thalla/lomavuokraus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: thalla:104a8a4cab62b1862e4dcddeae12207397233989
Branches Tags
thalla:master
..
compare: thalla:be0b194737d3750528391296374846eec8fe6c91
Branches Tags
thalla:master

No commits in common. "104a8a4cab62b1862e4dcddeae12207397233989" and "be0b194737d3750528391296374846eec8fe6c91" have entirely different histories.
104a8a4cab ... be0b194737

3 changed files with 0 additions and 34 deletions
Show stats Expand all files Collapse all files

26
deploy/README.md
View file

@ -1,26 +0,0 @@
Deploying to k3s (Hetzner)
==========================
Prereqs
- `kubectl` installed locally.
- Access to the cluster kubeconfig.
- Secrets loaded (dotenv via `scripts/load-secrets.sh`).
Kubeconfig
- By default `deploy/deploy.sh` will use `$KUBECONFIG`. If that is unset and `creds/kubeconfig.yaml` exists, it will export `KUBECONFIG=$PWD/creds/kubeconfig.yaml`.
- Recommended flow for new devs:
1) Obtain the kubeconfig from the cluster admin.
2) Save it as `creds/kubeconfig.yaml` (ignored by git), or set `KUBECONFIG` to your own path.
3) Verify access: `kubectl get ns` (you should see `lomavuokraus-test/staging/prod`).
- If you want to keep the kubeconfig in-repo but encrypted, store it as `creds/kubeconfig.enc.yaml` with sops/age and decrypt to `creds/kubeconfig.yaml` before deploying:
- Decrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml`
- Encrypt (admin only): `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml`
Deploy commands
- Test: `./deploy/deploy-test.sh`
- Staging (default): `./deploy/deploy-staging.sh` or `TARGET=staging ./deploy/deploy.sh`
- Prod: `./deploy/deploy-prod.sh`
Notes
- Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
- `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.

6
deploy/deploy.sh
View file

@ -6,12 +6,6 @@ if [[ -f scripts/load-secrets.sh ]]; then
# Export secrets from creds/secrets.env (dotenv) when available. # Export secrets from creds/secrets.env (dotenv) when available.
source scripts/load-secrets.sh source scripts/load-secrets.sh
fi fi
# Prefer repo-local kubeconfig if present and KUBECONFIG is not set.
if [[ -z "${KUBECONFIG:-}" && -f creds/kubeconfig.yaml ]]; then
export KUBECONFIG="$(pwd)/creds/kubeconfig.yaml"
fi
source deploy/env.sh source deploy/env.sh
if [[ ! -f deploy/.last-image ]]; then if [[ ! -f deploy/.last-image ]]; then

2
scripts/zap-baseline.sh
View file

@ -16,8 +16,6 @@ echo "Running ZAP baseline against $TARGET (timeout ${TIMEOUT_MINUTES}m)..."
docker run --rm \ docker run --rm \
-u "$(id -u)":"$(id -g)" \ -u "$(id -u)":"$(id -g)" \
-v "$PWD/$REPORT_DIR":/zap/wrk \ -v "$PWD/$REPORT_DIR":/zap/wrk \
-w /zap/wrk \
-e HOME=/zap/wrk \
"$ZAP_IMAGE" zap-baseline.py \ "$ZAP_IMAGE" zap-baseline.py \
-t "$TARGET" \ -t "$TARGET" \
-x zap-report.xml \ -x zap-report.xml \