.4` directly. If the
|
||||||
|
|||||||
@@ -118,6 +118,7 @@ load_prod_env_exports() {
|
|||||||
REGISTRY_USER \
|
REGISTRY_USER \
|
||||||
REGISTRY_PASSWORD \
|
REGISTRY_PASSWORD \
|
||||||
REGISTRY_TOKEN \
|
REGISTRY_TOKEN \
|
||||||
|
REGISTRY_INSECURE \
|
||||||
VPN_CONTAINER
|
VPN_CONTAINER
|
||||||
do
|
do
|
||||||
export_env_value_if_unset "${key}"
|
export_env_value_if_unset "${key}"
|
||||||
@@ -129,6 +130,54 @@ load_prod_env_exports() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
registry_host_name() {
|
||||||
|
local host="${REGISTRY_HOST:-}"
|
||||||
|
|
||||||
|
host="${host#http://}"
|
||||||
|
host="${host#https://}"
|
||||||
|
host="${host%%/*}"
|
||||||
|
printf '%s' "${host}"
|
||||||
|
}
|
||||||
|
|
||||||
|
ensure_registry_transport_configured() {
|
||||||
|
local insecure="${REGISTRY_INSECURE:-false}"
|
||||||
|
local host
|
||||||
|
|
||||||
|
if [[ "${insecure}" != "true" && "${insecure}" != "1" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
host="$(registry_host_name)"
|
||||||
|
if [[ -z "${host}" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
REGISTRY_HOST="${host}"
|
||||||
|
export REGISTRY_HOST
|
||||||
|
|
||||||
|
if docker info 2>/dev/null | awk '/Insecure Registries:/,/Live Restore Enabled:/' | grep -Fqx " ${host}"; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >&2 <<EOF
|
||||||
|
Docker is not configured to pull ${host} over HTTP.
|
||||||
|
|
||||||
|
Docker image names cannot include http://. Configure the VPS Docker daemon once by adding
|
||||||
|
this entry to /etc/docker/daemon.json, merging it with any existing settings:
|
||||||
|
|
||||||
|
{
|
||||||
|
"insecure-registries": ["${host}"]
|
||||||
|
}
|
||||||
|
|
||||||
|
Then restart Docker:
|
||||||
|
|
||||||
|
sudo systemctl restart docker
|
||||||
|
|
||||||
|
Then rerun ./deploy-production.sh.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
validate_prod_env_file() {
|
validate_prod_env_file() {
|
||||||
local acme_email api_domain public_site_domain cors_origins postgres_password redis_password jwt_secret
|
local acme_email api_domain public_site_domain cors_origins postgres_password redis_password jwt_secret
|
||||||
|
|
||||||
@@ -234,6 +283,8 @@ require_release_image() {
|
|||||||
login_registry_if_configured() {
|
login_registry_if_configured() {
|
||||||
local archive_disabled="${IMAGE_ARCHIVE_DISABLED:-false}"
|
local archive_disabled="${IMAGE_ARCHIVE_DISABLED:-false}"
|
||||||
|
|
||||||
|
ensure_registry_transport_configured
|
||||||
|
|
||||||
if [[ -z "${REGISTRY_PASSWORD:-}" && -n "${REGISTRY_TOKEN:-}" ]]; then
|
if [[ -z "${REGISTRY_PASSWORD:-}" && -n "${REGISTRY_TOKEN:-}" ]]; then
|
||||||
REGISTRY_PASSWORD="${REGISTRY_TOKEN}"
|
REGISTRY_PASSWORD="${REGISTRY_TOKEN}"
|
||||||
export REGISTRY_PASSWORD
|
export REGISTRY_PASSWORD
|
||||||
@@ -278,6 +329,7 @@ login_registry_if_configured() {
|
|||||||
|
|
||||||
pull_prod_release_images() {
|
pull_prod_release_images() {
|
||||||
require_release_image
|
require_release_image
|
||||||
|
ensure_registry_transport_configured
|
||||||
|
|
||||||
if load_release_image_archives; then
|
if load_release_image_archives; then
|
||||||
verify_prod_release_image
|
verify_prod_release_image
|
||||||
|
|||||||
@@ -112,7 +112,8 @@ load_prod_env_exports() {
|
|||||||
REGISTRY_HOST \
|
REGISTRY_HOST \
|
||||||
REGISTRY_USER \
|
REGISTRY_USER \
|
||||||
REGISTRY_PASSWORD \
|
REGISTRY_PASSWORD \
|
||||||
REGISTRY_TOKEN
|
REGISTRY_TOKEN \
|
||||||
|
REGISTRY_INSECURE
|
||||||
do
|
do
|
||||||
export_env_value_if_unset "${key}"
|
export_env_value_if_unset "${key}"
|
||||||
done
|
done
|
||||||
@@ -123,6 +124,54 @@ load_prod_env_exports() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
registry_host_name() {
|
||||||
|
local host="${REGISTRY_HOST:-}"
|
||||||
|
|
||||||
|
host="${host#http://}"
|
||||||
|
host="${host#https://}"
|
||||||
|
host="${host%%/*}"
|
||||||
|
printf '%s' "${host}"
|
||||||
|
}
|
||||||
|
|
||||||
|
ensure_registry_transport_configured() {
|
||||||
|
local insecure="${REGISTRY_INSECURE:-false}"
|
||||||
|
local host
|
||||||
|
|
||||||
|
if [[ "${insecure}" != "true" && "${insecure}" != "1" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
host="$(registry_host_name)"
|
||||||
|
if [[ -z "${host}" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
REGISTRY_HOST="${host}"
|
||||||
|
export REGISTRY_HOST
|
||||||
|
|
||||||
|
if docker info 2>/dev/null | awk '/Insecure Registries:/,/Live Restore Enabled:/' | grep -Fqx " ${host}"; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >&2 <<EOF
|
||||||
|
Docker is not configured to pull ${host} over HTTP.
|
||||||
|
|
||||||
|
Docker image names cannot include http://. Configure the VPS Docker daemon once by adding
|
||||||
|
this entry to /etc/docker/daemon.json, merging it with any existing settings:
|
||||||
|
|
||||||
|
{
|
||||||
|
"insecure-registries": ["${host}"]
|
||||||
|
}
|
||||||
|
|
||||||
|
Then restart Docker:
|
||||||
|
|
||||||
|
sudo systemctl restart docker
|
||||||
|
|
||||||
|
Then rerun ./deploy-production.sh.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
validate_prod_env_file() {
|
validate_prod_env_file() {
|
||||||
local acme_email api_domain public_site_domain cors_origins portainer_domain postgres_password redis_password jwt_secret
|
local acme_email api_domain public_site_domain cors_origins portainer_domain postgres_password redis_password jwt_secret
|
||||||
|
|
||||||
@@ -245,6 +294,8 @@ require_release_image() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
login_registry_if_configured() {
|
login_registry_if_configured() {
|
||||||
|
ensure_registry_transport_configured
|
||||||
|
|
||||||
if [[ -z "${REGISTRY_PASSWORD:-}" && -n "${REGISTRY_TOKEN:-}" ]]; then
|
if [[ -z "${REGISTRY_PASSWORD:-}" && -n "${REGISTRY_TOKEN:-}" ]]; then
|
||||||
REGISTRY_PASSWORD="${REGISTRY_TOKEN}"
|
REGISTRY_PASSWORD="${REGISTRY_TOKEN}"
|
||||||
export REGISTRY_PASSWORD
|
export REGISTRY_PASSWORD
|
||||||
@@ -287,6 +338,7 @@ login_registry_if_configured() {
|
|||||||
|
|
||||||
pull_prod_release_images() {
|
pull_prod_release_images() {
|
||||||
require_release_image
|
require_release_image
|
||||||
|
ensure_registry_transport_configured
|
||||||
|
|
||||||
if load_release_image_archives; then
|
if load_release_image_archives; then
|
||||||
return 0
|
return 0
|
||||||
|
|||||||
Reference in New Issue
Block a user