.forgejo/workflows/build-deploy-prod.yaml

@@ -2,8 +2,8 @@ name: Build and Deploy Production
 
 on:
   push:
-    branches: [main]
-  workflow_dispatch:
+    tags:
+      - "*"
 
 jobs:
   build:
@@ -27,12 +27,27 @@ jobs:
           username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
           password: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
 
+      - name: Determine image tag
+        id: determine-tag
+        run: |
+          case "${{ github.ref }}" in
+            refs/tags/*)
+              TAG_NAME=${{ github.ref }}
+              TAG_NAME=${TAG_NAME##*/}
+              echo "::set-output name=tag::${TAG_NAME}"
+              ;;
+            *)
+              echo "Unsupported ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
-          tags: ${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}:latest
+          tags: ${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}:${{ steps.determine-tag.outputs.tag }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -41,23 +56,65 @@ jobs:
     runs-on: ubuntu-latest
     container: catthehacker/ubuntu:act-latest
     environment:
-      name: staging
-      url: https://staging.portal.servala.com/
+      name: production
+      url: https://portal.servala.com/
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Determine image tag
+        id: determine-tag
+        run: |
+          case "${{ github.ref }}" in
+            refs/tags/*)
+              TAG_NAME=${{ github.ref }}
+              TAG_NAME=${TAG_NAME##*/}
+              echo "::set-output name=tag::${TAG_NAME}"
+              ;;
+            *)
+              echo "Unsupported ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
+
       - name: Deploy to OpenShift
         uses: docker://quay.io/appuio/oc:v4.16
         with:
           entrypoint: /bin/bash
           args: |
-            -c "oc login --token=${OPENSHIFT_TOKEN} --server=${OPENSHIFT_URL} && \
-              oc -n ${NAMESPACE} apply --overwrite -k deployment/kustomize/overlays/staging && \
+            -c "set -e && oc login --token=${OPENSHIFT_TOKEN} --server=${OPENSHIFT_URL} && \
+              pushd deployment/kustomize/overlays/production && \
+              kustomize edit set image ${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}:${{ steps.determine-tag.outputs.tag }} && \
+              cat kustomization.yaml && popd && \
+              oc -n ${NAMESPACE} apply --overwrite -k deployment/kustomize/overlays/production && \
               oc -n ${NAMESPACE} rollout restart deployment/servala"
         env:
-          NAMESPACE: ${{ vars.NAMESPACE_PORTAL_STAGING }}
+          NAMESPACE: ${{ vars.NAMESPACE_PORTAL_PRODUCTION }}
           KUBECONFIG: /tmp/kube_config
-          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN_STAGING }}
+          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN_PRODUCTION }}
+          OPENSHIFT_URL: ${{ secrets.OPENSHIFT_URL }}
+
+      - name: Verify deployment
+        uses: docker://quay.io/appuio/oc:v4.16
+        with:
+          entrypoint: /bin/bash
+          args: |
+            -c "set -e && oc login --token=${OPENSHIFT_TOKEN} --server=${OPENSHIFT_URL} && \
+              echo 'Waiting for deployment to complete...' && \
+              oc -n ${NAMESPACE} rollout status deployment/servala --timeout=300s && \
+              echo 'Checking pod status...' && \
+              oc -n ${NAMESPACE} get pods -l app=servala && \
+              READY_PODS=$(oc -n ${NAMESPACE} get pods -l app=servala -o jsonpath='{.items[*].status.containerStatuses[0].ready}' | grep -o 'true' | wc -l) && \
+              TOTAL_PODS=$(oc -n ${NAMESPACE} get pods -l app=servala --no-headers | wc -l) && \
+              echo \"Ready pods: $READY_PODS/$TOTAL_PODS\" && \
+              if [ \"$READY_PODS\" -eq \"$TOTAL_PODS\" ]; then \
+                echo '✅ Deployment verified successfully!' && exit 0; \
+              else \
+                echo '❌ Deployment verification failed!' && exit 1; \
+              fi"
+        env:
+          NAMESPACE: ${{ vars.NAMESPACE_PORTAL_PRODUCTION }}
+          KUBECONFIG: /tmp/kube_config
+          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN_PRODUCTION }}
           OPENSHIFT_URL: ${{ secrets.OPENSHIFT_URL }}

deployment/kustomize/overlays/production/ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+  name: servala
+spec:
+  rules:
+    - host: portal.servala.com
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: servala
+                port:
+                  number: 8080
+  tls:
+    - hosts:
+        - portal.servala.com
+      secretName: ingress-cert

deployment/kustomize/overlays/production/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/instance: test
+      app.kubernetes.io/name: servala
+resources:
+  - ../../base/portal
+  - ../../base/database
+  - ingress.yaml
+patches:
+  - path: portal-deployment.yaml

deployment/kustomize/overlays/production/portal-deployment.yaml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: servala
+spec:
+  template:
+    spec:
+      containers:
+        - name: servala
+          env:
+            - name: SERVALA_ENVIRONMENT
+              value: production
+            - name: SERVALA_ALLOWED_HOSTS
+              value: portal.servala.com