#!/usr/bin/env bash
# Abort on the first failing command. Note that -e is not applied inside
# conditions or pipelines, so the functions below still check what matters.
set -e

# Branch -> host mapping committed in the repository being deployed.
hosts_file="${GITHUB_WORKSPACE}/.github/hosts.yml"
#export PATH="$PATH:$COMPOSER_HOME/vendor/bin"

PROJECT_ROOT="$(pwd)"
export PROJECT_ROOT
HTDOCS="${HOME}/htdocs"
export HTDOCS
# "refs/heads/<branch>" -> "<branch>"; the value is left as-is when GITHUB_REF
# does not contain "heads/".
GITHUB_BRANCH="${GITHUB_REF##*heads/}"
export GITHUB_BRANCH

# Optional per-repository override script lives here (see main).
CUSTOM_SCRIPT_DIR="${GITHUB_WORKSPACE}/.github/deploy"
# Empty: connect directly. Non-empty: route SSH through this bastion (ProxyJump).
JUMPHOST_SERVER=
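#######################################
# Sanity checks before any deployment work starts.
# Globals:   GITHUB_REF, JUMPHOST_SERVER, SSH_PRIVATE_KEY, GITHUB_EVENT_PATH (read)
# Outputs:   error diagnostics on stderr
# Exits:     1 on a configuration error; 78 when the event is a branch deletion
#            (78 was the historic GitHub Actions "neutral" code — TODO confirm
#            how the current runner treats it)
#######################################
function init_checks() {
  # A branch ref is required: the deploy target is chosen by matching
  # GITHUB_REF against the keys of hosts.yml.
  if [[ -z "$GITHUB_REF" ]]; then
    printf '%s\n' '$GITHUB_REF is not set' >&2
    exit 1
  fi
  # Going through a jump host requires a raw private key; the Vault-signed
  # certificate flow is not wired into the ProxyJump configuration.
  if [[ -n "$JUMPHOST_SERVER" && -z "$SSH_PRIVATE_KEY" ]]; then
    printf '%s\n' \
      'Jump host configuration does not work with vault ssh signing.' \
      'SSH_PRIVATE_KEY secret needs to be added.' \
      'The SSH key should have access to the server as well as jumphost.' >&2
    exit 1
  fi
  # Push events carry "deleted": true when the ref was removed — nothing to deploy.
  # A failed jq call (missing/unreadable event file) is treated as "not deleted",
  # matching the previous behaviour of the comparison.
  local deleted
  deleted=$(jq --raw-output .deleted "$GITHUB_EVENT_PATH") || deleted=
  if [[ "$deleted" == "true" ]]; then
    echo 'Branch deletion trigger found. Skipping deployment.'
    exit 78
  fi
}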
#######################################
# Copy the repository's hosts.yml to /hosts.yml and echo it into the job log.
# Globals:   hosts_file (read)
# Outputs:   contents of hosts.yml on stdout
#######################################
function setup_hosts_file() {
  local -r dest=/hosts.yml
  rsync -av --temp-dir=/tmp "$hosts_file" "$dest"
  # hosts.yml appears to hold only branch -> hostname/user mappings (see
  # setup_ssh_access), so printing it into the log should expose no secret.
  cat "$dest"
}
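#######################################
# Require that the pushed branch is one of the top-level keys in hosts.yml.
# Globals:   hosts_file, GITHUB_REF (read)
# Outputs:   the matching ref on stdout; mismatch notice on stderr
# Exits:     78 when no key matches the ref
#######################################
function check_branch_in_hosts_file() {
  local match=0 branch
  # shyaml prints one key per line; read line-wise instead of relying on
  # word-splitting of a command substitution.
  while IFS= read -r branch; do
    if [[ "$GITHUB_REF" == "refs/heads/$branch" ]]; then
      echo "$GITHUB_REF matches refs/heads/$branch"
      match=1
    fi
  done < <(shyaml keys <"$hosts_file")
  # Exit neutral if no match found
  if (( match == 0 )); then
    echo "$GITHUB_REF does not match with any given branch in 'hosts.yml'" >&2
    exit 78
  fi
}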
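#######################################
# Install the deploy key: either the SSH_PRIVATE_KEY secret, or a fresh
# key-pair (to be signed by Vault in maybe_get_ssh_cert_from_vault).
# Globals:   SSH_PRIVATE_KEY, SSH_DIR, hosts_file, JUMPHOST_SERVER, HOME (read)
# Outputs:   appends scanned host keys to /etc/ssh/known_hosts
#######################################
function setup_private_key() {
  if [[ -n "$SSH_PRIVATE_KEY" ]]; then
    # Create the key file owner-only from the start so it is never readable by
    # others between the write and the chmod; \r is stripped in case the secret
    # was pasted from a Windows editor.
    (umask 077 && printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' >"$SSH_DIR/id_rsa")
    chmod 600 "$SSH_DIR/id_rsa"
    # ssh-agent prints shell assignments for its socket/pid; eval-ing that
    # output is the documented way to load them (it is not user input).
    eval "$(ssh-agent -s)"
    ssh-add "$SSH_DIR/id_rsa"
    # Trust-on-first-use: host keys are fetched at deploy time rather than
    # pinned, so whatever answers for the hostname at this moment is trusted.
    # Committing the host keys alongside hosts.yml would close that window.
    local branch target_host
    while IFS= read -r branch; do
      target_host=$(shyaml get-value "${branch}.hostname" <"$hosts_file")
      ssh-keyscan -H "$target_host" >>/etc/ssh/known_hosts
    done < <(shyaml keys <"$hosts_file")
    if [[ -n "$JUMPHOST_SERVER" ]]; then
      ssh-keyscan -H "$JUMPHOST_SERVER" >>/etc/ssh/known_hosts
    fi
  else
    # Generate a key-pair (no passphrase: it only lives for this job).
    ssh-keygen -t rsa -b 4096 -C "GH-actions-ssh-deploy-key" -f "$HOME/.ssh/id_rsa" -N ""
  fi
}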
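#######################################
# Optionally obtain a Vault-signed SSH certificate for the generated key.
# Globals:   VAULT_GITHUB_TOKEN, VAULT_ADDR, HOME (read); VAULT_TOKEN (unset)
# Outputs:   writes $HOME/.ssh/signed-cert.pub when VAULT_ADDR is set
#######################################
function maybe_get_ssh_cert_from_vault() {
  if [[ -n "$VAULT_GITHUB_TOKEN" ]]; then
    # Presumably so a pre-set VAULT_TOKEN does not shadow the GitHub login.
    unset VAULT_TOKEN
    # NOTE(review): the token is passed on the command line, so it is visible
    # in the process list (and in any `set -x` trace) while vault runs.
    vault login -method=github token="$VAULT_GITHUB_TOKEN" >/dev/null
  fi
  if [[ -n "$VAULT_ADDR" ]]; then
    # Paths are quoted so a HOME containing spaces or glob characters cannot
    # split the public_key argument or the redirection target.
    vault write -field=signed_key ssh-client-signer/sign/my-role \
      public_key=@"$HOME/.ssh/id_rsa.pub" >"$HOME/.ssh/signed-cert.pub"
  fi
}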
#IdentityFile ${SSH_DIR}/signed-cert.pub
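#######################################
# Write the system-wide ssh_config used for the deploy connection.
# `~/.ssh/config` does not work here, so /etc/ssh/ssh_config is overwritten.
# Globals:   JUMPHOST_SERVER, hostname, ssh_user, SSH_DIR (read)
# Outputs:   /etc/ssh/ssh_config
#######################################
function configure_ssh_config() {
  # setup_private_key appends scanned host keys to /etc/ssh/known_hosts, while
  # OpenSSH's system-wide default is /etc/ssh/ssh_known_hosts. The file is
  # therefore named explicitly on BOTH paths (previously only the jump-host
  # branch did so, leaving the direct path without the scanned keys).
  # NOTE(review): $hostname and $ssh_user come straight from hosts.yml and are
  # expanded unquoted into the config, so a value containing a newline would
  # become additional directives. NOTE(review): the Vault-signed certificate
  # written to $SSH_DIR/signed-cert.pub is not referenced here — confirm how
  # it is meant to be picked up.
  if [[ -z "$JUMPHOST_SERVER" ]]; then
    cat >/etc/ssh/ssh_config <<EOL
Host $hostname
HostName $hostname
IdentityFile ${SSH_DIR}/id_rsa
UserKnownHostsFile /etc/ssh/known_hosts
User $ssh_user
EOL
  else
    cat >/etc/ssh/ssh_config <<EOL
Host jumphost
HostName $JUMPHOST_SERVER
UserKnownHostsFile /etc/ssh/known_hosts
User $ssh_user
Host $hostname
HostName $hostname
ProxyJump jumphost
UserKnownHostsFile /etc/ssh/known_hosts
User $ssh_user
EOL
  fi
}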
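#######################################
# Resolve the target host/user for the current branch and prepare SSH.
# Globals:   hosts_file, GITHUB_BRANCH, HOME (read); hostname, ssh_user,
#            SSH_DIR (set; the last is read by setup_private_key and
#            configure_ssh_config)
# Outputs:   progress notice on stdout
# Exits:     1 when hosts.yml yields an empty hostname or user; a failing
#            shyaml lookup aborts via set -e
#######################################
function setup_ssh_access() {
  # Declaration and command substitution are split so a failing shyaml call
  # is not masked by `export`'s own (always zero) exit status.
  hostname=$(shyaml get-value "$GITHUB_BRANCH.hostname" <"$hosts_file")
  ssh_user=$(shyaml get-value "$GITHUB_BRANCH.user" <"$hosts_file")
  export hostname ssh_user
  # An empty value would produce an ssh_config with blank Host/User lines.
  if [[ -z "$hostname" || -z "$ssh_user" ]]; then
    printf '%s\n' "hosts.yml has no hostname/user for branch '$GITHUB_BRANCH'" >&2
    exit 1
  fi
  printf "[\e[0;34mNOTICE\e[0m] Setting up SSH access to server.\n"
  SSH_DIR="$HOME/.ssh"
  mkdir -p "$SSH_DIR"
  chmod 700 "$SSH_DIR"
  setup_private_key
  maybe_get_ssh_cert_from_vault
  configure_ssh_config
}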
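#######################################
# Initialise git submodules when the checkout declares any.
# Not called from main() in this file. Assumes setup_ssh_access already ran
# (SSH_DIR set, agent loaded) — TODO confirm for any caller.
# Globals:   GITHUB_WORKSPACE, SUBMODULE_DEPLOY_KEY, SSH_DIR (read)
# Outputs:   appends to /etc/ssh/known_hosts and /etc/ssh/ssh_config
#######################################
function maybe_install_submodules() {
  # Change directory ownership to container user due to issue https://github.com/actions/checkout/issues/760
  # This will be changed to www-data or similar on deployment by deployer.
  chown -R root: "$GITHUB_WORKSPACE"
  [[ -f "$GITHUB_WORKSPACE/.gitmodules" ]] || return 0
  # github.com host keys come from GitHub's published metadata over HTTPS
  # rather than a keyscan. Without pipefail a failed curl appends nothing
  # and the clone below fails on host verification instead.
  curl -sL https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >>/etc/ssh/known_hosts
  local identity_file=''
  if [[ -n "$SUBMODULE_DEPLOY_KEY" ]]; then
    # Owner-only from creation; strip CRs from a pasted secret.
    (umask 077 && printf '%s\n' "$SUBMODULE_DEPLOY_KEY" | tr -d '\r' >"$SSH_DIR/submodule_deploy_key")
    chmod 600 "$SSH_DIR/submodule_deploy_key"
    ssh-add "$SSH_DIR/submodule_deploy_key"
    identity_file="IdentityFile ${SSH_DIR}/submodule_deploy_key"
  fi
  # Setup config file for proper git cloning (appended after the deploy host entry)
  cat >>/etc/ssh/ssh_config <<EOL
Host github.com
HostName github.com
User git
UserKnownHostsFile /etc/ssh/known_hosts
${identity_file}
EOL
  git submodule update --init --recursive
}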
#######################################
# Hand the prepared SSH material to the unprivileged `frappe` user and run
# the deployment script as that user.
# Outputs:   whatever /deploy.sh prints
#######################################
run_deploy_sh() {
  local -r runner_home=/home/frappe
  local -r actions_home=/github/home
  # NOTE(review): if $runner_home/.ssh already exists, `cp -r` nests the source
  # directory inside it rather than merging — confirm the image ships without it.
  cp -r "$actions_home/.ssh/" "$runner_home/.ssh"
  # The IdentityFile written by configure_ssh_config presumably points into
  # $actions_home, which is why both trees are chowned to frappe below.
  cp /etc/ssh/ssh_config "$runner_home/.ssh/config"
  chown -R frappe:frappe "$runner_home/.ssh/" "$actions_home/.ssh"
  su frappe -c "bash /deploy.sh"
}
#######################################
# Entry point. A repository may replace the whole flow by providing
# .github/deploy/addon.sh, which is sourced (so it runs with this script's
# privileges and environment) instead of the default steps.
# Globals:   CUSTOM_SCRIPT_DIR (read)
#######################################
function main() {
  local -r addon="$CUSTOM_SCRIPT_DIR/addon.sh"
  if [[ -f "$addon" ]]; then
    # shellcheck source=/dev/null
    source "$addon"
    return
  fi
  init_checks
  setup_hosts_file
  check_branch_in_hosts_file
  setup_ssh_access
  run_deploy_sh
}
# Run the deploy flow. No arguments are forwarded, so a sourced addon.sh sees an empty "$@".
main