Todos
Steps to deploy to sec.joostagterhoek.nl
Manual
Install and configure a Flask app on my server
Following the steps described in this Yunohost forum post, I managed to install a ‘Hello World’ app on sec.joostagterhoek.nl.
Deploy to production according to Flask-documentation
source: link to Flask-documentation on production deployment
To deploy a Flask app, the documentation recommends that you:
- Build a wheel (.whl) file.
- Configure a secret key.
- Run the app with a production server.
How to build a wheel
- Look this up and note here
Docker
Dockerize the Flask application
- Take notes from this walkthrough
Enable the container registry in Gitlab
The commands/configuration code below works, but I had to rework the paths to the *.pem files. Below is what I found in this Yunohost package issue:
# /etc/gitlab/gitlab-persistent.rb
registry_external_url 'https://git.example.com:5050'
registry_nginx['ssl_certificate'] = "/etc/ssl/private/yunohost_crt.pem"
registry_nginx['ssl_certificate_key'] = "/etc/ssl/private/yunohost_key.pem"
# Then
sudo gitlab-ctl reconfigure
I then had to find out where the actual current pem files are:
/etc/ssl/certs/yunohost_crt.pem
/etc/ssl/private/yunohost_key.pem
Configure the registry to receive Docker containers
Authentication:
- With only a username and password:
  - docker login registry.example.com -u <username> -p <password>
  - Probably unsafe (you also get a warning that your password is stored unencrypted in /home/$USER/.docker/config.json).
  - docker login registry.example.com -u <username> (prompts for the password instead of taking it on the command line)
- Use Gitlab CI/CD to authenticate
  - Upside: per-job user and password managed by the Gitlab CI/CD pipeline.
- Authenticate with a token
  - Downside: token management (tokens should have a limited lifespan)
Approach
- Build and push the local dockerized Flask image with a temporary token
- Create a Gitlab deployment pipeline that does the following:
  - SSH into the production server as the Gitlab Runner account
  - Use the CI job token (unique to each CI/CD pipeline), which only has the read_registry scope for read (pull) access.
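A pipeline that carries out that approach, as an added example (not from these notes or from the Yunohost/Gitlab packages): the build job logs in to the registry with the per-job CI_REGISTRY_USER/CI_JOB_TOKEN pair instead of a personal password, and the deploy job SSHes to the server as the runner account and pulls with the job token. Assumed: the image listens on port 8000, the server-side account is called gitlab-runner, and PROD_HOST, PROD_SSH_KEY and PROD_KNOWN_HOSTS are protected CI/CD variables you define yourself.

```yaml
# .gitlab-ci.yml (added example). CI_REGISTRY, CI_REGISTRY_IMAGE, CI_REGISTRY_USER
# and CI_JOB_TOKEN are predefined by GitLab. Assumed: PROD_HOST, PROD_SSH_KEY and
# PROD_KNOWN_HOSTS (the latter two as File-type variables) are protected CI/CD
# variables; the image listens on 8000; the server account is gitlab-runner.
stages:
  - build
  - deploy

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
  DOCKER_TLS_CERTDIR: "/certs"

build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  before_script:
    # Per-job token instead of a personal password, fed through stdin so it
    # is not on the command line or in the shell history.
    - echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
  after_script:
    - docker logout "$CI_REGISTRY"

deploy-prod:
  stage: deploy
  image: alpine:3.19
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  before_script:
    - apk add --no-cache openssh-client
    - chmod 600 "$PROD_SSH_KEY"
  script:
    # The token travels over ssh's stdin into docker login on the server, so it is
    # neither on the remote command line nor left behind in the runner account's
    # ~/.docker/config.json: docker logout runs whether or not the pull/run worked.
    - |
      printf '%s' "$CI_JOB_TOKEN" | ssh -i "$PROD_SSH_KEY" \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$PROD_KNOWN_HOSTS" \
        "gitlab-runner@$PROD_HOST" \
        "docker login -u '$CI_REGISTRY_USER' --password-stdin '$CI_REGISTRY' && \
         docker pull '$IMAGE' && \
         (docker rm -f flask-app >/dev/null 2>&1 || true) && \
         docker run -d --name flask-app --restart unless-stopped \
           -p 127.0.0.1:8000:8000 '$IMAGE'; rc=\$?; \
         docker logout '$CI_REGISTRY'; exit \$rc"
```

Pinning the server's host key in PROD_KNOWN_HOSTS (rather than accepting it on first use) and binding the container to 127.0.0.1 so only the Yunohost nginx reverse proxy reaches it are the two settings worth checking before the first run.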