diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 2c36136..79b69cf 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -228,13 +228,31 @@ jobs: env: TRAEFIK_RULE: ${{ needs.prepare.outputs.traefik_rule }} run: | + # Middleware & Auth Logic + LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" ) + STD_MW="${PROJECT_NAME}-forward,compress" + + if [[ "$TARGET" == "production" ]]; then + AUTH_MIDDLEWARE="$STD_MW" + COMPOSE_PROFILES="" + else + # Order: Forward (Proto) -> Auth -> Compression + AUTH_MIDDLEWARE="${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,compress" + COMPOSE_PROFILES="gatekeeper" + fi + + # Gatekeeper Origin + GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper" + # Generate Environment File cat > .env.deploy << EOF # Generated by CI - $TARGET IMAGE_TAG=$IMAGE_TAG NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL + GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN SENTRY_DSN=$SENTRY_DSN PROJECT_COLOR=$PROJECT_COLOR + LOG_LEVEL=$LOG_LEVEL # Directus DIRECTUS_URL=$DIRECTUS_URL @@ -270,12 +288,13 @@ jobs: TARGET=$TARGET SENTRY_ENVIRONMENT=$TARGET PROJECT_NAME=$PROJECT_NAME - TRAEFIK_HOST_RULE='$TRAEFIK_RULE' + ENV_FILE=$ENV_FILE + TRAEFIK_RULE='$TRAEFIK_RULE' + TRAEFIK_HOST='$TRAEFIK_HOST' + COMPOSE_PROFILES=$COMPOSE_PROFILES + TRAEFIK_MIDDLEWARES=$AUTH_MIDDLEWARE EOF - # TRAEFIK_MIDDLEWARES logic - printf "TRAEFIK_MIDDLEWARES=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-forward,compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-forward,compress" )" >> .env.deploy - - name: 🚀 SSH Deploy shell: bash env: diff --git a/docker-compose.yaml b/docker-compose.yaml index 5a92a46..90c2fe3 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
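Review bot: In the production branch `AUTH_MIDDLEWARE="$STD_MW"` leaves only the `-forward` and `compress` middlewares on the chain, so among the middlewares visible in this commit nothing sets or strips `X-Auth-User` on production requests; a client can send that header itself, and if the application reads it as the authenticated identity (the app side is not visible here) it would be trusted without the gatekeeper ever running. Either make the app ignore `X-Auth-User` unless the gatekeeper profile is active, or strip it at the edge in the always-attached forward middleware, e.g. a compose label `traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Auth-User=` (an empty value removes the header in Traefik, and the chain order forward -> auth means the gatekeeper still sets it afterwards in non-production). A comment above the branch would also help, e.g. `# production: gatekeeper profile off and no forwardAuth in the chain -- the app must not trust X-Auth-User here`. The `run:` script continues past this hunk.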
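Review bot: The generated env file renames the key `TRAEFIK_HOST_RULE` to `TRAEFIK_RULE`, but the compose label that consumed `TRAEFIK_HOST_RULE` for the application's main router is not part of this diff; if it was not renamed in the same commit, that router's rule expands to an empty string and Traefik drops the router at the next deploy. Please confirm the consuming label now reads `${TRAEFIK_RULE}`, and consider writing it as `${TRAEFIK_RULE:?TRAEFIK_RULE must be set}` so a missing value fails at `compose up` instead of silently. The single quotes around `TRAEFIK_RULE` and `TRAEFIK_HOST` survive into `.env.deploy`, presumably to protect the backticks and parentheses in the rule; a one-line comment stating that intent, e.g. `# keep the single quotes: the Traefik rule contains backticks and parentheses`, would stop the next reader from removing them. The `run:` step and its heredoc begin outside this hunk.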
@@ -20,15 +20,16 @@ services: - "traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Forwarded-Proto=https" - "traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on" - # Gatekeeper Router (Shared Host + dedicated Subdomain) - - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=${GATEKEEPER_RULE:-(Host(`${TRAEFIK_HOST:-mb-grid-solutions.localhost}`) && PathPrefix(`/gatekeeper`)) || Host(`gatekeeper.${TRAEFIK_HOST:-mb-grid-solutions.localhost}`)}" + # Gatekeeper Router (Path-based) + - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=(Host(`${TRAEFIK_HOST}`) && PathPrefix(`/gatekeeper`))" - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.entrypoints=websecure" - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls.certresolver=le" - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls=true" - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.service=${PROJECT_NAME}-gatekeeper" - - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.address=http://${PROJECT_NAME}-gatekeeper:3000/api/verify" + - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.address=http://${PROJECT_NAME}-gatekeeper:3000/gatekeeper/api/verify" - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.trustForwardHeader=true" + - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For" - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.authResponseHeaders=X-Auth-User" - "traefik.docker.network=infra" healthcheck: @@ -39,7 +40,8 @@ services: start_period: 30s gatekeeper: - image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.3 + profiles: [ "gatekeeper" ] + image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.10 container_name: ${PROJECT_NAME:-mb-grid-solutions}-gatekeeper restart: always networks: 
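Review bot: `trustForwardHeader=true` together with the new `authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For` forwards whatever `X-Forwarded-*` values are on the request to the verify endpoint; Traefik's entrypoint strips client-supplied `X-Forwarded-*` headers by default, so this is only a problem if the `websecure` entrypoint has `forwardedHeaders.insecure` or a `trustedIPs` list that covers a less-trusted hop (the static config is not in this diff), in which case a client can spoof the host the gatekeeper uses for redirect-back URLs and the IP it sees for any allowlisting. If Traefik is the first hop, `trustForwardHeader` can be dropped and Traefik will fill those headers from the actual connection, with the `-forward` middleware still pinning `X-Forwarded-Proto=https`; a comment recording which of the two situations applies would save the next reviewer this analysis. Separately, the gatekeeper rule now reads `${TRAEFIK_HOST}` with no fallback, so an unset variable yields an empty Host matcher; `${TRAEFIK_HOST:?TRAEFIK_HOST must be set}` turns that into a hard failure at compose time. The application service's label list starts before this hunk.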
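Review bot: `image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.10` is a mutable tag; since this container is the authentication gate for every non-production deploy, a re-pushed `v1.7.10` is what the next `compose pull` would fetch with no change in this file. Pin by digest alongside the tag (`image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.10@sha256:<digest of the image you verified>`) and update both in bump commits. The new `profiles: [ "gatekeeper" ]` also couples this service to `COMPOSE_PROFILES` in the env file; a comment such as `# started only when COMPOSE_PROFILES includes "gatekeeper" (CI sets it for non-production targets)` would document that. The service definition continues past this hunk.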
@@ -55,8 +57,7 @@ services: COOKIE_DOMAIN: ${COOKIE_DOMAIN:-.mb-grid-solutions.com} AUTH_COOKIE_NAME: ${AUTH_COOKIE_NAME:-mintel_gatekeeper_session} GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:-mintel} - # Dedicated Base URL for Gatekeeper subdomain to prevent redirect loops - NEXT_PUBLIC_BASE_URL: https://${GATEKEEPER_HOST:-gatekeeper.mb-grid-solutions.localhost} + NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN} labels: - "traefik.enable=true" - "traefik.http.services.${PROJECT_NAME}-gatekeeper.loadbalancer.server.port=3000"
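Review bot: `NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}` has neither a fallback nor a required-check, so starting this service outside CI or with an env file that predates this change gives the gatekeeper an empty base URL, and the comment explaining why a dedicated base URL mattered for redirect loops was dropped with the old value. Use compose's required form, `NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN:?GATEKEEPER_ORIGIN must be set}`, and keep a one-line comment such as `# Path-based origin; must match the /gatekeeper router so login redirects land on this service`. In the same environment block `GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:-mintel}` still falls back to a default password committed to the repository for the service that now gates testing and development; `${GATEKEEPER_PASSWORD:?GATEKEEPER_PASSWORD must be set}` would make a missing secret a deploy failure rather than a weak gate. The service's environment block starts before this hunk.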