alexei.dolgolyov
be6ad15efc
Security: apply AdminOnly middleware to mutating routes, require ENCRYPTION_KEY and ADMIN_PASSWORD (no insecure defaults), restrict CORS to same-origin, fix OIDC token delivery via cookie instead of URL query param, add rate limiting on login, add MaxBytesReader, validate volume paths against traversal, add security headers, validate user roles, add Secure flag to OIDC cookie. Performance: set SQLite MaxOpenConns(1) to prevent SQLITE_BUSY, add FK indexes on 8 columns, track notifier goroutines with WaitGroup for graceful shutdown, use GetRegistryByName instead of GetAllRegistries in deployer, pass basePath param to avoid redundant settings query, return empty slices from store to remove reflection. Quality: refactor TriggerDeploy to delegate to runDeploy (~100 lines removed), consolidate duplicated utilities (extractPort, boolToInt, now, isTerminalStatus) into shared exports, migrate all log.Printf to slog structured logging, use consistent webhook response envelope, remove dead code (parseEnvVars, duplicate auth types). UX: clean up NPM proxy on instance removal via API, add README with quickstart guide, add .env.example, require ADMIN_PASSWORD in docker-compose, document staging-net prerequisite.
92 lines
2.4 KiB
Go
92 lines
2.4 KiB
Go
package webhook
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"log/slog"
|
|
"strings"
|
|
|
|
"github.com/alexei/docker-watcher/internal/docker"
|
|
"github.com/alexei/docker-watcher/internal/store"
|
|
)
|
|
|
|
// AutoCreateProject creates a new project and a default "dev" stage from an
|
|
// unknown image. It inspects the Docker image to extract defaults (EXPOSE port,
|
|
// healthcheck, labels).
|
|
//
|
|
// The auto-created project uses:
|
|
// - Name: derived from image name (e.g. "web-app-launcher")
|
|
// - Image: full owner/name path
|
|
// - Port: first EXPOSE port from the image, or 0 if none
|
|
// - Healthcheck: from image HEALTHCHECK instruction, if present
|
|
// - A single "dev" stage with auto_deploy=true and tag_pattern="*"
|
|
func AutoCreateProject(
|
|
ctx context.Context,
|
|
st *store.Store,
|
|
inspector ImageInspector,
|
|
parsed ParsedImage,
|
|
) (store.Project, store.Stage, error) {
|
|
// Build the full image ref for inspection (registry/owner/name:tag).
|
|
imageRef := buildImageRef(parsed)
|
|
|
|
var port int
|
|
var healthcheck string
|
|
|
|
// Attempt to inspect the image for metadata. If inspection fails (image
|
|
// not pulled locally), proceed with zero defaults.
|
|
if inspector != nil {
|
|
info, err := inspector.InspectImage(ctx, imageRef)
|
|
if err != nil {
|
|
slog.Warn("webhook: image inspection failed, using defaults", "image", imageRef, "error", err)
|
|
} else {
|
|
port = docker.ExtractPort(info.ExposedPorts)
|
|
healthcheck = info.Healthcheck
|
|
}
|
|
}
|
|
|
|
project, err := st.CreateProject(store.Project{
|
|
Name: parsed.Name,
|
|
Registry: parsed.Registry,
|
|
Image: parsed.FullName(),
|
|
Port: port,
|
|
Healthcheck: healthcheck,
|
|
Env: "{}",
|
|
Volumes: "{}",
|
|
})
|
|
if err != nil {
|
|
return store.Project{}, store.Stage{}, fmt.Errorf("create project: %w", err)
|
|
}
|
|
|
|
stage, err := st.CreateStage(store.Stage{
|
|
ProjectID: project.ID,
|
|
Name: "dev",
|
|
TagPattern: "*",
|
|
AutoDeploy: true,
|
|
MaxInstances: 1,
|
|
})
|
|
if err != nil {
|
|
return store.Project{}, store.Stage{}, fmt.Errorf("create default stage: %w", err)
|
|
}
|
|
|
|
return project, stage, nil
|
|
}
|
|
|
|
// buildImageRef reconstructs a pullable image reference from parsed components.
|
|
func buildImageRef(parsed ParsedImage) string {
|
|
var parts []string
|
|
if parsed.Registry != "" {
|
|
parts = append(parts, parsed.Registry)
|
|
}
|
|
if parsed.Owner != "" {
|
|
parts = append(parts, parsed.Owner)
|
|
}
|
|
parts = append(parts, parsed.Name)
|
|
|
|
ref := strings.Join(parts, "/")
|
|
if parsed.Tag != "" {
|
|
ref += ":" + parsed.Tag
|
|
}
|
|
return ref
|
|
}
|
|
|