Fix prod docker setup

continuist 2025-07-04 23:40:07 -04:00
parent 3fc060bb64
commit f95359dda2

@ -1321,23 +1321,61 @@ sudo usermod -aG docker PROD_SERVICE_USER
### Step 13: Configure Docker for Harbor Access
**Important**: The Production Linode needs to be able to pull Docker images from the Harbor registry on the CI/CD Linode.
**Important**: The Production Linode needs to be able to pull Docker images from the Harbor registry on the CI/CD Linode. We need to configure Docker to trust the Harbor SSL certificate.
```bash
# Add the CI/CD Harbor registry to Docker's insecure registries
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json << EOF
{
"insecure-registries": ["YOUR_CI_CD_IP:8080"]
}
EOF
# Add Harbor certificate to system CA certificates
sudo mkdir -p /usr/local/share/ca-certificates
# Copy Harbor certificate from CI Linode to local machine, then to Production Linode
# First, from your local machine, copy the certificate from CI Linode:
scp CI_DEPLOY_USER@YOUR_CI_CD_IP:/etc/ssl/registry/registry.crt ./
# Then copy it to the Production Linode:
scp registry.crt PROD_DEPLOY_USER@YOUR_PRODUCTION_IP:/tmp/
# Remove the cert from your local machine as no longer needed
rm registry.crt
# Now on the Production Linode, move it to the correct location:
sudo mv /tmp/registry.crt /usr/local/share/ca-certificates/
# Fix certificate ownership (crucial for CA certificate trust)
sudo chown root:root /usr/local/share/ca-certificates/registry.crt
# Update CA certificates
sudo update-ca-certificates
# Restart Docker to apply changes
sudo systemctl restart docker
# Change to the PROD_SERVICE_USER
sudo su - PROD_SERVICE_USER
# Test that the certificate is working by pulling an image from Harbor
docker pull YOUR_CI_CD_IP/APP_NAME/test:latest
# If the pull succeeds, the certificate is working correctly
# Change back to PROD_DEPLOY_USER
exit
```
**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address.
**What this does**:
- **Copies Harbor certificate**: Transfers the SSL certificate from CI Linode to Production Linode via your local machine
- **Configures certificate trust**: Properly sets up Harbor certificate trust in Docker
- **Fixes ownership issues**: Ensures certificate has correct ownership for CA trust
- **Updates CA certificates**: Makes the certificate available to all applications
- **Restarts Docker**: Applies the new configuration
- **Tests certificate**: Verifies that Docker can successfully pull images from Harbor
**Note**: Since you don't have direct SSH access between the Linodes, you'll need to copy the certificate through your local machine using the deployment users:
1. From your local machine: `scp CI_DEPLOY_USER@YOUR_CI_CD_IP:/etc/ssl/registry/registry.crt ./`
2. Then: `scp registry.crt PROD_DEPLOY_USER@YOUR_PRODUCTION_IP:/tmp/`
3. On Production Linode: `sudo mv /tmp/registry.crt /usr/local/share/ca-certificates/`
### Step 14: Set Up Forgejo Runner for Production Deployment
**Important**: The Production Linode needs a Forgejo runner to execute the deployment job from the CI/CD workflow. This runner will pull images from Harbor and deploy using `docker-compose.prod.yml`.
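Review bot: The `sudo update-ca-certificates` step in the Step 13 code block puts `registry.crt` into the system-wide CA store, so every TLS client on the Production Linode will trust it, not only Docker (the "Updates CA certificates" bullet says as much). Docker reads per-registry trust from `/etc/docker/certs.d/<registry host>/ca.crt`, so placing the certificate there instead would limit the trust to pulls from Harbor. The certificate also travels over two `scp` hops and sits in `/tmp` before the `sudo mv`, with no integrity check in between; comparing the output of `openssl x509 -noout -fingerprint -sha256 -in registry.crt` on the CI Linode and on the Production Linode before installing it would cover that. If the `insecure-registries` entry for `YOUR_CI_CD_IP:8080` is being dropped in favour of certificate trust, the doc should tell anyone who followed the earlier version to remove it from `/etc/docker/daemon.json`, since the restart alone will not undo it. Minor: the closing **Note** repeats the three copy commands already given in the code block and could be cut.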